News, events & blog
Three Meetings, One Message: DNS Abuse Is Reshaping the Domain Industry
DNS abuse – how neutral should a registry be?
At CENTR Jamboree, I had the opportunity to moderate a panel discussion on DNS neutrality. The discussion focused on whether a top-level domain registry should remain merely a neutral operator of technical infrastructure, or whether today’s internet environment requires registries to take a more active role in preventing abuse.
For example, we discussed how a registry should act in a situation where a domain name has been registered correctly, but from the moment of registration its name or registration pattern already suggests possible phishing or other malicious activity. In such a case, should the registry wait for confirmation from law enforcement, or can it respond earlier?
The views of European registries differed somewhat. The Norwegian and Swedish registries argued that their role is not to assess website content or determine its legality. In their view, the registry must remain a neutral infrastructure provider, and substantive decisions should only come from competent authorities.
The Dutch registry SIDN described a somewhat more active approach. They also do not act alone, but they work closely with law enforcement and respond quickly in cases where the risk is sufficiently justified. This kind of cooperation model makes it possible to stop malicious campaigns before they cause wider harm.
Estonia’s view also fit well into this discussion. For years, we have considered strong cooperation with law enforcement, CERT-EE, and other competent authorities to be essential. DNS abuse often spreads within minutes or hours, and in such situations speed is just as important as legal certainty. A registry should not decide on the legality of web content on its own, but well-functioning cooperation makes it possible to respond quickly and proportionately.
By the end of the panel discussion, one common view had emerged: cooperation between registries and public authorities will become even more important in the future. If the sector itself is unable to act effectively enough in preventing and mitigating DNS abuse, pressure may grow at the European level to regulate registry activities in more detail.
Measuring DNS abuse and building trusted cooperation
The same topic continued at Nordic Domain Days 2026, but from a more practical angle. Several presentations focused on how to measure DNS abuse more effectively and what tools could be used to detect malicious campaigns earlier.
NetBeacon Institute gave an interesting overview of its tools and platform, which help registries and registrars better understand DNS abuse patterns and assess how different interventions actually make an impact. The presentation highlighted that phishing and mass registration campaigns are concentrated among a relatively small number of registrants and registrars. At the same time, it was emphasized that the impact of abuse mitigation is not always easy to measure. It is often difficult to determine clearly which party’s action led to the shutdown of a specific malicious domain.
One particularly positive insight from NetBeacon’s statistics was that the risk of abuse in the .ee zone remains low. One important reason for this is the continued use of strong identity verification when registering domains, such as Smart-ID, Mobile-ID, the eeID service, and others. When a registrant’s identity is verified at an early stage, it significantly reduces the possibility of anonymous or malicious registrations and helps prevent DNS abuse before it can materialize. This once again confirms that preventive measures and high-quality registration data are just as important for internet security as later response measures.
The Trusted Notifier Network initiative was also introduced. Its aim is to strengthen cooperation between trusted notifiers, registries, and registrars. The idea is simple: when high-quality DNS abuse reports reach the right parties more quickly, and when those reports are processed according to common principles, malicious campaigns can be stopped much faster. In my view, this initiative also strongly confirms the main conclusion that emerged at CENTR Jamboree: alongside technical solutions, trusted cooperation between registries, registrars, law enforcement, and other stakeholders is becoming increasingly important in preventing DNS abuse.
ICANN is already shaping global rules
While Nordic Domain Days focused on practical tools and cooperation models, DNS abuse at ICANN83 was discussed from the perspective of global policymaking.
ICANN is currently running the GNSO DNS Abuse Mitigation Policy Development Process (PDP), which aims to supplement the existing DNS abuse policies in the gTLD space. Today, registrars of generic top-level domains are already required under ICANN rules to take action against a malicious domain when they receive a justified DNS abuse report. What is now being discussed is whether this obligation should be extended to other domains linked to the same registrant. This is being considered through the principle of so-called Associated Domain Checks.
The question here is whether registrars should be required to review other domains connected to the same registrant after one of their domains has been confirmed as malicious. As noted, the current system operates largely on a domain-by-domain basis. If a domain used for phishing or malware distribution is taken down, no ICANN policy currently requires the registrar to automatically check whether the same registrant controls dozens or even hundreds of similar domains. This is the policy gap that is now being addressed. The aim is to move from handling a single malicious domain to disrupting an entire malicious campaign, while at the same time preserving sufficient legal safeguards for legitimate registrants.
For me, one particularly interesting observation here is that compared to country code top-level domains (ccTLDs), the activities of generic top-level domains (gTLDs) are already regulated in much greater detail when it comes to DNS abuse. ccTLD registries have significantly more flexibility in shaping their own practices, whereas in the gTLD space the development is moving increasingly toward uniform obligations. This is actually a very different perspective and approach within the domain industry, which is why I am following the development of Associated Domain Checks with great interest, and whether ccTLDs may eventually take inspiration from it as well.
The root zone – the future of the internet’s most important infrastructure
One of the most interesting discussions at ICANN83 for me concerned the management of the root zone. This is not an issue that needs an urgent solution today; on the contrary, the internet’s root zone has functioned very stably for decades. Precisely because of that, it was considered important to discuss how to ensure the sustainability of this system for the decades ahead.
The discussions covered the future of the Root Server System Advisory Council, its governance model, and how the funding and management of root servers should evolve in the future. Questions were also raised about what principles should apply when adding or removing root servers, how their reliability should be assessed, and how to respond to possible security incidents.
An interesting insight also came from a live audience poll during the session. The most important future topics were seen to be transparency in root server governance, clear criteria for adding or removing them, the funding model, and the principles for reporting security incidents. Although this is not an urgent problem, the overall impression was that the community expects gradual progress in this area, along with greater clarity at the policy level as well — for example, so that each registry could freely make its own choices.
Three meetings, one shared direction
CENTR Jamboree, Nordic Domain Days, and ICANN83 clearly showed that the domain industry is moving increasingly toward preventive cooperation and a risk-based approach. Just a few years ago, discussions mainly focused on who is responsible for DNS abuse. Today, the focus has already shifted to practical solutions for how to detect malicious activity faster, share information more effectively, and act before the damage becomes widespread.
Registries remain a vital part of the internet’s technical infrastructure. At the same time, it is clear that society’s expectations regarding their role are growing, and cooperation with law enforcement, registrars, and other stakeholders is becoming increasingly important. Based on these three meetings, it can be said that DNS security is no longer merely a technical issue: it has become one of the central legal and policy questions in the international domain industry.
See the latest news and blogs:
News
Security
When Meta goes down, your business should not disappear with it
Last Friday's Meta outage was short, but it was a useful warning for every business that depends too heavily on social platforms. On June 12, Facebook and Instagram experienced service disruptions, in addition problems with Ads Manager tools as well. For some brands, that meant reduced visibility, interrupted campaigns, delayed communication: a reminder that they do not actually control the platforms where much of their audience lives.
News
CENTR
EIF’s Head of Development to Lead CENTR Task Force on Business Data Verification in Domain Registries
The Estonian Internet Foundation is pleased to share that our Head of Development, Timo Võhmar, has taken on a leadership role in the new CENTR task force focused on data verification of business entities in the domain registry.
News
EuroDIG
EuroDIG: the cornerstones of the internet’s future are trust, cooperation, and digital sovereignty
On 26–27 May, the European Dialogue on Internet Governance, EuroDIG 2026, took place in Brussels. This was the 19th edition of the forum, and this year’s focus was Europe’s role in shaping the future of the internet. The event was hosted by EURid, the .eu domain registry, which also celebrated its 20th anniversary as part of the occasion.