
28 Abuse Prevention and Mitigation

| gTLD | Full Legal Name | E-mail suffix |
| --- | --- | --- |
| .bmw | Bayerische Motoren Werke Aktiengesellschaft | thomsentrampedach.com |

BMW’s proposed use for the “.BMW” TLD will include robust protection mechanisms designed to preclude any abusive registrations within the space, since all domains will be reserved and registered only to BMW for the benefit of its clients and Internet users who wish to interact with BMW. There is no incentive for BMW to confuse users or otherwise use domains in bad faith, since BMW’s brand is inherently intertwined with all uses of “.BMW” domain names.

Accordingly, BMW will adopt a comprehensive system including the screening of second-level domain name strings, restriction of registration to a single-registrant model, and ongoing monitoring for appropriate use of websites active within the space. Furthermore, the Internal Domain Use/Registration Policy as described in Question 18 above will ensure a high level of security for the TLD.

BMW will additionally:

- Develop a trusted method of communication for all correspondence between BMW and the TLD’s registrars, to ensure that all registrant contact information, including WHOIS records, is complete and remains current, and that all requests for registration within the space may be easily verified for authenticity
- Implement effective mechanisms for identifying and addressing abusive practices
- Establish a point of contact for third-party reporting of abusive practices
- Ensure accurate WHOIS data by implementing and enforcing a strict registration and validation policy. The Registry-Registrar Agreement will furthermore include the obligation of accredited registrars to validate and verify each registration request.
- Determine and implement a streamlined practice for addressing and removing orphan glue records
- Publish on its website and include as binding registry policy an Anti-Abuse Policy, described in detail below, which provides applicable definitions of abuse and outlines the steps BMW will take to address any such situations


A. Point of Contact for Abuse Complaints

The abuse email inbox will be routinely and continuously monitored several times per day. Complainants will be provided with a responsive communication containing an auditable tracking or case number.

The abuse point of contact will be responsive and effective, tasked with answering email quickly, empowered to take effective action, and guided by well-defined written criteria. This role-based function will be performed by a team of trained and qualified staff provided by BMW’s legal team, which will ensure that the abuse point of contact has a broad familiarity with current industry knowledge and a high-level awareness of evolving online security risks. Initially, at least one designated employee from BMW’s trademark department who is currently involved in the management of BMW’s domain name portfolio will be tasked with overseeing the TLD as part of his/her duties. One or more additional employees will be trained in the role as well, in order to provide “back up” assistance as needed. The abuse point of contact will be supported by Dr. Torsten Bettinger, Attorney at Law, from the Law Firm Bettinger Schneider Schramm, of Munich, Germany, with whom the abuse point of contact will consult and coordinate the correct management of disputes and reported abuse. The abuse point of contact will further consult with Thomsen Trampedach GmbH, as well as with the registry service provider in order to coordinate technical reactions necessary to respond to or mitigate abusive behavior in a timely manner. Dr. Torsten Bettinger is a UDRP Panelist with the WIPO Arbitration and Mediation Center and has a first-class knowledge of ICANN and its structure. Thomsen Trampedach GmbH is a Swiss-based domain name consulting company with long-term involvement in ICANN, experience advising large brands in all domain name related issues, and is qualified to assist and advise BMW’s on-hand staff. With regard to the estimated number of registrations and the Registration Restrictions, these allocated resources will be sufficient to handle the expected initial volume of abuse complaints.
Abuse complaint metrics will be tracked and reviewed carefully each year, and adequate resources will be expended to ensure appropriate trending of those metrics, thus providing the abuse point of contact with sufficient resources.

Given BMW’s belief that infrastructure protection, rights protection, and user security are of paramount importance for a TLD owner, BMW expects to ensure sufficient resources for this critical role, and to do whatever is reasonably necessary to ensure a secure and trusted zone.


B. Anti-Abuse Policy

BMW will develop and implement upon launch of the TLD an Anti-Abuse Policy (AAP). The AAP will be made binding for all registrants by contractually obligating registrars through the Registry-Registrar Agreement to pass on the AAP as part of their registration agreements. The AAP will also be published prominently on the Registry website alongside the abuse point of contact and with instructions on how to best report any suspected violations of the AAP to the registry.

The AAP will be based on and expand upon existing registry policies to ensure best industry practice is followed. The goal of the AAP is to limit significant harm to internet users, to enable BMW or accredited registrars to investigate and to take action in case of malicious use of domain names and to deter registrants from engaging in illegal or fraudulent use of domain names.

BMW defines abuse as an action that causes actual and substantial harm, or is a material predicate of such harm, and is illegal, illegitimate, or otherwise contrary to BMW’s policy.

“Abuse” includes, but is not limited to, the following:

- Use of a domain to defraud or attempt to defraud members of the public in any way
- Use of a domain to distribute or publish hateful, defamatory, or derogatory content based on racial, ethnic, or political grounds, intended or generally able to cause or incite injury, damage or harm of any kind to any person or entity
- Use of a domain name to publish content threatening or invading the privacy or property rights of a third party
- Use of a domain name to publish content that infringes the trademarks, copyrights, patent rights, trade secrets or other intellectual property rights, or any other legal rights of BMW or any third party, or any action infringing on the named rights
- Violation of any applicable local, state, national or international law or regulation
- Use of a domain name for the promotion, involvement in or assisting in, illegal activity of any kind, as well as the promotion of business opportunities or investments that are not permitted under applicable law
- Advertisement or offer for sale any unlawful goods or services in breach of any national or international law or regulation
- Use of domain names to contribute to the sale or distribution of prescription medication without a valid prescription as well as the sale and distribution of unlicensed or unapproved medication
- Distribution of Child Pornography or other content depicting minors engaged in any activity of a sexual nature or which may otherwise harm minors
- Use of domain names to cause minors to view sexually explicit material
- Any use of domain names with regard to spam in any form, including through e-mail, instant messaging, mobile messaging, or the spamming of Web sites or Internet forums, as well as advertising for a domain name through spam
- Initiation or intentional participation in denial-of-service attacks (“DDoS attacks”)
- The use of domain names in phishing activities, tricking Internet users into divulging personal data such as usernames, passwords, or financial data
- The use of domain names in pharming, such as DNS hijacking and poisoning
- The use of domain names for the intentional distribution of spyware, botware, keylogger bots, viruses, worms, trojans or other forms of malware
- The use of a domain name in unauthorized fast flux hosting, disguising the location of internet addresses or Internet services. Fast flux hosting may be used only with prior permission of BMW
- The use of domain names to command and control botnets, i.e. a network of compromised computers or “zombies”
- The use of domain names in activities intended to gain illegal access to other computers or networks (“hacking”), as well as any activity to prepare for such system penetration

In accordance with best practices in current generic Top Level Domains, BMW reserves the right to either directly or through the issuing of a request to an accredited registrar deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion:

1. to protect the integrity and stability of the “.BMW” TLD and/or prevent the abuse of any “.BMW” domain name
2. to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process
3. to avoid any liability, civil or criminal, on the part of BMW, as well as its affiliates, subsidiaries, officers, directors, and employees
4. per the terms of the Registry Agreement or
5. to correct mistakes made by BMW, Registry Service Provider or any Registrar(s) in connection with a domain name registration

BMW also reserves the right to place a domain name upon registry lock, hold or similar status during resolution of an investigation or dispute.


C. Handling of Abuse Reports

All abuse reports received by the abuse point of contact will be tracked internally in a ticketing system to ensure accountability and ease of reference, and a tracking number will be provided to the reporter. Each report will be carefully reviewed and evaluated regarding its credibility, to determine whether the reported issue is an abuse concern and to assess the required action(s), if any. BMW will work in tandem with the sponsoring registrar(s) as well as the Registry Service Provider to rapidly address potential threats or abuse complaints, investigate all reasonable complaints, and take any appropriate action(s) thereto.

As standard practice, BMW will forward all credible and actionable reports, including the accompanying evidence, if any, to the sponsoring registrar, with a request to investigate the issue further and to take appropriate action. In case the registrar determines in the course of the investigation that the use of the domain name violates the applicable terms of use, ICANN policies or the AAP, the registrar is expected to take action within reasonable time. BMW further reserves the right to act directly and immediately in cases of obvious and significant malicious conduct.

BMW will implement valid court orders or seizure warrants from courts, arbitration tribunals, or law enforcement agencies of applicable jurisdiction as a top priority. BMW will further work closely with law enforcement agencies if necessary.

Based upon the applicable registration policies and restrictions, BMW does not expect further measures to be required to effectively prevent or stop malicious use. In case of an unexpected volume of credible abuse complaints, BMW will take advantage of additional resources such as spam databases and blocklists, anti-phishing feeds, analysis of registration data, and DNS queries.


D. Orphan Glue Records

According to the ICANN SSAC paper SAC048 at http://www.icann.org/en/committees/security/sac048.pdf, orphan glue records are defined as follows:

“By definition, orphan records used to be glue records. A glue record becomes an ‘orphan’ when the delegation point NS record referencing it is removed without also removing the corresponding glue record. The delegation point NS record is sometimes referred to as the parent NS record.”

An orphan glue record can occur whenever a domain is placed in ServerHold or ClientHold status. In these cases, the domain is removed from the zone file but existing name servers of this domain will be kept in the zone file so that other sites which are still using these name servers are still kept functional.

Example:
“example.string” is deleted from the zone file by setting it to ServerHold status, but “ns1.example.string” will be kept in the zone file.

D.1 Prevention of Orphan Glue Records During Domain Deletion

Deleting a domain name is only possible if there are no glue records used by other domains associated with the domain being deleted.

If there are glue records available but not used by other domains in the registry, the glue records will be deleted prior to the domain deletion. Whenever there are glue records available which are still in use, this has to be resolved first. If there are no glue records at all, the domain can be deleted instantly.

Solving the problem of glue records for domains which are supposed to be deleted can be done by checking the zone file. The zone file reveals the domains which are using the name servers. Once the required information is available, the named registrars must be contacted and new name servers should be set for the remaining domains in order to release the glue records.

In cases where glue records are being used in a malicious way, the abuse point of contact has to be contacted. The abuse point of contact will check this issue and take any appropriate actions, which may result in removing relevant records from the zone file in case the abuse complaint is valid.


E. Preventive Countermeasures

Pharming is an abusive practice used to gain illegal access to personal and confidential internet user information by diverting internet traffic through the manipulation of the information between the recursive resolver name server and the client software (e.g. web browser) (DNS-cache poisoning). Since pharming is commonly accomplished by redirecting traffic at the recursive DNS level, mitigation is most effective at the ISP level.

However, as an added countermeasure, the Registry Service Provider (KSregistry) will sign the domain zone using DNSSEC, as detailed in our answer to question 35, allowing the relying party to establish a chain of trust from the DNS root down to the domain name, thus validating DNS queries in the zone.

Registrars will be encouraged to use a DNSSEC enabled DNS hoster and to provision the related delegation signers (originating from the DNS hoster) to KSregistry’s SRS via EPP. This way it will be possible for the relying party to validate DNS queries and to protect from DNS tampering to a certain degree.

DNSSEC is a set of records and protocol modifications that provide authentication of the signer of the DNS data, verification of integrity of the DNS data against modification, non-repudiation of DNS data that have been signed, and authenticated denial of existence of DNS records. DNS data secured with DNSSEC are cryptographically signed and incorporate asymmetric cryptography in the DNS hierarchy, whereby trust follows the same chain as the DNS tree, meaning that trust originates from the root and is delegated in the same way as the control of a domain. When a domain name in the TLD is requested by a browser, the signature is validated with the public key stored in the parent zone.


F. Promoting Accurate WHOIS Data

BMW is committed to maintaining the “.BMW” TLD space as a safe, secure online environment. A key component of such a plan is the creation and upkeep of accurate WHOIS records for the registry. As indicated in detail in the above answer to Question 26, BMW will develop strong safeguards to verify the accuracy and privacy of the data stored in the WHOIS database, and will ensure that such records will be publicly-available to the extent required by ICANN regulations.

The WHOIS records for this TLD will constitute a “thick” WHOIS, combining all applicable data and information for domain name registrants in a central location. The individual registrars offering “.BMW” TLD domain names will be responsible, under the terms of the Registry-Registrar Agreement, for providing and promptly updating the WHOIS database with current, accurate and complete information. The Registry Service Provider will be responsible for monitoring such information and records to ensure that registrars comply with the contractual agreements to provide accurate data, including the use of field-valid telephone and fax numbers and the use of country names as defined under ISO 3166. BMW shall expressly reserve the right to cancel or suspend any domain name registrations within the space should a registrant fail to provide accurate or complete WHOIS information.
At all times, ICANN’s WHOIS Data Problem Reporting System (WDPRS) will be available to anyone wishing to file a complaint regarding the accuracy or sufficiency of WHOIS records within this TLD.


G. Registrant Authentication

This TLD’s space will follow a single-registrant model, meaning that the only entity authorized to register domain names within the TLD is BMW. The Registry-Registrar Agreement will contain this provision, and accordingly, any registrar offering “.BMW” TLD domain name registrations will be aware of the single-registrant restriction. The registrar will be responsible for making sure that only authenticated registration requests will be submitted to the registry, ensuring the accuracy of the WHOIS. Effectively, this will ensure that all WHOIS data is 100% accurate and pre-validated.

BMW will accordingly maintain strict control over the registration and use of this TLD’s domain names. Only authorized personnel will be able to release a name from reservation and register it for use through an ICANN-accredited registrar. Likewise, only authorized BMW personnel will be able to make DNS changes or alterations to the WHOIS data for the domain names. BMW will require multiple unique points of contact to request and/or approve update, transfer, and deletion requests, and will require notification of multiple, unique points of contact when a domain has been updated, transferred, or deleted.

These checks will include a clear, written policy detailing the steps by which such corporate authority may initiate the request for a domain name registration in the TLD. The concerned registrar(s) will have the ability to register domain names in this TLD only upon receipt of the proper corporate approval. Furthermore, there will be strict policies in place to prevent unauthorized changes to name servers, WHOIS or other DNS information, including registration of third- and higher-level subdomains.

In the event that BMW decides to license the use of this TLD’s domain names or subdomains to affiliates, additional levels of corporate approval may be required in order to ensure the proper use of such domain names.


H. Licensed Domain Names

BMW may, from time to time and in its sole discretion, elect to license the use of its TLD domain names to its affiliates. BMW will ensure that any such licensed affiliates will have only a limited license to use the allocated domain name, subject to continuing compliance with all policies in place during that time. Should BMW elect to offer such license arrangements, additional corporate approval may be required to ensure internal responsibility for overseeing and enforcing the terms of the license agreement.

Any licensee(s) must warrant they will not assign the license or sublicense any subdomain without

1. securing the sublicensee’s agreement to any and all terms required by BMW, including the Acceptable Use Policy and all other applicable policies
2. obtaining BMW’s prior consent in writing.


I. Ensuring Proper Access to Domain Functions

The Registry will be operated using a comprehensive and detailed authentication system designed to implement a wide range of registry functions for both internal operations and external registrar access. Registrar access will be limited by IP address control lists and TLS/SSL certificates, as well as verification processes for proper authentication and appropriate limitations to restrict access to the sponsored objects.

Each domain name will be assigned a unique AUTH-INFO code. The AUTH-INFO code is a 6- to 16-character code assigned by the registrar at the time a domain is created and which can be modified by the registrar at any time. Its purpose is to aid in the identification of the domain owner so that proper authority can be established. For example, a registrar-to-registrar transfer can be initiated only by using the correct AUTH-INFO code, to ensure that domain updates (update contact information, transfer, or deletion) are undertaken by the authorized registrant. Access to the domain’s AUTH-INFO code, stored in the registry, is limited to the sponsoring registrar and is accessible only via encrypted, password-protected channels.

Further security measures are anticipated and will be implemented in the new space, but are currently treated as confidential for security reasons. Accordingly, a full explanation of these mechanisms may be found in the response to Question 30(b).

| gTLD | Full Legal Name | E-mail suffix |
| --- | --- | --- |
| .allfinanz | Allfinanz Deutsche Vermögensberatung Aktiengesellschaft | thomsentrampedach.com |

ALLFINANZ’s proposed use for the .ALLFINANZ TLD will include robust protection mechanisms designed to preclude any abusive registrations within the space, since all domains will be reserved and registered only to ALLFINANZ for the benefit of its clients and Internet users who wish to interact with ALLFINANZ. There is no incentive for ALLFINANZ to confuse users or otherwise use domains in bad faith, since ALLFINANZ’s brand is inherently intertwined with all uses of .ALLFINANZ domain names.

Accordingly, ALLFINANZ will adopt a comprehensive system including the screening of second-level domain name strings, restriction of registration to a single-registrant model, and ongoing monitoring for appropriate use of websites active within the space. Furthermore, the Internal Domain Use/Registration Policy as described in Question 18 above will ensure a high level of security for the TLD.

ALLFINANZ will additionally:

- Develop a trusted method of communication for all correspondence between ALLFINANZ and the TLD’s registrars, to ensure that all registrant contact information, including WHOIS records, is complete and remains current, and that all requests for registration within the space may be easily verified for authenticity.
- Implement effective mechanisms for identifying and addressing abusive practices.
- Establish a point of contact for third-party reporting of abusive practices.
- Ensure accurate WHOIS data by implementing and enforcing a strict registration and validation policy. The Registry-Registrar Agreement will furthermore include the obligation of accredited registrars to validate and verify each registration request.
- Determine and implement a streamlined practice for addressing and removing orphan glue records.
- Publish on its website and include as binding registry policy an Anti-Abuse Policy, described in detail below, which provides applicable definitions of abuse and outlines the steps ALLFINANZ will take to address any such situations.


A. Point of Contact for Abuse Complaints

The abuse email inbox will be routinely and continuously monitored several times per day. Complainants will be provided with a responsive communication containing an auditable tracking or case number.

The abuse point of contact will be responsive and effective, tasked with answering email quickly, empowered to take effective action, and guided by well-defined written criteria. This role-based function will be performed by a team of trained and qualified staff provided by ALLFINANZ’s legal team, which will ensure that the abuse point of contact has a broad familiarity with current industry knowledge and a high-level awareness of evolving online security risks. Initially, at least one designated employee from ALLFINANZ’s legal department who is currently involved in the management of ALLFINANZ’s domain name portfolio will be tasked with overseeing the TLD as part of his/her duties. One or more additional employees will be trained in the role as well, in order to provide “back up” assistance as needed. The abuse point of contact will be supported by Dr. Torsten Bettinger, Attorney at Law, from the Law Firm Bettinger Schneider Schramm, of Munich, Germany, with whom the abuse point of contact will consult and coordinate the correct management of disputes and reported abuse. The abuse point of contact will further consult with Thomsen Trampedach GmbH, as well as with the registry service provider in order to coordinate technical reactions necessary to respond to or mitigate abusive behavior in a timely manner. Dr. Torsten Bettinger is a UDRP Panelist with the WIPO Arbitration and Mediation Center and has a first-class knowledge of ICANN and its structure. Thomsen Trampedach GmbH is a Swiss-based domain name consulting company with long-term involvement in ICANN, experience advising large brands in all domain name related issues, and is qualified to assist and advise ALLFINANZ’s on-hand staff. With regard to the estimated number of registrations and the Registration Restrictions, these allocated resources will be sufficient to handle the expected initial volume of abuse complaints.
Abuse complaint metrics will be tracked and reviewed carefully each year, and adequate resources will be expended to ensure appropriate trending of those metrics, thus providing the abuse point of contact with sufficient resources.


Given ALLFINANZ’s belief that infrastructure protection, rights protection, and user security are of paramount importance for a TLD owner, ALLFINANZ expects to ensure sufficient resources for this critical role, and to do whatever is reasonably necessary to ensure a secure and trusted zone.


B. Anti-Abuse Policy

ALLFINANZ will develop and implement upon launch of the TLD an Anti-Abuse Policy (AAP). The AAP will be made binding for all registrants by contractually obligating registrars through the Registry-Registrar Agreement to pass on the AAP as part of their registration agreements. The AAP will also be published prominently on the Registry website alongside the abuse point of contact and with instructions on how to best report any suspected violations of the AAP to the registry.

The AAP will be based on and expand upon existing registry policies to ensure best industry practice is followed. The goal of the AAP is to limit significant harm to internet users, to enable ALLFINANZ or accredited registrars to investigate and to take action in case of malicious use of domain names and to deter registrants from engaging in illegal or fraudulent use of domain names.

ALLFINANZ defines abuse as an action that causes actual and substantial harm, or is a material predicate of such harm, and is illegal, illegitimate, or otherwise contrary to ALLFINANZ’s policy.

“Abuse” includes, but is not limited to, the following:

- Use of a domain to defraud or attempt to defraud members of the public in any way
- Use of a domain to distribute or publish hateful, defamatory, or derogatory content based on racial, ethnic, or political grounds, intended or generally able to cause or incite injury, damage or harm of any kind to any person or entity
- Use of a domain name to publish content threatening or invading the privacy or property rights of a third party
- Use of a domain name to publish content that infringes the trademarks, copyrights, patent rights, trade secrets or other intellectual property rights, or any other legal rights of ALLFINANZ or any third party, or any action infringing on the named rights
- Violation of any applicable local, state, national or international law or regulation
- Use of a domain name for the promotion, involvement in or assisting in, illegal activity of any kind, as well as the promotion of business opportunities or investments that are not permitted under applicable law
- Advertisement or offer for sale any unlawful goods or services in breach of any national or international law or regulation
- Use of domain names to contribute to the sale or distribution of prescription medication without a valid prescription as well as the sale and distribution of unlicensed or unapproved medication
- Distribution of Child Pornography or other content depicting minors engaged in any activity of a sexual nature or which may otherwise harm minors
- Use of domain names to cause minors to view sexually explicit material
- Any use of domain names with regard to spam in any form, including through e-mail, instant messaging, mobile messaging, or the spamming of Web sites or Internet forums, as well as advertising for a domain name through spam
- Initiation or intentional participation in denial-of-service attacks (“DDoS attacks”)
- The use of domain names in phishing activities, tricking Internet users into divulging personal data such as usernames, passwords, or financial data
- The use of domain names in pharming, such as DNS hijacking and poisoning
- The use of domain names for the intentional distribution of spyware, botware, keylogger bots, viruses, worms, trojans or other forms of malware
- The use of a domain name in unauthorized fast flux hosting, disguising the location of internet addresses or Internet services. Fast flux hosting may be used only with prior permission of ALLFINANZ
- The use of domain names to command and control botnets, i.e. a network of compromised computers or “zombies”
- The use of domain names in activities intended to gain illegal access to other computers or networks (“hacking”), as well as any activity to prepare for such system penetration

In accordance with best practices in current generic Top Level Domains, ALLFINANZ reserves the right to either directly or through the issuing of a request to an accredited registrar deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion:

1. to protect the integrity and stability of the .ALLFINANZ TLD and/or prevent the abuse of any .ALLFINANZ domain name
2. to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process
3. to avoid any liability, civil or criminal, on the part of ALLFINANZ, as well as its affiliates, subsidiaries, officers, directors, and employees
4. per the terms of the Registry Agreement or
5. to correct mistakes made by ALLFINANZ, Registry Service Provider or any Registrar(s) in connection with a domain name registration

ALLFINANZ also reserves the right to place a domain name upon registry lock, hold or similar status during resolution of an investigation or dispute.


C. Handling of Abuse Reports

All abuse reports received by the abuse point of contact will be tracked internally in a ticketing system to ensure accountability and ease of reference, and a tracking number will be provided to the reporter. Each report will be carefully reviewed and evaluated regarding its credibility, to determine whether the reported issue is an abuse concern and to assess the required action(s), if any. ALLFINANZ will work in tandem with the sponsoring registrar(s) as well as the Registry Service Provider to rapidly address potential threats or abuse complaints, investigate all reasonable complaints, and take any appropriate action(s) thereto.

As standard practice, ALLFINANZ will forward all credible and actionable reports, including the accompanying evidence, if any, to the sponsoring registrar, with a request to investigate the issue further and to take appropriate action. In case the registrar determines in the course of the investigation that the use of the domain name violates the applicable terms of use, ICANN policies or the AAP, the registrar is expected to take action within reasonable time. ALLFINANZ further reserves the right to act directly and immediately in cases of obvious and significant malicious conduct.

ALLFINANZ will implement valid court orders or seizure warrants from courts, arbitration tribunals, or law enforcement agencies of applicable jurisdiction as a top priority. ALLFINANZ will further work closely with law enforcement agencies if necessary.

Based upon the applicable registration policies and restrictions, ALLFINANZ does not expect further measures to be required to effectively prevent or stop malicious use. In case of an unexpected volume of credible abuse complaints, ALLFINANZ will take advantage of additional resources such as spam databases and blocklists, anti-phishing feeds, analysis of registration data, and DNS queries.


D. Orphan Glue Records

The ICANN SSAC paper SAC048 (http://www.icann.org/en/committees/security/sac048.pdf) defines orphan glue records as follows:

“By definition, orphan records used to be glue records. A glue record becomes an ‘orphan’ when the delegation point NS record referencing it is removed without also removing the corresponding glue record. The delegation point NS record is sometimes referred to as the parent NS record.”

An orphan glue record can occur whenever a domain is placed in ServerHold or ClientHold status. In these cases, the domain is removed from the zone file but existing name servers of this domain will be kept in the zone file so that other sites which are still using these name servers are still kept functional.

Example:

“example.string” is removed from the zone file by setting it to ServerHold status, but “ns1.example.string” will be kept in the zone file.

D.1 Prevention of Orphan Glue Records During Domain Deletion

Deleting a domain name is only possible if there are no glue records used by other domains associated with the domain being deleted.

If there are glue records available but not used by other domains in the registry, the glue records will be deleted prior to the domain deletion. Whenever there are glue records available which are still in use, this has to be resolved first. If there are no glue records at all the domain can be deleted instantly.

Solving the problem of glue records for domains which are supposed to be deleted can be done by checking the zone file. The zone file reveals the domains which are using the name servers. Once the required information is available, the named registrars must be contacted and new name servers should be set for the remaining domains in order to release the glue records.

In cases where glue records are being used in a malicious way, the abuse point of contact has to be contacted. The abuse point of contact will check this issue and take any appropriate actions, which may result in removing relevant records from the zone file in case the abuse complaint is valid.
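The D.1 deletion pre-check and the SAC048 orphan definition quoted above, as an added example that is not part of the application or the registry's own software. The zone data is constructed for the placeholder TLD "string", and the function names and action labels are hypothetical.

```python
# Added example: D.1 deletion pre-check and orphan detection on a constructed zone.
# The zone below is constructed sample data for the placeholder TLD "string".
ZONE = """\
example.string.      IN NS ns1.example.string.
example.string.      IN NS ns2.example.string.
other.string.        IN NS ns1.example.string.
other.string.        IN NS ns1.other.string.
lonely.string.       IN NS ns1.hoster.test.
ns1.example.string.  IN A  192.0.2.1
ns2.example.string.  IN A  192.0.2.2
ns1.other.string.    IN A  192.0.2.3
"""

def parse_zone(text):
    """Return (delegations: domain -> NS hosts, glue: host -> addresses)."""
    delegations, glue = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1].upper() != "IN":
            continue  # this sketch only handles 'owner IN type rdata' lines
        owner, rtype = fields[0].lower().rstrip("."), fields[2].upper()
        rdata = fields[3].lower().rstrip(".")
        if rtype == "NS":
            delegations.setdefault(owner, set()).add(rdata)
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return delegations, glue

def deletion_precheck(domain, delegations, glue):
    """Apply D.1: return (action, {glue host: [other domains using it]})."""
    domain = domain.lower().rstrip(".")
    # Match on a label boundary so 'xexample.string' hosts are not caught.
    own = sorted(h for h in glue if h.endswith("." + domain))
    users = {h: sorted(d for d, ns in delegations.items()
                       if d != domain and h in ns) for h in own}
    if not own:
        return "delete", {}
    if any(users.values()):
        return "blocked", {h: u for h, u in users.items() if u}
    return "remove_glue_then_delete", users

def orphan_glue(delegations, glue):
    """Glue whose parent delegation is gone (assumes second-level registrations)."""
    return sorted(h for h in glue
                  if ".".join(h.split(".")[-2:]) not in delegations)
```

A "blocked" result lists the domains whose registrars must set new name servers before the glue can be released. Running `orphan_glue` after dropping a held domain's delegation shows the hosts left behind in the zone.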


E. Preventive Countermeasures

Pharming is an abusive practice used to gain illegal access to personal and confidential internet user information by diverting internet traffic through the manipulation of the information between the recursive resolver name server and the client software (e.g. web browser) (DNS-cache poisoning). Since pharming is commonly accomplished by redirecting traffic at the recursive DNS level, mitigation is most effective at the ISP level.

However, as an added countermeasure, the Registry Service Provider (KSregistry) will sign the domain zone using DNSSEC, as detailed in our answer to question 35, allowing the relying party to establish a chain of trust from the DNS root down to the domain name, thus validating DNS queries in the zone.

Registrars will be encouraged to use a DNSSEC enabled DNS hoster and to provision the related delegation signers (originating from the DNS hoster) to KSregistry’s SRS via EPP. This way it will be possible for the relying party to validate DNS queries and to protect from DNS tampering to a certain degree.

DNSSEC is a set of records and protocol modifications that provide authentication of the signer of the DNS data, verification of integrity of the DNS data against modification, non-repudiation of DNS data that have been signed, and authenticated denial of existence of DNS records. DNS data secured with DNSSEC are cryptographically signed and incorporate asymmetric cryptography in the DNS hierarchy, whereby trust follows the same chain as the DNS tree, meaning that trust originates from the root and is delegated in the same way as the control of a domain. When a domain name in the TLD is requested by a browser, the signature is validated with the public key stored in the parent zone.


F. Promoting Accurate WHOIS Data

ALLFINANZ is committed to maintaining the .ALLFINANZ TLD space as a safe, secure online environment. A key component of such a plan is the creation and upkeep of accurate WHOIS records for the registry. As indicated in detail in the above answer to Question 26, ALLFINANZ will develop strong safeguards to verify the accuracy and privacy of the data stored in the WHOIS database, and will ensure that such records will be publicly-available to the extent required by ICANN regulations.

The WHOIS records for this TLD will constitute a “thick” WHOIS, combining all applicable data and information for domain name registrants in a central location. The individual registrars offering .ALLFINANZ TLD domain names will be responsible, under the terms of the Registry-Registrar Agreement, for providing and promptly updating the WHOIS database with current, accurate and complete information. The Registry Service Provider will be responsible for monitoring such information and records to ensure that registrars comply with the contractual agreements to provide accurate data, including the use of field-valid telephone and fax numbers and the use of country names as defined under ISO 3166. ALLFINANZ shall expressly reserve the right to cancel or suspend any domain name registrations within the space should a registrant fail to provide accurate or complete WHOIS information.

At all times, ICANN’s WHOIS Data Problem Reporting System (WDPRS) will be available to anyone wishing to file a complaint regarding the accuracy or sufficiency of WHOIS records within this TLD.


G. Registrant Authentication

This TLD's space will follow a single-registrant model, meaning that the only entity authorized to register domain names within the TLD is ALLFINANZ. The Registry-Registrar Agreement will contain this provision, and accordingly, any registrar offering .ALLFINANZ TLD domain name registrations will be aware of the single-registrant restriction. The registrar will be responsible for making sure that only authenticated registration requests will be submitted to the registry, ensuring the accuracy of the WHOIS. Effectively, this will ensure that all WHOIS data is 100% accurate and pre-validated.

ALLFINANZ will accordingly maintain strict control over the registration and use of this TLD's domain names. Only authorized personnel will be able to release a name from reservation and register it for use through an ICANN-accredited registrar. Likewise, only authorized ALLFINANZ personnel will be able to make DNS changes or alterations to the WHOIS data for the domain names. ALLFINANZ will require multiple unique points of contact to request and/or approve update, transfer, and deletion requests, and will require notification of multiple, unique points of contact when a domain has been updated, transferred, or deleted.

These checks will include a clear, written policy detailing the steps by which such corporate authority may initiate the request for a domain name registration in the TLD. The concerned registrar(s) will have the ability to register domain names in this TLD only upon receipt of the proper corporate approval. Furthermore, there will be strict policies in place to prevent unauthorized changes to name servers, WHOIS or other DNS information, including registration of third- and higher-level subdomains.

In the event that ALLFINANZ decides to license the use of this TLD's domain names or subdomains to affiliates, additional levels of corporate approval may be required in order to ensure the proper use of such domain names.


H. Licensed Domain Names

ALLFINANZ may, from time to time and in its sole discretion, elect to license the use of its TLD domain names to its affiliates. ALLFINANZ will ensure that any such licensed affiliates will have only a limited license to use the allocated domain name, subject to continuing compliance with all policies in place during that time. Should ALLFINANZ elect to offer such license arrangements, additional corporate approval may be required to ensure internal responsibility for overseeing and enforcing the terms of the license agreement.

Any licensee(s) must warrant they will not assign the license or sublicense any subdomain without

1. securing the sublicensee's agreement to any and all terms required by ALLFINANZ, including the Acceptable Use Policy and all other applicable policies
2. obtaining ALLFINANZ’s prior consent in writing.


I. Ensuring Proper Access to Domain Functions

The Registry will be operated using a comprehensive and detailed authentication system designed to implement a wide range of registry functions for both internal operations and external registrar access. Registrar access will be limited by IP address control lists and TLS/SSL certificates, as well as verification processes for proper authentication and appropriate limitations to restrict access to the sponsored objects.

Each domain name will be assigned a unique AUTH-INFO code. The AUTH-INFO code is a 6- to 16-character code assigned by the registrar at the time a domain is created and which can be modified by the registrar at any time. Its purpose is to aid in the identification of the domain owner so that proper authority can be established. For example, a registrar-to-registrar transfer can be initiated only by using the correct AUTH-INFO code, to ensure that domain updates (update contact information, transfer, or deletion) are undertaken by the authorized registrant. Access to the domain’s AUTH-INFO code, stored in the registry, is limited to the sponsoring registrar and is accessible only via encrypted, password-protected channels.

Further security measures are anticipated and will be implemented in the new space, but are currently treated as confidential for security reasons. Accordingly, a full explanation of these mechanisms may be found in the response to Question 30(b).