Changes

Line 48: Line 48:  
* Technical specifications regarding WHOIS and IPv6; and
 
* Technical specifications regarding WHOIS and IPv6; and
 
* Requirements regarding DNS abuse and security threat reporting.<ref>[https://www.icann.org/en/system/files/files/audit-plan-2013-raa-31mar16-en.pdf ICANN.org - 2013 RAA Audit Plan Scope] (PDF)</ref>
 
* Requirements regarding DNS abuse and security threat reporting.<ref>[https://www.icann.org/en/system/files/files/audit-plan-2013-raa-31mar16-en.pdf ICANN.org - 2013 RAA Audit Plan Scope] (PDF)</ref>
 +
 +
===Registry Agreement Audit Rights===
 +
The base [[Registry Agreement]], created in advance of the [[New gTLD Round]], grants ICANN or its subcontractor the right to perform "contractual and operational compliance audits" after "reasonable advance notice" has been provided to the registry operator.<ref name="basera1">[https://newgtlds.icann.org/en/applicants/agb/agreement-approved-02jul13-en.pdf ICANN.org Archive - Base Registry Agreement], as approved July 2, 2013</ref>
    
===DNS Security Threat Audits===
 
===DNS Security Threat Audits===
In 2018, Contractual Compliance announced that it intended to broaden the scope of its audit RFIs to include questions specific to RAA Section 3.18, which deals with registrars' threat prevention, reporting, and response processes. At the same time, the department updated its Registry Operators audit plan to "[review] processes and procedures related to preventing, identifying and handling of abusive domains. Specifically, testing is focused on verification of existence of technical analysis (security threats) reports and review for reports’ completeness in comparison to publicly available sources."<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2018-01nov18-en.pdf ICANN.org Archive - Contractual Compliance: March 2018 Round New gTLD Registry Audit Report], published September 2018 (PDF)</ref> This was part of a previously announced initiative to increase attention to security threats, partially in response to community and stakeholder group concerns that ICANN was not doing enough to respond to threats to the DNS infrastructure.<ref name="dnsblog">[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance: Addressing DNS Infrastructure Abuse], November 8, 2018</ref>
+
In 2018, Contractual Compliance announced that it intended to broaden the scope of its audit RFIs to include questions specific to RAA Section 3.18, which deals with registrars' threat prevention, reporting, and response processes. At the same time, the department updated its Registry Operators audit plan to "[review] processes and procedures related to preventing, identifying and handling of abusive domains. Specifically, testing is focused on verification of existence of technical analysis (security threats) reports and review for reports’ completeness in comparison to publicly available sources."<ref>[https://www.icann.org/en/system/files/files/contractual-compliance-ra-audit-report-2018-01nov18-en.pdf ICANN.org Archive - Contractual Compliance: March 2018 Round New gTLD Registry Audit Report], published September 2018 (PDF)</ref> Since approval of the first base Registry Agreement for new gTLDs, there have been DNS security-related requirements for registry operators. The July 2013 base Registry Agreement contained abuse mitigation provisions requiring registry operators to publish contact information for abuse reporting, and to take action to remove orphan glue records "when provided with evidence in written form that such records are present in connection with malicious conduct."<ref name="basera1" /> Other provisions address issues of technical security and baseline operational standards.<ref name="basera1" />
 +
 
 +
The alterations to scope were part of a previously announced initiative to increase attention to security threats, partially in response to community and stakeholder group concerns that ICANN was not doing enough to respond to threats to the DNS infrastructure.<ref name="dnsblog">[https://www.icann.org/en/blogs/details/contractual-compliance-addressing-domain-name-system-dns-infrastructure-abuse-8-11-2018-en ICANN.org Blog - Contractual Compliance: Addressing DNS Infrastructure Abuse], November 8, 2018</ref>
    
====2019 Registry Operator Audit====
 
====2019 Registry Operator Audit====
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref name="dnsblog" /> The audit was conducted over seven months, from November 2018 to June 2019.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
+
In November 2018, ICANN Contractual Compliance launched a Registry Operator Audit for Addressing DNS Security Threats.<ref name="dnsblog" /> The audit was conducted from November 2018 to June 2019, and reviewed data and reports from 1207 TLDs.<ref>[https://www.icann.org/en/announcements/details/icann-publishes-registry-operator-audit-for-addressing-dns-security-threats-17-9-2019-en CC Audit of DNS Security Threats, ICANN Announcements]</ref> The report on the audit, released in September 2019, reported that of the 1207 TLDs reviewed during the audit, "approximately five percent (5%) of the audited ROs subject to Specification 11, Section 3(b) were not performing any security threat monitoring, despite having domains registered in their gTLDs."<ref name="19audit">[https://www.icann.org/en/system/files/files/contractual-compliance-registry-operator-audit-report-17sep19-en.pdf ICANN.org - Report on the RO Audit for Addressing DNS Security Threats], September 17, 2019 (PDF)</ref> The report noted that many of the non-complying registries had a limited number of registrations:
 
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
 
<blockquote>In most of these cases, ROs cited a low number of registrations or tightly controlled and exclusively internal registration (e.g., where the gTLD has an ICANN-approved Specification 13 .brand designation). While the audit revealed that RBLs currently do not identify any threats originating from .brand gTLDs, Compliance explained to these ROs that monitoring is a contractual obligation that does not depend on the number or type of registrations. Remediation was required in all cases.<ref name="19audit" /></blockquote>
 
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
 
The report stated that, incidences of noncompliance notwithstanding, most registry operators employed good security practices.<ref name="19audit" />
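
Review bot: In the revised 2019 Registry Operator Audit paragraph, the added clause "and reviewed data and reports from 1207 TLDs" is followed in the next sentence by "of the 1207 TLDs reviewed during the audit", so the figure is now stated twice; drop one of the two. In the DNS Security Threat Audits section, the July 2013 Registry Agreement background is appended after the 2018 scope change, and the following paragraph opens with "The alterations to scope", which now has to refer back across the 2013 material. Moving the 2013 background to the start of the section would keep the chronology and the antecedent clear.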