ICANN72: DNS Abuse discussions shifting gears

2021-10-29 Blog

The DNS Abuse topic was omnipresent at ICANN 72. Webinars in prep week (At-Large Advisory Committee and ICANN Board workshops) set the stage and the tone for intense but overall balanced discussions.

In this post I am trying to capture the main lines of thought and initiatives that came out of what must have been 15 hours of meetings and as many hours of Zoom chats.

Executive summary

This is picking up speed fast.

What is this about?

The DNS Abuse discussions are not new. After a decade of arguing over ICANN’s scope to deal with this topic, most parts of the community now seem to have accepted that ICANN can be a place to discuss technical DNS Abuse. Despite the lack of a formally accepted definition of technical DNS Abuse, in all discussions the following is understood to be captured by this term: phishing, pharming, botnets, malware, and spam if spam is used as a delivery channel for one of these four harmful activities.

The limitation to these activities seems to have been stable for the last couple of meetings, despite calls from some parts of the ICANN community (e.g. gNSO Business Constituency) to reject it as a starting point for the discussions. Having originated and been fine-tuned in the contracted parties' Abuse Working Group, this list has now found its way into all conversations. For instance, in the ccNSO there seems to be agreement that possible incremental improvements to this definition do not outweigh the extra time lost to yet another review.

Why now?

The trigger for these invigorated debates is the mounting despair of the rightsholders’ community and the law enforcement agencies about the lack of publicly available WHOIS data.

Who should act?

There is an interesting problem on the table: the collective action problem. Where something impacts everybody, but there are a number of disincentives towards acting collectively, very little progress is made. This explains the increasing role of organisations outside ICANN who are filling this gap: The DNS Abuse Institute and the Internet and Jurisdiction Policy Network have become leaders in knowledge exchange, and the former even takes a proactive role in helping the industry tackle DNS Abuse. The institute plans to launch a Centralised Abuse Reporting Tool by Q3 2022.

Another phenomenon has also unlocked the whole conundrum: registries and registrars are taking steps to individually or collectively address some of the challenges outside of ICANN in order to avoid the fences put up by the ICANN mandate. The Registries and Registrars stakeholder group’s Abuse Working Group recently published a paper that provides guidance and a framework for working with trusted notifiers.

In these discussions and activities, they go way beyond the limitations set by the definition discussed earlier. Content-based action is no longer shied away from. We see this in the way large US-based operators have started to work with Trusted Notifiers and accept their reports about infringing content as a basis for deleting a domain. Rather than relying on the legal system and due process, they enforce decisions by third parties. As one participant noted: “We are very happy for them to deal with this rather than us having to waste resources”. While most ccTLDs are probably wary of that approach, this trend might create even stronger expectations to review current stances on third-party notifications. To illustrate the different approach to this problem: the above-mentioned framework for trusted notifiers finds that a low false positive rate is acceptable.

Preaching to the choir?

The fundamental flaw in the logic of most of the discussions is this: those that are ready to engage in these conversations or accept ICANN’s (e.g. DAAR) or the DNS Abuse Institute’s help are already taking action and typically have good track records and cleaner zonefiles.

For instance, when it comes to spam, yet another large-scale study leads to the clear conclusion that this problem is not so much with the ccTLD zones, but with a small group of actors, both in the nGTLD groups and with specific registrars. In some TLDs 90% of the identified abuse was registered through 1 registrar.

Yet, any regulation (think NIS2 art. 23) will have an effect on the whole industry. At several points during the discussions it was pointed out that proactive measures (such as identity verification) will create unavoidable friction in the sales channel, affecting 99% of well-intentioned registrants while hardly slowing down the bad actors.


And this is probably still the elephant in the room: ICANN continues to fail to deal more forcefully with these bad actors. ICANN’s compliance process needs more teeth. Some of the contracts - the registrar accreditation agreement in particular - need a review to make that work. Rather than shifting this discussion to ccTLDs - who consistently rate better in abuse studies - or all contracted parties, the low-hanging fruit should be picked first.

As a consequence of ICANN’s incapacity to tackle this, the whole DNS industry will be jumping through a never-ending series of hoops.

While some of these efforts by ccTLDs will have an impact, they come at a cost that might be too high for their marginal effect. Again the NIS2 data accuracy obligation is a prime example here: accurate registrant data in ccTLDs will not reduce the number of DDoS attacks, malware or state-sponsored hacking. Anyone who keeps on making these claims is willingly spreading misinformation.

What should the ccNSO be doing on DNS Abuse?

The ccNSO held a long and interactive session to find out what - if anything - the ccNSO should do in the context of these discussions.

A range of speakers (4 ccNSO Members, 1 Public Safety Working Group Member and a Contracted Parties Abuse WG member) presented ideas for ccNSO actions which were then voted upon. Some of the ideas were way outside the scope of the ccNSO (audits on abuse mitigation, maintaining centralised lists of abusive domains), and others will for sure be controversial with ccTLDs (a voluntary Code of Conduct drafted by the ccNSO). As all participants in this open session took part in the voting, the results are not reliable as a base for ccNSO actions (only about 20% of participants were ccTLDs). It was an excellent kick-start to the debate on the role of the ccNSO, but by no means an endpoint. The ccNSO Council will now prepare a proposal for discussion with ccNSO Members at ICANN 73.

ccTLDs might be just too different for a regional - let alone global - approach on this complex issue.

Links to the main DNS Abuse related sessions

Board workshop on DNS Abuse

At-Large session on Tackling DNS Abuse

GNSO: CPH DNS Abuse Work Group Community Update

ccNSO session on the role of the ccNSO in the DNS Abuse discussions Part I

ccNSO session on the role of the ccNSO in the DNS Abuse discussions Part II

GNSO: BRG - Regulation, DNS Abuse and the Next Round - dotBrand Perspectives


This blogpost was written by Peter Van Roste, General Manager of CENTR. It is part of a series of blogposts CENTR will be publishing on the ICANN72 meeting.