ICANN (Internet Corporation for Assigned Names and Numbers) is the not-for-profit organization in charge of setting the policies that govern domain name sales, distribution, management, protection and disputes. Domain name transfer policies (moving a name from one person, company or organization to another) also fall under the authority of ICANN.
It’s this last area of ICANN authority that should concern you the most, because if you don’t follow the rules you may lose your domain names. The following excerpts are taken from SAC044: A Registrant’s Guide to Protecting Domain Name Registration Accounts, a report from the ICANN Security and Stability Advisory Committee (SSAC) published on November 05, 2010.
Failure to Renew a Domain Name Registration
A renewal lapse occurs when, by choice or oversight, a registrant allows a domain name registration to expire. A different party may register the domain name after the expiration of relevant grace periods. In some cases, the activities of the new registrant may prove harmful to the interests of the registrant who permitted the registration to expire. In other cases, the registrant may lose the domain name and be forced to find another domain name (thereby absorbing the costs of switching to a new domain name) or to pursue a potentially costly and time-consuming dispute resolution process to regain control of the domain name.
Non-renewal of a Domain Name Associated With a DNS Name Server
Problems may arise when the registrant of a domain name A uses a DNS name server in domain B for domain name resolution, and the registrant of domain name B accidentally or intentionally allows its domain name registration to expire. In circumstances where coordination across well-intentioned parties is lost, the expected resolution of domain A may be interrupted or may become unpredictable due to A’s dependence on the name server in domain B; in other circumstances, a new registrant of domain B may configure domain A’s DNS information for malicious purposes, including phishing attacks, email interception, and redirection of Internet users to different websites with different and possibly harmful content. While domain A can be restored to proper function by updating the registry with a new name server (perhaps on domain A or C), this can present operational challenges to accomplish in the extreme short term.
In both of these cases (failure to renew a domain name registration, non-renewal of a domain name associated with a DNS name server), the responsibility falls on you, the domain name registrant, to ensure that all of your contact information is correct so that your registrar can reach you before a registration lapses. Do not rely on a single reminder email: keep your own record of expiry dates for every domain you depend on, including the domains that host your name servers. What should you do?
Use Separate Identities for Registrant, Technical, Administrative, and Billing Contacts
Consider creating unique points of contact for registrant, technical, administrative, and billing contacts. Identifying multiple points of contact offers an organization some protection in situations where a single contact is provided for all roles and that contact ceases to be employed by an organization, or in a circumstance where the only identified contact is not available to resolve a problem or respond to a reported abuse of the domain name. Distinct points of contact also offer some diversity in managing domain names. Each of these contacts can represent departments or divisions in an organization that are responsible for some aspect of domain name management. For example, while legal staff or an IP&T department may be best suited to manage the registrant role, IT may be best suited to manage the technical role, corporate communications may be best suited to manage the administrative role, and finance best suited to manage the billing role.
Small businesses can seek assistance from web hosting companies, ISPs, resellers, or registrars to apply this kind of diversity. Provide your business entity contact as the registrant contact information to retain your association with the domain. Use your business entity contact as the billing contact as well to ensure you receive payment requests. A small business may want to consider identifying its web hosting company, ISP, reseller, or registrar as the technical or administrative contact. Such external parties often have stronger internal controls and may be better able to track changes or resolve technical problems than the small business could on its own.
Incorporate Registrar Email Correspondence into Domain Management
Ask your registrar for a list of correspondence routinely issued by email, and consult with your registrar to determine which of your email contacts is used for routine correspondence. Use your email system to route correspondence to the organization’s point of contact that is responsible for responding to or taking action. For example, consider whether you can route registrar email correspondence so that your technical contact receives DNS configuration change notices, your legal department receives renewal and WHOIS accuracy notices, etc.
Identify Domain Name Registration Points of Contact by Role
In cases where a domain name is registered to an organization (business entity), consider creating points of contact that do not create a relationship between the domain name and any natural person or employee. This action may help an organization avoid disputes over ownership of a domain.
Add Diversity to Email Contacts to Reduce Single Points of Failure or Attack
SAC040 explains how email is an important form of contact for registrars for routine correspondence and notifications, and that attackers attempt to defeat this popular form of automated notification when they compromise a domain name registration account. Specifically, when an attacker succeeds in compromising a domain registration account, he will attempt to block delivery of email notifications to targeted registrants by altering DNS configuration information so that email notifications will not be delivered to any recipient in the domains the attacker controls through a compromised account (e.g., registrant’s identified administrative or technical contact email addresses hosted in the domain).
Access to all the domains in a domain name registration account is commonly granted through a single user account. This access also allows an attacker to modify contact and DNS configuration information for all domains managed through the user account. Thus, if Example Networks, Inc. manages the domains example.net, example.com, and example.biz from the same domain name registration account and that account is compromised, the attacker can alter DNS and block delivery of mail to all of these domains.
Registrants should consider the benefits of using mail domains for contact emails that are managed separately from the domains that can be accessed from an individual domain registration account so that an attacker cannot interfere with a registrar’s ability to contact the registrant. Registrants should also consider other measures to mitigate this threat. For example, a registrant could distribute its domain name registrations across multiple domain name registration accounts (and possibly across different registrars). Example Networks, Inc. could manage example.com using account “examplenetworks1” and example.net using account “examplenetworks2”. Email addresses for points of contact for example.com could then be assigned from a mail domain operated under example.net. Similarly, email addresses for points of contact for example.net could be assigned from a mail domain operated under example.com. Registrants who do not want to rely on email notifications are encouraged to consult with registrars to determine whether they can receive change notifications through alternative communications methods (telephone, fax, SMS).
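The two dependencies described above (a zone whose name servers live in a domain someone else can let lapse, and contact mailboxes that an attacker who compromises the registration account can silence by editing DNS) can be checked mechanically across a domain portfolio. The following Python script is an added example written for this page; it is not code from SAC044, ICANN or any registrar. The DomainRecord and Finding types, the audit_portfolio function, the "keep the last two labels" rule for registrable domains, and the sample portfolios (modelled on the Example Networks, Inc. scenario in the excerpt) are all constructed for the example.

```python
"""Portfolio audit for two single points of failure described in SAC044:
contact mailboxes hosted in a domain the same registrar account controls,
and name servers hosted in domains outside the registrant's portfolio.
Names (DomainRecord, Finding, audit_portfolio) and all sample data are
constructed for this example; they are not from SAC044 or any registrar."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class DomainRecord:
    name: str                      # registered domain, e.g. "example.com"
    name_servers: list[str]        # NS hostnames in the registry delegation
    contacts: dict[str, str]       # role -> contact email address


@dataclass(frozen=True)
class Finding:
    account: str
    domain: str
    kind: str    # "contact-mail-in-same-account" | "external-ns-dependency"
    detail: str


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname or mail domain.
    Simplification (assumption): keep the last two labels.  Production code
    should consult the Public Suffix List so that 'ns1.example.co.uk'
    maps to 'example.co.uk' rather than 'co.uk'."""
    labels = host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def mail_domain(address: str) -> str:
    return registrable_domain(address.rsplit("@", 1)[1])


def audit_portfolio(accounts: dict[str, list[DomainRecord]]) -> list[Finding]:
    """Walk every registrar account and report:
    - a contact address whose mail domain is registered in the SAME account:
      whoever compromises that account can edit the mail domain's DNS and
      silently drop the registrar's change/renewal notices;
    - a name server whose domain lies outside the registrant's whole
      portfolio: if that third-party domain lapses, resolution of this zone
      breaks or can be hijacked by the domain's next registrant."""
    owned_anywhere = {d.name.lower() for ds in accounts.values() for d in ds}
    findings: list[Finding] = []
    for account, domains in accounts.items():
        owned_here = {d.name.lower() for d in domains}
        for rec in domains:
            for role, address in sorted(rec.contacts.items()):
                if mail_domain(address) in owned_here:
                    findings.append(Finding(account, rec.name,
                                            "contact-mail-in-same-account",
                                            f"{role} contact {address}"))
            ns_domains = {registrable_domain(ns) for ns in rec.name_servers}
            for nsd in sorted(ns_domains - owned_anywhere):
                sole = len(ns_domains) == 1   # every NS sits in one foreign domain
                findings.append(Finding(account, rec.name,
                                        "external-ns-dependency",
                                        f"name servers in {nsd}"
                                        + (" (all of them)" if sole else "")))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


# Constructed sample: everything in one account, all contacts hosted inside it.
BEFORE = {
    "examplenetworks": [
        DomainRecord("example.com", ["ns1.example.com", "ns2.example.com"],
                     {"admin": "admin@example.com", "tech": "hostmaster@example.com"}),
        DomainRecord("example.net", ["ns1.example.com", "ns2.example.com"],
                     {"admin": "admin@example.com", "tech": "hostmaster@example.com"}),
        DomainRecord("example.biz", ["ns1.dnshost.example", "ns2.dnshost.example"],
                     {"admin": "admin@example.com"}),
    ],
}

# Constructed sample of the layout the excerpt suggests: two accounts, each
# domain's contacts hosted in the domain the OTHER account controls.
AFTER = {
    "examplenetworks1": [
        DomainRecord("example.com", ["ns1.example.com", "ns2.example.com"],
                     {"admin": "admin@example.net", "tech": "hostmaster@example.net"}),
    ],
    "examplenetworks2": [
        DomainRecord("example.net", ["ns1.example.net", "ns2.example.net"],
                     {"admin": "admin@example.com", "tech": "hostmaster@example.com"}),
    ],
}

if __name__ == "__main__":
    for label, portfolio in (("before", BEFORE), ("after", AFTER)):
        found = audit_portfolio(portfolio)
        print(f"{label}: {summarize(found)}")
        for f in found:
            print(f"  [{f.kind}] {f.account}/{f.domain}: {f.detail}")
```

Run against the single-account layout, the audit reports five contact addresses the attacker could silence and one zone (example.biz) whose name servers all sit in a third-party domain; the split layout produces no findings. Feed it real data by exporting the domain list and contacts from each registrar account and the NS set from the registry delegation (for example the output of `dig +short NS example.com`), and replace the two-label rule with a Public Suffix List lookup before trusting results for ccTLDs.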
Individuals or small businesses can implement a similar defensive measure. Create email accounts for points of contact through an email service provider that has earned a positive reputation for managing its mail service.
Keep Key Email Accounts Secure
Email is an important component of registrant-registrar communication. Key email accounts receive registrar notifications and registration account password reset/recovery messages and thus should only be accessed by authorized parties. Maintain the security of key email accounts by strengthening client authentication. Use encryption (TLS extensions for SMTP) to protect mail client-server communications from eavesdropping. Maintain secure operations at the mail server that hosts key email accounts as well. For example, mail servers that host key email accounts should be Internet standards compliant. Consider adopting some form of email reputation, data integrity or authentication system and follow best sender, forwarding, and antispam practices published by such organizations as the Messaging Anti-Abuse Working Group (MAAWG) and the Anti-Phishing Working Group (APWG) so that your mail servers will not be reported to spam blacklists.