[ALAC] The SSAC has published SAC125

Matthias M. Hudobnik matthias at hudobnik.at
Sat May 18 10:21:27 UTC 2024 

Hi colleagues, the SSAC has published SAC125.

 

### SSAC Report on Registrar Nameserver Management (SAC125):

 

The report focuses on a specific type of sacrificial nameserver where the parent domains of the renamed host objects are considered unsafe because they are registrable. This introduces a new attack surface for domain resolution hijacking, as malicious actors can exploit these unsafe sacrificial nameservers to gain unauthorized control over dependent domains, leading to manipulation or disruption. As of September 2020, this practice had inadvertently exposed over 500,000 domains within generic top-level domains (gTLDs) to resolution hijacking risk, resulting in over 163,000 domains falling under unauthorized control.

 

The report explores potential solutions to remediate exposed domains and prevent the creation of new unsafe sacrificial nameservers. Remediating exposed domains involves registrants, registrars, and registries, but coordination efforts face challenges like awareness, technical capability, and liability concerns. To prevent the risk, two primary categories of solutions are examined:

 

1) granting registrars more flexibility to delete host objects of expired domains, eliminating the need for sacrificial nameservers altogether, or

2) standardized renaming methods for sacrificial nameservers so their parent domains are not registrable.

 

Recognizing the need for balance between operational efficiency, security, and minimization of unintended consequences, the SSAC recommends a multifaceted approach:

 

·         Recommendation 1: The registry and registrar communities should collaborate to develop and implement a comprehensive code of conduct to mitigate the risks associated with registrable sacrificial nameservers.

·         Recommendation 2: ICANN org should design, develop, and regularly publish aggregated statistics on the prevalence of unsafe sacrificial nameservers and the effectiveness of mitigation measures.

·         Recommendation 3: ICANN org should directly engage with registries and registrars to assist in mitigation and prevention efforts based on the insights from Recommendation 2.

 

Link to the report: https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee-ssac-reports/sac-125-09-05-2024-en.pdf. 

 

Have a nice day!

Best,

Matthias

 

______________________________

Ing. Mag. Matthias M. Hudobnik

FIP • CIPP/E • CIPT • DPO • CIS LA

matthias at hudobnik.at

http://www.hudobnik.at

@mhudobnik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://atlarge-lists.icann.org/pipermail/alac/attachments/20240518/3536c2fc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL: <https://atlarge-lists.icann.org/pipermail/alac/attachments/20240518/3536c2fc/openpgp-digital-signature.asc>

More information about the ALAC mailing list