In order to expand the effectiveness of Domain Abuse Activity Reporting (DAAR) for the community, in November 2019, country code top-level domains (ccTLDs) were invited to participate in the DAAR system designed by ICANN's Office of the Chief Technology Officer (OCTO). ccTLDs could volunteer to participate by sharing their zone files. These zone files would only be used in the DAAR system and would not be used or shared for any other purpose or in ICANN's Centralized Zone Data Service (CZDS). Every ccTLD that joined the project would be able to receive DAAR data on a daily basis via ICANN's Monitoring System API (MoSAPI).
In July 2020, I published a blog announcing that several ccTLDs were voluntarily participating in the DAAR system. To date, 12 ccTLDs have joined this effort. This not only benefits the DAAR system by allowing a broader spectrum of domains and therefore better indication of security threat concentrations, but we expect it to also provide significant benefits to the ccTLD community.
We are now providing customized monthly reports to the participating ccTLDs. These reports contain analytics specifically based on the data submitted by each ccTLD, and are only shared with them. In each report, the statistics for that ccTLD are shown alongside those of all the other ccTLDs and generic TLDs (gTLDs), which are anonymized. The intention of these personalized reports is to help ccTLDs understand where they stand in terms of the security threat data listed by Reputation Block Lists (RBLs) in comparison to other TLDs. These documents are in addition to the DAAR monthly reports and daily security threat scores.
ICANN's DAAR system is used to study and report on domain name registration and security threat behavior across top-level domain (TLD) registries. The domain name data is obtained from zone files to which ICANN has access. The threat data is obtained from a curated list of Domain Name System (DNS) RBL providers. For each gTLD, DAAR provides, via ICANN's MoSAPI, raw counts and scores of security threats based on what is listed in the RBLs we use to identify phishing, malware, spam, and botnet command-and-control threats. DAAR reports go as far back as 2018 and can be found here.
The data being collected by the DAAR system is helping ICANN org and the community to facilitate discussions on security threat trends over time. Through the MoSAPI, individual registries can compare their DAAR data against the aggregate data for all registries in the DAAR system. Even in its anonymous form, the data has incentivized multiple large contracted parties to enhance their own anti-abuse measures and frameworks. Furthermore, independent researchers are adopting our methodology and producing measurements that help enhance the community's understanding of the DNS security threats landscape.
What Comes Next
It's important to note that these initial personalized reports shared with participating ccTLDs are still considered drafts. To continue to produce regular reports and improve features, we are asking the volunteer ccTLDs to review the reports and share their feedback with us.
We sincerely appreciate and thank the ccTLDs who have volunteered to join DAAR. We hope the personalized monthly reports are useful and that feedback from the ccTLDs will help improve DAAR for the community.
Finally, in order to generate more accurate and reliable analyses and comparisons within the DAAR system, more ccTLD participation is desirable. We encourage all ccTLDs to learn about the benefits of participating in the DAAR system for themselves and the community.
For discussions regarding DAAR project data-sharing and any other measurement of DNS security threats and abuse-related topics, please join the DNS-Abuse-Measurements mailing list or visit the DAAR webpage: https://www.icann.org/octo-ssr/daar.