For individuals and organizations, the domain name registrations held in domain name registration accounts are as important in the virtual world as brick-and-mortar assets are in the physical world. They should thus consider measures to protect these virtual assets against a range of threats or circumstances in the virtual world that may result in temporary or permanent loss of domain names.
This report attempts to catalog measures that registrants should consider to protect their domain name registration accounts and the domain names managed through these accounts. The report describes the threat landscape for domain names, and identifies a set of measures for organizations to consider. The report also considers risk management in the context of domain names so that an organization can assess its own risk and choose appropriate measures. The report explains that an organization can implement these measures using its own staff (“in house”), contracted third parties, or a registrar or registry. It discusses the merits of implementing certain measures versus outsourcing them to contracted third parties or registrars, and identifies circumstances where redundant measures are worth consideration. Lastly, the report provides lists of questions organizations should ask registrars and registries concerning their registration processes and protection mechanisms. These lists can be used to obtain valuable and important information about registrar processes so that organizations can make informed decisions when choosing one or more registrars.
This report specifically targets individuals or organizations that recognize that the operational value of a domain name in use is extremely or critically important. These parties are keenly aware of the need for assurances that domain name resolution is highly available and that names in a domain consistently resolve as intended. The report assumes that the reader has some familiarity with domain name registration processes, the domain name system, and other technical and operational aspects of providing Internet presence. The report is likely to be of greatest value to individuals who perform administrative or technical staff activities; however, other parties (legal counsel, management) may benefit by gaining insight into the security threats and mitigation measures recommended in the report as well.
Readers familiar with SAC040, Measures to Protect Domain Registration Services Against Exploitation or Misuse [1], will note certain similarities and overlap among the topics covered here. SAC040 identifies practices registrars can share with customers (registrants) so that registrar and registrant can jointly protect registered domains against exploitation or misuse, and discusses methods of raising awareness among registrants of the risks relating to even a temporary loss of control over domain names and associated DNS configurations. As such, SAC040 is registrar-focused. This report focuses on registrants to help them recognize the critical importance of domains they have registered and seek information that will help them implement measures of their own as well as seek out measures from registrars to protect their domain names against loss or misuse. The reports are thus intended to be complementary.
[1] Security and Stability Advisory Committee, Measures to Protect Domain Registration Services Against Exploitation or Misuse (19 August 2009) (http://www.icann.org/en/committees/security/sac040.pdf).