Secure Practices for Domain Owners

In This Document

Introduction

Domain owners or those charged with the governance of domains can reduce certain security risks by adhering to good operational practices. Most of the advice contained within this document is generic enough that it can be applied to both individual domain owners and organisations. An attempt has been made to include enough context for each practice, so that the reader can determine for themselves whether a control is appropriate and proportional to their circumstances.

Since domains can be registered once, then renewed automatically without direct interaction, it is common for individuals and organisations to forget or overlook basic security practices. Where possible the recommendations within this document should be regularly assessed as part of pre-existing security governance practices.

Registration

Domain owners should be familiar with the rules which govern the TLD within which they plan to register their domain. While detailed knowledge of policies can be sourced from advisors which specialise in domain name management, understanding the basic structure of the TLD will aid any risk assessment or obligations which may be incurred as part of domain registration.

The domain name industry

Most Top Level Domains (TLDs) use the commercial model where the Registry (or operator) of the TLD is a separate entity to the Registrar that sells or allocates a domain to domain owners (Registrants). For generic TLDs (gTLDs) this model is reasonably strict as it is enshrined in the Registry's contract with ICANN. Many country code TLDs (ccTLDs) follow this model to some extent. However some ccTLDs do not follow this model at all.

Nexus Requirements

Some TLDs or second level domains (2LDs) require that a Registrant meet certain requirements, such as a local presence within a jurisdiction or proof that you are a natural person. In some cases, material required to prove that you meet nexus requirements must be supplied to the Registrar. In other cases, a third party not directly involved in the registration process will accept the material from a registrant and in return supply a token or other proof that the Registrant supplies or is supplied during registration through mechanical means, to the Registrar.

There are security risks associated with both the supply and storage of nexus requirements. Domain owners should ensure that only material whose publication will not cause them harm, is supplied. Access to material supporting nexus requirements is often governed by the Registry's policy and may be subject to change without notice. When considering registering a domain in a TLD that requires nexus material to be supplied, Domain owners should prefer using a Registry and Registrar that fall within the same legal jurisdiction as they do.

Recommendation 1.

Domain owners should ensure that only material whose publication will not cause them harm, is supplied.

Recommendation 2.

Domain owners should prefer using a Registry and Registrar that fall within the same legal jurisdiction as they do.

Registration Contacts

Contacts must be supplied during the registration of a domain name. These contacts are used for a number of administrative activities. A domain's contacts and correspondence to them from Registrars also forms an integral part of any domain ownership or domain transfer dispute resolution process. For this reason it is important to choose an email address that is reliably hosted and in the case of an organisation, is shared by multiple team members. Domain owners must ensure that contact details are kept up to date in order to avoid missing critical operational emails for the domain.

All contact details supplied during registration can appear within a Whois or RDAP response. While Whois can be generally considered fully public, RDAP supports authenticated searches. Therefore Registries and Registrars do have some flexibility to offer contact details which might be suppressed in public, to a limited set of authenticated users. In response to concerns around GDPR, some Registries limit the amount of detail that is published. At the time of writing, the details of which information is suppressed and to which viewer, is not yet subject to a formal ICANN policy. ccTLDs, who are not required to follow any such policy when it arrives, remain free to publish all contact details that they receive. Domain owners should ensure that only contact details whose publication will not cause them harm, is supplied.

In many cases, Registrars offer private registrations. In this case, they publicise an email and physical address associated with their own organisation or a provider, while ensuring that all correspondence is forwarded to the contact supplied at Registration. Private registrations are a well established practice within the domain industry and that practice is now defined within the contract that Registrars have with ICANN. Registrars which operate within a ccTLD may offer similar services, but the constraints of such a service will vary depending on the country. Where possible and regardless of any general limits on publication of contact details, individual domain owners should use private registration.

Recommendation 3.

Choose an email address that is reliably hosted and in the case of an organisation, is shared by multiple team members.

Recommendation 4.

Domain owners must ensure that contact details are kept up to date

Recommendation 5.

Domain owners should ensure that only contact details whose publication will not cause them harm, is supplied.

Recommendation 6.

Where possible and regardless of any general limits on publication of contact details, individual domain owners should use private registration.

Protecting Against Unauthorised Transfers

Most Registries support transferring a domain from one Registrar to another. Initiating this process can be quite simple, which means the barrier to attempting to do so fraudulently, is very low. The transfer process requires that several steps occur before it is completed, therefore while initiating the process is simple, completing it is far more challenging for a malicious actor.

Registrar Lock

Most registrars will 'lock' a domain at registration. In practice this means that a status is set next to certain key information associated with the domain within the Registry database. Typically these statuses prevent the update of a domain's contact and reject any transfer requests. Since a legitimate transfer would require that the prohibition on transfer requests be removed, it is important to protect the login details to the Registrar. Preventing the update to a contact is one defense a Registrar may put in place to avoid pre-emptive actions a malicious actor might take to turn off domain transfer prohibitions. All domain owners should ensure that their domain is locked by the Registrar. At the very least this will mean that Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited is present within a Whois response for the domain.

Recommendation 7.

All domain owners should ensure that their domain is locked by the Registrar.

Multi Factor Authentication

Much of a domain's effective security is governed by settings or details stored by the Registrar. Therefore, ensuring that access to the domain management account is secure, is critically important. Individual domain owners should prefer Registrars that offer multi factor authentication and should ensure that it is enabled. Organisations should prefer Registrars that offer Single Sign On (SSO) services and ensure that their own Identity Provider enforces multi factor authentication for access to the domain management account.

Recommendation 8.

All domain owners should ensure that multi-factor authentication is required to access the domain management account of their Registrar.

Registry Lock

Some Registries offer a service that locks or prevents changes to your domain within their systems. This is a higher level of protection than Registrar Lock because there is no mechanical means of overriding the prohibition to change. Although it is implemented within a Registry's systems, the Registry Lock service is typically offered via Registrars, who then manually inform the Registry to enable or disable the service. Because of the labour involved there is typically a charge associated with changes as well as an ongoing charge. For the best possible protection against Registrar system compromise, domain owners should use Registry Lock to protect their most critical domains.

As changes are applied to the state of a domain manually and will involve at least 2 parties (Registrar and Registry), making changes to the domain will require advanced planning.

Registries deliberately implement Registry Lock in such a way that Registrars have no mechanical means to enable and disable the service. All changes are implemented manually. This guarantees a true separation of fate between Registrar and Registry systems.

Important

A few Registries do allow mechanical changes. In these cases, the protection for the domain owner is considerably lessened and domain owners may misunderstand their exposure to Registrar system compromise. The TLDs underpinned by these registries should be avoided for critical workloads as a result. At the time of writing .SE are known to implement Registry Lock in this way.

Recommendation 9.

Domain owners should apply Registry Lock to their critical domains

Recommendation 10.

For critical workloads, domain owners should avoid TLDs where Registry Lock is not adequately separated from Registrar systems.