
23 Provide name and full description of all the Registry Services to be provided

gTLD: .广东
Full Legal Name: Guangzhou YU Wei Information Technology Co., Ltd.
E-mail suffix: zodiac-corp.com
23. Registry Services

The ICANN-compliant registry services that the Back-End Service Provider provides for the ʺ.STRINGʺ TLD mainly comprise the Shared Registration System (SRS), Domain Name Service (DNS), Whois, Internationalized Domain Names (IDN) and DNS Security Extensions (DNSSEC). All of them are customary registry services that meet the corresponding Request for Comments (RFC) standards, and the specific security and stability concerns of each service have been fully considered, so they raise no security or stability problems.

The applicant has selected the Back-End Service Provider to supply the technology and operation services for the ʺ.STRINGʺ registry. The Back-End Service Provider delivers the entrusted services for the ʺ.STRINGʺ TLD through its self-deployed ʺBack-End Registry Service Platformʺ. That platform is deployed and operated by CNNIC to serve all new gTLD registries with such entrusted requirements, ʺ.STRINGʺ among them, and is designed to support at least 2 million domain names. Deployed, maintained and operated by the Back-End Service Provider's technicians, the platform provides the registry with all information systems required for the five critical functions, including resources such as IDC facilities, software, hardware and bandwidth.

The technology platform for the ʺ.STRINGʺ registry services is consigned by the applicant to a third party, the Back-End Service Provider, which provides the platform and is in charge of its routine technical operation and maintenance management. The applicant designates specialists to carry out technical coordination, supervise the work of the Back-End Service Provider and manage the keys used by the above services, and authorizes CNNIC to be responsible for the administration and use of those keys.

The Back-End Service Provider has established an information security management system (ISMS) for ccTLD and Chinese domain name services that is compliant with ISO 27001. This ISMS is considered suitable for the information security management of ʺ.STRINGʺ and provides sound security strategies and guarantees for the ʺ.STRINGʺ registry services in the areas of physical facilities, network, system, application, data and audit. Please refer to the answer to Question 30 for more information.
  
23.1 SRS

23.1.1 Service Description

SRS performs the following functions:
  
(1) Receiving Registration Data Related to Domain Names and Name Servers from Registrars

The SRS supports the registry-registrar separation model adopted by ʺ.STRINGʺ and receives the registration data that registrars submit to the applicant, by providing registrars with data interfaces that meet the requirements of RFC 5730, RFC 5731, RFC 5732, RFC 5733 and RFC 5734.

(2) Management Functions Related to Registration Data

Specifically, these functions include management of sessions, asynchronous messages, contacts, hosts, domain names, reserved name lists, registrars and registry status; running automated/timed tasks; generating operation logs; performing financial operations and registration verifications; and providing bulk registration data access.

(3) Providing Interfaces for Other Related Services

(a) Interfaces for the DNS service to read registration data, so that it can generate the ʺ.STRINGʺ zone file.

(b) Interfaces for the Whois service to read registration data, so that it can answer queries about ʺ.STRINGʺ registration information.

(c) Interfaces for the data escrow system to read registration data, so that it can regularly compile registration data into deposit files and submit them to the escrow agent.

(d) Interfaces for the monitoring system, so that it can monitor the SRS in real time.

(e) Bulk data access for ICANN in accordance with Specification 4 of the Registry Agreement.

(f) A connection from the SRS to the Trademark Clearinghouse to look up trademark holder information and decide, based on the result, whether the registration application for a specific domain name is approved.

(g) Analysis of SRS logs through the monitoring system to provide the data reporting function that generates the monthly report required by ICANN.

23.1.2 Security Analysis

SRS adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related to ʺ.STRINGʺ.
  
23.1.2.1 Physical Security Policy

A 7x24 operation and maintenance team monitors the SRS in real time through the monitoring system. The host machines are placed in a lightning-proof, fire-proof, anti-theft and anti-static machine room with video surveillance. Fingerprint identification and access card readers control physical access.
  
23.1.2.2 Network Security Policy

The SRS uses a redundant system design. Each server uses a private IP address as defined in RFC 1918 and is deployed in the service network. The SRS registration database likewise uses private IP addresses, so that these servers cannot be reached by Internet users.
  
23.1.2.3 System Security Policy

The operating system and application software of the SRS hosts are updated periodically. Remote operation of the system must go through bastion servers. The monitoring system tracks host resource usage and service operation in real time and raises an alarm as soon as an abnormality is detected.
  
23.1.2.4 Application Security Policy
  
The application security strategy covers the following aspects:

(1) The login password of each registrar in the SRS is limited to 6 to 32 characters and is stored in encrypted form.

(2) SRS connections between registrar and registry use SSL encryption, and each registrar is required to use its own distinct key.

(3) The SRS restricts the login IP addresses of each registrar so that only authorized IP addresses can connect, and the validity of the registrar's certificate is verified.

(4) If there is no activity within a specified period after a registrar has logged in successfully, the SRS closes the connection automatically.

(5) The bulk registration data access function is open to ICANN; the security mechanism is agreed with ICANN and includes measures such as IP restriction and secured data transmission.
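The following is an added example, not the applicant's or CNNIC's code, of how an SRS login front end can enforce items (1), (3) and (4) above in one place: the 6 to 32 character password policy, a per-registrar source-IP allowlist, and an idle-session timeout. Passwords are stored as salted PBKDF2 digests (a design choice for this example; the page only says "encrypted form"), the iteration count is an assumed value, and all registrar identifiers, networks and passwords are constructed for the demo.

```python
# Added example (not the applicant's or CNNIC's code): a registrar login gate
# for an SRS/EPP front end that enforces the controls listed above.  The
# registrar records, networks and passwords are constructed for the demo.
import hashlib
import hmac
import ipaddress
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumption: iteration count picked for the demo


def password_policy_ok(password: str) -> bool:
    """Item (1): registrar passwords are 6 to 32 characters long."""
    return 6 <= len(password) <= 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password."""
    if not password_policy_ok(password):
        raise ValueError("password must be 6-32 characters")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class RegistrarGate:
    """Per-registrar source-IP allowlist (item 3), credential check (item 1)
    and idle-session timeout (item 4).  The clock is passed in explicitly so
    the behaviour is deterministic and testable."""

    def __init__(self, idle_timeout_s: int = 600):
        self.idle_timeout_s = idle_timeout_s
        self.registrars = {}   # clid -> {"salt", "digest", "nets"}
        self.sessions = {}     # session id -> [clid, last_activity]

    def add_registrar(self, clid: str, password: str, allowed_cidrs) -> None:
        salt, digest = hash_password(password)
        self.registrars[clid] = {
            "salt": salt,
            "digest": digest,
            "nets": [ipaddress.ip_network(c) for c in allowed_cidrs],
        }

    def login(self, clid: str, password: str, source_ip: str, now: float):
        """Returns (session_id, reason); session_id is None when refused."""
        reg = self.registrars.get(clid)
        if reg is None:
            return None, "unknown registrar"
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in reg["nets"]):
            return None, "source IP not authorized"
        if not verify_password(password, reg["salt"], reg["digest"]):
            return None, "bad credentials"
        sid = os.urandom(8).hex()
        self.sessions[sid] = [clid, now]
        return sid, "ok"

    def touch(self, sid: str, now: float) -> bool:
        """Call on every EPP command: refreshes the session, or closes it
        when it has been idle for longer than idle_timeout_s."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if now - sess[1] > self.idle_timeout_s:
            del self.sessions[sid]
            return False
        sess[1] = now
        return True
```

The refusal reasons are meant for the registry's own log; an EPP server would return a single generic authentication error to the client so that registrar identifiers and allowlist membership are not confirmed to an unauthorized source.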

23.1.2.5 Data Security Policy

(1) SRS registration data is stored in the registration database, read and write access to which is strictly restricted. The DNS service, Whois service and data escrow system have only read access to the SRS registration database.

(2) The SRS registration database is backed up to a local tape library, and the data is also backed up to the local and remote secondary operation centers.

23.1.2.6 Auditing Security Policy

All SRS operations are logged, and the logs are analyzed and audited by the monitoring system.

23.1.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The implementation of the SRS strictly complies with RFC 5730, RFC 5731, RFC 5732, RFC 5733, RFC 5734 and RFC 5910. In addition, the registration life cycle supported by the SRS is in line with RFC 3915.

Taking into account the characteristics of IDNs and the nature of the ʺ.STRINGʺ business, the applicant and the Back-End Service Provider have made the following two extensions to EPP under the guidance of RFC 3735.

(a) An extension of RFC 5731, fully compliant with RFC 3735, for which the associated Internet-Draft has been submitted; it extends domain registration to variants of Chinese domain names in support of bundle registration of variants.

(b) An extension of RFC 5910, fully compliant with RFC 3735, for which the associated Internet-Draft has been submitted; it extends DNSSEC provisioning in support of bulk DS registration for variants of Chinese domain names.
  

(2) Analysis of the Impact of SRS on Related Internet Servers or End Systems

(a) Impact on the Other Systems of ʺ.STRINGʺ Registry Services

   By adopting a redundant backup architecture (refer to the answer to Question 24), the SRS guarantees the stability and reliability needed by the DNS service, Whois service, monitoring system, bulk registration data access and data escrow system when they access the SRS registration database.
  
(b) Impact on the Registrar’s Registration System of ʺ.STRINGʺ

   The SRS fully satisfies the Service Level Requirements (SLR) prescribed in Specification 10 of the Registry Agreement, ensuring that ʺ.STRINGʺ registrars can submit registration data normally.
  
23.2 DNS Service

23.2.1 Service Description

The DNS service mainly comprises DNS zone file management and DNS resolution.
  
(1) DNS Zone File Management Performs the Following Functions:

(a) Generation of the ʺ.STRINGʺ TLD zone file

   The authoritative DNS master servers obtain the original resource records from the SRS registration database, generate the original zone file, sign it with DNSSEC and then provide it to the DNS service.
  
(b) Update of the ʺ.STRINGʺ TLD zone file

   The zone file is propagated level by level from the authoritative DNS master servers to the name servers at each level, so that every name server obtains the latest ʺ.STRINGʺ TLD zone file within the time limit specified in the SLA.
  
(c) Access to the ʺ.STRINGʺ TLD zone file

   Access to the ʺ.STRINGʺ TLD zone file is made available to authorized third-party organizations and Internet users.
  
(2) DNS Resolution Performs the Following Functions:

To resolve ʺ.STRINGʺ domain names, a TLD resolution service platform has been established whose name servers are distributed across multiple geographic locations, which supports IPv6 and DNSSEC, and which uses both Anycast and Unicast.
  
23.2.2 Security Analysis

DNS adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of resolution data related to ʺ.STRINGʺ.
  
23.2.2.1 Physical Security Policy

A 7x24 operation and maintenance team monitors the DNS service in real time through the monitoring system. The host machines are placed in a lightning-proof, fire-proof, anti-theft and anti-static machine room with video surveillance. Fingerprint identification and access card readers control physical access.
  
23.2.2.2 Network Security Policy

The DNS service is deployed in a service subnet. A dedicated DoS/DDoS defense appliance together with an intrusion detection system (IDS) is used to detect attacks; when suspicious attack activity from the Internet is detected, the responsible security specialists are notified to handle it. An ACL on the egress router controls access to the DNS name servers: only the DNS service ports and the relevant management ports are open, and all other service ports are closed.
  
23.2.2.3 System Security Policy

The operating system and application software of the DNS hosts are updated periodically. Remote operation of the system must go through bastion servers. The monitoring system tracks host resource usage and service operation in real time and raises an alarm as soon as an abnormality is detected.
  
23.2.2.4 Application Security Policy

Application Security Strategy involves the following aspects:
  
(1) DNS primary masters are set up that are not connected to the Internet and do not provide resolution service, to protect the original ʺ.STRINGʺ zone file.

(2) Zone file updates between the different levels of name servers are carried over IPsec-encrypted communication, to ensure secure transmission of the ʺ.STRINGʺ TLD zone file.

(3) A monitoring system is established to ensure the integrity and consistency of the data during zone file generation and transmission.

(4) Internet users who attempt to access the ʺ.STRINGʺ TLD zone file are authenticated, and access is refused to those who fail authentication or violate the terms and conditions of data use (refer to Section 2.1.5 of Specification 4 of the Registry Agreement).

23.2.2.5 Data Security Policy

The zone file is backed up periodically, and the integrity of each updated zone file is checked by technical means. Data is backed up periodically to the local tape library as well as to the local and remote secondary data centers.

23.2.2.6 Audit Security Report

The monitoring system collects and analyzes DNS server logs and provides audit reports.

23.2.3 Stability Analysis

(1) Analysis of compliance with relevant standards

The DNS service runs stable releases of BIND and NSD, two mainstream DNS server implementations, and applies the relevant security patches promptly.
  
   The design and deployment of the DNS service meet the relevant RFC provisions (including RFC 1034, RFC 1035, RFC 1982, RFC 2181, RFC 2182, RFC 2671, RFC 3226, RFC 3596, RFC 3597, RFC 3901, RFC 4343, RFC 4472 and RFC 5966) and the technical requirements of IANA.
  
(2) Analysis of the Impact of DNS on Related Internet Servers or End Systems

The stability and reliability of the DNS service are guaranteed by a redundant backup architecture (refer to the answer to Question 35), so that the relevant SLR in Specification 10 of the Registry Agreement are fully satisfied and Internet users can resolve ʺ.STRINGʺ domain names normally.

23.3 Whois Service

23.3.1 Service Description

Whois service performs the following functions:

(1) Providing Services in Response to Queries about Domain Registration Information

   The Whois service answers queries about registrars, hosts and domain names. Through the Whois system (WhoisD and Whois Web), Internet users can find out whether a domain name is registered and view its details.
  
(2) Providing an Authorized Third Party with the Function of Bulk Access

The Whois service provides authorized third parties with bulk access, allowing Whois data to be retrieved in bulk for a specified period of time.
  
(3) Providing Searchable Whois Service

An authorized Internet user can search using a domain name, the contact or registrant name, postal address, registrar ID, name server name or name server IP address as key words, combined in any way with the AND/OR/NOT Boolean operators.
  
23.3.2 Security Analysis

Whois service adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related to ʺ.STRINGʺ.
  
23.3.2.1 Physical Security Policy

A 7x24 operation and maintenance team monitors the Whois service in real time through the monitoring system. The host machines are placed in a lightning-proof, fire-proof, anti-theft and anti-static machine room with video surveillance. Fingerprint identification and access card readers control physical access.
  
23.3.2.2 Network Security Policy

The Whois system is deployed in a service subnet. The WhoisD service is reachable on port 43 and Whois Web on port 80.
  
23.3.2.3 System Security Policy

The operating system and application software of the Whois hosts are updated periodically. Remote operation of the system must go through bastion servers. The monitoring system tracks host resource usage and service operation in real time and raises an alarm as soon as an abnormality is detected.
  
23.3.2.4 Application Security Policy

The application security policy mainly involves the following points:
  
(1) The Whois Web servers are used only to transform Whois Web requests into WhoisD query requests and pass them to the WhoisD servers through load balancers; the WhoisD servers then connect to the Whois database to complete the response to the query.

(2) For the searchable Whois service, abuse of Whois information is prevented by user access control and other preventive measures.

(3) Whois permits Internet users only to query; no modification is permitted.

23.3.2.5 Data Security Policy

The Whois database is created by replicating the SRS registration database, so no operation on the Whois database can affect the core ʺ.STRINGʺ registration data.

23.3.2.6 Audit Security Report

The monitoring system collects and analyzes Whois server logs and issues audit reports.

23.3.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

Strictly conforming to the Whois protocol in RFC 3912, the Whois system uses TCP on port 43 for communication between clients and Whois servers and, in strict accordance with the RFC 3912 protocol model, uses ASCII CR followed by ASCII LF as the message terminator.
  
(2) Analysis of Impact on Relevant Internet Servers and End Systems

By adopting a redundant backup architecture (refer to the answer to Question 26), the Whois service guarantees its stability and reliability so that the relevant SLR in Specification 10 of the Registry Agreement are fully satisfied.
  
The following restrictive measures are taken to further guarantee the availability and quality of the Whois service.
  
(a) The number of simultaneous online users of the Whois service is limited (configurable);

(b) If a user makes no query within a specified time limit (configurable), the connection is terminated automatically;

(c) To prevent one user from querying so frequently that responses to other users are delayed, the rate (configurable) at which a user may access Whois data is limited;

(d) The Whois database used for bulk access is created by replicating the SRS registration database, so bulk access does not affect the stability of the routine Whois service;

(e) The Whois database used for the searchable Whois service is likewise created by replicating the SRS registration database, so the searchable service does not affect the stability of the routine Whois service.
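As an added example that is not part of the registry's own Whois software, the block below puts together the RFC 3912 framing described in the compliance analysis (one query line and response lines, each terminated by CR LF, over TCP port 43) with the three availability limits (a) to (c) above: a cap on simultaneous online users, an idle timeout per connection, and a per-client query rate limit. The limit values, client addresses and the `DNSSEC: signedDelegation` sample field are constructed for the demo; the socket layer is left out so the logic can be exercised directly.

```python
# Added example (not the registry's Whois code): RFC 3912 request/response
# framing plus the three availability limits listed above.  Limits and client
# addresses are constructed for the demo.
from collections import deque

CRLF = b"\r\n"


def parse_whois_request(raw: bytes) -> str:
    """RFC 3912: the client sends a single query line terminated by CR LF.
    The page states the Whois service uses UTF-8, so the query is decoded as such."""
    if not raw.endswith(CRLF):
        raise ValueError("request not terminated by CRLF")
    query = raw[:-2]
    if b"\r" in query or b"\n" in query or b"\x00" in query:
        raise ValueError("control characters in query")
    return query.decode("utf-8")


def format_whois_response(fields) -> bytes:
    """Response is free text, one 'Key: value' line per field, each line ended
    by CR LF; the server closes the connection after sending it."""
    return b"".join(f"{k}: {v}".encode("utf-8") + CRLF for k, v in fields)


class WhoisLimiter:
    """(a) cap on simultaneous online users, (b) idle timeout per connection,
    (c) per-client query rate limit over a sliding window.  The clock is
    passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, max_online: int, idle_timeout_s: float,
                 max_queries: int, window_s: float):
        self.max_online = max_online
        self.idle_timeout_s = idle_timeout_s
        self.max_queries = max_queries
        self.window_s = window_s
        self.online = {}    # conn id -> [client_ip, last_activity]
        self.history = {}   # client_ip -> deque of recent query timestamps

    def _reap_idle(self, now):
        """Close every connection idle longer than the timeout; return their ids."""
        closed = [cid for cid, (_, last) in self.online.items()
                  if now - last > self.idle_timeout_s]
        for cid in closed:
            del self.online[cid]
        return set(closed)

    def connect(self, conn_id, client_ip, now) -> bool:
        self._reap_idle(now)
        if len(self.online) >= self.max_online:
            return False                       # (a) too many online users
        self.online[conn_id] = [client_ip, now]
        return True

    def query(self, conn_id, now) -> str:
        """Returns 'ok', 'idle-closed', 'rate-limited' or 'not-connected'."""
        if conn_id in self._reap_idle(now):
            return "idle-closed"               # (b) idle longer than allowed
        sess = self.online.get(conn_id)
        if sess is None:
            return "not-connected"
        recent = self.history.setdefault(sess[0], deque())
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                   # drop queries outside the window
        if len(recent) >= self.max_queries:
            return "rate-limited"              # (c) client querying too fast
        recent.append(now)
        sess[1] = now
        return "ok"
```

Keying the rate limit on the client address rather than the connection is what stops a client from evading measure (c) by opening a new connection for every query; measure (a) then bounds how many such connections can exist at once.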

23.4 Internationalized Domain Names (IDN)

23.4.1 Service Description

IDN service includes:
  
(1) Developing, releasing and maintaining Chinese IDN tables corresponding to ʺ.STRINGʺ.

(2) Formulating corresponding policies for registration of variants according to the characteristics of IDN variants.

(3) Extending relevant service systems of ʺ.STRINGʺ registry to support IDN.

(a) Shared Registration System (SRS)

The SRS implements an EPP registration extension for Chinese domain name variants, in accordance with RFC 3735, so that it supports bundle registration of variants.
  
(b) DNS service

   Following RFC 3743 and RFC 4713, the DNS service is capable of resolving domain names in traditional, simplified and variant Chinese forms.
  
(c) Whois Service

   The ʺ.STRINGʺ Whois service uses UTF-8 encoding and can display response information in both English and Chinese, including activated variant Chinese domain names.
  
(d) DNSSEC

   SRS implements DNSSEC extension of Chinese domain name variants based on EPP in accordance with RFC 3735 to support DS bulk registration of variants.
  
23.4.2 Security Analysis

To address phishing that exploits look-alike internationalized domain names, an IDN anti-phishing detection system provided by the Back-End Service Provider is adopted, through which phishing domain names related to ʺ.STRINGʺ can be detected and corresponding measures taken.
  
To address cybersquatting on ʺ.STRINGʺ variant domain names, the applicant has worked out policies for handling variant domain names in accordance with RFC 4713. When a registrant first registers its original ʺ.STRINGʺ domain name, the applicant gives it the fully simplified and fully traditional Chinese forms free of charge and reserves all the other variant domain names for the registrant. Registrants with special needs can activate all the variants to prevent cybersquatting by others.
  
23.4.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The Chinese IDN tables adopted by ʺ.STRINGʺ will be submitted to IANA in the standard format.
  
   The registry services related to ʺ.STRINGʺ fully satisfy the IDNA standards formulated by the IETF, such as RFC 3743, RFC 4713, RFC 5890, RFC 5891, RFC 5892, RFC 5893 and RFC 5894, and strictly follow ICANN's IDN guidelines.
  
(2) Analysis of Impact on Relevant Internet Servers and End Systems

(a) Shared Registration System (SRS)

   Variants of Chinese domain names may consume more SRS resources and thereby affect SRS stability. To avoid this, ʺ.STRINGʺ has extended EPP, in accordance with RFC 3735, to register traditional, simplified and variant Chinese domain names as a bundle, so that all domains in the same bundle share the same registration attributes. This reduces the impact of Chinese domain name variants on SRS stability.
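The two passages above, zone file generation from the SRS registration database (23.2.1) and bundle registration of variant labels, come together in the small zone builder below. It is an added example and not CNNIC's zone-generation code: each constructed registration record carries a bundle of U-labels (here a simplified and a traditional form) that share one set of NS and DS data, every label in the bundle is emitted with the identical delegation, and glue is only accepted for hosts under the TLD. The TLD, labels, name servers, DS digest and apex records are constructed values, and label conversion uses Python's built-in `idna` codec.

```python
# Added example (not CNNIC's zone-generation code): building the TLD zone file
# from constructed SRS registration records.  Every record carries a bundle of
# variant labels (simplified and traditional) that share one set of delegation
# data, as described above.  The TLD and registrations are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Registration:
    bundle: List[str]                                  # U-labels of all activated variants
    nameservers: List[str]                             # fully qualified, trailing dot
    ds: List[str] = field(default_factory=list)        # "keytag alg digest-type digest"
    glue: Dict[str, List[str]] = field(default_factory=dict)  # in-bailiwick host -> IPs


def to_alabel(ulabel: str) -> str:
    """U-label -> A-label (xn--...) using Python's built-in idna codec."""
    return ulabel.encode("idna").decode("ascii")


def delegation_records(reg: Registration, tld: str) -> List[str]:
    """Emit the identical NS/DS set for every label in the bundle, so that all
    variants resolve to the same delegation and carry the same DS records."""
    lines = []
    for ulabel in reg.bundle:
        owner = f"{to_alabel(ulabel)}.{tld}."
        lines += [f"{owner} IN NS {ns}" for ns in reg.nameservers]
        lines += [f"{owner} IN DS {rdata}" for rdata in reg.ds]
    for host, ips in reg.glue.items():
        # Glue belongs in the zone only for hosts under this TLD.
        if not host.endswith(f".{tld}."):
            raise ValueError(f"glue for out-of-bailiwick host {host}")
        for ip in ips:
            rtype = "AAAA" if ":" in ip else "A"
            lines.append(f"{host} IN {rtype} {ip}")
    return lines


def build_zone(tld_ulabel: str, serial: int, registrations: List[Registration],
               ttl: int = 3600) -> str:
    """Assemble the unsigned zone text; signing happens afterwards (see 23.5)."""
    tld = to_alabel(tld_ulabel)
    lines = [
        f"$ORIGIN {tld}.",
        f"$TTL {ttl}",
        # Apex SOA/NS names and the apex glue address are constructed for the demo.
        f"{tld}. IN SOA a.nic.{tld}. hostmaster.nic.{tld}. {serial} 7200 3600 1209600 3600",
        f"{tld}. IN NS a.nic.{tld}.",
        f"a.nic.{tld}. IN A 192.0.2.1",
    ]
    for reg in registrations:
        lines += delegation_records(reg, tld)
    return "\n".join(lines) + "\n"
```

Because the SRS keeps one record per bundle, the zone builder never has to reconcile attributes between variants; that is the property the paragraph above relies on to keep variant handling from growing the SRS load.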
  
(b) DNS service

   In designing the capacity and performance of the DNS service system, full consideration was given to the expansion of zone files of ʺ.STRINGʺ TLD due to the existence of variant Chinese domain names. Servers with sufficient memory are used to avoid the impact of such expansion on the stability of DNS service.
  
(c) Whois Service

   Whois data is kept consistent with SRS registration data, so IDN will not affect the stability of Whois service.
  
(d) DNSSEC

   In designing the deployment of DNSSEC, full consideration was given to the expansion of the ʺ.STRINGʺ TLD zone file due to the existence of variant Chinese domain names. DNSSEC zone files are signed with a Hardware Security Module (HSM) to avoid any impact of such expansion on the stability of DNSSEC.
  
23.5 Domain Name System Security Extensions (DNSSEC)

23.5.1 Service Description

The main purpose of the DNSSEC service is to provide origin verification for the DNS data obtained by recursive servers, so that the data is confirmed to come from the right authoritative servers and has not been altered in transit.
  
DNSSEC includes the following:
  
(1) Shared Registration System (SRS)

(a) In accordance with RFC 5910, the SRS extension supports DNSSEC registration.

(b) SRS implements DNSSEC extension of Chinese domain name variants based on EPP in accordance with RFC 3735 to support DS bulk registration of variants.

(2) DNS service

(a) Management of key generation and update of ʺ.STRINGʺ TLD.

(b) Signing zone files of ʺ.STRINGʺ TLD.

(c) Generating and submitting DS records of the top level domains and the second level domains of ʺ.STRINGʺ.

(3) Whois Service

   In compliance with Specification 4 of the Registry Agreement, the query results of Whois service contain information about whether zone files have been duly signed through DNSSEC.
  
(4) Policies

Formulating, releasing and maintaining DNSSEC Practice Statements (DPS) for implementing DNSSEC of ʺ.STRINGʺ TLD.

23.5.2 Security Analysis

The following security mechanisms are adopted for DNSSEC implementation to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related to ʺ.STRINGʺ.
  
23.5.2.1 Physical security policy

The HSM used for KSK signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent the interference of electro-magnetic signals from the outside. Furthermore, both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.
  
23.5.2.2 Network Security Policy

The HSM is deployed in a dedicated subnet, and only specific servers can reach it, so that it cannot be accessed by Internet users.
  
23.5.2.3 System Security Policy

A monitoring system monitors the operating status of the monitored devices in real time. When equipment is decommissioned or disposed of, a degausser is used to erase all information so that no sensitive information is leaked.
  
23.5.2.4 Application Security Policy

As one of the important measures for overcoming the security weaknesses of the DNS, DNSSEC uses public-key cryptography to attach digital signatures to each RRset in the zone file, raising the security level of the DNS.
  
The security of DNSSEC depends on proper key management. The keys of the ʺ.STRINGʺ TLD are divided into a KSK and a ZSK. The KSK is used only to sign the ZSK, and all signing operations are completed inside the HSM. The ZSK is used to sign the zone file, and ZSK rollovers are completed within the ZSK's security lifetime.
  
NSEC3 is used so that the ʺ.STRINGʺ TLD zone cannot be enumerated by walking the zone.
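To make concrete why NSEC3 prevents walking the zone, the block below is an added example (not the registry's signer) of the RFC 5155 hashed owner-name computation: each name is hashed in canonical wire format with a salt and a number of extra iterations, and the NSEC3 chain links the hashes in sorted order, so an authenticated denial of existence reveals neighbouring hashes rather than neighbouring names. The salt and iteration count are the values from RFC 5155 Appendix A, used here as constructed input; the names in the usage are sample names, not ʺ.STRINGʺ data.

```python
# Added example (not the registry's signing code): RFC 5155 NSEC3 hashed
# owner-name computation and chain construction.  Salt and iteration count are
# the RFC 5155 Appendix A values; the names below are sample input.
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire format: length-prefixed labels, root = 0x00."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")            # A-labels only, as in the zone file
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), unpadded.
    A 20-byte SHA-1 digest is exactly 32 characters, so no padding arises."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); hash algorithm 1 is SHA-1."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, salt: bytes, iterations: int):
    """Sorted hashed owners; each NSEC3 record names the next hash, and the
    last one wraps to the first.  Only hashes appear, never the names."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")   # RFC 5155 Appendix A salt
    for prev, nxt in nsec3_chain(["example", "ns1.example", "a.example"], salt, 12):
        print(f"{prev}.example. NSEC3 1 1 12 aabbccdd {nxt}")
```

The cost of the extra iterations falls on the signer and on resolvers validating denials alike, which is why the practice statements for a TLD fix the iteration count and salt policy rather than leaving them to the operator of the day.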
  
23.5.2.5 Data Security Policy

All key pairs (ZSK and KSK) are generated in, and kept directly in, the HSM. Private keys can never be accessed or read in plaintext; they may be stored and backed up on external storage media only in encrypted form.
  
23.5.2.6 Audit Security Report

The monitoring system collects the resolution system files and the HSM log files, analyzes and audits them, and presents an audit report.
  
23.5.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

   The design and deployment of DNSSEC of ʺ.STRINGʺ meet all relevant RFC standards including RFC 4034, RFC 4035, RFC 5901, RFC 4641, RFC 5074 and RFC 5155, and follow the best practices described in RFC 4641 and its successors.
  
(2) Analysis of Impact on Relevant Internet Servers and End Systems

(a) Shared Registration System (SRS)

   As far as SRS service is concerned, the implementation of DNSSEC only requires that SRS support the registration of DS records; therefore, the stability of SRS will not be affected.
  
(b) DNS service

   In deploying the DNS service system of ʺ.STRINGʺ, full consideration has been given to the increase of load brought about by DNSSEC. By testing and analyzing the performance of DNSSEC, the hardware configuration of DNS servers has been improved and the network bandwidth has been increased (refer to the answer to Question 35), to ensure that the deployment of DNSSEC will not have any impact on DNS service of ʺ.STRINGʺ.
  
(c) Whois Service

   So far as Whois is concerned, the implementation of DNSSEC only requires that the query results of Whois service contain information about whether zone files have been duly signed through DNSSEC. So, the implementation of DNSSEC will not have any impact on the performance of Whois service.
gTLD: .佛山
Full Legal Name: Guangzhou YU Wei Information Technology Co., Ltd.
E-mail suffix: zodiac-corp.com
23. Registry Services

The registry services complying with the requirements of ICANN, which are provided by the Back-End Service Provider for ʺ.STRINGʺ TLD mainly include Shared Registration System (SRS), Domain Name Service (DNS), Whois, Internationalized Domain Name (IDN) and DNS Security Extensions (DNSSEC). With full consideration having been given to specific problems related to security and stability, all the above services are customary registry services which meet corresponding Request for Comments (RFC) standards, so there will be no security and stability problems.

The applicant selects the Back-End Service Provider to be the provider of technology and operation services for ʺ.STRINGʺ registry. Through the self-deployed ʺBack-End Registry Service Platformʺ, the Back-End Service Provider provides the entrusted services for ʺ.STRINGʺ TLD. ʺBack-End Registry Service Platformʺ is deployed and operated by CNNIC to support services for all new gTLD registries who have the entrusted requirements such as ʺ.STRINGʺ. The platform is designed to support at least 2 million domain names. ʺBack-End Registry Service Platformʺ that is deployed, maintained and operated by the technicians from the Back-End Service Provider, provides registry with all information systems required for five critical functions (including resources such as IDC, software, hardware and bandwidth etc.).

The technology platform concerning ʺ.STRINGʺ registry services is consigned by the applicant to a third party—the Back-End Service Provider which will provide the platform and be in charge of its regular technical operation and maintenance management; the applicant will designate specialists to carry out technical coordination, supervise the work of the Back-End Service Provider, manage the keys concerning the above service, and authorize CNNIC to be responsible for the key administration and use of keys associated with the above services.

The Back-End Service Provider has set up information security management system (ISMS) for ccTLD and Chinese domain names in compliant with ISO27001. ISMS is viewed to be suitable for the information security management work for ʺ.STRINGʺ to provide sound security strategies and security guarantees for ʺ.STRINGʺ registry services in the aspects of physical equipment, network, system, application, data and audit. Please refer to the answer to Question 30 for more information.
  
23.1 SRS

23.1.1 Service Description

SRS performs the following functions:
  
(1) Receiving Registration Data Related to Domain Names and Name Servers from the Registrar
  
To support the registry-registrar separation mode adopted by ʺ.STRINGʺ; and to receive relevant registration data submitted to the applicant by registrars by providing registrars with data interfaces that meet the requirements of RFC 5730, RFC 5731, RFC 5732, RFC 5733 and RFC 5734.
  
(2) Management Functions Related to Registration Data:
  
To be specific, these functions include management of sessions, asynchronous messages, contacts, hosts, domain names, reserved name lists, registrars and status of the registry; performing automate⁄timed tasks; generating operation logs; performing financial operations, registration verifications; as well as bulk registration data access.
  
(3) Providing Interactive Interfaces for Other Related Services

(a) Providing with interfaces for DNS service to read registration data to enable it to generate the ʺ.STRINGʺ zone file.

(b) Providing with interfaces for Whois service to read registration data to enable it to respond to queries about registration information of ʺ.STRINGʺ.

(c) Providing with interfaces for the data escrow system to read registration data to enable it to process registration data into deposit files on a regular basis and submit them to the escrow agent.

(d) Providing with interfaces for the monitoring system to enable it to monitor the SRS in a real-time manner.
  
(e) Providing with the function of access to bulk data for ICANN in accordance with Specification 4 of the Registry Agreement.

(f) Connecting SRS to the Trade Mark Clearing House to search information of trade mark owners and decide whether to approve the registration application for a specific domain name based on the search result.

(g) Analyzing SRS log through monitoring system to provide data report function to generate monthly report required by ICANN.

23.1.2 Security Analysis

SRS adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related to ʺ.STRINGʺ.
  
23.1.2.1 Physical Security Policy

7*24 operation and maintenance team monitors SRS in a real-time manner through the monitoring system. Host machine is placed in the lightening-proof, fire proof anti-theft and anti-static machine room with the video monitoring system. Fingerprint identification and access card reading devices are adopted to control the visit.
  
23.1.2.2 Network Security Policy

SRS adopts redundant system design. Each server adopts the Intranet IP address defined in RFC 1918, which is deployed in the service network. SRS registration database adopts Intranet IP addresses to prevent Internet users from accessing these servers.
  
23.1.2.3 System Security Policy

The SRS hosts periodically update the operating system and application software. Remote operation on the system must be performed through bastion servers. The monitoring system monitors host resource usage and service operation in real time and raises an alarm as soon as an abnormality is detected.
  
23.1.2.4 Application Security Policy
  
Application Security Strategy involves the following aspects:

(1) The login password of each registrar in the SRS is limited to 6-32 characters and is stored in encrypted form.

(2) The SRS connection between registrar and registry uses SSL encryption. Each registrar is further required to use a different key.

(3) The SRS restricts the login IP addresses of registrars; only authorized IP addresses can connect. The validity of each registrar's certificate is verified.

(4) The connection is closed automatically by the SRS if there is no operation within a specified period after the registrar has logged in successfully.

(5) The bulk registration data access function is open to ICANN, with whom the security mechanism is agreed; measures such as IP restriction and secure data transmission are adopted.

23.1.2.5 Data Security Policy

(1) SRS-related registration data is stored in the registration database, read and write access to which is strictly restricted. The DNS service, Whois service and data escrow system have only read access to the SRS registration database.

(2) The SRS registration database is backed up to the local tape library. Data is also backed up to the local and remote secondary operation centers.

23.1.2.6 Auditing Security Policy

All SRS operation records are logged and then analyzed and audited by the monitoring system.

23.1.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The implementation of SRS strictly complies with RFC 5730, RFC 5731, RFC 5732, RFC 5733, RFC 5734 and RFC 5910. In addition, the registration life cycle supported by SRS is in line with RFC 3915.
  
Considering the characteristics of IDN and the nature of ʺ.STRINGʺ's business, the applicant and the Back-End Service Provider made the following two extensions to EPP, following the guidance of RFC 3735.
  
(a) In full compliance with RFC 3735, an extension of RFC 5731 was made: the associated draft was submitted to extend the domain mapping for variants of Chinese domain names, in support of bundle registration of variants.

(b) In full compliance with RFC 3735, an extension of RFC 5910 was made: the associated draft was submitted to extend the DNSSEC mapping in support of DS bulk registration for variants of Chinese domain names.
  

(2) Analysis of the Impact of SRS on Related Internet Servers or End Systems

(a) Impact on the Other Systems of ʺ.STRINGʺ Registry Services

   By adopting a redundant backup architecture (refer to the answer to Question 24), the SRS guarantees its stability and reliability, so that the DNS service, Whois service, monitoring system, bulk registration data access and data escrow system can access the SRS registration database as required.
  
(b) Impact on the Registrar’s Registration System of ʺ.STRINGʺ

   The SRS service fully satisfies the SLR prescribed in Specification 10 of the Registry Agreement, ensuring that registrars of ʺ.STRINGʺ can submit registration data normally.
  
23.2 DNS Service

23.2.1 Service Description

DNS service mainly includes management of DNS zone files and resolution of DNS.
  
(1) DNS Zone File Management Performs the Following Functions:

(a) Generation of TLD zone files of ʺ.STRINGʺ

   The authoritative master DNS servers obtain the original resource records from the SRS registration database to generate the original zone files, which are provided to the DNS service after being signed with DNSSEC.
  
(b) Update of TLD zone files of ʺ.STRINGʺ

   The zone files are propagated level by level from the authoritative master DNS servers to the name servers at each level, so that these name servers obtain the latest TLD zone files of ʺ.STRINGʺ within the time limit specified in the SLA.
  
(c) Access to TLD zone files of ʺ.STRINGʺ

   Access by authorized third-party organizations or Internet users to TLD zone files of ʺ.STRINGʺ is made available.
  
(2) DNS Resolution Performs the Following Functions:

To provide resolution service for ʺ.STRINGʺ domain names, a TLD resolution service platform is established whose name servers are distributed across multiple geographic locations and which supports IPv6 and DNSSEC, using both Anycast and Unicast.
  
23.2.2 Security Analysis

DNS adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of resolution data related to ʺ.STRINGʺ.
  
23.2.2.1 Physical Security Policy

A 7*24 operation and maintenance team monitors the SRS in real time through the monitoring system. The host machines are placed in a lightning-proof, fire-proof, anti-theft and anti-static machine room equipped with a video monitoring system. Fingerprint identification and access card readers are used to control physical access.
  
23.2.2.2 Network Security Policy

DNS is deployed in a service subnet. A specialized DoS/DDoS defense appliance, together with an intrusion detection system (IDS), is used to detect intrusions. When a suspicious attack is detected, the responsible security specialists are notified to handle it. An ACL is configured on the egress router to control access to the DNS name servers: only the DNS service ports and the relevant management ports are open; all other service ports are closed.
  
23.2.2.3 System Security Policy

The DNS hosts periodically update the operating system and application software. Remote operation on the system must be performed through bastion servers. The monitoring system monitors host resource usage and service operation in real time and raises an alarm as soon as an abnormality is detected.
  
23.2.2.4 Application Security Policy

Application Security Strategy involves the following aspects:
  
(1) DNS primary masters are set up that are not connected to the Internet and do not provide resolution service, to ensure the security of the original zone files of ʺ.STRINGʺ.

(2) The update of zone files between different levels of name servers is carried out over IPsec-encrypted communication, to ensure secure transmission of the TLD zone files of ʺ.STRINGʺ.

(3) A monitoring system is established to ensure the integrity and consistency of data during zone file generation and transmission.

(4) Internet users who attempt to access the TLD zone files of ʺ.STRINGʺ are authenticated; access is rejected for users who fail authentication or violate the terms and conditions on data use (refer to 2.1.5 of Specification 4 of the Registry Agreement).

23.2.2.5 Data Security Policy

Zone files are backed up periodically and the integrity of each updated zone file is checked by technical means. Data is backed up periodically to the local tape library as well as to the local and remote secondary data centers.

23.2.2.6 Audit Security Report

The monitoring system collects and analyzes DNS server logs and provides auditing reports.

23.2.3 Stability Analysis

(1) Analysis of compliance with relevant standards

DNS uses stable versions of BIND and NSD, two mainstream DNS software packages, and relevant security patches are applied promptly.
  
   The design and deployment of DNS meet relevant RFC provisions (including RFC 1034, RFC 1035, RFC 1982, RFC 2181, RFC 2182, RFC 2671, RFC 3226, RFC 3596, RFC 3597, RFC 3901, RFC 4343, RFC 4472 and RFC 5966) and the technical requirements of IANA.
  
(2) Analysis of the impact of DNS on related Internet servers or end systems. The stability and reliability of the DNS service are guaranteed through a redundant backup architecture design (refer to the answer to Question 35), so that the relevant SLR in Specification 10 of the Registry Agreement is fully satisfied and Internet users are able to resolve ʺ.STRINGʺ domain names normally.

23.3 Whois Service

23.3.1 Service Description

Whois service performs the following functions:

(1) Providing Services in Response to Queries about Domain Registration Information

   The Whois service responds to queries about the information of registrars, hosts and domain names. Through the Whois system (WhoisD and Whois Web), Internet users can find out whether a domain name has been registered and view its detailed information.
  
(2) Providing an Authorized Third Party with the Function of Bulk Access

Whois service provides authorized third parties with the function of bulk access, allowing bulk access to Whois data in a specific period of time.
  
(3) Providing Searchable Whois Service

Using a domain name, contact and registrant names, postal address, registrar ID, name server name and name server IP address as keywords, an authorized Internet user can search on any combination of these keywords using the AND/OR/NOT Boolean operators.
  
23.3.2 Security Analysis

Whois service adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related to ʺ.STRINGʺ.
  
23.3.2.1 Physical Security Policy

A 7*24 operation and maintenance team monitors the SRS in real time through the monitoring system. The host machines are placed in a lightning-proof, fire-proof, anti-theft and anti-static machine room equipped with a video monitoring system. Fingerprint identification and access card readers are used to control physical access.
  
23.3.2.2 Network Security Policy

The Whois system is deployed in the service subnet. The WhoisD system is accessible via port 43, while Whois Web is accessible via port 80.
  
23.3.2.3 System Security Policy

The Whois hosts periodically update the operating system and application software. Remote operation on the system must be performed through bastion servers. The monitoring system monitors host resource usage and service operation in real time and raises an alarm as soon as an abnormality is detected.
  
23.3.2.4 Application Security Policy

Application Security Policy mainly involves the following points:
  
(1) Whois Web servers are only used to transform Whois Web requests into WhoisD query requests and forward them to the WhoisD servers through load balancers. The WhoisD servers then connect to the Whois database to complete the response to the query.

(2) For the searchable Whois service, abuse of Whois information is prevented by user access control and other preventive measures.

(3) Whois permits only queries from Internet users; no alteration is permitted.

23.3.2.5 Data Security Policy

Whois database is created by replicating SRS registration database, and therefore, no operation of the Whois database will affect the core registration data of ʺ.STRINGʺ.

23.3.2.6 Audit Security Report

The monitoring system collects and analyzes DNS server logs and issues auditing reports.

23.3.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

Strictly conforming to the Whois protocol in RFC 3912, the Whois system uses TCP on port 43 for communication between the client and the Whois servers and, in strict accordance with the RFC 3912 protocol model, uses ASCII CR followed by ASCII LF as the message terminator.
  
(2) Analysis of Impact on Relevant Internet Servers and End Systems

By adopting a redundant backup architecture design (refer to the answer to Question 26), Whois guarantees its stability and reliability so that relevant SLR in Specification 10 of the Registry Agreement is fully satisfied.
  
The following restrictive measures are taken to further guarantee the availability and quality of Whois service.
  
(a) The number of online users of the Whois service is restricted (configurable);

(b) If a user does not make any query within a specified time limit (configurable), the connection is terminated automatically;

(c) To prevent a user from making queries so frequently that responses to other users' queries are delayed, the frequency (configurable) with which a user may access Whois data is restricted;

(d) The Whois database for Whois bulk access is created by replicating the SRS registration database, so Whois bulk access does not affect the stability of the routine Whois service;

(e) The Whois database for the searchable Whois service is created by replicating the SRS registration database, so the searchable Whois service does not affect the stability of the routine Whois service.
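The RFC 3912 request framing described in 23.3.3 (1) and the restrictive measures (a) to (c) above, combined in one added Python example that is not part of this application and not the Back-End Service Provider's software; the limit values are constructed stand-ins for the configurable settings the text mentions, and requests are fed in as byte strings rather than read from port 43.

```python
import time
from collections import defaultdict, deque

# Constructed limits standing in for the "configurable" values in the text.
MAX_QUERY_BYTES = 256       # upper bound on one RFC 3912 request line
MAX_ONLINE_USERS = 2        # measure (a): concurrent connections allowed
IDLE_TIMEOUT = 30.0         # measure (b): seconds without a query
MAX_QUERIES_PER_WINDOW = 3  # measure (c): queries per client per window
WINDOW_SECONDS = 60.0


def parse_whois_request(raw: bytes) -> str:
    """Return the query text of one RFC 3912 request.

    RFC 3912 frames a request as ASCII text terminated by CR LF. Anything
    not CRLF-terminated, non-ASCII, empty, or over MAX_QUERY_BYTES is rejected.
    """
    if not raw.endswith(b"\r\n"):
        raise ValueError("request must be terminated by CR LF")
    if len(raw) > MAX_QUERY_BYTES:
        raise ValueError("request too long")
    body = raw[:-2]
    if b"\r" in body or b"\n" in body:
        raise ValueError("embedded CR or LF in request")
    try:
        query = body.decode("ascii").strip()
    except UnicodeDecodeError as exc:
        raise ValueError("request is not ASCII") from exc
    if not query:
        raise ValueError("empty request")
    return query


class WhoisGate:
    """Admission control for a WhoisD front end (measures (a) to (c))."""

    def __init__(self, now=time.monotonic):
        self.now = now                     # injectable clock for testing
        self.sessions = {}                 # conn_id -> (client_ip, last activity)
        self.history = defaultdict(deque)  # client_ip -> recent query timestamps

    def connect(self, conn_id: str, client_ip: str) -> bool:
        """Measure (a): refuse new connections beyond MAX_ONLINE_USERS."""
        if len(self.sessions) >= MAX_ONLINE_USERS:
            return False
        self.sessions[conn_id] = (client_ip, self.now())
        return True

    def query(self, conn_id: str, raw: bytes) -> str:
        """Return the parsed query text, or a one-word verdict for a refusal."""
        if conn_id not in self.sessions:
            return "NOT_CONNECTED"
        client_ip, last_seen = self.sessions[conn_id]
        t = self.now()
        if t - last_seen > IDLE_TIMEOUT:           # measure (b)
            del self.sessions[conn_id]
            return "IDLE_TIMEOUT"
        self.sessions[conn_id] = (client_ip, t)    # any traffic counts as activity
        window = self.history[client_ip]
        while window and t - window[0] > WINDOW_SECONDS:
            window.popleft()                       # drop timestamps outside the window
        if len(window) >= MAX_QUERIES_PER_WINDOW:  # measure (c)
            return "RATE_LIMITED"
        try:
            query = parse_whois_request(raw)
        except ValueError:
            return "MALFORMED"
        window.append(t)
        return query
```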

23.4 Internationalized Domain Names (IDN)

23.4.1 Service Description

IDN service includes:
  
(1) Developing, releasing and maintaining Chinese IDN tables corresponding to ʺ.STRINGʺ.

(2) Formulating corresponding policies for registration of variants according to the characteristics of IDN variants.

(3) Extending relevant service systems of ʺ.STRINGʺ registry to support IDN.

(a) Shared Registration System (SRS)

SRS implements the registration extension of Chinese domain name variants based on EPP in accordance with RFC 3735 so that it supports the bundle registration of variants.
  
(b) DNS service

   Following RFC 3743 and RFC 4713, the DNS service is capable of resolving domain names in the form of traditional, simplified and variant Chinese.
  
(c) Whois Service

   Whois service of ʺ.STRINGʺ adopts the UTF-8 encoding format and supports both English and Chinese display of response information as well as display of activated variant Chinese domain names.
  
(d) DNSSEC

   SRS implements DNSSEC extension of Chinese domain name variants based on EPP in accordance with RFC 3735 to support DS bulk registration of variants.
  
23.4.2 Security Analysis

To address the problem of phishing due to similarity of internationalized domain names, an IDN anti-phishing detection system provided by the Back-End Service Provider is adopted, through which phishing domain names related to ʺ.STRINGʺ can be detected and then corresponding measures can be taken.
  
To address the problem of cybersquatting related to ʺ.STRINGʺ variant domain names, the applicant, in accordance with RFC 4713, has worked out policies for handling variant domain names. When a registrant registers its original ʺ.STRINGʺ domain name for the first time, the applicant gives it the fully simplified and fully traditional Chinese domain names free of charge and reserves all the remaining variant domain names for the registrant. Registrants with special needs can activate all the variants to prevent cybersquatting by others.
  
23.4.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The Chinese IDN tables adopted by ʺ.STRINGʺ will be submitted to IANA in a standard format.
  
   The registry services related to ʺ.STRINGʺ fully satisfy IDNA standards formulated by IETF, such as RFC 3743, RFC 4713, RFC 5890, RFC 5891, RFC 5892, RFC 5893 and RFC 5894, and are in strict accordance with IDN guidelines by ICANN.
  
(2) Analysis of Impact on Relevant Internet Servers and End Systems

(a) Shared Registration System (SRS)

   The problem of variants of Chinese domain names may lead to occupation of more SRS resources, thus affecting the stability of SRS. To avoid such problems, ʺ.STRINGʺ extended the registration of traditional, simplified and variant Chinese domain names based on EPP in accordance with RFC 3735, to support bundle registration of variant Chinese domain names and to enable the domains in the same bundle to have the same registration attributes. As a result, the impact of the problem of variant Chinese domain names on the stability of SRS is reduced.
  
(b) DNS service

   In designing the capacity and performance of the DNS service system, full consideration was given to the expansion of zone files of ʺ.STRINGʺ TLD due to the existence of variant Chinese domain names. Servers with sufficient memory are used to avoid the impact of such expansion on the stability of DNS service.
  
(c) Whois Service

   Whois data is kept consistent with SRS registration data, so IDN will not affect the stability of Whois service.
  
(d) DNSSEC

   In designing the deployment of DNSSEC, full consideration was given to the expansion of zone files of ʺ.STRINGʺ TLD due to the existence of variant Chinese domain names. DNSSEC zone files are signed through Hardware Security Module (HSM) to avoid the impact of such expansion on the stability of DNSSEC.
  
23.5 Domain Name System Security Extensions (DNSSEC)

23.5.1 Service Description

The main purpose of DNSSEC service is to provide source verification for DNS data obtained by recursive servers so as to ensure that data are from the right authoritative servers and that no alteration is made to the data.
  
DNSSEC includes the following:
  
(1) Shared Registration System (SRS)

(a) According to RFC 5910, the SRS extension supports DNSSEC registration.

(b) SRS implements DNSSEC extension of Chinese domain name variants based on EPP in accordance with RFC 3735 to support DS bulk registration of variants.

(2) DNS service

(a) Management of key generation and update of ʺ.STRINGʺ TLD.

(b) Signing zone files of ʺ.STRINGʺ TLD.

(c) Generating and submitting DS records of the top level domains and the second level domains of ʺ.STRINGʺ.

(3) Whois Service

   In compliance with Specification 4 of the Registry Agreement, the query results of Whois service contain information about whether zone files have been duly signed through DNSSEC.
  
(4) Policies

Formulating, releasing and maintaining DNSSEC Practice Statements (DPS) for implementing DNSSEC of ʺ.STRINGʺ TLD.

23.5.2 Security Analysis

The following security mechanisms are adopted for DNSSEC implementation to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related to ʺ.STRINGʺ.
  
23.5.2.1 Physical security policy

The HSM used for KSK signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent the interference of electro-magnetic signals from the outside. Furthermore, both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.
  
23.5.2.2 Network Security Policy

The HSM is deployed in a dedicated subnet. Only specific servers can access it, so that Internet users cannot reach these servers.
  
23.5.2.3 System Security Policy

The monitoring system monitors the operating status of the monitored devices in real time. When equipment is decommissioned or disposed of, a degausser is used to erase all information so that no sensitive information is leaked.
  
23.5.2.4 Application Security Policy

As one of the important measures for overcoming the security defects in the DNS system, DNSSEC uses public-key cryptography to add digital signatures to each RRset in zone files to further improve the security level of the DNS.
  
The security of DNSSEC depends on proper management of the keys. The keys of the ʺ.STRINGʺ TLD are divided into a KSK and a ZSK. The KSK is used only to sign the ZSK. All signing operations are completed in the HSM. The ZSK is used to sign zone files, and key rollovers must be finished within the ZSK's security life cycle.
  
NSEC3 is adopted in DNSSEC to prevent walking (enumeration) of the zone files of the ʺ.STRINGʺ TLD.
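How NSEC3 hides the zone contents that plain NSEC would expose, as an added Python example that is not part of this application or the Back-End Service Provider's software: it computes RFC 5155 hashed owner names and shows how a validator locates the interval that denies the existence of a name without learning any other owner name. The salt and iteration count are the test values from RFC 5155 Appendix A; the zone names are constructed.

```python
import base64
import hashlib

# RFC 5155 writes hashed owner names in base32hex (RFC 4648), not standard base32.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lower-case) uncompressed wire format."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")  # IDN labels are expected as A-labels
            if not 1 <= len(raw) <= 63:
                raise ValueError("invalid label length")
            out.append(len(raw))
            out += raw
    out.append(0)  # terminating root label
    return bytes(out)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5 with SHA-1: IH(salt,x,0) = H(x||salt),
    IH(salt,x,k) = H(IH(salt,x,k-1)||salt); result in lower-case base32hex."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32 characters, no padding
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


def nsec3_chain(names, salt: bytes, iterations: int):
    """Hashed owner names in chain order: NSEC3 records are sorted by hash,
    so the chain reveals nothing about the original names' order."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def covering_interval(chain, name: str, salt: bytes, iterations: int):
    """Return the (owner, next) pair proving `name` does not exist, or None
    if its hash is itself an owner in the chain (the name exists)."""
    h = nsec3_hash(name, salt, iterations)
    if h in chain:
        return None
    if len(chain) == 1:
        return chain[0], chain[0]  # single record covers the whole hash space
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]  # last record wraps around to the first
        if owner < h < nxt or (owner > nxt and (h > owner or h < nxt)):
            return owner, nxt
    return None
```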
  
23.5.2.5 Data Security Policy

All key pairs (ZSK and KSK) are generated and stored directly in the HSM. The private keys may not be accessed or read in plaintext in any form, but may be stored and backed up in encrypted form on external storage media.
  
23.5.2.6 Audit Security Report

The monitoring system collects the resolution system files and the HSM log files, and presents an auditing report after analyzing and auditing them.
  
23.5.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

   The design and deployment of DNSSEC of ʺ.STRINGʺ meet all relevant RFC standards including RFC 4034, RFC 4035, RFC 5901, RFC 4641, RFC 5074 and RFC 5155, and follow the best practices described in RFC 4641 and its successors.
  
(2) Analysis of Impact on Relevant Internet Servers and End Systems

(a) Shared Registration System (SRS)

   As far as SRS service is concerned, the implementation of DNSSEC only requires that SRS support the registration of DS records; therefore, the stability of SRS will not be affected.
  
(b) DNS service

   In deploying the DNS service system of ʺ.STRINGʺ, full consideration has been given to the increase of load brought about by DNSSEC. By testing and analyzing the performance of DNSSEC, the hardware configuration of DNS servers has been improved and the network bandwidth has been increased (refer to the answer to Question 35), to ensure that the deployment of DNSSEC will not have any impact on DNS service of ʺ.STRINGʺ.
  
(c) Whois Service

   So far as Whois is concerned, the implementation of DNSSEC only requires that the query results of Whois service contain information about whether zone files have been duly signed through DNSSEC. So, the implementation of DNSSEC will not have any impact on the performance of Whois service.