Regulations for ‘.ad’ domain names registration (Official)

Regulation Doc Link: https://www.domini.ad/en/regulation


Overview

The General Regulations for Registration of .ad Domain Names establish the legal and operational framework for registering and managing .ad domain names, delegated to Andorra by IANA on January 9, 1996. Andorra Telecom, SAU, is designated as the registry operator under Law 42/2022 on digital economy, entrepreneurship, and innovation. The regulations reflect the policy shift effective October 22, 2024, opening .ad registration to all persons globally, with key changes including the use of accredited registrars and a first-come, first-served allocation model during the general availability period.


Key Chapters and Provisions

Chapter One: General Conditions

  • Article 1 (Objects): Defines the purpose of the regulations and identifies Andorra Telecom as the registry operator responsible for the .ad TLD.
  • Article 2 (Definitions): Clarifies terms such as “domain name,” “TLD,” “registrar,” “registrant,” and “general availability.” The transition and opening period (May 22 to October 22, 2024) facilitated the shift to the new model, followed by general availability.
  • Article 3 (Binding Nature): Applicants are bound by these regulations, registrar agreements, and the .ad Dispute Resolution Policy (PRDad).

Chapter Two: Allocation of .ad Domains

  • Article 4 (Syntax Rules): .ad domains must use alphanumeric characters (Latin alphabet, 0-9, hyphen) and Internationalised Domain Names (IDN) characters, with restrictions (e.g., no leading/trailing hyphens, max 63 characters).
  • Article 5 (First-Come, First-Served Basis): Post-transition, domains are allocated during general availability on a first-come, first-served basis, with no guarantee of availability.

Chapter Three: Eligibility Criteria

  • Article 6 (General Eligibility): Domains must be legitimate, not harm Andorra’s image, and align with their significance. Non-compliant domains may be rejected or canceled.
  • Article 7 (Special Eligibility): Geographic names, public institution names, and public service-related names are restricted to authorized Andorran public entities.
  • Article 8 (Reserved Names): The registry can reserve names and set conditions for their use, with discretion over publication.
  • Article 9 (Premium Names): Special-value names may have higher fees or be reserved for auction.

Chapter Four: Rules of Use

  • Article 10 (Liability): Registrants are fully responsible for domain use, including third-party misuse.
  • Article 11 (Conditions of Use): Domains must be used legitimately, in good faith, and not mislead, harm Andorra’s image, infringe rights, or support illegal activities (e.g., phishing, botnets). Violations may lead to suspension or cancellation.

Chapter Five: Life of the Domain Name

  • Article 12 (Length): Domains are valid for 1-10 years, with automatic annual renewal unless deleted. Grace periods include 5 days (creation), 45 days (renewal), and 30 days (recovery).
  • Article 13 (Voluntary Transfer): Domains can be transferred with registrar consent, subject to compliance.

Chapter Six: The Registry Operator

  • Article 14 (Role): Andorra Telecom sets transparent rules but does not act as a registrar; all registrations go through accredited registrars.
  • Article 15 (Remuneration): Fees are set by the registry, but registrars determine customer prices.
  • Article 16 (Internal Use): Andorra Telecom can self-assign domains for its operations, exempt from conflict resolution.
  • Article 17 (Non-Obligation to Supervise): The registry does not pre-validate registrations or guarantee availability.

Chapter Seven: The Registrars

  • Article 19 (Role): Accredited registrars manage registrations; direct applications to the registry are not allowed.
  • Article 20 (Accreditation): Andorran registrars need legal status and domain registration as a business activity; non-Andorran registrars require ICANN accreditation.
  • Article 21 (Portability): Registrants can switch registrars, with limited refusal grounds (e.g., fraud, non-payment).

Chapter Eight: Compliance and Dispute Resolution

  • Article 25 (Verification): The registry may investigate domain compliance, with a 15-day registrant response period; provisional measures or cancellation may follow.
  • Article 26 (PRDad): Disputes over trademarks, trade names, or public identifiers are resolved via WIPO’s PRDad process.

Chapter Nine: Domain Contact Information

  • Article 28 (Accuracy): Registrants must provide accurate contact details and update them promptly.
  • Article 29 (Data Protection): Contact data is processed for registration, made public via WHOIS/RDAP, and protected against misuse, per ICANN obligations.

Key Changes from Previous Policy

  • Eligibility: Previously restricted to Andorran entities or trademark holders; now open globally.
  • Registration Process: Shifted from direct registry registration to mandatory use of accredited registrars.
  • Duration: Minimum registration reduced from 2 years to 1 year, renewable up to 10 years.
  • Validation: Pre-approval eliminated; registration is now immediate during general availability.

Implications

The regulations facilitate broader access to .ad domains, aligning with global TLD trends, but introduce risks such as domain collisions (e.g., “corp.ad”) for organizations using .ad internally, as discussed in prior analyses. The registry’s discretionary powers and registrar model enhance oversight while shifting responsibility to registrants and registrars.

For full details, refer to the original document at https://www.domini.ad/.

The Domain Collision Vulnerability Arising from the Liberalization of the .ad Top-Level Domain

The proliferation of new top-level domains (TLDs) has introduced a significant security vulnerability known as domain collision, particularly affecting organizations that have historically used internal domain names in TLDs that were not previously available for public registration. This issue has been exacerbated by the recent liberalization of the .ad TLD, the country-code TLD for Andorra, which was opened to global registration without restrictions in late 2024. Prior to this change, many organizations, particularly those utilizing Microsoft’s Active Directory (AD) for network resource management and user authentication, adopted internal domain names such as “corp.ad” under the assumption that the .ad TLD was restricted and thus safe from external conflicts. However, with the .ad domain now freely available for registration by any entity worldwide, domain hunters—individuals or groups who register domains for speculative or malicious purposes—can easily exploit this situation, leading to severe security risks for affected organizations. This paper examines the domain collision vulnerability in the context of the .ad TLD’s policy shift, explores the specific risks associated with internal domains like “corp.ad,” and discusses the broader implications for organizational cybersecurity.

Background: Active Directory and Internal Domain Usage

Microsoft’s Active Directory is a widely used service that manages network resources, user authentication, and access control within corporate environments. When setting up an Active Directory domain, organizations must choose a domain name that uniquely identifies their internal network. Historically, to avoid conflicts with publicly registered domains, many organizations opted for domain names in TLDs that were either not yet delegated or were restricted to specific geographic or organizational use. The .ad TLD, being the country-code TLD for Andorra, was one such domain that was perceived as safe for internal use due to its previous registration restrictions, which limited ownership to Andorran entities or trademark holders.

For example, an organization might have chosen “corp.ad” as its internal Active Directory domain, assuming that the .ad TLD would not be available for public registration. This practice was common, as it provided a seemingly unique namespace that was unlikely to overlap with external domains. However, the assumption of perpetual restriction has proven faulty with the recent changes in the .ad domain’s registration policy.

The Domain Collision Vulnerability

Domain collision, also known as namespace collision, occurs when an internal domain name used within a private network overlaps with a publicly registered domain name on the global Domain Name System (DNS). This overlap can lead to several security risks:

  1. Information Leakage: Devices on the internal network may inadvertently send DNS queries for the internal domain to public DNS servers, potentially leaking sensitive information such as usernames, passwords, or internal network configurations.
  2. Man-in-the-Middle Attacks: If a malicious actor controls the public domain that matches the internal domain, they can intercept traffic intended for the internal network, allowing them to capture credentials or redirect users to malicious sites.
  3. Unauthorized Access: In some cases, the collision can enable external actors to access internal resources or services that were intended to be private.

The risk is particularly acute for organizations using Microsoft’s Active Directory, as AD relies heavily on DNS for name resolution and service discovery. If an internal AD domain like “corp.ad” is registered publicly by a third party, devices attempting to authenticate or access internal resources may instead connect to the public domain, exposing sensitive data or enabling unauthorized access.
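The two symptoms described above, AD lookups escaping to public resolvers and internal names answering from outside the organization's address space, can be picked out of resolver or egress logs. The following is an added detection example (not part of the original paper); the log format, the forest name corp.ad, the resolver addresses and the internal prefix are all constructed assumptions.

```python
import ipaddress

# Constructed sample log: "<time> <client> <qname> <qtype> <resolver> <answer>",
# the shape an egress firewall or resolver might emit. Not real traffic.
SAMPLE_LOG = """\
2024-11-03T08:12:01Z 10.20.1.15 _ldap._tcp.dc._msdcs.corp.ad SRV 10.20.0.10 dc01.corp.ad
2024-11-03T08:12:02Z 10.20.1.15 dc01.corp.ad A 10.20.0.10 10.20.0.10
2024-11-03T08:12:09Z 10.20.1.77 _ldap._tcp.dc._msdcs.corp.ad SRV 8.8.8.8 NXDOMAIN
2024-11-03T08:13:40Z 10.20.1.77 fileserver.corp.ad A 1.1.1.1 203.0.113.25
2024-11-03T08:14:02Z 10.20.1.15 www.example.com A 8.8.8.8 93.184.215.14
"""

INTERNAL_ZONE = "corp.ad"                              # AD forest DNS name (assumption)
INTERNAL_RESOLVERS = {"10.20.0.10", "10.20.0.11"}      # the domain controllers (assumption)
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")] # where corp.ad hosts live (assumption)


def in_zone(qname, zone):
    """True if qname is the zone apex or any label beneath it (case/dot insensitive)."""
    q = qname.lower().rstrip(".")
    return q == zone or q.endswith("." + zone)


def outside_internal(answer, nets=INTERNAL_NETS):
    """True only when the answer is an IP address not in any internal prefix."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # NXDOMAIN, SRV targets and other non-addresses are not collisions
    return not any(ip in net for net in nets)


def analyse(log_text, zone=INTERNAL_ZONE, resolvers=INTERNAL_RESOLVERS):
    """Return (kind, client, qname, detail) findings for the internal zone only.

    LEAK:      a query for the AD namespace went to a resolver we do not run.
    COLLISION: an AD name resolved to an address outside our own networks,
               i.e. the public registration is now answering for it.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, client, qname, _qtype, resolver, answer = parts
        if not in_zone(qname, zone):
            continue
        if resolver not in resolvers:
            findings.append(("LEAK", client, qname, resolver))
        if outside_internal(answer):
            findings.append(("COLLISION", client, qname, answer))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(" ".join(finding))
```

The client 10.20.1.77 in the sample is the roaming or misconfigured host of concern: its DC-locator SRV query leaves the network, and the file server name now resolves to a foreign address.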

The .ad TLD Policy Change and Its Implications

Prior to 2024, the .ad TLD was restricted to Andorran registrants or trademark holders, with each registration requiring pre-approval. However, in a significant policy shift, the .ad registry liberalized its registration process in two key phases:

  • May 22, 2024: The registry began requiring the use of accredited registrars for domain purchases, discontinuing direct registrations from the registry.
  • October 22, 2024: The registry opened the .ad TLD to any natural or legal person worldwide, without the need for trademark ownership or local presence, and removed the pre-validation requirement, allowing immediate domain registration.

This policy change has made it possible for anyone, including domain hunters, to register domains like “corp.ad” with minimal barriers. Domain hunters, who often register domains for resale or malicious purposes, can now easily acquire such domains, exploiting the domain collision vulnerability to target organizations that have used these names internally.

Specific Risks Associated with “CompanyName.ad”

The .ad TLD is particularly problematic because “AD” is the common abbreviation for Active Directory, which made it a natural and widely used suffix for corporate internal networks. Many organizations, especially those that set up their Active Directory environments before the .ad TLD’s liberalization, may have adopted “CompanyName.ad” or similar variants (e.g., “internal.ad,” “hq.ad”) as their internal domain names. With the .ad TLD now open to public registration, multiple organizations could be affected if a single entity registers “CompanyName.ad” and exploits the collision.

The risks include:

  • Credential Theft: If internal devices attempt to authenticate against the public “CompanyName.ad” domain, usernames and passwords could be captured by whoever controls that public domain.
  • Traffic Interception: Internal traffic intended for the organization’s private network could be redirected to the public domain, allowing for man-in-the-middle attacks.
  • Service Disruption: Organizations may experience disruptions in internal services if DNS queries are resolved incorrectly due to the collision.

Moreover, because the .ad TLD is now globally accessible, the potential for widespread exploitation is significant. Unlike TLDs that are still restricted or have higher barriers to entry, the ease of registering .ad domains increases the likelihood of malicious actors targeting this vulnerability.

Broader Implications for Organizational Cybersecurity

The domain collision issue is not unique to the .ad TLD; it has been a known vulnerability exacerbated by the proliferation of new TLDs. As more TLDs become available for public registration, organizations that have relied on previously undelegated or restricted TLDs for their internal domains face increasing risks. The .ad case serves as a stark example of how changes in TLD registration policies can suddenly expose organizations to security threats that were previously mitigated by restrictive access.

Organizations using internal domains in TLDs that are now publicly available must take immediate action to mitigate these risks. Potential mitigation strategies include:

  • Renaming Internal Domains: Organizations can rename their Active Directory domains to use TLDs that are less likely to be registered publicly, such as those reserved for internal use (e.g., .internal).
  • Implementing Split DNS: By configuring split DNS, organizations can ensure that internal DNS queries are resolved locally, while external queries are handled by public DNS servers.
  • Monitoring and Defensive Registration: Organizations can monitor for registrations of their internal domain names in public TLDs and consider defensively registering these domains to prevent exploitation.
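The monitoring step above can be automated against the registry's RDAP service (the protocol Article 29 names alongside WHOIS). This is an added example, not the registry's or the paper's code; it assumes the public rdap.org bootstrap redirector reaches the .ad RDAP server, and the RDAP answers embedded below are constructed so the script runs offline.

```python
import json
import urllib.error
import urllib.request

# rdap.org is a public RDAP bootstrap redirector (assumption: it forwards .ad
# lookups to the registry's own RDAP service).
RDAP_BASE = "https://rdap.org/domain/"


def http_fetch(url):
    """GET url and return (status, body); RDAP answers 404 for a name that does not exist."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def classify(domain, owned_ns, fetch=http_fetch):
    """Return UNREGISTERED, OWNED, THIRD_PARTY or UNKNOWN for one internal name."""
    status, body = fetch(RDAP_BASE + domain.lower().rstrip("."))
    if status == 404:
        return "UNREGISTERED"          # still free: candidate for defensive registration
    if status != 200:
        return "UNKNOWN"               # rate limit, outage, or no RDAP for this TLD
    data = json.loads(body)
    if data.get("objectClassName") != "domain":
        return "UNKNOWN"
    nameservers = {ns.get("ldhName", "").lower().rstrip(".")
                   for ns in data.get("nameservers", [])}
    if nameservers and nameservers <= owned_ns:
        return "OWNED"                 # our own defensive registration
    return "THIRD_PARTY"               # the collision case: someone else answers for it


def audit(domains, owned_ns, fetch=http_fetch):
    return {d: classify(d, owned_ns, fetch) for d in domains}


# Constructed RDAP-style answers so the example runs offline (not real registry data).
FAKE_RDAP = {
    RDAP_BASE + "corp.ad": (200, json.dumps({
        "objectClassName": "domain", "ldhName": "corp.ad", "status": ["active"],
        "nameservers": [{"ldhName": "ns1.parking.example.net"}]})),
    RDAP_BASE + "hq.ad": (404, ""),
    RDAP_BASE + "internal.ad": (200, json.dumps({
        "objectClassName": "domain", "ldhName": "internal.ad", "status": ["active"],
        "nameservers": [{"ldhName": "ns1.example.com"}, {"ldhName": "ns2.example.com"}]})),
}


def fake_fetch(url):
    return FAKE_RDAP.get(url, (500, ""))


if __name__ == "__main__":
    ours = {"ns1.example.com", "ns2.example.com"}   # name servers we operate (assumption)
    for name, verdict in audit(["corp.ad", "hq.ad", "internal.ad"], ours, fake_fetch).items():
        print(f"{name:12} {verdict}")
```

Drop the `fake_fetch` argument to query the live redirector; a THIRD_PARTY verdict for a name still in use as an AD forest is the signal to start the rename or split-DNS work.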

However, these measures can be costly and disruptive, particularly for large organizations with complex network infrastructures. The need for such actions underscores the importance of proactive domain management and the consideration of long-term TLD availability when designing internal network architectures.

Conclusion

The liberalization of the .ad TLD in 2024 has introduced a significant security risk for organizations that have used internal domain names like “corp.ad” in their Active Directory environments. The domain collision vulnerability, once a theoretical concern, has become a pressing issue as domain hunters and malicious actors can now easily register these domains and exploit the resulting namespace conflicts. This situation highlights the broader challenges posed by the expansion of the global domain name system and the need for organizations to adopt more resilient naming conventions and security practices. As the domain landscape continues to evolve, vigilance and adaptability will be essential to safeguarding internal networks from external threats.

The Evolution of Andorra’s .ad Top-Level Domain Registration Policy

Abstract

The .ad top-level domain (TLD), representing Andorra, underwent a significant policy revision in 2024, transitioning from a restrictive registration framework to a more liberalized system. Effective from October 22, 2024, the updated policy eliminates previous requirements for local presence or trademark ownership, mandates the use of accredited registrars, and adjusts registration periods. This paper examines the new .ad domain registration policy, identifies key changes from the prior framework, and evaluates the implications for accessibility and global adoption.

Introduction

Top-level domains (TLDs) serve as critical identifiers in the digital landscape, reflecting national identity and facilitating online presence. The .ad TLD, administered by Andorra Telecom, has historically been constrained by stringent eligibility criteria, limiting its use primarily to entities with a legal or trademark-based connection to Andorra. However, recent changes, fully implemented on October 22, 2024, mark a pivotal shift toward openness and flexibility. This paper aims to document the specifics of the new .ad registration policy, delineate its departures from the previous system, and assess its potential impact on the TLD’s role in the global domain market.

The New .ad Registration Policy

The revised .ad TLD registration policy, enacted following a transition period from May 22, 2024, to October 22, 2024, introduces several notable features:

  1. Eligibility Expansion:
  • The policy now permits any natural or legal person worldwide to register a .ad domain, irrespective of residency or trademark ownership (Andorra Telecom, 2024). This marks a departure from the prior requirement of Andorran presence or trademark registration with the Andorran Trademarks and Patents Office (OMPA).
  2. Registrar-Based Registration:
  • Registration is now exclusively facilitated through accredited registrars, a shift from direct registration with Andorra Telecom. This change, effective since May 22, 2024, allows both local and international registrars to participate, provided they meet accreditation standards set by the registry.
  3. Registration Duration and Renewal:
  • The minimum registration period has been reduced from two years to one year, with renewals permitted annually up to a maximum of 10 years (Andorra Telecom, 2024). Registrants may opt for manual or automatic renewals, subject to registrar policies.
  4. Regulatory Compliance:
  • Registrants must adhere to the .ad domain regulations, including eligibility (Articles 6 and 7) and usage stipulations (Articles 10 and 11), which prohibit misuse, confusion with public services, or infringement on intellectual property rights (Andorra Telecom, 2024).

Changes from the Previous Policy

The pre-2024 .ad registration framework imposed significant barriers to entry, contrasting sharply with the current policy. Table 1 summarizes the key differences:

Table 1: Comparison of Pre-2024 and Post-2024 .ad TLD Policies

Aspect                 | Pre-2024 Policy                                       | Post-2024 Policy (Effective October 22, 2024)
-----------------------|-------------------------------------------------------|----------------------------------------------
Eligibility            | Restricted to Andorran entities or trademark holders  | Open to all natural and legal persons globally
Trademark Requirement  | Mandatory for non-residents, verified by OMPA         | Eliminated
Registration Process   | Direct through Andorra Telecom                        | Via accredited registrars
Validation             | Pre-approval required                                 | Immediate processing
Minimum Registration   | Two years                                             | One year, renewable up to 10 years
Pricing                | Standardized by registry                              | Determined by individual registrars

References