23 Provide name and full description of all the Registry Services to be provided

Prototypical answer:

The British Broadcasting Corporation (BBC) plans to create and operate a new dot BBC Top Level Domain. This will be a standard but closed domain registry, with additions, changes and deletions being made solely by the BBC itself. The registry will operate initially through a single independent registrar who will interface with Nominet, the registry services provider, through their standard registry services outlined below.

Nominet, the registry services provider, will administer a comprehensive list of registry services all of which are developed, managed and maintained in house. The services Nominet will provide are:

- Operation of authoritative nameservers for dot BBC
- Dynamic updates to zone files
- Extensible Provisioning Protocol (EPP)
- Dissemination of zone files
- Whois service (port 43 and web based)
- Searchable Whois
- Domain Name System Security Extensions (DNSSEC)
- Billing
- Customer support
- Abuse prevention

All registry services will be supported and reachable over both Internet Protocol (IP) Version 4 (IPv4) and IP Version 6 (IPv6).

It should be noted that Internationalised Domain Names (IDNs) are not being implemented for dot BBC.


DNS operations

Nominet will operate authoritative nameservers for dot BBC. The DNS constellation consists of a ʹhiddenʹ master nameserver, DNSSEC signer, one primary Unicast DNS node, six slave Unicast DNS nodes and four primary Anycast nodes.


Dynamic updates to zone files

All changes to nameservers for domain names result in an update to the dot BBC zone file. All zone file changes are applied dynamically for the most rapid publishing to DNS. Propagation of updates through the nameserver network will be done using incremental zone transfer (IXFR).


EPP

An EPP system, compliant with Request for Comments (RFC) 5730 will be provided for the BBCʹs chosen registrar(s) to register and administer domain names, contacts and nameservers. The EPP server is provided over TCP and is compliant with RFC 5734. EPP connectivity is protected using the Secure Sockets Layer (SSL) protocol.

Registrars may register new domain names in dot BBC using the object definitions given in RFC 5731. Once a domain name is registered, the registrar of record will be able to update, renew, delete and query that domain name, using the respective operations as defined in RFC 5731. All registrars may issue domain check or domain transfer operations using the EPP system. If a domain transfer operation is requested, the correct authInfo value must be provided by the new registrar. The registrar of record is notified and has five days to prevent the transfer from occurring.

Registrars may also issue requests to create new contact and host objects, in compliance with RFC 5733 and 5732 respectively. Only the registrar of record may then issue requests to update, delete and query contact and host objects in line with those RFCs. A delete operation will only be successful if there are no domain names linked to the object. Host update operations will be successful only if all the domain names linked to the host are sponsored by that registrar.

All ICANN accredited registrars that have signed a dot BBC registrar agreement will be eligible to use the EPP system. The identity of registrars will be verified with SSL certificates - if a valid SSL certificate is not used, the server will close the connection and no operations will be possible.

Registrars may only transform or query domain names if they are the registrar of record. The exception is for transfer operations, which may be requested by all registrars if they have access to the authInfo field for the domain name. The registrar of record may prevent transfer operations from completing.

Nominetʹs EPP server is fully standards compliant and all operations described by RFC 5730, RFC 5731, RFC 5732 and RFC 5733 will be accepted by the server. All inputs to the server are checked for validity and action is taken if an input will adversely affect the service provision. All data fields are sanitised to prevent Structured Query Language (SQL) Injection attacks. Bind variables are always used for database query statements. If a connection is open but unused for more than a given time, it is closed. If a registrar opens more than a given number of connections then the oldest connection is closed.

Nominetʹs EPP service is hosted at a primary data centre and fully replicated at a secondary data centre to ensure stability. Failover procedures are well practiced and comply with BS 25999.

The dot UK service Nominet currently provides accepts RFC compliant commands and meets all of the SLAs within Specification 10 comfortably. In December 2011 Nominet handled an average daily load of more than 1.3 million EPP operations with a read-write ratio of 12 to 1. EPP availability has averaged at 99.9% over the 12 months to December 2011.


Dissemination of zone file data

Nominet will provide daily zone files to ICANNʹs Zone File Dissemination Partner using the format specified in RFC 1034 section 3.6.1 and RFC 1035 section 5. Transportation will be via a method agreed with them.


Zone server status updates

Nominet will update registrars on changes to zone server status using a variety of methods including:

- email updates
- zone server status web page
- RSS feeds
- Twitter updates


Whois Services

Nominet will provide a real time Whois service for domain names, nameserver data and for registrar data. The Whois may be accessed by any internet user either through a web-based portal or via the Port 43 service.

The Whois Service will accept Transmission Control Protocol (TCP) connections on port 43 at whois.nic.bbc. Queries, terminated as specified in RFC 3912 by a carriage return and line feed, will be accepted. If the domain name is registered in dot BBC then Whois information will be returned to the client. If it is not then an appropriate error message is returned.

The web-based Whois will be available at whois.nic.bbc. The user may enter the domain name, nameserver or registrar into a web form and will receive a response.

For both interfaces, if the request cannot be parsed as a domain name, nameserver or registrar then an appropriate error message will be returned.

The Whois service that Nominet currently provides for dot UK handles an average of between 800,000 and 1,000,000 lookups per day. Over the year to December 2011, the average monthly availability for this service was 99.99%. The server is designed to allow the limiting of requests from a single IP address to prevent denial of service. Nominet also monitors usage and performs statistical analysis to detect distributed abuse of the Whois.


Searchable Whois

Nominet will provide a searchable Whois service. This will be available on subscription to internet users. Nominet have provided this service for the dot UK domain name registry since 2006.

Nominetʹs searchable Whois allows for wildcard searches to be made on the domain name and registrant name. Results can be then exported as a comma separated values (CSV) file. Nominet will also offer the facility to allow users to set up to 20 search terms to be monitored automatically. Notifications will be sent by daily email if domain names are registered matching these search terms.


DNSSEC

The dot BBC zones will be signed using DNSSEC. Nominetʹs EPP server will support the DNSSEC extensions defined in RFC 5910 to allow DS records to be set in the zone.


Customer services

Nominet has a large customer support department from which it will provide support to the BBC, its chosen registrar(s), registrants and other stakeholders. Nominet has a team of 24 support advisors that manage both first and second-line support activities. This team is backed up by a third-line IT support team consisting of an additional 30+ staff. Support is provided by telephone, email, rss feeds and social media, with first and second line support available Monday to Friday (8am to 6pm) and additional emergency support available 24x7x365.


Billing system

Nominet has developed a customised billing system for domain names. Whenever a chargeable event, such as a registration or renewal, occurs in the registry, a record is made in the billing system. This feeds through to the monthly invoicing runs.

The billing system has an automated and fully configurable credit management system. The available credit or funds are audited for all registrars with warnings sent using email if they run low. The system may be configured to set any credit limit for registrar, including a zero limit to allow no credit.

Nominet also provide an online service for registrars to pay invoices and to put money on account.


Abuse prevention

Nominet has extensive abuse prevention policies and measures which include the following:
- technical solutions to enforce usage policies
- Sharing information with registrars about notifications from anti phishing companies such as Netcraft
- Registry⁄registrar agreement policies to enforce good practice
- Checking the quality of Whois data


Risk and business continuity planning

A comprehensive Risk Register, aligned to BS31100 is maintained by Nominet, the RSP, which anticipates and identifies the events which may produce uncertainty or negatively impact its operations and the achievement of its objectives. Risks are prioritised based on impact and likelihood, mitigating factors identified and remediation activities carried out. Risk owners and risk response owners are responsible for actively managing identified risks. The register is reviewed monthly by the Senior Management Team and bi-annually by the RSP’s Audit Committee.

The RSP has achieved BS25999 Business Continuity certification recognising its best practice approach to business continuity. It operates a full business continuity management system including a routine rehearsals schedule to ensure it can continue to operate in the most challenging situations safeguarding the registry and those that rely on it.


Stability

A registry service has an adverse effect on internet stability if it is not applicable with relevant authoritative standards or adversely affects the throughput, response time, consistency or coherence of responses to servers or end systems which are themselves operating in accordance with relevant authoritative standards.

Nominetʹs registry services will be fully stable as:
- They will full comply with all RFCs listed in specification 6 to the Registry Agreement
- All responses given will be consistent and coherent.
- Nominetʹs registry systems will be responsive, comfortably meeting all SLAs given in specification 10 to the Registry Agreement.


Security

To prevent the unauthorised disclosure or access to information or to registry systems architecture and to prevent the unauthorised disclosure, alteration, insertion or destruction of registry data, Nominet secures its registry systems in a number of ways including, but not restricted to:

- Securing of networks using SSL
- Access to different network segments (both internally and externally) is controlled through firewalls, and VPNs
- VPN access uses two factor authentication.
- Role based authentication of users providing the lowest level of access required to perform required functions
- Permanently manned reception and CCTV
- Geographically diverse datacentres
- Two factor authentication for physical entry to datacentres - one of which must be biometric
- Regular penetration testing by an independent organisation
- Regular vulnerability scanning by an independent organisation


Availability and continuity

All components making up Nominetʹs dot BBC Registry Services will be provided on duplicated load balanced servers. A minimum of two virtualised servers will be provisioned on separate server racks and configured to each handle half of the traffic. In the event of a problem with one server, the load balancers will automatically direct traffic to the other server. The servers will be set up so that in the event of the loss of one server, the remaining servers will have enough capacity to handle the traffic.

The architecture making up the dot BBC Registry Services will be fully provisioned upon Nominetʹs primary datacentre and replicated in full on the secondary datacentre. The database on the secondary datacentre will be replicated to within a few seconds of the primary.

This architecture allows Nominet to have standard operating procedures to enable transition within minutes if necessary and this procedure will be practiced on a monthly basis with the secondary datacentre becoming the primary and vice versa.

Similar gTLD applications: (6)