
DAAR Activity Project: Now Providing Personalized Monthly Reports for ccTLDs

In order to expand the effectiveness of Domain Abuse Activity Reporting (DAAR) for the community, in November 2019, country code top-level domains (ccTLDs) were invited to participate in the DAAR system designed by ICANN's Office of the Chief Technology Officer (OCTO). ccTLDs could volunteer to participate by sharing their zone files. These zone files would only be used in the DAAR system and would not be used or shared for any other purpose or in ICANN's Centralized Zone Data Service (CZDS). Every ccTLD that joined the project would be able to receive DAAR data on a daily basis via ICANN's Monitoring System API (MoSAPI).

In July 2020, I published a blog announcing that several ccTLDs were voluntarily participating in the DAAR system. To date, 12 ccTLDs have joined this effort. This not only benefits the DAAR system by allowing a broader spectrum of domains and therefore better indication of security threat concentrations, but we expect it to also provide significant benefits to the ccTLD community.

We are now providing customized monthly reports to the participating ccTLDs. These reports contain analytics specifically based on the data submitted by each ccTLD, and are only shared with them. In each report, the statistics for that ccTLD are shown alongside those of all the other ccTLDs and generic TLDs (gTLDs), which are anonymized. The intention of these personalized reports is to help ccTLDs understand where they stand in terms of the security threat data listed by Reputation Block Lists (RBLs) in comparison to other TLDs. These documents are in addition to the DAAR monthly reports and daily security threat scores.

About DAAR

ICANN's DAAR system is used to study and report on domain name registration and security threat behavior across top-level domain (TLD) registries. The domain name data is obtained from zone files to which ICANN has access. The threat data is obtained from a curated list of Domain Name System (DNS) RBL providers. For each gTLD, DAAR provides, via ICANN's MoSAPI, raw counts and scores of security threats based on what is listed in the RBLs we use to identify phishing, malware, spam, and botnet command-and-control threats. DAAR reports go as far back as 2018 and can be found here.

The data being collected by the DAAR system is helping ICANN org and the community to facilitate discussions on security threat trends over time. Through the MoSAPI, individual registries can compare their DAAR data against the aggregate data for all registries in the DAAR system. Even in its anonymous form, the data has incentivized multiple large contracted parties to enhance their own anti-abuse measures and frameworks. Furthermore, independent researchers are adopting our methodology and producing measurements that help enhance the community's understanding of the DNS security threats landscape.

What Comes Next

It's important to note that these initial personalized reports shared with participating ccTLDs are still considered drafts. To continue to produce regular reports and improve features, we are asking the volunteer ccTLDs to review the reports and share their feedback with us.

We sincerely appreciate and thank the ccTLDs who have volunteered to join DAAR. We hope the personalized monthly reports are useful and that feedback from the ccTLDs will help improve DAAR for the community.

Finally, in order to generate more accurate and reliable analyses and comparisons within the DAAR system, more ccTLD participation is desirable. We encourage all ccTLDs to learn about the benefits of participating in the DAAR system for themselves and the community.

For discussions regarding DAAR project data-sharing and any other measurement of DNS security threats and abuse-related topics, please join the DNS-Abuse-Measurements mailing list or visit the DAAR webpage:

