A great guide to not screwing up your domain name management.
Earlier this month ICANN’s Security and Stability Advisory Committee released a report “A Registrant’s Guide to Protecting Domain Name Registration Accounts”. Every domain administrator at small and large businesses, as well as domain portfolio owners, should read (pdf) it.
The report basically outlines steps you should consider to avoid losing access to your domain name or having your DNS hijacked due to a domain name account compromise.
It also points out that domain names may be integral to a business, and that businesses should treat domain names and domain management accounts accordingly. While a simple statement, I find that even Fortune 500 companies are often lax on domain management; assuming their $10 .com registration will be fully protected by their registrar.
One good point that is often overlooked:
In order to protect email delivery against disruption attacks, contact email addresses for a domain should be assigned to mail servers named outside that domain and registration account. For example, if the domain example.net is managed through an account A at registrar X, use email addresses assigned from a different domain (example.biz) managed through an account B (and possibly at registrar Y). This measure prevents an attacker who succeeds in compromising a domain account from preventing delivery of notification emails by altering DNS configuration for a domain.
The report also suggests keeping different contacts for the tech, administrative, and billing contacts on a domain name. This helps maintain control of the domain name if one of the contacts leaves the organization. Better yet, these roles can be assigned to generic roles within your company, such as domain administrator with generic email firstname.lastname@example.org that can be accessed by the current person in this role.
There’s one thing in the report that raises a red flag, though. It suggests considering making a web host, ISP, etc. your technical contact. Maybe it’s a bad taste in my mouth after hearing about so many web hosts and design firms “stealing” client domains, but I wouldn’t want these entities anywhere in my whois.