DENIC requests verification of domain owner data

Owners of .de domains are receiving an email from DENIC asking for verification. This is not a scam, but a consequence of NIS-2.


DENIC eG, the registry responsible for .de domains, is starting to verify domain contact data and is sending emails with calls to action to domain owners. The timing of the long-planned measure is unfortunate, because the verification begins immediately after a serious configuration error in DNSSEC entries. Emails that invoke DENIC and urge recipients to verify something right away could look like a sophisticated phishing campaign piggybacking on a current event.

In conversation with heise online, Tom Keller from the DENIC board confirms that the domain registry is currently sending these emails and does not intend to postpone the measure. The trigger is the implementation of the European NIS 2 directive, for which several laws and ordinances have been amended in Germany, primarily the BSI Act.

For DENIC, the NIS 2 regulation imposes the requirement to verify domain contact data in case of doubt. DENIC follows a risk-based approach and does not directly ask all domain owners to verify. Instead, DENIC has searched its database for incorrect addresses and found that a single-digit percentage of the data needs to be verified. To comply with the law, name (and legal form for legal entities), postal address, phone number, and email address must be stored and verified.

Domain owners are asked via email to check their data record. The first emails will come from the respective registrar who manages the domain for the customer. Later, a reminder will come from DENIC itself. Depending on the sender, different deadlines apply within which you must take action. If the message comes from your provider, you have 30 days to respond. It becomes serious when the message comes from DENIC itself: then there is a deadline of 7 days. If you exceed this deadline, the domain will be temporarily removed from the .de zone, meaning it will no longer be accessible. If you wait 90 days, it will be deleted and the domain contract will be terminated.

DENIC has provided us with a sample email. The reminders do not contain a direct link or a request to submit login data. If you receive such an email, contact your provider.

Nevertheless, with messages of this type, it is important to stay calm so as not to fall for copycats exploiting the situation. DENIC points out that all its emails come from the domain denic.de. They do not ask for login data. It is best not to click on links in such emails, but to open your provider's portal in the usual way. In the first step, you must check your contact details with your provider. Then you can start a verification. Various methods are available for this. These include PostIdent, Photo-Ident, and Video-Ident, as well as uploading official documents or verification via a postal verification code.
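The three properties DENIC names for its reminders (sender domain denic.de, no direct link, no request for login data) can be turned into a mail-triage check. The following is an added example, not code from DENIC or heise; it assumes your receiving gateway stamps an `Authentication-Results` header under the hypothetical ID `mx.example.net` and that a DMARC verdict is recorded there, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

EXPECTED_DOMAIN = "denic.de"          # sender domain named in the article
TRUSTED_AUTHSERV = "mx.example.net"   # assumption: your own receiving gateway
URL_RE = re.compile(r"https?://\S+", re.I)
CRED_RE = re.compile(r"\b(passwor[dt]|login|log in|anmeldedaten|zugangsdaten)\b", re.I)
DMARC_RE = re.compile(r"dmarc=pass\b[^;]*header\.from="
                      + re.escape(EXPECTED_DOMAIN) + r"(?![\w.-])")

def triage(raw: str) -> list[str]:
    """Return reasons a message claiming to be a DENIC reminder looks wrong."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != EXPECTED_DOMAIN:
        findings.append(f"From domain {domain!r} is not {EXPECTED_DOMAIN}")
    # The From header is sender-controlled, so also require a DMARC pass that
    # was recorded by our own gateway; verdicts from other hosts are ignored.
    verdicts = [str(h).lower() for h in msg.get_all("Authentication-Results", [])]
    if not any(v.split(";")[0].strip() == TRUSTED_AUTHSERV and DMARC_RE.search(v)
               for v in verdicts):
        findings.append("no DMARC pass for denic.de from the trusted gateway")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if URL_RE.search(body):
        findings.append("body contains a link")
    if CRED_RE.search(body):
        findings.append("body mentions login data")
    return findings

# Constructed sample messages (addresses and hosts are made up).
GENUINE = ("From: DENIC eG <sender@denic.de>\n"
           "Authentication-Results: mx.example.net; dmarc=pass header.from=denic.de\n"
           "Subject: Reminder: verify your domain contact data\n\n"
           "Please check the contact data for your domain with your provider.\n")
SPOOFED = ("From: DENIC eG <sender@denic.de>\n"
           "Authentication-Results: mx.example.net; dmarc=fail header.from=denic.de\n"
           "Subject: Urgent: verify within 7 days\n\n"
           "Log in here to keep your domain: https://portal.example/verify\n")

if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("SPOOFED", SPOOFED)):
        print(name, triage(raw) or "no findings")
```

An empty result only means none of these checks fired; the first notice comes from the registrar rather than DENIC, so it needs the registrar's domain in place of `denic.de`.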

The NIS 2 regulation also imposes another requirement that domain owners should respond to, even if they have not received a request: non-personal data about domains must be publicly accessible, while personal information must not be. Domain owners can therefore control which information is publicly available via Whois queries: information about companies, associations, and other organizations registered under ORG is published, while information registered under PERSON is not. Anyone who owns a domain should check with their registrar which details are stored under the keys PERSON and ORG and move the information to the correct place.

(jam)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.