ICANN Contractual Compliance has completed its audit of registrars’ compliance with the Registrar Accreditation Agreement (RAA) requirements related to the mitigation of Domain Name System (DNS) abuse. The report summarizes the methodology and the results of the audit of 126 registrars who in aggregate manage over 90% of all registered generic second-level domain names.
As detailed in the report, ICANN Contractual Compliance identified 111 registrars that were not fully compliant with the RAA’s requirements related to the receiving and handling of DNS abuse reports (RAA Sections 3.18.1 – 3.18.3). If not cured, violations of these provisions can result in the issuance of a formal breach notice and even the termination of the accreditation. ICANN Compliance collaborated with the 111 registrars to remediate the deficiencies identified during the audit. Prior to the closure of the audit, 92 registrars took actions to become fully compliant while 19 registrars are currently implementing changes to address these deficiencies. ICANN Compliance will re-audit these 19 registrars to ensure they have made the required changes. Finally, 15 registrars passed the audit with no identified deficiencies and were not required to implement any changes.
Like the 2019 registry DNS security threat audit, this audit further demonstrates that the contracted parties take seriously their obligations to mitigate DNS abuse. Where ICANN Compliance identified deficiencies, all non-compliant registrars agreed to take remedial action, with most implementing necessary changes immediately.
ICANN Compliance selected registrars for this audit who managed at least five domains listed as DNS security threats (phishing, malware, botnet command and control) in the security threat reports received from the 2019 Registry Operator Compliance Audit program and/or the November 2020 ICANN Office of the Chief Technology Officer (OCTO) Abuse Report. The OCTO report was compiled based on data from a large number of Reputation Block Lists (RBLs). For every accredited registrar, the OCTO Abuse Report gave the domain names that appear on RBLs and have been identified as sources perpetrating DNS security threats.
In addition to auditing compliance with RAA DNS abuse obligations, ICANN Compliance also sent each selected registrar a sample of 5 to 20 domains under its management that were included in the November 2020 OCTO Abuse Report. Each registrar was asked, for each domain listed as abusive, whether it had received any abuse reports and whether it had taken any action on the domain. These questions were asked for informational purposes only, as they did not correspond to any contractual obligations.
Out of the 126 registrars, 33 (26%) responded that they did not receive abuse reports for any of the sample domains; 81 (64%) responded that they had received an abuse report for at least some of the sample domains; and 12 (10%) responded that they had received abuse reports for all domains listed in the inquiry.
More information on the ICANN Compliance Audit Program is available here.