Domain names and DNS

ICANN prepares for more gTLDs... has enough been done to mitigate threats?

2384711319_b75212d9cd_mICANN organization has published a memorandum that describes its Readiness to Support Future Rounds of New gTLDs. The last time I looked, new TLD registrations from the 2012 round constituted around 12 percent of the total gTLD registrations. Despite justifications most commonly cited for expansion - for example, "all the good names are taken" - COM, NET, and many country code TLDs continue to prosper and grow. We should ask, "What benefits other than brand- and geo-TLDs does ICANN use to justify this new round?"  More importantly,

What's the hurry, and has enough been done to study and rectify the concentration of security threats in the new TLD space? 

In an earlier post, I commented on a January 2019 domain abuse report generated from the Domain Abuse Activity Reporting system (DAAR). DAAR is a system for studying and reporting on domain name registration and security threat (domain abuse) behavior across top-level domain (TLD) registries and registrars. From the limited data that ICANN shared, I observed that

"Over one-half of the domains identified as security threats are
registered in one-eighth of the generic TLD name space."

From the reputation data that I study nearly daily, I can say with confidence that little has changed statistically, and that no meaningful progress has emerged from ICANN concensus policy to course correct this readily observable concentration of security threat activity in the new TLDs. 

ICANN organization has asked its Advisory Committees to comment on its readiness plan. The Security Stability and Resiliency Advisory Committee, SSAC, recently published its correspondence to ICANN's Senior Vice President of Global Domains Division, where it mentioned in its closing remarks"

"it remains a significant concern for the SSAC that the last round of new gTLDs appears to have introduced the phenomenon of TLDs with exceptionally high rates of abusive registrations. It is also not clear if the ICANN Community is effectively addressing these potential threats and risks or what kind of deliberation will occur on how to mitigate them through consensus policy or contractual negotiation. The SSAC continues to be concerned that a further round of new gTLDs could be delegated prior to comprehensive metrics and mitigations being put in place to prevent such a recurrence."

Someone may have a good argument for hurrying the next round along, but if you use the same individual or composite reputation data that ICANN uses for DAAR, it's obvious that the answer to "has enough been done to study and rectify the concentration of security threats in the new TLD space?" is a resounding "NO!" 

Unspecific CZDS contract language makes zone data access approvals a dice roll

After reading yet another round of complaints regarding the approvals process for ICANN's Centralized Zone Data Service (CZDS), I set up an experiment. I applied for all Top-level domains (TLDs) available from the CZDS on May 28 2019 to observe how promptly registries respond to requests. I applied as an "Individual" by checking this choice in the profile. For reason, I stated my purpose, "I investigate phishing and fraud web sites. Zone data are needed to identify newly resolving domain names that may be used in these attacks."

Approval response times are all over the map

The chart below illustrates the arrival dates of the 1117 approval emails received from May 28, 2019 through August 13, 2019 (note: I use logarithmic scale for readability). 
Screenshot (143)
Seventy one  percent (71%) of TLDs respond within 2-3 business days. Kudos to these operators who have automated or streamlined this process. 

There are still registry operators who have not processed CZDS applications after fifty-five business days, an ample opportunity to process a request for which there are few causes for denial except for incomplete applicant data:

TLDs with Applications Pending since May 28, 2019 

aigo citadel hoteles luxury stada
airtel cyou ice madrid voting
alstom dealer ifm man vuelos
amica discover inc mango wed
apple duns intel mint weibo
beats eus intuit mobily williamhill
bharti firmdale ipiranga mtn wme
bnpparibas flir ist passagens xn--5tzm5g (网站)
bradesco gal istanbul quebec xn--80asehdb (онлайн)
build gdn lacaixa redstone xn--80aswg (сайт)
bzh gop liaison seat xn--9krt00a (微博)
canon hdfcbank lpl shaw xn--kput3i (手机)
cbn helsinki lplfinancial sina xn--mgbab2bd (بازار)
        xn--mgbb9fbpob (موبايلي)

I was denied access by

  • deloitte, moscow, xn--80adxhks (москва) denied access claiming invalid organization field. This could be a CZDS error, because I identified myself as "individual". 
  • emi, scot denied access for "invalid reason or details". I'm confounded by this response. If my email was invalid, how did I get a response? Or more troubling... why is investigating fraud or phishing not a valid reason? 
  • tatar - incomplete user information. To the best of my knowledge, my information is correct, and satisfied 1117 other operators.

Why is this even hard?

My not-an-attorney experience whenever a contract is involved inclines me to believe that unspecific or absent language is a likely suspect. There is no service level agreement for CZDS responses. Many operators are diligent and work within the spirit of the contract. Others perhaps have a variety of reasons why CZDS is unimportant or a low priority.  

ICANN should be able to fix this. Zone data isn't proprietary or secret. If over 70% of the operators have resolved the matter through apparent automation, surely these operators or ICANN organization can encourage the remaining 30% to automate as well.  

More to come

Studying renewal behavior would also be valuable. I recently saw a post on an opsec mail list where 100+ renewals were delayed by weeks or months. Since delays of renewals create gaps for automation that collects zones for both daily and historical (security) analysis, renewal behavior is perhaps a more pressing concern. In a future post, I will be sharing the renewal "experience" from my experiment with you.