The Framework to Address Abuse

The Framework to Address Abuse is a document developed by registry operators (both “generic” and “country-code”) and registrars that defines DNS Abuse and sets forth when a registry or registrar must take action (instances of identified DNS Abuse), as well as those limited and egregious categories of website content abuse when a registry or registrar should take action.

Internet and Jurisdiction Policy Network Publications 

The Internet and Jurisdiction Policy Network’s Domain and Jurisdiction Contact Group has published a number of very helpful and informative documents addressing both questions of DNS Abuse as well as dealing with website content abuse questions at the DNS infrastructure level. These resources help inform people and organizations that want to report abuse in making those reports more actionable as well as information to registries and registrars in identifying and addressing abuse. 

• Operational Approaches, Norms, Criteria and Mechanisms   
• In 2019, I&J published this foundational document. This is a comprehensive work on issues relating to DNS Abuse and website content abuse questions. It examines the role of “Operators” (registries and registrars) and their role in DNS infrastructure. It examines the impact of acting via the DNS to address both DNS Abuse and website content abuse questions. 

In 2020, I&J also put out a series of smaller one/two page documents covering specific topics:

• Effect of Action at the DNS Level
  • This document notes the impact of using the DNS to take action to mitigate a threat, including issues such as collateral damage.  It includes graphics for what happens when a domain is locked or suspended.
• DNS Operator’s Guide to Action on Technical Abuse
  • This document focuses on questions like identification, evaluation, choice of action and remediation for DNS Abuse.
• Due Diligence Guide for Notifiers
  • This document helps inform what sorts of due diligence someone making a complaint or notification should take before referring the issue to a registry or registrar.
• Choice of Action
  • This document notes the limited tools available to a registry or registrar to address abuse and describes the effect of each action. .
•  Procedural Workflow for Addressing Phishing and Malware
  • This is a very interesting document that works as a flowchart/decision tree for both registries or registrars when they receive a referral for phishing or malware.  
• Minimum Notice Components for Abuse
  • This sets forth what must go into an effective notification for DNS Abuse. 
• Typology of Technical Abuse 

Security Framework for Registry Operators

This document Framework for Registry Operators to Address Security Threats (the “Security Framework”) was jointly published between the Public Safety Working Group (a consortium of law enforcement agencies from around the world) and gTLD registries in 2017. It describes what different actions a registry operator can take when it has identified a security threat. It also delineates an implicit hierarchy of notifiers where, for instance, a particular law enforcement agency might have a particularized expertise (e.g., identifying domain generating algorithms). It also sets forth expected communications between law enforcement and registries when a security threat has been identified.

ICANN Competition, Consumer Trust, And Consumer Choice Review, Final Report

The ICANN Competition, Consumer Trust, And Consumer Choice Review (CCT RT) was created when “ICANN’s Affirmation of Commitments (AoC) called for a regular review of the degree to which the New Generic Top-Level Domain (gTLD) Program promoted consumer trust, choice and increased competition in the Domain Name System (DNS) market.” The CCT RT published its Final Report in 2018 and made several policy recommendations. It should be noted that the CCTRT utilized an early definition of “DNS Abuse” that included issues relating to website content abuse. Its definition of “DNS Security Abuse” tracks more closely to currently understood definitions of “DNS Abuse.” The CCT RT Final Report is available here. 

In 2017, a study commissioned by the CCT RT was published, titled Statistical Analysis of DNS Abuse in gTLDs – Final Report. This report compared abuse trends in legacy gTLDs and new gTLDs and across the entire DNS at that time.

Specification 11(3)(b) Advisory

This “Advisory, New gTLD Registry Agreement Specification 11 (3)(b)” was developed jointly between ICANN and gTLD registries in 2017. Specification 11(3)(b) is a part of the base Registry Agreement that requires gTLD registries to conduct periodic analysis for security threats and maintain data for purposes of reporting on those identified threats. The Advisory defines “Security Threats” very similarly to DNS Abuse and describes what technical analysis for registries should look like. It also describes the use of Reputation Service Providers and details the reports ICANN expects from registries under Specification 11(3)(b).

CENTR Resources

The Council of European National Top-Level Domain Registries (CENTR) is a consortium of predominantly European ccTLDs. CENTR seeks to promote and participate in the development of high standards for ccTLDs to the benefit of its members and the Internet.CENTR has published a document titled “Domain Name Registries and Online Content” that provides a thorough explanation of a registry operator’s role in the infrastructure of the DNS. CENTR has also published a video that provides a similar explanation, as it relates to the DNS infrastructure and dealing with website content online.