The Organization Behind the Internet's Safety Net — Explained
From DNS Security and Root Zone Integrity to Abuse Mitigation and Global Policy — Here Is Everything ICANN Does to Keep the Internet Safe
Every time you open a browser, send an email, or use any internet-connected service, a complex chain of infrastructure decisions is working silently in the background to make sure you reach the right destination — and that bad actors cannot intercept, redirect, or impersonate what you are accessing.
ICANN — the Internet Corporation for Assigned Names and Numbers — sits at the heart of that infrastructure. It is not a government, not a corporation, and not a security firm. It is a nonprofit, multi-stakeholder organization whose decisions shape the technical security of the entire global internet.
So how exactly does ICANN improve internet security? The answer is broader, deeper, and more consequential than most people realize. This guide covers every major dimension of ICANN’s contribution to internet security — from cryptographic root zone management to DNS abuse policy to global security advisory work.
| 💡 The Short Answer: ICANN improves internet security through six interlocking pillars: DNS Root Zone security via DNSSEC, DNS abuse mitigation through registrar and registry contracts, registrar accreditation standards, WHOIS/RDAP data accuracy enforcement, the Security and Stability Advisory Committee (SSAC), and global security coordination through its multi-stakeholder community. |
ICANN’s Security Mandate: What It Is and What It Is Not!
To understand how ICANN contributes to internet security, you first need to understand the boundaries of its mandate. ICANN is not a cybersecurity agency. It does not investigate cybercrime, deploy antivirus software, or monitor individual users. Its security role is specifically focused on the security, stability, and resiliency of the internet’s unique identifier systems — the domain name system (DNS), IP address allocation, and Autonomous System (AS) numbers.
Within that mandate, however, ICANN’s security work is remarkably powerful. The DNS is the internet’s address book — the infrastructure that makes every website, every email, and every connected service reachable. Securing the DNS means securing the foundational layer that everything else on the internet depends on.
| 📌 ICANN’s Security Scope: ICANN’s security mandate covers: (1) DNS Root Zone integrity via DNSSEC; (2) DNS abuse prevention via registry and registrar contractual requirements; (3) WHOIS/RDAP data accuracy for security investigations; (4) Registrar accreditation standards; (5) Security advisory through SSAC; and (6) Coordination with law enforcement and security researchers. |
The Six Ways ICANN Improves Internet Security
1. DNSSEC: Signing the Root of the Internet’s Trust Hierarchy
The single most significant security contribution ICANN makes to the internet is managing the DNSSEC Root Zone Key Signing Key (KSK) — the master cryptographic key at the apex of the entire global DNS trust hierarchy.
Without DNSSEC, the DNS is vulnerable to cache poisoning attacks that can silently redirect users to fraudulent websites. ICANN, through its IANA functions, generates and secures the Root KSK in tamper-resistant Hardware Security Modules at two geographically separate Key Management Facilities. Four times per year, ICANN conducts publicly witnessed, live-streamed Root KSK Signing Ceremonies where the KSK is used to sign the Zone Signing Key (ZSK), which in turn signs the DNS Root Zone.
ICANN also contractually requires all new gTLD registry operators to sign their zones with DNSSEC under the Registry Agreement — extending the chain of trust from the root through every ICANN-contracted TLD.
- Root Zone signed by ICANN on July 15, 2010 — foundational moment for global DNS security
- Root KSK Rollover coordinated by ICANN in 2018 — first-ever replacement of the Root Trust Anchor
- Signing ceremonies conducted 4x per year, witnessed by Trusted Community Representatives globally
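The chain of trust described above is linked zone to zone by DS records: the parent publishes a digest of the child's key-signing DNSKEY. The following added example (not code from ICANN or from this article) computes the RFC 4034 key tag and SHA-256 DS digest for a DNSKEY and checks a DS against it. The key and the name example.test are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real key: a 64-octet "public key" for algorithm 13
# (ECDSA P-256) on the reserved name example.test, with the KSK flags value 257.
SAMPLE_OWNER = "example.test."
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = (257, 3, 13, SAMPLE_KEY_B64)  # flags, protocol, algorithm, key


def name_to_wire(name):
    """Owner name in canonical DNS wire format: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("DNS label longer than 63 octets")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 2-octet flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += (octet << 8) if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, dnskey):
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    rdata = dnskey_rdata(*dnskey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), dnskey[2], 2, digest)


def check_ds(owner, dnskey, ds):
    """Return the reasons a DS does not bind to this DNSKEY (empty list = match)."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        return ["only digest type 2 (SHA-256) is handled in this example"]
    want = make_ds(owner, dnskey)
    problems = []
    if not dnskey[0] & 0x0001:
        problems.append("DNSKEY lacks the SEP flag that by convention marks a KSK")
    if tag != want[0]:
        problems.append(f"key tag {tag} != computed {want[0]}")
    if alg != want[1]:
        problems.append(f"algorithm {alg} != DNSKEY algorithm {want[1]}")
    if digest.replace(" ", "").upper() != want[3]:
        problems.append("digest does not match SHA-256(owner name | DNSKEY RDATA)")
    return problems


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("DS to publish in the parent zone:", *ds)
    print("problems:", check_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

A DS left in the parent zone after the child's key has been replaced fails the digest check here, and validating resolvers then treat the zone as bogus.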
2. DNS Abuse Mitigation: Contractual Enforcement Against Malicious Use
DNS abuse — the use of domain names to enable phishing, malware distribution, botnet command-and-control, and spam — is one of the internet’s most persistent security threats. ICANN addresses this through binding contractual requirements in its Registry Agreements and Registrar Accreditation Agreements (RAA).
The 2013 RAA — the contractual framework between ICANN and all accredited domain registrars — introduced significantly strengthened security requirements, including obligations for registrars to maintain current and accurate WHOIS data, implement measures against DNS abuse, and respond to documented security threats within defined timeframes.
In 2021, ICANN introduced the DNS Abuse Framework — a policy document establishing shared definitions of DNS abuse and minimum standards for registry and registrar response. Key obligations include:
- Registries must implement abuse mitigation policies and publish contact information for security incident reporting
- Registrars must act on documented reports of malicious domain use within contractually defined response windows
- ICANN’s Contractual Compliance team investigates and enforces non-compliance, with sanctions up to termination of accreditation
- Registry operators must publish an anti-abuse policy that is publicly accessible and actionable
3. WHOIS and RDAP: Enabling Security Investigations
WHOIS — and its modern successor RDAP (Registration Data Access Protocol) — is the database of domain name registration information. For security researchers, law enforcement, and abuse handlers, accurate WHOIS/RDAP data is an essential investigative tool for tracing malicious domains to their operators.
ICANN’s security contribution here is twofold: it requires registrars to collect and maintain accurate registration data as a condition of accreditation, and it manages the policy framework that balances access to that data against privacy considerations (including GDPR compliance in Europe).
ICANN’s SSAC has published extensive advisories on the security implications of inaccurate WHOIS data, and ICANN’s Compliance team conducts regular WHOIS accuracy programs, issuing a Notice of Non-Compliance to registrars with systematically inaccurate data. RDAP, deployed progressively since 2019, provides a more structured, machine-readable format for registration data, which improves the speed and reliability of security investigations.
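To show what the structured RDAP format gives an abuse handler, here is an added example (not ICANN's code or the author's) that extracts the registrar, its abuse contact, the transfer-lock status and the DNSSEC delegation flag from a domain response. The response is constructed in the RFC 9083 layout with made-up values, and no network access is made.

```python
import json

# Constructed RDAP domain response (RFC 9083 layout); every name, handle and
# address below is made up for illustration and uses reserved example names.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "example.test",
 "status": ["client transfer prohibited", "active"],
 "events": [
   {"eventAction": "registration", "eventDate": "2024-01-15T09:30:00Z"},
   {"eventAction": "expiration", "eventDate": "2026-01-15T09:30:00Z"}],
 "secureDNS": {"delegationSigned": true},
 "entities": [{
   "objectClassName": "entity", "handle": "REGISTRAR-EXAMPLE",
   "roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Registrar, Inc."]]],
   "entities": [{
     "objectClassName": "entity", "roles": ["abuse"],
     "vcardArray": ["vcard", [
       ["version", {}, "text", "4.0"],
       ["fn", {}, "text", "Abuse Desk"],
       ["email", {}, "text", "abuse@registrar.example"],
       ["tel", {"type": "voice"}, "uri", "tel:+1.5555550100"]]]}]}]}
""")


def walk_entities(obj):
    """Yield every entity, including nested ones (abuse contact under registrar)."""
    for entity in obj.get("entities", []):
        yield entity
        yield from walk_entities(entity)


def vcard_values(entity, prop):
    """All values of one jCard property; each entry is [name, params, type, value]."""
    card = entity.get("vcardArray") or ["vcard", []]
    entries = card[1] if len(card) > 1 else []
    return [e[3] for e in entries if len(e) >= 4 and e[0] == prop]


def triage(rdap):
    """Pull out the fields an abuse handler needs before filing a report."""
    registrar, abuse_emails = None, []
    for entity in walk_entities(rdap):
        roles = entity.get("roles", [])
        if "registrar" in roles and registrar is None:
            registrar = (vcard_values(entity, "fn") or [entity.get("handle")])[0]
        if "abuse" in roles:
            abuse_emails.extend(vcard_values(entity, "email"))
    events = {e.get("eventAction"): e.get("eventDate") for e in rdap.get("events", [])}
    statuses = [s.lower() for s in rdap.get("status", [])]
    return {
        "domain": rdap.get("ldhName"),
        "registrar": registrar,
        "abuse_emails": abuse_emails,
        "registered": events.get("registration"),
        "transfer_locked": "client transfer prohibited" in statuses,
        "dnssec_signed": rdap.get("secureDNS", {}).get("delegationSigned") is True,
    }


if __name__ == "__main__":
    for field, value in triage(SAMPLE_RDAP).items():
        print(f"{field}: {value}")
```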
4. SSAC: The Security and Stability Advisory Committee
The SSAC — Security and Stability Advisory Committee — is ICANN’s dedicated technical security advisory body. Composed of independent security experts, researchers, and DNS specialists, SSAC provides authoritative advice to ICANN’s Board and community on security, stability, and resiliency threats to the internet’s naming and numbering systems.
SSAC produces advisory reports (SAC documents) that have defined the security landscape for DNS operators globally. Notable examples include:
- SAC 032 (2009) — Recommendations on DNSSEC deployment, widely cited as the framework for modern DNS signing practice
- SAC 048 (2011) — DNS Risk Management Framework, establishing how ICANN should assess and respond to DNS security risks
- SAC 072 (2015) — Recommendations on Registrar Compliance, driving improvements in the Registrar Accreditation Agreement
- SAC 105 (2019) — Mitigating the Risk of DNS Infrastructure Tampering — response to Sea Turtle DNS hijacking campaign
- SAC 115 (2021) — An Assessment of the DNS Abuse Landscape, informing the DNS Abuse Framework
5. Registrar Accreditation: Setting Security Standards for Domain Sellers
ICANN does not sell domain names directly. It accredits registrars — companies like GoDaddy, Namecheap, Google Domains, and thousands of others — to sell domain registrations to the public. Accreditation requires compliance with the Registrar Accreditation Agreement (RAA), which sets binding security standards that all registrars must meet.
The 2013 RAA upgrade introduced a suite of security improvements that directly improve internet security at the point of domain registration:
- Mandatory two-factor authentication for registrar staff accessing critical systems
- Obligation to implement measures to mitigate DNS abuse and respond to abuse reports
- Enhanced WHOIS data accuracy requirements with verification obligations
- Registrar lock and transfer authentication requirements to prevent unauthorized domain hijacking
- Data escrow obligations ensuring registrant data is not lost if a registrar fails
- Compliance audit program — ICANN conducts regular compliance checks against all accredited registrars
6. Security Coordination: Working With the Global Security Community
ICANN does not work in isolation. A critical part of how it improves internet security is through structured coordination with the global security ecosystem — law enforcement, national cybersecurity agencies, security researchers, and internet operations communities.
Key coordination mechanisms include:
- Law Enforcement Liaison — ICANN maintains formal relationships with Interpol, FBI, Europol, and national law enforcement to facilitate domain-related crime investigations
- Security Community Engagement — ICANN participates in M3AAWG (Messaging Malware Mobile Anti-Abuse Working Group), FIRST (Forum of Incident Response and Security Teams), and other security bodies
- Root Server System Advisory Committee (RSSAC) — advises ICANN on the security of the DNS root server system, which is the foundational infrastructure for global DNS resolution
- ICANN Security Blog — publishes threat intelligence, security advisories, and operational guidance for the DNS operator community
- ICANN Incident Response — ICANN maintains internal incident response capabilities and coordinates with the DNS operator community during major security incidents affecting the root zone or TLD infrastructure
ICANN’s Security Contributions: Key Facts at a Glance
| Security Initiative | Impact & Detail |
| --- | --- |
| Root Zone DNSSEC signing | DNS Root Zone signed July 15, 2010 — foundational global trust anchor established |
| Root KSK Rollover (2018) | First-ever replacement of the Root Trust Anchor — coordinated globally without any DNS breakage |
| KSK ceremony oversight | Trusted Community Representatives from 6 global regions; publicly witnessed 4x per year |
| Registrar accreditation | 2,000+ accredited registrars worldwide subject to security requirements in the RAA |
| DNS Abuse Framework (2021) | First comprehensive policy framework defining and addressing DNS abuse at registry/registrar level |
| SSAC advisory reports | 100+ SAC documents published covering DNS security, DNSSEC, abuse, and system stability |
| ICANN Contractual Compliance | Ongoing investigation and enforcement of registrar and registry security obligations |
| RDAP deployment | Modern replacement for WHOIS providing structured, privacy-compliant security investigation data |
| Law enforcement coordination | Formal liaison with Interpol, FBI, Europol, and national agencies for DNS-related investigations |
| WHOIS accuracy program | Regular compliance audits; Registrars issued Notice of Non-Compliance for inaccurate data |
| New gTLD DNSSEC mandate | 100% of ICANN-contracted new gTLD registries required to sign with DNSSEC |
| ICANN Security team | Dedicated security team monitors DNS root infrastructure, coordinates incident response globally |
ICANN’s Security Policy Framework: The Documents That Drive Change
| Policy Document | Security Provision |
| --- | --- |
| Registrar Accreditation Agreement (RAA) 2013 | Binding security requirements for all 2,000+ ICANN-accredited registrars: WHOIS accuracy, abuse response, two-factor authentication, data escrow, transfer authentication |
| Registry Agreement — Spec 11 | DNS abuse obligations for all new gTLD registry operators: published anti-abuse policy, abuse point of contact, DNSSEC requirement, technical capability standards |
| DNS Abuse Framework (2021) | Policy definitions and response standards for the five categories of DNS abuse: phishing, pharming, malware, botnets, and spam (when used to facilitate DNS abuse) |
| Root Zone DNSSEC Certification Practice Statement (CPS) | Detailed specification for KSK management, signing ceremonies, community oversight, and key rollover — the governance document for the world’s most critical cryptographic key |
| WHOIS Accuracy Program Specification | Requirements for registrar WHOIS data verification, obligations for responding to inaccuracy reports, and compliance audit framework |
| ICANN Security, Stability and Resiliency Framework | ICANN’s published framework for identifying, assessing, and responding to risks to the security, stability, and resiliency of the DNS and identifier systems globally |
| SSAC Advisory Reports (SAC Series) | Independent technical security advisories covering DNS vulnerabilities, DNSSEC deployment, registrar security, root server stability, and emerging threats |
| Contractual Compliance Procedures | ICANN’s enforcement framework for investigating and sanctioning registrar and registry non-compliance with security obligations — including accreditation termination |
How to Engage With ICANN’s Security Programs — Practical Steps
ICANN’s security work is not a closed shop. Here is how different stakeholders can apply, participate, and contribute:
| Enable DNSSEC on Your Domain: Log in to your domain registrar’s control panel and activate DNSSEC signing. Publish your DS record in the parent TLD zone. Use the free DNSSEC Analyzer at dnssec-analyzer.verisignlabs.com to verify your full chain of trust is correctly configured end-to-end. |
| Report DNS Abuse to ICANN: If you encounter a domain being used for phishing, malware, or botnets, report it through ICANN’s abuse reporting channels. Each accredited registrar is required to maintain a published abuse contact. ICANN’s Contractual Compliance team can be reached at contractcompliance@icann.org for unresolved registrar abuse issues. |
| Participate in SSAC and Security Policy: SSAC work items are publicly announced. While SSAC membership requires appointment, you can: submit input during ICANN public comment periods on security-related consultations, participate in ICANN Public Meeting security sessions (free virtual access), and engage with the DNSO security working groups through icann.org/participate. |
| Apply for ICANN Fellowship (Security Focus): ICANN’s Fellowship Program provides funded participation for security professionals from developing regions. Apply at icann.org/fellowships. Emphasize your security expertise or interest in DNS security policy in your application statement. The fellowship gives you direct access to SSAC sessions, policy working groups, and the security community at ICANN Public Meetings. |
| Learn ICANN Security Fundamentals Free: ICANN Learn (learn.icann.org) offers free courses on DNS security fundamentals, DNSSEC, and ICANN’s security framework. Complete the DNSSEC Fundamentals course for a foundation in root zone security, then explore the Introduction to ICANN course for the governance context. Both are free and certificate-bearing. |
The ICANN Internet Security Impact Map: What Each Pillar Protects
Here is a clear map of what each ICANN security initiative protects — and who benefits directly:
| ICANN Initiative | What It Protects Against | Who Benefits Directly | Security Level |
| --- | --- | --- | --- |
| DNSSEC Root Zone KSK | DNS cache poisoning, BGP hijacking + DNS spoofing | All internet users globally | CRITICAL |
| DNS Abuse Framework | Phishing, malware distribution, botnet C2 via DNS | End users, businesses, brands | HIGH |
| Registrar RAA Security | Domain hijacking, unauthorized transfers, fraud | Domain owners, registrants | HIGH |
| WHOIS / RDAP Accuracy | Anonymous abuse, untraceable criminal infrastructure | Law enforcement, security teams | HIGH |
| SSAC Advisories | Emerging DNS threats, systemic vulnerability gaps | DNS operators, policymakers | MEDIUM-HIGH |
| Security Coordination | Cross-jurisdictional DNS abuse, critical infrastructure attacks | Governments, CERTs, ISPs | HIGH |
| RSSAC Root Server Sec. | Root server DDoS, operational failures at internet core | All internet users globally | CRITICAL |
| Contractual Compliance | Non-compliant registrars enabling abuse operations | Registrants, brands, users | MEDIUM-HIGH |
Frequently Asked Questions
Q1: Does ICANN actually have the power to improve internet security, or is it just advisory?
ICANN has both hard power and soft power when it comes to internet security. Its hard power comes from its contractual authority: ICANN can require registrars and registry operators to implement security measures as a condition of accreditation and contract. Non-compliance can result in formal notices, financial sanctions, and ultimately termination of accreditation — with real commercial consequences. Its soft power comes from its convening authority: ICANN brings together the global security community through SSAC, public meetings, and working groups to develop security norms and best practices that influence how the entire DNS ecosystem operates.
Q2: What is the DNS Abuse Framework and why does it matter?
The DNS Abuse Framework, adopted by ICANN in 2021, is the first comprehensive policy document that defines DNS abuse and establishes minimum response standards for ICANN-contracted parties. It identifies five categories of DNS abuse: phishing, pharming, malware, botnets, and spam (when used to facilitate DNS abuse). Registries and registrars are contractually required to maintain anti-abuse policies, provide abuse reporting contacts, and respond to documented abuse reports. Before the Framework, there was significant inconsistency in how operators defined and responded to DNS abuse. The Framework creates a baseline of accountability across the entire ICANN-contracted domain name industry.
Q3: How does ICANN coordinate with law enforcement on internet security?
ICANN maintains a dedicated Law Enforcement Liaison function that provides a formal communication channel between ICANN and law enforcement agencies globally — including Interpol, the FBI, Europol, and national cybercrime agencies. Through this channel, law enforcement can request technical information about ICANN’s operations, raise DNS-related security concerns, and coordinate on systemic issues affecting internet infrastructure security. ICANN also participates in law enforcement liaison at its three annual Public Meetings, where dedicated sessions bring together law enforcement representatives and the DNS operator community to address security challenges.
Q4: Can individuals report DNS abuse directly to ICANN?
Individuals can report DNS abuse issues to ICANN through several channels. For registrar non-compliance issues — where a registrar is failing to respond to documented abuse reports — complaints can be submitted to ICANN’s Contractual Compliance team at contractcompliance@icann.org. For issues related to WHOIS data inaccuracy, ICANN’s WHOIS accuracy program provides a reporting mechanism. For domain-level abuse (phishing, malware, etc.), the most effective first step is reporting directly to the domain’s registrar, which is contractually required to maintain and respond to an abuse contact. ICANN also points users to the Anti-Phishing Working Group (APWG) and other specialized abuse clearinghouses.
Q5: How does ICANN’s security work affect people in developing countries?
ICANN’s security contributions have significant and disproportionate impact in developing countries. DNS hijacking and abuse attacks have historically targeted developing nation internet infrastructure, government systems, and financial services — particularly in Africa, the Middle East, and Latin America (as documented in the Sea Turtle campaign of 2019). ICANN’s DNSSEC mandate for contracted gTLDs, its DNS Abuse Framework, and its security coordination work create a global security baseline that benefits operators and users in all regions. Additionally, ICANN’s Fellowship Program specifically funds participation from developing country security professionals in ICANN policy processes, ensuring that the security interests of the Global South are represented in the policies that govern the global internet.
The Internet Is Safer Because of ICANN. You Can Help Make It Safer Still.
ICANN’s security work — from signing the DNS Root Zone to enforcing anti-abuse policies across 2,000+ registrars — creates the foundational security layer that protects billions of internet users every day. But ICANN cannot do it alone. Every domain owner, network operator, and policy advocate who engages with ICANN’s security programs makes the global internet safer for everyone.
Your Security Actions Start Here
- Enable DNSSEC on your domain — verify at dnssec-analyzer.verisignlabs.com
- Report DNS abuse to your registrar and ICANN Compliance at contractcompliance@icann.org
- Apply for ICANN Fellowship at icann.org/fellowships — engage in security policy directly
- Take free ICANN Learn security courses at learn.icann.org — DNSSEC Fundamentals
- Read SSAC advisories at icann.org/groups/ssac/documents — the security community speaks
- Participate in ICANN public comments on DNS security policy at icann.org/public-comments
Internet security is not someone else’s problem. If you use the internet, ICANN’s security work affects you. Now you know how it works — and how to be part of it.
© 2026 IG Insight Blog. This article is published for educational and informational purposes.

Dipankar Barua is an internet governance advocate from Dhaka, Bangladesh, who believes that voices from the Global South must be heard in the rooms where the internet’s future is decided. As an ICANN advocate (ICANN83 & ICANN85) and VSIG member, he actively engages in multistakeholder policy processes spanning DNS security, digital inclusion, and responsible AI governance. With an academic grounding in Computer Science and AI, and over 15 years of applied IT experience, Dipankar bridges the gap between technical communities and policy spaces — writing, participating, and advocating for a more open, equitable, and inclusive internet for all.








