After reading yet another round of complaints regarding the approvals process for ICANN's Centralized Zone Data Service (CZDS), I set up an experiment. I applied for all Top-level domains (TLDs) available from the CZDS on May 28 2019 to observe how promptly registries respond to requests. I applied as an "Individual" by checking this choice in the profile. For reason, I stated my purpose, "I investigate phishing and fraud web sites. Zone data are needed to identify newly resolving domain names that may be used in these attacks."

Approval response times are all over the map

The chart below illustrates the arrival dates of the 1117 approval emails received from May 28, 2019 through August 13, 2019 (note: I use logarithmic scale for readability). 

 

Seventy one  percent (71%) of TLDs respond within 2-3 business days. Kudos to these operators who have automated or streamlined this process. 

There are still registry operators who have not processed CZDS applications after fifty-five business days, an ample opportunity to process a request for which there are few causes for denial except for incomplete applicant data:

TLDs with Applications Pending since May 28, 2019
aigo	citadel	hoteles	luxury	stada
airtel	cyou	ice	madrid	voting
alstom	dealer	ifm	man	vuelos
amica	discover	inc	mango	wed
apple	duns	intel	mint	weibo
beats	eus	intuit	mobily	williamhill
bharti	firmdale	ipiranga	mtn	wme
bnpparibas	flir	ist	passagens	xn--5tzm5g (网站)
bradesco	gal	istanbul	quebec	xn--80asehdb (онлайн)
build	gdn	lacaixa	redstone	xn--80aswg (сайт)
bzh	gop	liaison	seat	xn--9krt00a (微博)
canon	hdfcbank	lpl	shaw	xn--kput3i (手机)
cbn	helsinki	lplfinancial	sina	xn--mgbab2bd (بازار)
				xn--mgbb9fbpob (موبايلي)

I was denied access by

• deloitte, moscow, xn--80adxhks (москва) denied access claiming invalid organization field. This could be a CZDS error, because I identified myself as "individual". 
• emi, scot denied access for "invalid reason or details". I'm confounded by this response. If my email was invalid, how did I get a response? Or more troubling... why is investigating fraud or phishing not a valid reason? 
• tatar - incomplete user information. To the best of my knowledge, my information is correct, and satisfied 1117 other operators.

Why is this even hard?

My not-an-attorney experience whenever a contract is involved inclines me to believe that unspecific or absent language is a likely suspect. There is no service level agreement for CZDS responses. Many operators are diligent and work within the spirit of the contract. Others perhaps have a variety of reasons why CZDS is unimportant or a low priority.  

ICANN should be able to fix this. Zone data isn't proprietary or secret. If over 70% of the operators have resolved the matter through apparent automation, surely these operators or ICANN organization can encourage the remaining 30% to automate as well.  

More to come

Studying renewal behavior would also be valuable. I recently saw a post on an opsec mail list where 100+ renewals were delayed by weeks or months. Since delays of renewals create gaps for automation that collects zones for both daily and historical (security) analysis, renewal behavior is perhaps a more pressing concern. In a future post, I will be sharing the renewal "experience" from my experiment with you.