Compliance and enforcement (2020-2021)
Part of our work in the compliance space includes contributing to InternetNZ’s .nz policy-making work and ensuring our regulated parties know and understand their obligations. We also intervene when rules are broken.
Over the past 12 months, the compliance team investigated three registrants who hold significant portfolios of domain names, many with incorrect registrant contact details. It resulted in over 200 cancellations of domain names for failure to meet .nz policy requirements. We also confidentiality settled our multi-year US litigation this year, protecting the privacy rights of .nz registrants.
Other notable compliance activities:
notification emails sent to registrars about minor compliance issues which were remedied following notification of the issues.
voluntary de-authorisations of registrars exiting the .nz domain name market.
domain records with glue record problems were found resulting in 5 delegation loops. Authorised .nz registrars were asked to fix this problem.
We have a responsibility to protect our .nz community, and we believe that our DNS abuse work demonstrates that we take our responsibility seriously. The 2020/21 year was a watershed year for our work on combatting domain name abuse. Highlights from our activities included:
We increased the number of threat feeds received ranging from infrastructure abuse prevention to identifying child sexual abuse material (CSAM) associated with a .nz domain name.
Networks, memberships and partnerships — for example, participation in the CSAM Referral Discussion Group at ICANN, the Cyber Threat Coalition and liaison with the DNS Abuse Institute.
Custom tool improvements — enhancements to our fake webshop algorithm and updates to our clean DNS system to give us early warning signs of issues for compliance action.
Due process and transparency:
The Commission is dedicated to natural justice and procedural fairness principles. Due process means notice and an opportunity to be heard regarding the undelegation of a domain name. Each year the Commission produces an annual transparency report with key metrics related to suspensions and privacy.
Domain name suspensions and cancellations
The Commission, on occasion, suspends domains following notification from CERT NZ, law enforcement agencies and members of the public after first attempting to validate a registrant’s contact details.
Partnership work is critical to our online safety measures. We work closely with the online safety and the law enforcement community to disrupt individuals and companies who try to operate in the .nz domain space.
There were 813 .nz domain name suspensions in 2020/2021 compared to 445 in the previous financial year.
There are four organisations that regularly report fake registrant details for the Commission to validate.
The number of domain name suspension requests that didn’t result in a suspension was 413 — up from 325 in the previous year. Reasons for domains not resulting in suspension included the registrant was contactable, the registrant validated their identity, or the registrar had already suspended the domain name.
Of the 813 suspensions, 75 were reversed following successful validation. A suspension is reversed if the registrant can confirm their identity and contact details.
The Commission in November 2020 introduced another layer of identity validation through our independent service provider validate.com. Of the 88 domains put through validate.com between November 2020 and March 2021, only 24 successfully passed our additional due diligence, a 27% success rate.
2,503 URLs, as distinct from domain names (the majority of which related to a single .nz domain name), were reported to us by our partner Internet Watch Foundation for CSAM. These reports were forwarded to our MOU partner DIA as candidates for investigation and any necessary regulatory and criminal action.
Clean DNS anti-abuse program
We run an iThreat Clean DNS dashboard to streamline our abuse monitoring.
There were 406 newly reported .nz domain names and 268 existing .nz domain names from last year that reported new abusive activity. These were captured and analysed by DNCL staff. Only 1% of these reached the basic threshold for abuse escalation and had evidence or corroboration requiring data validation. The majority were flagged for infrastructure or registration domain name abuse.
We continue to look at the volume and lifetime of domains to understand patterns and trends. In the 2021-2022 reporting year, we will demonstrate our clean DNS system to .nz authorised registrars and build on our approaches to combat domain name abuse.
Policy work: .nz policy review and .iwi.nz consultation
The Commission contributed to InternetNZ’s delivery of an independent end to end review of .nz policies. Far from repeating earlier policy review findings, the report marked a new era in the history of .nz policy formation with an advisory panel making 53 recommendations to InternetNZ for reform in the .nz domain namespace. In addition to our public submissions on the review, we spent a significant amount of time planning business process work to implement the panel's recommendations in 2022.
Together with the moderator of the .iw.nz domain namespace, we also participated in two online hui with registrants of this space. As a result of consultation, the .iwi.nz moderation policy was amended to allow more rangatiratanga and protection to iwi.nz.
A conflicted domain name is a domain name available on .nz but unable to be registered until issues with its counterparts are resolved.
2020 started with 2151 conflicted domain names and finished with 1945. A majority of this decrease was due to current domain name registrations lapsing, thereby resolving the conflict set without any conflict resolution.
In the 2020/2021 financial year, the Domain Name Commission started following up with parties who were self-conflicted (held all the registrations for the conflicted domain name). Under .nz policy, if parties are self conflicted, then they are required to resolve the conflict. We expect that a further 300 self-conflicted domain names will be resolved in the coming year and released for registration.
It will leave fewer than 1650 conflicted domain names, many of which are short, generic domain names. A sample of these domain names will be candidates for resolution through our online dispute resolution pilot that is being implemented in 2021.
Case Study: COVID-19 pandemic response
We closely tracked new domain registrations over the course of the COVID-19 outbreak to identify and disrupt those seeking to use fake registration details to take advantage of people during this pandemic.
We also worked closely with our existing partners CERT NZ and the Digital Safety Office at the Department of Internal Affairs, to keep informed of threats to the .nz domain namespace.
Using our existing tools, we suspended any domains we identified as suspicious — via a combination of manual and automated checks — at the point of registration before seeking assurances from the registrant.
We greatly appreciated the patience and understanding with which the registrar and wider registrant community greeted this more active monitoring. For more information about the way we handled COVID-19 related domain names, see our COVID-19 hub pages.
Case Study: fake webshops
A fake webshop is an online shop that claims to sell products, but either doesn't deliver or delivers counterfeit goods while taking a user’s money. They are hosted to capture the user's payment information and even directly take payment from the user.
Fake webshop reports to us increased from 222 in 2019/20 to 411 in 2020/21. This increase was driven primarily by one external reporting provider. They reported over 130 .nz domain names and had a 95% cancellation success rate for fake registration details. They have become our most frequent partner, and we value that they also include a full report as to why they are referring a domain name to us, including evidence like screenshots.