Sunday, September 11, 2011

CoCCA Request for Comments: Best Practice Recommendations for Minimising Harm (and Increasing Trust) in Small ccTLDs.

Status: Draft Recommendations, posted August 17th, 2011, comment period ends September 03, 2011.
Email your comments to rfc@cocca.org.nz
 
As part of its strategic review to improve security and trust among small ccTLDs, CoCCA is seeking input from interested parties on a number of draft recommendations that reflect the views of the administrators of the Christmas Island, Norfolk Island and Heard Island and McDonald Islands TLDs (CX / NF / HM - external territories of Australia) in relation to potential practices available to registry operators seeking to limit potential harm caused by domain registrants.

The recommendations, while appropriate for small ccTLDs, may not be appropriate for large gTLDs or all ccTLDs (such as those which are better positioned to ensure appropriate controls at registrar level).

Recommendation One: "Trust but Verify". Applicants for new registrations must confirm to the registry that they agree to be bound by the registrant agreement and confirm the accuracy of contact details provided by the Registrar to the registry.

Until the Registrant or Administrative contact confirms their contact details with the Registry - and accepts the Registrant Agreement - a domain should be excluded from the DNS zone.

Rationale: The CoCCA model differs from the "classic" gTLD shared registry system in that Registrants are bound by a collateral agreement between themselves and the Sponsoring Organization (TLD manager). This collateral agreement binds them to the ccTLD AUP policy, WHOIS policy and Complaint Resolution Service.

Although registrars are required to advise registrants of the TLD policies and conditions, with the prevalence of highly automated registration systems and expansive reseller networks it cannot be guaranteed that registrants have reviewed or agreed to the policy. A challenge sent to the registrant by email from the registry ensures that new applicants are made aware of and confirm their agreement to the policies.
In response to the registry’s email notification, the registrant must visit the registry website, acknowledge acceptance of the policies and verify the accuracy of the registrar-supplied customer data.

The same process therefore gives the registry the opportunity to verify the accuracy of customer data supplied by the registrar, to use dynamically generated images as a challenge-response verification that prevents automated processes from activating domains, and to directly collect and store additional identifying information about registrants, which can be utilised to control fraud.

Recommendation Two: Ensure that registration policies and terms and conditions limit registrants’ rights to a limited licence to use (but not to sub-license the use of any portion of) the allocated SLD, subject to continuing compliance with all policies in place during that time.
Registrants must warrant they will not assign the licence or sub-license any sub-domain without:
(a) securing the sub-licensee's agreement to the T&C, AUP and all other applicable policies; and
(b) obtaining the registry's consent in writing.
Rationale: There have been cases where registrants registered a second level domain in order to set up what amounts to a third level registry, effectively sub-licensing to third parties the use of portions of their allocated second level domain.
TLD policy is generally recursive; however, combating criminal activity in a TLD is complicated if the registry has no information as to the user of the subordinate domain or any way to suspend a domain in a third level. By way of example, in the .CC registry the registrant of "co.cc" reportedly gave away tens of thousands or more subordinate domains for free, and these were reportedly often used for spam or malware. The practice of sub-licensing in an uncontrolled fashion should be prohibited.
Recommendation Three: Fast flux mitigation - queue for manual intervention any DNS modifications in excess of four in 28 days.
Rationale: This minimises a registrant’s ability to frequently redelegate a domain, in order to overcome service limitations imposed by internet service providers. Frequent redelegation may also assist a malicious user to obscure their identity.
Limiting frequent redelegations enhances the effectiveness of service termination as a sanction by an internet service provider.  In the shorter term other internet users can apply temporary IP address filters.
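One way a registry could implement the threshold in Recommendation Three is a trailing 28-day window per domain. This is an added example, not CoCCA's or pamoja's code; the class and function names, the sample events and the choice to count held requests towards the limit are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=28)  # window length from Recommendation Three
MAX_AUTOMATIC = 4            # modifications applied automatically per window


class DelegationChangeGate:
    """Applies a DNS modification or holds it for manual intervention."""

    def __init__(self):
        self._history = defaultdict(deque)  # domain -> request timestamps
        self.review_queue = []              # (domain, when, nameservers)

    def submit(self, domain, nameservers, when):
        domain = domain.lower().rstrip(".")
        history = self._history[domain]
        # Forget requests that have aged out of the trailing 28-day window.
        while history and when - history[0] >= WINDOW:
            history.popleft()
        # Assumption: held requests count as well, so repeated submissions
        # keep a domain in the manual queue until the window drains.
        history.append(when)
        if len(history) > MAX_AUTOMATIC:
            self.review_queue.append((domain, when, tuple(nameservers)))
            return "queued"
        return "applied"


def replay(events):
    """Run time-ordered (domain, day_offset, nameservers) events through a gate."""
    gate = DelegationChangeGate()
    start = datetime(2011, 9, 1)
    decisions = [gate.submit(dom, ns, start + timedelta(days=day))
                 for dom, day, ns in events]
    return decisions, gate.review_queue


# Constructed sample data: example.cx is redelegated six times in ten days and
# once more after the window has drained; steady.nf changes twice, 30 days apart.
NS_A, NS_B = ["ns1.a.example"], ["ns1.b.example"]
SAMPLE_EVENTS = [
    ("example.cx", 0, NS_A), ("steady.nf", 1, NS_A), ("example.cx", 2, NS_B),
    ("example.cx", 4, NS_A), ("example.cx", 6, NS_B), ("example.cx", 8, NS_A),
    ("example.cx", 10, NS_B), ("steady.nf", 31, NS_B), ("example.cx", 40, NS_A),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```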
Recommendation Four: Require manual intervention by the registry operator before domains that contain various strings such as "bank", "secure", "PayPal" etc., go into the zone.
Recommendation Five: Establish and act upon the results of a regular poll against one or more trusted databases for phishing sites operating (in second level or subordinate domains) within the ccTLD. Phishing activity most often occurs through a subordinate domain, rather than a directly registered second level domain. For this reason the registry should query for any wildcard occurrence of a domain that has been flagged as a phishing site or one that contains malware.
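The wildcard lookup in Recommendation Five amounts to mapping each flagged hostname back to the registered second level domain it sits under, matching only on label boundaries. The sketch below is an added example, not part of the CoCCA draft or of pamoja; the function names, feed entries and registered domains are constructed for illustration.

```python
from urllib.parse import urlsplit


def registered_parent(hostname, registered):
    """Return the registered domain that hostname is, or sits under, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    # Test each suffix on a label boundary: a.b.shop.cx -> b.shop.cx -> shop.cx.
    # The bare TLD is never tested, and plain substring matches are avoided.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registered:
            return candidate
    return None


def flag_domains(feed_entries, registered):
    """Map each affected registered domain to the flagged hostnames under it."""
    hits = {}
    for entry in feed_entries:
        # Feeds mix full URLs with bare host/path entries; give the latter an
        # empty scheme so urlsplit still finds the host part.
        url = entry if "://" in entry else "//" + entry
        host = (urlsplit(url).hostname or "").rstrip(".")
        parent = registered_parent(host, registered) if host else None
        if parent:
            hits.setdefault(parent, set()).add(host)
    return {domain: sorted(hosts) for domain, hosts in hits.items()}


# Constructed sample data, not taken from any real feed or zone.
REGISTERED = {"shop.cx", "example.nf"}
FEED = [
    "http://login.bank.shop.cx/verify",   # subordinate domain of shop.cx
    "http://shop.cx.evil.example/",       # contains "shop.cx" but is not under it
    "https://EXAMPLE.nf./a",              # case and trailing dot are normalised
    "http://notshop.cx/",                 # shares a string suffix, not a label
    "cdn.shop.cx/payload.bin",            # bare entry without a scheme
]

if __name__ == "__main__":
    print(flag_domains(FEED, REGISTERED))
```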
Recommendation Six: Explore the possibility of bilateral arrangements with local security agencies and law enforcement (e.g. CERT).
One form of cooperation may be early notification of malicious content by the security agency. Another form of cooperation may be the provision of user information (including historical and non-publicly available information, where available) to the security agency, to assist identification of wrongdoers.
Rationale: Having arrangements already in place between security agencies and the registry operator allows both the registry and law enforcement to react promptly to threats, minimising harm.
Recommendation Seven: Automated Suspensions (not seizure or transfer). The registrant should be given an opportunity to remedy via automated processes. Given the time-sensitive nature of criminal activity, automated suspension based on triggers / flags, or at the request of law enforcement, should be enabled.
Critical domains can be manually "Super Locked" in the registry to ensure they are not removed from the zone or suspended inadvertently by automated suspension technology.
Automated suspensions will only be initiated when required to protect the public interest or network integrity. They should not be initiated to simply protect an entity’s or individual’s intellectual or other property rights - those sorts of disputes should be dealt with via a formal complaint resolution service.
Recommendation Eight: Where commercially sensible, or where a risk factor has been identified, conduct automated and regular malware scanning of all domains (or a subset of domains) in the registry.
CoCCA's "pamoja" TLD registry solution supports the technical recommendations above. If you are a current or prospective user and need help configuring pamoja, please email software@pamoja.tl