Taking the Next Steps in the Fight Against DNS Abuse

Reflecting on the ICANN community’s recent and ongoing work to improve awareness, understanding and mitigation of Domain Name System (DNS) security threats within ICANN’s remit, I reviewed my December 2021 blog post on DNS abuse and I’m reminded of how relevant that article still is. I’m also keenly aware of the progress we have made on several fronts over the last 12 months to directly address many of the issues identified then. While more work is needed, significant steps have been taken by ICANN and its contracted parties – registries and registrars – to create new obligations for action when DNS abuse is identified in our respective areas of responsibility.

A group of registries and registrars, including Verisign, met in Paris in May 2022 at a gathering of the Internet & Jurisdiction Policy Network, our first in-person meeting since the onset of the COVID-19 pandemic. As part of the discussion of a range of issues facing the industry and areas of concern for the ICANN community more broadly, the group recognized the need for more aggressive action to disrupt and mitigate harms from specific DNS Abuse – defined by ICANN as phishing, pharming, botnet command and control, malware distribution, and spam when used as a delivery vehicle for the preceding threats.

In considering the range of possible approaches to affect meaningful and material improvements in the fight against DNS Abuse, the registries and registrars recognized the need for multi-stakeholder input and dialogue in any future policy development work on the subject. ICANN’s contracted parties are fully committed to the bottom-up, consensus-based policy development processes (PDPs) enshrined in the ICANN bylaws, the Generic Names Supporting Organization (GNSO) operating procedures and the relevant contracts. There is no substitute for the GNSO’s multi-stakeholder PDP engagement for creating, developing or changing policies while ensuring consensus support of its diverse group of stakeholders and interests. But there is also recognition of concerns across the ICANN community, including among governments, that the deliberative nature of PDPs – particularly on a topic as broad and complex as DNS Abuse – can take quite a bit of time, while the harms from DNS Abuse are imminent and therefore require more timely action. It was in this context that contracted parties came together to consider a more immediate tool, one already in our tool chest, to voluntarily create new obligations for action.

In our existing registry and registrar agreements lies the power to trigger bilateral contract negotiations with ICANN. The May 2022 Paris meeting began the discussion of the potential for a very targeted set of contractual amendments that would create new, enforceable obligations for registries and registrars to act when DNS Abuse is identified in their respective areas of responsibility. In those early discussions, ICANN’s contracted parties prepared to voluntarily propose new contractual requirements that would compel all registries and registrars to meet a minimum threshold for action.

In December 2022, just six months after the Paris meeting, the contracted parties, via the Registries Stakeholder Group (RySG) and the Registrars Stakeholder Group (RrSG), sent letters to ICANN initiating the bilateral contract negotiation provisions. ICANN responded, indicating its support and preparedness to engage quickly and formal negotiations began one month later, in January 2023. Fast-forward to June 2023: Following an intense but very collaborative and constructive six months of negotiations, the contracted parties and ICANN reached agreement, jointly proposed amendments to the Registry Agreement (RA) and the Registrar Accreditation Agreement (RAA) and published them for public comment ahead of a vote by all eligible registries and registrars.

These proposed amendments will materially improve DNS Abuse mitigation in the gTLD space by requiring all contracted parties to meet a minimum threshold for action that essentially matches already existing best practices followed by the industry’s leading service providers. Verisign is fully supportive of these changes. We believe the appropriate response to DNS Abuse is to voluntarily raise the bar on ourselves as an industry by taking on new enforceable contract provisions.

Now that ICANN and its contracted parties have taken the first step within our collective, immediate capabilities – bilateral negotiations – it’s time to consider next steps. There are a wide array of perspectives and interests across ICANN’s multi-stakeholder community, and it is critical that all are heard as we discuss and debate new or revised policies related to DNS Abuse. To be clear, ICANN’s GNSO PDPs are designed to produce consensus policies that become contractual obligations for registries and registrars. There is still meaningful policy work to be done on a range of issues impacting the broad topic of DNS Abuse and it’s critical to rely on the established multi-stakeholder structure and processes to ensure consensus policies are, in fact, consensus-based, striking an appropriate balance of stakeholder interests and impacts.

This effort is an illustration of the outcomes envisioned in Verisign’s 2020 binding Letter of Intent with ICANN committing both parties to cooperate in taking a leadership role in combating security threats. This includes:

• working with the ICANN community to determine the appropriate process for, and development and implementation of, best practices related to combating security threats;
• developing new or enhanced contractual obligations based on the result of the best practices work;
• educating the wider ICANN community about security threats; and
• supporting activities that preserve and enhance the security, stability and resiliency of the DNS.

In addition to making substantial financial commitments in direct support of these important efforts, Verisign has been deeply involved and helped lead their implementation, including the development of the newly proposed registry and registrar contract amendments. From the outset, we also have been committed to participating in and supporting the multi-stakeholder work of the ICANN community in helping to inform and develop new policies necessary to reduce online harms within ICANN’s remit.

Verisign, along with ICANN and our contracted party colleagues, are all proud to play a leading role in advancing this latest work on DNS Abuse mitigation. And all involved parties remain committed to advancing continued policy work, building on this first important step in responsible industry action supported by the multi-stakeholder community and its processes. I look forward to working with ICANN, our contracted party colleagues and the broader ICANN community to continue to identify the most appropriate and pressing issues requiring further policy development and to ensure GNSO PDPs are properly scoped and executed to deliver meaningful, material and timely policy recommendations. This will help keep our distributed naming system safe, secure, resilient and trusted by the end users who ultimately rely upon us all.