Vetted registry operators. Recommended by APWG and security experts in the financial industry, this measure is intended to ensure that no criminal organization can own or influence a registry operator (e.g., through indirect shareholding or ownership).
Demonstrated plan for DNSSEC deployment. Applicants will be expected to publish a detailed plan and timeline for signing their zone file and for signing delegations (domain names registered in their TLD).
Prohibition of redirection by TLDs. Acting on the recommendation of ICANN’s SSAC, the ICANN Board of Directors has agreed that applicants must return negative responses when a DNS query is made to a non-existent domain and must not synthesize (redirect) queries for error resolution or advertising purposes.
Removal of orphan glue records. Orphaned glue records frequently point to name servers that host malicious domains. This measure requires applicants to explain the policy they will enforce to ensure that a name server record in a delegation will not persist in the TLD zone file when the parent domain name is deleted from the zone.
Requirement for thick Whois records. This measure requires applicants to provide Whois output that identifies the sponsoring registrar, the status of the registration, the creation and expiration dates of each registration, contact information for the registrant and designated administrative and technical contacts, plus name server information.
Centralization of zone file access. Today, organizations must individually contract with TLD registries to obtain (FTP) access to zone files. This does not scale to the potentially large number of zone files the new TLD program may spawn. This measure provides for the implementation of a common access point for organizations that require access to TLD zone files. (Look for a future article explaining how centralization of zone file access will be implemented.)
Documented registry level abuse contacts and procedures. This expands the ICANN SSAC recommendation that all registrars maintain an abuse handling process and publish contact information. Registries will similarly be asked to have public and easily accessible abuse handling agents.
Participation in the Expedited Registry Security Request process. A GTLD registry uses the ERSR process to request a contractual waiver for actions it might take or has taken to mitigate or eliminate a present or imminent security incident of global significance. This measure allows ICANN and registries to maintain operational security during an incident.
Draft Framework for High Security Zones Verification. The high security zones verification program establishes a set of operational and security control standards that collectively improve confidence in the ability to maintain security, availability, confidentiality, and privacy of systems and information assets supporting critical registry IT and business operations.
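To make the "Removal of orphan glue records" measure concrete, the following added example (not from the memorandum or from ICANN) audits a TLD zone for address records whose parent domain is no longer delegated. The simplified one-record-per-line zone format, the `example.` TLD, and the function names are assumptions for illustration, and the sample zone is constructed.

```python
from collections import defaultdict

# Constructed sample TLD zone, one record per line: owner TTL class type rdata.
SAMPLE_ZONE = """\
good.example.      3600 IN NS   ns1.good.example.
ns1.good.example.  3600 IN A    192.0.2.10
other.example.     3600 IN NS   ns1.gone.example.   ; delegation relying on orphan glue
ns1.gone.example.  3600 IN A    192.0.2.66          ; gone.example. was deleted
ns2.gone.example.  3600 IN AAAA 2001:db8::66
"""

def registered_domain(name, origin):
    """Return the domain registered directly under the TLD, e.g. gone.example."""
    name, origin = name.lower().rstrip("."), origin.lower().rstrip(".")
    if not name.endswith("." + origin):
        return None  # the TLD apex itself, or a name outside this zone
    labels = name[: -len(origin) - 1].split(".")
    return f"{labels[-1]}.{origin}."

def find_orphan_glue(zone_text, origin):
    """List A/AAAA records whose parent domain has no NS delegation in the zone."""
    delegated = set()                 # domains that still have NS records
    referenced_by = defaultdict(set)  # name server host -> domains delegating to it
    glue = []                         # (host, address) pairs found in the zone
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 5:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4]
        if rtype == "NS":
            delegated.add(owner)
            referenced_by[rdata.lower()].add(owner)
        elif rtype in ("A", "AAAA"):
            glue.append((owner, rdata))
    orphans = []
    for host, address in glue:
        parent = registered_domain(host, origin)
        if parent and parent not in delegated:
            orphans.append({"host": host, "address": address,
                            "deleted_parent": parent,
                            "still_used_by": sorted(referenced_by[host])})
    return orphans

if __name__ == "__main__":
    for record in find_orphan_glue(SAMPLE_ZONE, "example."):
        print(record)
```

The `still_used_by` field separates orphan glue that other delegations still depend on from glue nothing references, which is the distinction a removal policy has to address.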
The publication of this explanatory memorandum and consideration of these measures for new GTLDs within the ICANN process is a landmark event. However, it's critical that all interested parties recognize that this is a discussion draft only. Simply put, this is not a "done deal." To ensure that any or all of these measures are incorporated into the new TLD application process, you must voice your support through the ICANN public comment process at http://www.icann.org/en/public-comment/