Changes

no edit summary
Line 1: Line 1: −
The Office of '''Contractual Compliance''' is an [[ICANN]] department charged with enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and compliance audits.  
+
ICANN's '''Contractual Compliance and Consumer Safeguards''' department charged by [[ICANN]] with enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and compliance audits.  
    
==History==
 
==History==
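Review bot: The replacement lead sentence on the + line has no main verb. It reads "ICANN's '''Contractual Compliance and Consumer Safeguards''' department charged by [[ICANN]] with enforcing ...", where the removed line had "is an [[ICANN]] department charged with". It also names ICANN twice ("ICANN's ... charged by [[ICANN]]"). Suggested wording: "The '''Contractual Compliance and Consumer Safeguards''' department is charged by [[ICANN]] with enforcing ...". The revision renames the department in the lead but carries no edit summary, so a summary naming the source for the new department name would help later reviewers.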
Line 50: Line 50:     
===DNS Security Threat Audits===
 
===DNS Security Threat Audits===
 +
In 2018, Contractual Compliance announced that it intended to broaden the scope of its audit RFIs to include questions specific to RAA Section 3.18, which deals with registrars' threat prevention, reporting, and response processes. At the same time, the department updated its Registry Operators audit plan to "[review] processes and procedures related to preventing, identifying and handling of abusive domains. Specifically, testing is focused on verification of existence of technical analysis (security threats) reports and review for reports’ completeness in comparison to publicly available sources."<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2018-01nov18-en.pdf ICANN.org Archive - Contractual Compliance: March 2018 Round New gTLD Registry Audit Report], published September 2018 (PDF)</ref> This was part of a previously announced initiative to increase attention to security threats, partially in response to community and stakeholder group concerns that ICANN was not doing enough to respond to threats to the DNS infrastructure.<ref name="dnsblog">[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance: Addressing DNS Infrastructure Abuse], November 8, 2018</ref>
 +
 
====2019 Registry Operator Audit====
 
====2019 Registry Operator Audit====
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref>[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance Addressing DNS Infrastructure Abuse], November 8, 2018</ref> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
+
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref name="dnsblog" /> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
 
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
 
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
 
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
 
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
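Review bot: In the added opening paragraph under "DNS Security Threat Audits", the first reference labels the report "March 2018 Round New gTLD Registry Audit Report, published September 2018", while the linked file name ends in "2018-01nov18-en.pdf". Please check the publication date against the PDF and correct whichever is wrong. In the same paragraph, the sentence about RAA Section 3.18 has no citation of its own (the first ref follows the Registry Operator audit-plan quotation), so it needs a ref, or the dnsblog ref should be attached to it if that post is the source. "Registry Operators audit plan" would read better as "Registry Operator audit plan". Replacing the duplicate blog citation in the 2019 paragraph with the named dnsblog ref is fine, since both carried the same URL and date.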