Skip to main content
Resources

SAC 044 | A Registrant's Guide to Protecting Domain Name Registration Accounts

[PDF, 377 KB]

Domain name registrations in domain name registration accounts are as important in the virtual world as their brick-and-mortar assets are in the physical world. Individuals and organizations should thus consider measures to protect virtual assets against a range of threats or circumstances in the virtual world that may result in temporary or permanent loss of domain names.

This report attempts to catalog measures that registrants should consider to protect their domain name registration accounts and the domain names managed through these accounts. The report describes the threat landscape for domain names, and identifies a set of measures for organizations to consider. The report also considers risk management in the context of domain names so that an organization can assess its own risk and choose appropriate measures. The report explains that an organization can implement these measures using its own staff (“in house”), contracted third parties, or a registrar or registry. It discusses the merits of implementing certain measures versus outsourcing these to contracted third parties or registrars and identifies circumstances where redundant measures are worth consideration. Lastly, the report provides lists of questions organizations should ask registrars and registries concerning their registration processes and protection mechanisms. The list can be used to obtain valuable and important information about registrar processes so that organizations can make informed decisions when choosing a registrar(s).

This report specifically targets individuals or organizations that recognize that the operational value of a domain name in use is extremely or critically important. These parties are keenly aware of the need for assurances that domain name resolution is highly available and that names in a domain consistently resolve as intended. The report assumes that the reader has some familiarity with domain name registration processes, the domain name system, and other technical and operational aspects of providing Internet presence. The report is likely to be of greatest value to individuals who perform administrative or technical staff activities; however, other parties (legal counsel, management) may benefit by gaining insight into the security threats and mitigation measures recommended in the report as well.

Readers familiar with SAC040, Measures to Protect Domain Registration Services Against Exploitation or Misuse 1 will note certain similarities and overlap among the topics covered here. SAC040 identifies practices registrars can share with customers (registrants) so that registrar and registrant can jointly protect registered domains against exploitation or misuse, and discusses methods of raising awareness among registrants of the risks relating to even a temporary loss of control over domain names and associated DNS configurations. As such, SAC040 is registrar-focused. This report focuses on registrants to help them recognize the critical importance of domains they have registered and seek information that will help them implement measures of their own as well as seek out measures from registrars to protect their domain names against loss or misuse. The reports are thus intended to be complementary.


1 Security and Stability Advisory Committee, Measures to Protect Domain Registration Services Against Exploitation or Misuse (19 August 2009) (http://www.icann.org/en/committees/security/sac040.pdf).

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."