Open Date

June 10, 2022

Close Date

June 17, 2022

Report Date

July 1, 2022

TLD

Both

Overview

Purpose: fTLD Registry Services (fTLD) is seeking comments on the Proposed Registrant Domain Name Compliance Escalation and Suspension Policy for .Bank and .Insurance. The purpose of these Policies is to provide compliance escalation notifications and ensure the transparency and predictability of the timeline for curing compliance findings. A majority of fTLD’s Advisory Council (the “Council”) and its Board of Directors (the “Board”) have voted in favor of implementing these Policies.

Current Status: Following approval at the Board meeting held 27 April 2022, fTLD is seeking public comments on the Proposed Registrant Domain Name Compliance Escalation and Suspension Policy for .Bank and .Insurance in accordance with its Policy Development Process Policy.

Next Steps: fTLD will consider and/or address comments received in the summary and analysis of comments document (the “Report”). Following the close of the comment period, fTLD will post the Report. fTLD will determine the appropriate resolution of the comments received and consult with the Council and/or Board, as appropriate, and if no further changes are needed, fTLD will implement the Policies in accordance with its Policy Development Process Policy.

Background

fTLD has five Security Requirements that Registrants must implement for their domain names (see https://www.register.bank/securityrequirements/ for .Bank and https://www.register.insurance/securityrequirements/ for .Insurance); all domain names in both zones are monitored daily for compliance. fTLD’s historical approach to notifying failures and warnings has been to email the respective Registrar, since many Registrars provide security services to their customers (i.e., Registrants); these Registrar notices continue to be sent weekly. Additionally, in February 2021, fTLD began notifying Registrants monthly about their compliance issues, which led to a significant increase in compliance with the Security Requirements. Notwithstanding the increased compliance rate in 2021, some Registrants continue to have unresolved issues despite engagement with them, or with their Registrar, on proposed remediation actions. Given that security is the bedrock of the value proposition for .Bank/.Insurance, continued non-compliance poses significant business and reputation risks for Registrants and for fTLD. As such, fTLD needs to implement this policy to ensure a consistent approach to compliance actions for Registrants who fail to remediate their security vulnerabilities (i.e., compliance findings).

Report

[to be posted within five (5) business days after the close of the Public Comment period]

2 Responses

  1. We would strongly encourage fTLD and all participating domain registrars to hold both the bank and insurance industries to the conditions set out as part of the agreement to be able to obtain either a .bank or a .insurance domain. It defies logic that any party does not resolve outstanding issues to become and continue to be compliant. The whole reason and basis for the respective domain is to strengthen their industry and the reliance of the public on industry-specific domains and the added security that goes with it. We have to believe that .bank stands for something relevant, and non-compliance by some jeopardizes the mission for all of us.

  2. We believe that the requirement to use DNS servers whose names are within the .bank or .insurance zone should be lifted. While we understand the philosophy behind this requirement, we don’t believe that this requirement actually ensures security. To the contrary, the DNS servers of a domain name registrar, which hosts hundreds or sometimes millions of domain names, are much safer than DNS servers that are set up by a registrant just for its own domain names, as indeed higher safety measures are implemented on such servers. Furthermore, using DNS servers (primary + secondary) whose names are subdomains of the hosted domain names increases the risk of service interruption, as indeed all eggs are put in the same basket. A requirement for a registrar to follow a procedure in order to have its servers authorised as servers for the .bank and .insurance zones would be much more effective.

    Furthermore, fTLD should stop directly contacting registrants (e.g. for the verification process) and should rather contact the registrars, which would then get in touch with their customers to carry out the requested verification. A registrant, who in most cases is not familiar with domain names, may not know who fTLD is or may take any e-mail from fTLD for spam or a phishing attempt. To the contrary, this is part of the registrars’ day-to-day job.