Note: The views expressed here are mine alone.
The Centralized Zone Data Service (CZDS) was introduced to facilitate and accelerate the process of requesting access to generic Top Level Domain (TLD) zone data. CZDS is included in the new TLD registry operator contractual obligation:
Registry Operator will enter into an agreement with any Internet user, which will allow such user to access an Internet host server or servers designated by Registry Operator and download zone file data. The agreement will be standardized, facilitated and administered by a Centralized Zone Data Access Provider, which may be ICANN or an ICANN designee (the “CZDA Provider”).
Legitimate consumers of zone data - criminal or abuse investigators, first responders to cyber attacks, operational security professionals, abuse researchers - rely on daily downloads of zone files to monitor additions, deletions or changes to domain names registered in all TLDs, so that they can identify and respond to security threats that make use of domain names. In many cases, a reliable, daily feed of zone data assists in the early mitigation of phishing, spam, malware hosting or botnet enrollment.
The response to CZDS is overwhelmingly positive. CZDS simplifies what might have been a registration nightmare: if you think that I exaggerate, imagine having to apply for access to potentially a thousand separate business entities, each having unique acceptable use policies or enrollment processes. CZDS considerably reduces this complexity. Still, as a colleague of investigators who use CZDS extensively, I receive a steady stream of complaints or concerns regarding CZDS implementation or execution.
Let me share three top concerns and suggest some remedies.
CZDS Application Approvals
Timely processing and approval of CZDS applications is important, especially since this is the current method for renewal. It's disturbing to learn that applications remain in a pending state for 100 or more days for certain new TLD registries. Every operator has business or operational priorities, but you will do your organization a service by processing applications promptly.
Access to zone data is typically granted for a limited period; however, investigators depend on uninterrupted zone access to observe additions, deletions or changes to domain names registered in each TLD. Delays in approving renewals create "black holes" in zone data histories. These gaps hamper long-term analyses that can be particularly useful to registry operators in identifying abuse behaviors; for example, investigators or researchers may discover a flocking behavior that a registry operator may be able to mitigate, e.g., abuse registration spikes on specific days, or through targeted registrars.
PLEASE consider offering long renewal periods for applicants whom you can associate with legitimate anti-abuse activities.
Denials of zone access requests
New TLD registry operators are obliged to support CZDS. The CZDS registration portal collects applicant contact information and other data related to access (e.g., IP addresses the applicant will use to download zone files). Certain registry operators deny access to zone data when the applicant submits a post office box rather than a physical location. In such cases, the registry operator contends that it cannot ascertain the legitimacy of the applicant because they cannot determine the nature of the applicant's business or geo-location.
There are several legitimate reasons why investigators use PO boxes rather than street addresses, and many of these have to do with physical safety. Abuse investigators have been and remain targets for retaliation from criminals whose activities they disrupt. High-profile incidents are not limited to cyber attacks such as defacements or DDoS, but also include kidnappings and swatting.
There's a simple remedy here. PLEASE do not reject zone access in cases where applications include a PO Box. Take the time to contact the applicant by email or phone. In all likelihood, you will gain a better appreciation for the legitimacy of the applicant through such contact than you would from an address.
A second recourse: Contact me to reach out to the operations security community to help you vet the applicant. It's very possible that someone in OPSEC knows the investigator or is one connection removed. The worst case is that you've at least confirmed that a large, trusted collaborative community is unfamiliar with the applicant. The best case is that you are able to grant access to an applicant with some confidence regarding their legitimacy.
Either remedy is likely to produce a positive outcome. Either remedy is also less time consuming for all parties (applicant, registry operator, ICANN compliance) than processing a complaint.
Know your friends
Investigators are not the enemy of registries. You run a legitimate operation. They are working to mitigate abuse of your operation. Assisting investigators is in your best business interest.