NS1 Limited
15⁄F, 6 Knutsford Terrace, Tsim Sha Tsui
Hong Kong HK
HK
+852 3520 2635
Mr. Edmon Chung
Director Representative
+852 3520 2635
info@tld.asia
Ms. Rebecca Chan
Company Secretary
+852 3520 2635
rebecca@dot.asia
Corporation
Hong Kong
Attachments are not displayed on this form.
Namesphere Holdings Limited
Namesphere Holdings Limited | Director |
Chan Yuk Ying Rebecca | Company Secretary |
Namesphere Holdings Limited |
box
Attachments are not displayed on this form.
The Registry anticipates the introduction of this TLD without operational or rendering problems other than general Universal TLD Acceptance issues. The Registry engaged ARI Registry Services (ARI) and DotAsia Organisation to conduct investigation into the operational and rendering issues of the TLD. ARI has extensive experience have worked with many ccTLDs, including IDN ccTLDs. DotAsia oversees the policies and governance of “.Asia”, and has strong experience with the introduction of new gTLDs, including knowledge in Universal Acceptance issues. Evaluation of the potential operational and rendering issues for this TLD was delegated to ARI. ARI has executed a suite of tests to evaluate any issues arising from the use of the TLD string. ARI configured a test environment that consisted of DNS software, web server software, and an email server configured for sample domains in this TLD. Where possible, ARI attempted to test many equivalent applications, however the number of and different versions of applications means that testing was limited to the most common environments. The tests executed by ARI indicate that the introduction of this TLD has no operational or rendering problems other than that it is subject to the same issues already experienced by TLDs in the root, which are neither new nor unique. A summary of these common issues is provided below. - Some applications make assumptions about known valid TLDs and fail to recognize new TLDs - Some Non-IDN aware applications require the user to provide input in A-labels - Some IDN aware applications present the user with the domain name using A-labels instead of U-labels - Some IDN aware applications fail to render IRIs in a manner consistent with user expectations. To mitigate these issues, ARI and DotAsia will work with the Registry to ensure that maintainers of applications are made aware of the delegation and operation of this TLD. When relevant, we will refer the maintainers to the verification code produced by ICANN in the area for Universal Acceptance of All Top Level Domains such that operational issues can be mitigated for other TLDs. The steps the Registry will take to mitigate these issues should be more than adequate. Thus, we do not believe this TLD raises stability concerns and there is no reason that it should be denied on an operational and rendering issues bases.
.box is about the making the Internet (the cloud) personal.
Personal computers (PC) fundamentally changed the way we approached and view work as well as organize our life. The Internet profoundly changed the way we communicate and consume information. An important commonality of the two is how open, accessible technology enabled the decentralized empowerment of users. Before the PC, the industry was dominated by mainframes; before the Internet, proprietary networks competed for technical supremacy. Today, the “big brothers” are driving users towards massive online databases, i.e. cloud computing, albeit distributed technically is centralized in administration.
The .box TLD aspires to be a namespace promoting the use of personalized cloud technologies to connect personal devices, such as desktop PCs, laptops, mobile, tablets, etc., to form one’s own personal cloud without being tied to proprietary centralized clouds. While dedicated to personal cloud, .box is for the businesses too. We believe, much like PCs have changed the workplace, personal cloud technologies will support workplace development as well.
The vision of the .box Registry is to promote a decentralized empowerment of users by bringing the full capabilities of a user centric Internet to personalized devices.
The mission and purposes of the Registry are:
1. To operate an economically viable TLD registry in a secure and stable infrastructure with high performance, high scalability and high availability;
2. To promote the use of the .box TLD in support of the decentralized spirit of the Internet by supporting technologies that allow users to leverage their own devices for a personal network; and,
3. To be a socially responsible TLD registry with a high level of integrity in the protection of rights of others, privacy and consumer confidence in the development of the .box TLD.
The .box Registry believes that the name “box” is versatile and can be used by persons and businesses for activities such as setting up their own devices on their .box domain as storage that is accessible by other devices (storage box), accessing their home TV (set top box), or even home appliances (ice box) and other machines (juke box, music box, etc.)
In addition, to its mission and vision, as a new gTLD, the Registry believes in its responsibility as a responsible industry participant to advance competition, enhance consumer trust and promote consumer choice with the development of the TLD:
A. Advance Constructive Competition
The .box TLD brings a new dimension of personal domains to promote competition among TLDs as well as competition among domain registrars and resellers in targeting the personal domain market. In the past, the general market approach for personal domains drives towards vanity domains or the establishment of your personalized identity online. The .box TLD is about connecting users with their own network of connected devices, e.g. interconnectivity between one’s cell phone, laptop, tablet, home computers, etc.
B. Enhance Consumer Trust
The .box TLD is about supporting the prosumer movement by providing a namespace to support more technically sophisticated users to utilize domain names in managing and accessing their own network of connected devices. By promoting the concept and advocating the development of user friendly technologies in support of such capabilities, the Registry believes in enhancing the media and Internet literacy of Internet users. In turn, the Registry believes that with more technically aware users, that would in itself drive better consumer trust to the Internet including the DNS.
Furthermore, this could raise the awareness of more Internet users about Internet governance issues, and allow the community to engage with them for their participation in the international discussions, including at ICANN. This would also help drive consumer trust in the system by bringing them to and making them aware of their ability to participate in policy discussions about the Internet.
C. Promote Consumer Choice
The .box vision counters the prevailing concept of the centralized cloud by promoting consumer choice of utilizing their own devices to establish their own personal cloud. Besides promoting choice of TLD and domain names, the .box TLD believes in bringing the choice of operating one’s own personal network rather than depending on managed cloud services.
From Wikipedia (http:⁄⁄en.wikipedia.org⁄wiki⁄Cloud_computing):
“Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).
Cloud computing entrusts services (typically centralized) with a userʹs data, software and computation on a published application programming interface (API) over a network. It has considerable overlap with software as a service (SaaS).
End users access cloud based applications through a web browser or a light weight desktop or mobile app while the business software and data are stored on servers at a remote location. Cloud application providers strive to give the same or better service and performance than if the software programs were installed locally on end-user computers.”
An important aspect is the “typically centralized” nature of what us currently considered cloud computing. The vision of the .box TLD is to bring this capability to end users by enabling themselves to use cloud technologies to share services between their own devices. The Registry believes that while a TLD on its own may not be able to bring these technologies to end users, the advocacy of the .box domain can encourage users to start by connecting their own devices to their own .box domain as a shared network storage box of files.
1. Goals of the TLD
The .box domain aspires to be the domain of choice for users interested in connecting their own devices (e.g. mobile phones, laptop, tablet, home computer) as a personal network (personal cloud). The area of specialty for the .box domain is in the personal cloud space. With the growing interest in cloud computing, a central goal of the Registry is to advocate the decentralization of cloud technologies to personal network of devices. The .box domain plays an important role in this concept by providing users a domain that they can identify as their own.
With the full support of ARI as the registry back-end services provider, the TLD aims to operate at world class service levels delivering registry services to its registrars, registrants as well as general internet users a high capacity and high availability platform.
The Registry, through the support from its Registry Front-End Services Provider, Namesphere, which is a spin-off of the DotAsia Organisation, sets a noble goal in building itself as a reputable initiative that is economically viable and one which participates in the global community as a responsible netizen, upholding a high level of integrity and respecting the rights of others.
2. Differentiation and Innovation
An important differentiation of the .box TLD is in the target audience and its advocacy of the personal cloud concept. As a TLD registry, we are focused on providing a secure and stable platform for which applications and other solutions can be built upon. A core mission of the TLD is to encourage innovations in the direction of the decentralized spirit of the Internet, which we also believe to be an important environment for fostering creativity and development.
3. Improving User Experience
As a TLD targeted towards the consumer market, improving user experience is at the core vision of the Registry. The Registry believes that the advocacy of personal cloud technologies will in turn improve the user experience of domain names and Internet technologies overall. As a short, stylish and memorable TLD, the Registry believes that it can build a strong user experience for consumer domain registrants.
4. Registration Policies Supporting the Goals to Drive User Benefits
Upon Go Live of the registry, the TLD will be an open registry accepting registrations from individuals and businesses around the world. To uphold its reputation as a socially responsible TLD, beyond the basic ICANN requirements, the Registry is committed to put in place a comprehensive Sunrise and Startup process (Q29) as well as effective Abuse Prevention (Q28) and Rights Protection Mechanisms (Q29) to strengthen the orderly and stable introduction of the TLD.
Furthermore, the Registry is committed to developing supportive policies to promote the goals stipulated, including policies to strengthen the rights of registrants while balancing other interests to avoid abuse.
5. Privacy and Confidentiality Protection
Privacy and confidentiality is critical to a domain namespace targeted to consumers. As a socially responsible operator, the Registry is dedicated to ensuring that the privacy users and confidentiality of information is protected. The Registry, leveraging the infrastructure supported by its Registry Back-End Services provider, ARI, maintains a highly secure environment physically and technically to ensure that confidential information are not leaked.
The Registry is also committed to developing and implementing policies that complies with privacy laws in the locality it operates out of and can be compatible with privacy laws of registrars and registrants of the registry. The Registry understands that there is no guarantee of compatibility of such laws especially given the global nature of the DNS and of the Internet at large, and is committed to dedicate itself, especially through its partner DotAsia (through Namesphere, as the Registry Front-End Services Provider for the Registry), to participate in the global Internet Governance discourse on the subject.
The Registry is committed to introducing the .box TLD in an orderly manner to minimize the social costs and maximize the social value of the TLD. Following the successful launch of the .ASIA TLD, and leveraging the experience and knowledge from the DotAsia (through Namesphere), the Registry is committed to developing and implementing a comprehensive startup process that would include, besides Sunrise and Landrush processes, a Multi-Category Pioneer Domains Program.
The Pioneer Domains Program will be designed to curb abusive registrations, whereby reducing social costs, as well as to promote the adoption of the TLD, to maximize the social value of the TLD. An important goal of the program is to allow for the introduction of showcase domains under the TLD in a well structured manner, while ensuring that the protection of the rights of others is maintained. The implementation of showcase domains support the development of positive foundation of usage of the TLD. More detailed explanation of the overall startup process is included in #29.
In response to the question specifically:
1. Mechanisms for Resolving Multiple Applications to a Domain
A comprehensive Sunrise and Landrush program will be put in place at the launch of the TLD. As an important stakeholder of the Registry, DotAsia (through Namesphere) will be lending its experience and knowledge in the development of an appropriate Sunrise and Landrush program that includes mechanisms for resolving multiple applications to a domain when the TLD is first launched. More detailed explanation of the approach is included in #29. In short, during the Sunrise and Landrush processes, a first come first served model will not be used as previous launches has demonstrated that such mechanism creates undue tension, chaos and frustration in the process. Applications for domains will be received within a designated time period and all applications received within such period will be considered to be received at the same time. All applicants will be verified first for their eligibility against the Sunrise and Landrush policies respectively. If there is only one successfully verified application for a particular domain, then it will be allocated directly. If there is more than one successfully verified application an auction will be held to resolve the contention.
During regular operations of the registry (upon GoLive and after Sunrise and Landrush), domain registrations will be accepted on a first-come-first-served basis. In cases of contention, the Registry will not prohibit the use of secondary market mechanisms for interested registrants to resolve the contention. Registrant transfers will be administered by accredited registrars without intervention by the Registry. In the cases of contention against abusive registrations, the Registry will adhere to the UDRP and URS procedures.
When a domain name registration is deleted and after completing the lifecycle according to ICANN requirements, the domain name will be re-released to the available pool and registrations will be accepted on a first-come-first-served basis. If activities to snatch names from this “dropzone” becomes contentious, the Registry is prepared to work closely with the community to provide better mechanisms to resolve contentions where appropriate.
2. Cost Benefits for Registrants
The registry intends to implement periodic cost reduction programs to encourage the adoption of the TLD by registrants. Such cost reduction programs can also be targeted towards key segments of the market in relation to the mission and vision of the Registry explained above. Based on the experience of DotAsia (through Namesphere), rebate programs that essentially lower the costs for registrants are one of the most effective ways to drive the adoption of a new TLD. Cost reduction oriented programs are included in the financial projections provided for #45-50.
Introductory programs will be important to drive awareness and interest in the TLD as well. These should include not only broad price discounts but also targeted programs. Based on DotAsia’s past experience, targeted programs, such as Home Market Growth programs are effective in raising the awareness for targeted segments. Such programs can also come in the form of special price reduction promos or rebate type programs.
Besides price reduction programs, other cost benefits can also be introduced to registrants. For example, DotAsia also pioneered the offering of free gift redemption programs to spark interest from registrants as well as to drive the cost benefits for adoption of the TLD. For example, it may be possible for the .box registry to offer free devices, e.g. tablets, that is integrated with the .box domain name registered by a user.
3. Contractual Commitments to Registrants
The Registry will abide by the ICANN Registry Agreement requirements as well as ICANN Consensus Policies, including to offer domain registrations for periods of one to ten years at the discretion of the registrar upon GoLive (when normal first-come-first-served registrations begin). During Sunrise and Landrush the Registry will request multi-year initial registrations. The Registry does not plan to implement contractual commitments to registrars regarding the magnitude of price escalation unless such contractual elements have reached community consensus, but is committed to providing a stable environment for registrations, including a stable pricing for registrars.
Besides policies and rules implemented, the Registry believes that prudent operations as an economically viable and socially responsible TLD operator in itself is an important mitigation of increased social costs as a new gTLD is being introduced. The Registry will leverage the knowledge and expertise from its technology provider and DotAsia to ensure that a substantial portion of the costs for operating the registry is managed in variable costs leveraging the economies of scale from already established operations and focus on delivering value to registrants and consumers with the introduction of the .box TLD and its mission and features.
Measures to curb abusive registrations will also be put in place to avoid costs from the community caused by such activities. Further details are included in the response to #28. Furthermore, security measures explained in #30 and #31 help reinforce a robust registry system to guard against DDOS and other malicious attacks which have implications to social costs. As explained, above and beyond the compliance with the Trademark Clearing House (TMCH) requirements, startup policies will be put in place to address issues around reserved names (#22) as well as trademark, copyright and intellectual property concerns (#29).
No
Attachments are not displayed on this form.
No
The Registry is committed to following the GAC advice and Specification 5 of the New gTLD Agreement in the protection of geographic names for registrations under the TLD.
More specifically, the Registry commits to:
a) Adopt, before the new gTLD is introduced, appropriate procedures for blocking, at no cost and upon demand of governments, public authorities or IGOs, names with national or geographic significance at the second level of the TLD.
b) Ensure procedures to allow governments, public authorities or IGOs to challenge abuses of names with national or geographic significance at the second level of the TLD
Building on the experience from .INFO and .ASIA in their handling of country and government related names, the Registry will develop and establish policies for:
1) obtaining and maintaining a list of names with national or geographic significance to be reserved (at no cost to governments) upon the demand of governments, public authorities or IGOs;
2) the process for registrants to apply for and for the Registry to obtain consent from the respective government, public authorities or IGOs in the releasing of such reserved geographic names; and
The procedures may be similar to the management of governmental reserved names for .ASIA (Section 3.4 of http:⁄⁄dot.asia⁄policies⁄DotAsia-Reserved-Names--COMPLETE-2007-08-10.pdf -- also attached for reference). In summary:
I) The Registry will adhere to the New gTLD Registry Agreement Specification 5 requirements regarding 2. Two-Character Labels as well as 5. Country and Territory Names;
II) Before the launch of the TLD, the Registry will also proactively reach out to governments around the world, especially through GAC members (and ccTLD managers where appropriate), to solicit from them their demand for reserving any names with national or geographic significance at the second level of the TLD;
III) The Registry will develop mechanisms and maintain a list of governmental reference contacts, especially through correspondence with GAC members and ccTLD managers where appropriate. The corresponding reference contact(s) will be contacted in case a registration request is received for a governmental reserved name. If the consent from the governmental contact is received, the registration request will be approved. The domain will nevertheless remain in the reserved names list so that in case the registration lapses, the domain will not be released into the available pool, but will require the same approval process to be registered.
IV) The Registry will maintain an ongoing process for adding and updating governmental reserved names as they are demanded by governments, public authorities or IGOs.
In accordance with Specification 5 of the New gTLD Registry Agreement, the registry operator must initially reserve all geographic names at the second level, and at all other levels within the TLD at which the registry operator provides for registrations.
ARI supports this requirement by using the following internationally recognised lists to develop a comprehensive master list of all geographic names that are initially reserved:
– The 2-letter alpha-2 code of all country and territory names contained on the ISO 3166-1 list, including all reserved and unassigned codes [http:⁄⁄www.iso.org⁄iso⁄support⁄country_codes⁄iso_3166_code_lists⁄iso-3166-1_decoding_table.htm].
– The short form (in English) of all country and territory names contained on the ISO 3166-1 list, including the European Union, which is exceptionally reserved on the ISO 3166-1 List, and its scope extended in August 1999 to any application needing to represent the name European Union [http:⁄⁄www.iso.org⁄iso⁄support⁄country_codes⁄iso_3166_code_lists⁄iso-3166-1_decoding_table.htm#EU].
– The United Nations Group of Experts on Geographical Names, Technical Reference Manual for the Standardisation of Geographical Names, Part III Names of Countries of the World. This lists the names of 193 independent States generally recognised by the international community in the language or languages used in an official capacity within each country and is current as of August 2006 [http:⁄⁄unstats.un.org⁄unsd⁄geoinfo⁄ungegn%20tech%20ref%20manual_M87_combined.pdf].
– The list of UN member states in six official UN languages prepared by the Working Group on Country Names of the United Nations Conference on the standardisation of Geographical Names [http:⁄⁄unstats.un.org⁄unsd⁄geoinfo⁄UNGEGN⁄docs⁄9th-uncsgn-docs⁄econf⁄9th_UNCSGN_e-conf-98-89-add1.pdf].
Names on this reserved list in ARI’s registry system are prevented from registration.
The following applies to all Domain Names contained within the registry’s reserved list:
– Attempts to register listed Domain Names will be rejected.
– WhoIs queries for listed Domain Names will receive responses indicating their reserved status.
– Reserved geographic names will not appear in the TLD zone file.
– DNS queries for reserved domain names will result in an NXDOMAIN response.
Furthermore, the Registry will actively participate in the development of appropriate process and policies for governments, public authorities or IGOs to challenge abuses of names with national or geographic significance. As an important stakeholder in the Registry, DotAsia Organisation (through Namesphere) will be supporting the efforts as well. DotAsia has been a pioneer of protective measures for new gTLDs, especially in its handling of governmental reserved names and its engagement with different stakeholders to develop rapid suspension policies, which provided part of the genesis of what is now standardized for new gTLDs as the URS (Uniform Rapid Suspension) process. Similar administrative processes may be explored and developed for supporting challenge processes for abuses of names with national or geographic significance.
ARI Registry Services (ARI) and DotAsia Organisation (through Namesphere) are respectively the Registry Back-End and Registry Front-End services provider for the TLD. This response describes the registry services for our TLD, as jointly provided by ARI and Namesphere.
1 INTRODUCTION
ARI’s Managed TLD Registry Service is a complete offering, providing all of the required registry services. What follows is a description of each of those services. Namesphere on the other hand provides a comprehensive registry front-end service in the development of appropriate policies, administrative procedures and the liaising of registrars, ICANN policy and compliance, and the enforcement of a socially responsible approach of the registry in its delivery of services.
2 REGISTRY SERVICES
The following sections describe the registry services provided. Each of these services has, where required, been designed to take into account the requirements of consensus policies as documented here:
[http:⁄⁄www.icann.org⁄en⁄resources⁄Registrars⁄consensus-policies]
At the time of delegation into the root this TLD will not be offering any unique Registry services, other than the fact that it will be offering IDN registrations in accordance with the CDNC IDN Variant policies.
2.1 Receipt of Data from Registrars
The day-to-day functions of the registry, as perceived by Internet users, involves the receipt of data from Registrars and making the necessary changes to the SRS database. Functionality such as the creation, renewal and deletion of domains by Registrars, on behalf of registrants, is provided by two separate systems:
– An open protocol-based provisioning system commonly used by Registrars with automated domain management functionality within their own systems.
– A dedicated website providing the same functionality for user interaction.
Registrants (or prospective registrants) who wish to manage their existing domains or credentials, register new domains or delete their domains will have their requests carried out by Registrars using one of the two systems described below.
ARI operates Extensible Provisioning Protocol (EPP) server software and distributes applicable toolkits to facilitate the receipt of data from Registrars in a common format. EPP offers a common protocol for Registrars to interact with SRS data and is favoured for automating such interaction in the Registrar’s systems. In addition to the EPP server, Registrars have the ability to use a web-based management interface (SRS Web Interface), which provides functions equivalent to the EPP server functionality.
2.1.1 EPP
The EPP software allows Registrars to communicate with the SRS using a standard protocol. The EPP server software is compliant with all appropriate RFCs and will be updated to comply with any relevant new RFCs or other new standards, as and when they are finalised. All standard EPP operations on SRS objects are supported.
Specifically, the EPP service complies with the following standards:
– RFC 5730 Extensible Provisioning Protocol (EPP).
– RFC 5731 Extensible Provisioning Protocol (EPP) Domain Name Mapping.
– RFC 5732 Extensible Provisioning Protocol (EPP) Host Mapping.
– RFC 5733 Extensible Provisioning Protocol (EPP) Contact Mapping.
– RFC 5734 Extensible Provisioning Protocol (EPP) Transport over TCP.
– RFC 5910 Domain Name System (DNS) Security Extensions for the Extensible Provisioning Protocol (EPP).
– RFC 3915 Domain Registry Grace Period Mapping for the Extensible Provisioning Protocol (EPP).
– Extensions to ARI’s EPP service comply with RFC 3735 Guidelines for Extending the Extensible Provisioning Protocol (EPP).
2.1.1.1 Security for EPP Service
To avoid abuse and to mitigate potential fraudulent operations, the EPP server software uses a number of security mechanisms that restrict the source of incoming connections and prescribe the authentication and authorisation of the client. Connections are further managed by command rate limiting and are restricted to only a certain number for each Registrar, to help reduce unwanted fraudulent and other activities. Additionally, secure communication to the EPP interface is required, lowering the likelihood of the authentication mechanisms being compromised.
The EPP server has restrictions on the operations it is permitted to make to the data within the registry database. Except as allowed by the EPP protocol, the EPP server cannot update the credentials used by Registrars for access to the SRS. These credentials include those used by Registrars to login to ARI’s SRS Web Interface and the EPP service.
Secure communication to the EPP server is achieved via the encryption of EPP sessions. The registry system and associated toolkits support AES 128 and 256 via TLS.
The Production and Operational Testing and Evaluation (OTE) EPP service is protected behind a secure firewall that only accepts connections from registered IP addresses. Registrars are required to supply host IP addresses that they intend to use to access the EPP service.
Certificates are used for encrypted communications with the registry. Registrars require a valid public⁄private key pair signed by the ARI CA to verify authenticity. These certificates are used to establish a TLS secure session between client and server.
EPP contains credential elements in its specification which are used as an additional layer of authentication. In accordance with the EPP specification, the server does not allow client sessions to carry out any operations until credentials are verified.
The EPP server software combines the authentication and authorisation elements described above to ensure the various credentials supplied are associated with the same identity. This verification requires that:
– The username must match the common name in the digital certificate.
– The certificate must be presented from a source IP listed against the Registrar whose common name appears in the certificate.
– The username and password must match the user name and password listed against the Registrar’s account with that source IP address.
To manage normal operations and prevent an accidental or intentional Denial of Service, the EPP server can be configured to rate limit activities by individual Registrars.
2.1.1.2 Stability Considerations
The measures that restrict Registrars to a limit of connections and operations for security purposes also serve to keep the SRS and the EPP server within an acceptable performance and resource utilisation band. Therefore, scaling the service is an almost linear calculation based on well-defined parameters.
The EPP server offers consistent information between Registrars and the SRS Web Interface. The relevant pieces of this information are replicated to the DNS within seconds of alteration, thus ensuring that a strong consistency between the SRS and DNS is maintained at all times.
2.1.2 SRS Web Interface
The registry SRS Web Interface offers Registrars an alternative SRS interaction mechanism to the EPP server. Available over HTTPS, this interface can be used to carry out all operations which would otherwise occur via EPP, as well as many others. Registrars can use the SRS Web Interface, the EPP server interface or both – with no loss of consistency within the SRS.
2.1.2.1 Security and Consistency Considerations for SRS Web Interface
The SRS Web Interface contains measures to prevent abuse and to mitigate fraudulent operations. By restricting access, providing user level authentication and authorisation, and protecting the communications channel, the application limits both the opportunity and scope of security compromise.
Registrars are able to create individual users that are associated with their Registrar account. By allocating the specific operations each user can access, Registrars have full control over how their individual staff members interact with the SRS. Users can be audited to identify which operations were conducted and to which objects those operations were applied.
A secure connection is required before credentials are exchanged and once authenticated. On login, any existing user sessions are invalidated and a new session is generated, thereby mitigating session-fixation attacks and reducing possibilities that sessions could be compromised.
2.1.3 Securing and Maintaining Consistency of Registry-Registrar Interaction Systems
ARI ensures all systems through which Registrars interact with the SRS remain consistent with each other and apply the same security rules. Additionally, ARI also ensures that operations on SRS objects are restricted to the appropriate entity. For example:
– In order to initiate a transfer a Registrar must provide the associated domain password (authinfo) which will only be known by the registrant and the current sponsoring Registrar.
– Only sponsoring Registrars are permitted to update registry objects.
All operations conducted by Registrars on SRS objects are auditable and are identifiable to the specific Registrar’s user account, IP address and the time of the operation.
2.2 Disseminate Status Information of TLD Zone Servers to Registrars
The status of TLD zone servers and their ability to reflect changes in the SRS is of great importance to Registrars and Internet users alike. ARI will ensure that any change from normal operations is communicated to the relevant stakeholders as soon as is appropriate. Such communication might be prior to the status change, during the status change and⁄or after the status change (and subsequent reversion to normal) – as appropriate to the party being informed and the circumstance of the status change.
Normal operations are those when:
– DNS servers respond within SLAs for DNS resolution.
– Changes in the SRS are reflected in the zone file according to the DNS update time SLA.
The SLAs are those from Specification 10 of the Registry Agreement.
A deviation from normal operations, whether it is registry wide or restricted to a single DNS node, will result in the appropriate status communication being sent.
2.2.1 Communication Policy
ARI maintains close communication with Registrars regarding the performance and consistency of the TLD zone servers.
A contact database containing relevant contact information for each Registrar is maintained. In many cases, this includes multiple forms of contact, including email, phone and physical mailing address. Additionally, up-to-date status information of the TLD zone servers is provided within the SRS Web Interface.
Communication using the Registrar contact information discussed above will occur prior to any maintenance that has the potential to effect the access to, consistency of, or reliability of the TLD zone servers. If such maintenance is required within a short time frame, immediate communication occurs using the above contact information. In either case, the nature of the maintenance and how it affects the consistency or accessibility of the TLD zone servers, and the estimated time for full restoration, are included within the communication.
That being said, the TLD zone server infrastructure has been designed in such a way that we expect no down time. Only individual sites will potentially require downtime for maintenance; however the DNS service itself will continue to operate with 100% availability.
2.2.2 Security and Stability Considerations
ARI restricts zone server status communication to Registrars, thereby limiting the scope for malicious abuse of any maintenance window. Additionally, ARI ensures Registrars have effective operational procedures to deal with any status change of the TLD nameservers and will seek to align its communication policy to those procedures.
2.3 Zone File Access Provider Integration
Individuals or organisations that wish to have a copy of the full zone file can do so using the Zone Data Access service. This process is still evolving; however the basic requirements are unlikely to change. All registries will publish the zone file in a common format accessible via secure FTP at an agreed URL.
ARI will fully comply with the processes and procedures dictated by the Centralised Zone Data Access Provider (CZDA Provider or what it evolves into) for adding and removing Zone File access consumers from its authentication systems. This includes:
– Zone file format and location.
– Availability of the zone file access host via FTP.
– Logging of requests to the service (including the IP address, time, user and activity log).
– Access frequency.
2.4 Zone File Update
To ensure changes within the SRS are reflected in the zone file rapidly and securely, ARI updates the zone file on the TLD zone servers using software compliant with RFC 2136 (Dynamic Updates in the Domain Name System (DNS UPDATE)) and RFC 2845 (Secret Key Transaction Authentication for DNS (TSIG)).
This updating process follows a staged but rapid propagation of zone update information from the SRS, outwards to the TLD zone servers – which are visible to the Internet. As changes to the SRS data occur, those changes are updated to isolated systems which act as the authoritative primary server for the zone, but remain inaccessible to systems outside ARI’s network. The primary servers notify the designated secondary servers, which service queries for the TLD zone from the public. Upon notification, the secondary servers transfer the incremental changes to the zone and publicly present those changes.
The protocols for dynamic update are robust and mature, as is their implementation in DNS software. The protocols’ mechanisms for ensuring consistency within and between updates are fully implemented in ARI’s TLD zone update procedures. These mechanisms ensure updates are quickly propagated while the data remains consistent within each incremental update, regardless of the speed or order of individual update transactions. ARI has used this method for updating zone files in all its TLDs including the .au ccTLD, pioneering this method during its inception in 2002. Mechanisms separate to RFC 2136-compliant transfer processes exist; to check and ensure domain information is consistent with the SRS on each TLD zone server within 10 minutes of a change.
2.5 Operation of Zone Servers
ARI maintains TLD zone servers which act as the authoritative servers to which the TLD is delegated.
2.5.1 Security and Operational Considerations of Zone Server Operations
The potential risks associated with operating TLD zone servers are recognised by ARI such that we will perform the steps required to protect the integrity and consistency of the information they provide, as well as to protect the availability and accessibility of those servers to hosts on the Internet. The TLD zone servers comply with all relevant RFCs for DNS and DNSSEC, as well as BCPs for the operation and hosting of DNS servers. The TLD zone servers will be updated to support any relevant new enhancements or improvements adopted by the IETF.
The DNS servers are geographically dispersed across multiple secure data centres in strategic locations around the world. By combining multi-homed servers and geographic diversity, ARI’s zone servers remain impervious to site level, supplier level or geographic level operational disruption.
The TLD zone servers are protected from accessibility loss by malicious intent or misadventure, via the provision of significant over-capacity of resources and access paths. Multiple independent network paths are provided to each TLD zone server and the query servicing capacity of the network exceeds the extremely conservatively anticipated peak load requirements by at least 10 times, to prevent loss of service should query loads significantly increase.
As well as the authentication, authorisation and consistency checks carried out by the Registrar access systems and DNS update mechanisms, ARI reduces the scope for alteration of DNS data by following strict DNS operational practices:
– TLD zone servers are not shared with other services.
– The primary authoritative TLD zone server is inaccessible outside ARI’s network.
– TLD zone servers only serve authoritative information.
– The TLD zone is signed with DNSSEC and a DNSSEC Practice⁄Policy Statement published.
2.6 Dissemination of Contact or Other Information
Registries are required to provide a mechanism to identify the relevant contact information for a domain. The traditional method of delivering this is via the WhoIs service, a plain text protocol commonly accessible on TCP port 43. ARI also provides the same functionality to users via a web-based WhoIs service. Functionality remains the same with the web-based service, which only requires a user to have an Internet browser.
Using the WhoIs service, in either of its forms, allows a user to query for domain-related information. Users can query for domain details, contact details, nameserver details or Registrar details.
A WhoIs service, which complies with RFC 3912, is provided to disseminate contact and other information related to a domain within the TLD zone.
2.6.1 Security and Stability Considerations
ARI ensures the service is available and accurate for Internet users, while limiting the opportunity for its malicious use. Many reputation and anti-abuse services rely on the availability and accuracy of the WhoIs service, however the potential for abuse of the WhoIs service exists.
Therefore, certain restrictions are made to the access of WhoIs services, the nature of which depend on the delivery method – either web-based or the traditional text-based port 43 service. In all cases, there has been careful consideration given to the benefits of WhoIs to the Internet community, as well as the potential harm to registrants – as individuals and a group – with regard to WhoIs access restrictions.
The WhoIs service presents data from the registry database in real time. However this access is restricted to reading the appropriate data only. The WhoIs service does not have the ability to alter data or to access data not related to the WhoIs service. The access limitations placed on the WhoIs services prevent any deliberate or incidental denial of service that might impact other registry services.
Restrictions placed on accessing WhoIs services do not affect legitimate use. All restrictions are designed to target abusive volume users and to provide legitimate users with a fast and available service. ARI has the ability to ‘whitelist’ legitimate bulk users of WhoIs, to ensure they are not impacted by standard volume restrictions.
The data presentation format is consistent with the canonical representation of equivalent fields, as defined in the EPP specifications and ICANN agreement.
2.6.1.1 Port 43 WhoIs
A port 43-based WhoIs service complying with RFC 3912 is provided and will be updated to meet any other relevant standards or best practice guidelines related to the operation of a WhoIs service.
While the text-based service can support thousands of simultaneous queries, it has dynamic limits on queries per IP address to restrict data mining efforts. In the event of identified malicious use of the service, access from a single IP address or address ranges can be limited or blocked.
2.6.1.2 Web-based WhoIs
ARI’s web-based WhoIs service provides information consistent with that contained within the SRS.
The web-based WhoIs service contains an Image Verification Check (IVC) and query limits per IP address. These restrictions strike a balance between acceptable public usage and abusive use or data mining. The web-based WhoIs service can blacklist IP addresses or ranges to prevent abusive use of the service.
2.7 IDNs – Internationalised Domain Names
An Internationalised Domain Name (IDN) allows registrants to register domains in their native language and have it display correctly in IDN aware software. This includes allowing a language to be read in the manner that would be common for its readers. For example, an Arabic domain would be presented right to left for an Arabic IDN aware browser.
The inclusion of IDNs into the TLD zones is supported by ARI. All the registry services, such as the EPP service, SRS Web Interface and RDPS (web and port 43), support IDNs. However there are some stability and security considerations related to IDNs which fall outside the general considerations applicable individually to those services.
2.7.1 Stability Considerations Specific to IDN
To avoid the intentional or accidental registration of visually similar chars, and to avoid identity confusion between domains, there are several restrictions on the registration of IDNs.
2.7.1.1 Prevent Cross Language Registrations
Domains registered within a particular language are restricted to only the chars of that language. This avoids the use of visually similar chars within one language which mimic the appearance of a label within another language, regardless of whether that label is already within the DNS or not.
2.7.1.2 Inter-language and Intra-language Variants to Prevent Similar Registrations
ARI restricts child domains to a specific language and prevents registrations in one language being confused with a registration in another language, for example Cyrillic а (U+0430) and Latin a (U+0061).
2.8 DNSSEC
DNSSEC provides a set of extensions to the DNS that allow an Internet user (normally the resolver acting on a user’s behalf) to validate that the DNS responses they receive were not manipulated en-route.
This type of fraud, commonly called ‘man in the middle’, allows a malicious party to misdirect Internet users. DNSSEC allows a domain owner to sign their domain and to publish the signature, so that all DNS consumers who visit that domain can validate that the responses they receive are as the domain owner intended.
Registries, as the operators of the parent domain for registrants, must publish the DNSSEC material received from registrants, so that Internet users can trust the material they receive from the domain owner. This is commonly referred to as a ‘chain of trust’. Internet users trust the root (operated by IANA), which publishes the registries’ DNSSEC material, therefore registries inherit this trust. Domain owners within the TLD subsequently inherit trust from the parent domain when the registry publishes their DNSSEC material.
In accordance with new gTLD requirements, the TLD zone will be DNSSEC signed and the receipt of DNSSEC material from Registrars for child domains is supported in all provisioning systems.
2.8.1 Stability and Operational Considerations for DNSSEC
2.8.1.1 DNSSEC Practice Statement
ARI’s DNSSEC Practice Statement is included in our response to Question 43. The DPS following the guidelines set out in the draft IETF DNSOP DNSSEC DPS Framework document.
2.8.1.2 Receipt of Public Keys from Registrars
The public key for a child domain is received by ARI from the Registrar via either the EPP or SRS Web Interface. ARI uses an SHA-256 digest to generate the DS Resource Record (RR) for inclusion into the zone file.
2.8.1.3 Resolution Stability
DNSSEC is considered to have made the DNS more trustworthy; however some transitional considerations need to be taken into account. DNSSEC increases the size and complexity of DNS responses. ARI ensures the TLD zone servers are accessible and offer consistent responses over UDP and TCP.
The increased UDP and TCP traffic which results from DNSSEC is accounted for in both network path access and TLD zone server capacity. ARI will ensure that capacity planning appropriately accommodates the expected increase in traffic over time.
ARI complies with all relevant RFCs and best practice guides in operating a DNSSEC-signed TLD. This includes conforming to algorithm updates as appropriate. To ensure Key Signing Key Rollover procedures for child domains are predictable, DS records will be published as soon as they are received via either the EPP server or SRS Web Interface. This allows child domain operators to rollover their keys with the assurance that their timeframes for both old and new keys are reliable.
3 APPROACH TO SECURITY AND STABILITY
Stability and security of the Internet is an important consideration for the registry system. To ensure that the registry services are reliably secured and remain stable under all conditions, ARI takes a conservative approach with the operation and architecture of the registry system.
By architecting all registry services to use the least privileged access to systems and data, risk is significantly reduced for other systems and the registry services as a whole should any one service become compromised. By continuing that principal through to our procedures and processes, we ensure that only access that is necessary to perform tasks is given. ARI has a comprehensive approach to security modelled of the ISO27001 series of standards and explored further in the relevant questions of this response.
By ensuring all our services adhering to all relevant standards, ARI ensures that entities which interact with the registry services do so in a predictable and consistent manner. When variations or enhancements to services are made, they are also aligned with the appropriate interoperability standards.
We have engaged ARI Registry Services (ARI) to deliver services for this TLD. ARI provide registry services for a number of TLDs including the .au ccTLD. For more background information on ARI please see the attachment ‘Q24 – ARI Background & Roles.pdf’. This response describes the SRS as implemented by ARI.
1 INTRODUCTION
ARI has demonstrated delivery of an SRS with exceptional availability, performance and reliability. ARI are experienced running mission critical SRSs and have significant knowledge of the industry and building and supporting SRSs.
ARI’s SRS has successfully supported a large group of Registrars for ASCII and IDN based TLDs. The system is proven to sustain high levels of concurrency, transaction load, and system uptime. ARI’s SRS meets the following requirements:
– Resilient to wide range of security & availability threats
– Consistently exceeds performance & availability SLAs
– Allows capacity increase with minimal impact to service
– Provides fair & equitable provisioning for all Registrars
2 CAPACITY
ARI’s SRS was built to sustain 20M domain names. Based on ARI’s experience running a ccTLD registries and industry analysis, ARI were able to calculate the conservative characteristics of a registry this size.
Through conservative statistical analysis of the .au registry and data presented in the May 2011 ICANN reports for the .com & .net, .org, .mobi, .info, .biz and .asia [http:⁄⁄www.icann.org⁄en⁄resources⁄registries⁄reports] we know there is:
– An average of 70 SRS TPS per domain, per month
– A ratio of 3 query to 2 transform txs
This indicates an expected monthly transaction volume of 1,400M txs (840M query and 560M transforms).
Through statistical analysis of the .au registry and backed up by the data published in the .net RFP responses [http:⁄⁄archive.icann.org⁄en⁄tlds⁄net-rfp⁄net-rfp-public-comments.htm] we also know:
– The peak daily TPS is 6% of monthly total
– The peak 5 min is 5% of the peak day
Thus we expect a peak EPP tx rate of 14,000 TPS (5,600 transform TPS and 8,400 query TPS)
Through conservative statistical analysis of the .au registry we know:
– The avg no. contacts⁄domain is 3.76
– The avg no. hosts⁄domain is 2.28
This translates into a requirement to store 75.2M contacts and 45.6M hosts.
Finally through real world observations of the .au registry, which has a comprehensive web interface when compared to those offered by current gTLD registries, we know there is an avg of 0.5 HTTP requests⁄sec to the SRS web interface per Registrar. We also know that this behaviour is reasonably flat. To support an estimated 1000 Registrars, would require 500 requests⁄second.
For perspective on the conservativeness of this, the following was taken from data in the May 2011 ICANN reports referenced above:
– .info: ~7.8M names peaks at ~1,400 TPS (projected peak TPS of ~3,600 with 20M)
– .com: ~98M names peaks at ~41,000 TPS (projected peak TPS of ~8,300 TPS with 20M)
– .org: ~9.3M names, peaks at ~1,400 TPS (projected peak TPS of ~3,100 with 20M)
After performing this analysis the projected TPS for .com was still the largest value.
ARI understand the limitations of this method but it serves as a best estimate of probable tx load. ARI has built overcapacity of resources to account for limitations of this method, however as numbers are more conservative than real world observations, we are confident this capacity is sufficient.
This TLD is projected to reach 17,648 domains at its peak volume and will generate 12.3536 EPP TPS. This will consume 0.09% of the resources of the SRS infrastructure. As is evident ARI’s SRS can easily accommodate this TLD’s growth plans. See attachment ‘Q24 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI expects to provide Registry services to 100 TLDs and a total of 12M domains by end of 2014. With all the TLDs and domains combined, ARI’s SRS infrastructure will be 60% utilized. The SRS infrastructure capacity can be easily scaled as described in Q32
ARI benchmarked their SRS infrastructure and used the results to calculate the required computing resources for each of the tiers within the architecture; allowing ARI to accurately estimate the required CPU, IOPS, storage and memory requirements for each server, and the network bandwidth & packet throughput requirements for the anticipated traffic. These capacity numbers were then doubled to account for unanticipated traffic spikes, errors in predictions, and headroom for growth. Despite doubling numbers, effective estimated capacity is still reported as 20M. The technical resource allocations are explored in Q32.
3 SRS ARCHITECTURE
ARI’s SRS has the following major components:
– Network Infrastructure
– EPP Application Servers
– SRS Web Interface Application Servers
– SRS Database
Attachment ‘Q24 – SRS.pdf’ shows the SRS systems architecture and data flows. Detail on this architecture is in our response to Q32. ARI provides two distinct interfaces to the SRS: EPP and SRS Web. Registrar SRS traffic enters the ARI network via the redundant Internet link and passes (via the firewall) to the relevant application server for the requested service (EPP or SRS Web). ARI’s EPP interface sustains high volume and throughput domain provisioning transactions for a large number of concurrent Registrar connections. ARI’s SRS Web interface provides an alternative to EPP with a presentation centric interface and provides reporting and verification features additional to those provided by the EPP interface.
3.1 EPP
ARI’s EPP application server is based on EPP as defined in RFCs 5730 – 5734. Registrars send XML based transactions to a load balanced EPP interface which forwards to one of the EPP application servers. The EPP application server then processes the XML and converts the request into database calls that retrieve or modify registry objects in the SRS database. The EPP application server tier comprises of three independent servers with dedicated connections to the registry database. Failure of any one of these servers will cause Registrar connections to automatically re-establish with one of the remaining servers. Additional EPP application servers can be added easily without any downtime. All EPP servers accept EPP both IPv4 & IPv6.
3.2 SRS Web
The SRS Web application server is a Java web application. Registrars connect via the load balancer to a secure HTTP listener running on the web servers. The SRS web application converts HTTPs requests into database calls which query or update objects in the SRS database. The SRS Web application server tier consists of two independent servers that connect to the database via JDBC. If one of these servers is unavailable the load balancer re-routes requests to the surviving server. Additional servers can be added easily without any downtime. These servers accept both IPv4 & IPv6.
3.3 SRS Database
The SRS database provides persistent storage for domains and supporting objects. It offers a secure way of storing and retrieving objects provisioned within the SRS and is built on the Oracle 11g Enterprise Edition RDBMS. The SRS Database tier consists of four servers clustered using Oracle Real Application Clusters (RAC). In the event of failure of a database server, RAC will transparently transition its client connections to a surviving database host. Additional servers can be added easily without any downtime.
3.4 Number of Servers
EPP Servers – The EPP cluster consists of 3 servers that can more than handle the anticipated 20M domains. This TLD will utilize 0.09% of this capacity at its peak volume. As the utilisation increases ARI will add additional servers ensuring the utilisation doesn’t exceed 50% of total capacity. Adding a new server to the cluster can be done live without downtime.
SRS Web Servers – The SRS Web cluster consists of 2 servers that can more than handle the anticipated 20M domains. This TLD will utilize 0.09% of this capacity at its peak volume. As the utilisation increases ARI will add additional servers ensuring the utilisation doesn’t exceed 50% of total capacity. Adding a new server to the cluster can be done live without downtime.
SRS DB Servers – The SRS DB cluster consists of 4 servers that can more than handle the anticipated 20M domains. This TLD will utilize 0.09% of this capacity at its peak volume. As the utilisation increases ARI will add additional servers ensuring the total utilisation doesn’t exceed 50% of total capacity. Adding a new server to the cluster can be done live without downtime.
3.5 SRS Security
ARI adopts a multi-layered security solution to protect the SRS. An industry leading firewall is deployed behind the edge router and is configured to only allow traffic on the minimum required ports and protocols. Access to the ARI EPP service is restricted to a list of known Registrar IPs.
An Intrusion Detection device is in-line with the firewall to monitor and detect suspicious activity.
All servers are configured with restrictive host based firewalls, intrusion detection, and SELinux. Direct root access to these servers is disabled and all access is audited and logged centrally.
The SRS database is secured by removal of non-essential features and accounts, and ensuring all remaining accounts have strong passwords. All database accounts are assigned the minimum privileges required to execute their business function.
All operating system, database, and network device accounts are subject to strict password management controls such as validity & complexity requirements.
Registrar access to the SRS via EPP or the Web interface is authenticated and secured with multi-factor authentication (NIST Level 3) and digital assertion as follows:
– Registrar’s source IP must be allowed by the front-end firewalls. This source IP is received from the Registrar via a secure communication channel from within the SRS Web interface
– Registrar must use a digital certificate provided by ARI
– Registrar must use authentication credentials that are provided by encrypted email
All communication between the Registrar and the SRS is encrypted using at least 128 bit encryption which been designated as ‘Acceptable’ till ‘2031 and beyond’ by NIST Special Publication 800-57.
3.6 SRS High Availability
SRS availability is of paramount. Downtime is eliminated or minimised where possible. The infrastructure contains no single points of failure. N+1 redundancy is used as a minimum, which not only protects against unplanned downtime but also allows ARI to execute maintenance without impacting service.
Redundancy is provided in the network with hot standby devices & multiple links between devices. Failure of any networking component is transparent to Registrar connections.
N+N redundancy is provided in the EPP and SRS Web application server tiers by the deployment of multiple independent servers grouped together as part of a load-balancing scheme. If a server fails the load balancer routes requests to the remaining servers.
N+N redundancy is provided in the database tier by the use of Oracle Real Application Cluster technology. This delivers active⁄active clustering via shared storage. This insulates Registrars from database server failure.
Complete SRS site failure is mitigated by the maintenance of a remote standby site – a duplicate of the primary site ready to be the primary if required.
The standby site database is replicated using real time transaction replication from the main database using Oracle Data Guard physical standby. If required the Data Guard database can be activated quickly and service resumes at the standby site.
3.7 SRS Scalability
ARI’s SRS scales efficiently. At the application server level, additional computing resource can be brought on-line rapidly by deploying a new server online. During benchmarking this has shown near linear.
The database can be scaled horizontally by adding a new cluster node into the RAC cluster online. This can be achieved without disruption to connections. The SRS has demonstrated over 80% scaling at the database level, but due to the distributed locking nature of Oracle RAC, returns are expected to diminish as the number of servers approaches double digits. To combat this ARI ensures that when the cluster is ‘scaled’ more powerful server equipment is added rather than that equal to the current members. Capacity can be added to the SAN at any time without downtime increasing storage and IOPs.
3.8 SRS Inter-operability and Data Synchronisation
The SRS interfaces with a number of related registry systems as part of normal operations.
3.8.1 DNS Update
Changes made in the SRS are propagated to the DNS via an ARI proprietary DNS Update process. This process runs on the ‘hidden’ primary master nameserver and waits on a queue. It is notified when the business logic inserts changes into the queue for processing. The DNS Update process reads these queue entries and converts them into DNS update (RFC2136) commands that are sent to the nameserver. The process of synchronising changes to SRS data to the DNS occurs in real-time.
3.8.2 WhoIs
The provisioned data supporting the SRS satisfies WhoIs queries. Thus the WhoIs and SRS share data sets and the WhoIs is instantaneously updated. Under normal operating conditions the WhoIs service is provided by the infrastructure at the secondary site in order to segregate the load and protect SRS from WhoIs demand (and vice versa). WhoIs queries that hit the standby site will query data stored in the standby database – maintained in near real-time using Oracle Active Data Guard. If complete site failure occurs WhoIs and SRS can temporarily share the same operations centre at the same site (capacity numbers are calculated for this).
3.8.3 Escrow
A daily Escrow extract process executes on the database server via a dedicated database account with restricted read-only access. The results are then transferred to the local Escrow Communications server by SSH.
4 OPERATIONAL PLAN
ARI follow defined policies⁄procedures that have developed over time by running critical registry systems. Some principals captured by these are:
– Conduct all changes & upgrades under strict and well-practised change control procedures
– test, test and test again
– Maintain Staging environments as close as possible to production infrastructure⁄configuration
– Eliminate all single points of failure
– Conduct regular security reviews & audits
– Maintain team knowledge & experience via skills transfer⁄training
– Replace hardware when no longer supported by vendor
– Maintain spare hardware for all critical components
– Execute regular restore tests of all backups
– Conduct regular capacity planning exercises
– Monitor everything from multiple places but ensure monitoring is not ‘chatty’
– Employ best of breed hardware & software products & frameworks (such as ITIL, ISO27001 and Prince2)
– Maintain two distinct OT&E environments to support pre-production testing for Registrars
5 SLA, RELIABILITY & COMPLIANCE
ARI’s SRS adheres to and goes beyond the scope of Specification 6 and Specification 10 of the Registry Agreement. ARI’s EPP service is XML compliant and XML Namespace aware. It complies with the EPP protocol defined in RFC5730, and the object mappings for domain, hosts & contacts are compliant with RFC 5731, 5732 & 5733 respectively. The transport over TCP is compliant with RFC5734. The service also complies with official extensions to support DNSSEC, RFC5910, & Redemption Grace Period, RFC 3915.
ARI’s SRS is sized to sustain a peak transaction rate of 14,000 TPS while meeting strict internal Operational Level Agreements (OLAs). The monthly-based OLAs below are more stringent than those in Specification 10 (Section 2).
EPP Service Availability: 100%
EPP Session Command Round Trip Time (RTT): 〈=1000ms for 95% of commands
EPP Query Command Round Trip Time (RTT): 〈=500ms for 95% of commands
EPP Transform Command Round Trip Time (RTT): 〈=1000ms for 95% of commands
SRS Web Interface Service Availability: 99.9%
ARI measure the elapsed time of every query, transform and session EPP transaction, and calculate the percentage of commands that fall within OLA on a periodic basis. If percentage value falls below configured thresholds on-call personnel are alerted.
SRS availability is measured by ARI’s monitoring system which polls both the EPP and SRS Web services status. These checks are implemented as full end to end monitoring scripts that mimic user interaction, providing a true representation of availability. These ‘scripts’ are executed from external locations on the Internet.
6 RESOURCES
This function will be performed by ARI. ARI staff are industry leading experts in domain name registries with the experience and knowledge to deliver outstanding SRS performance.
The SRS is designed, built, operated and supported by the following ARI departments:
– Products and Consulting Team (7 staff)
– Production Support Group (27 staff)
– Development Team (11 staff)
A detailed list of the departments, roles and responsibilities in ARI is provided in attachment ‘Q24 – ARI Background & Roles.pdf’. This attachment describes the functions of the teams and the number and nature of staff within.
The number of resources required to design, build, operate and support the SRS does not vary significantly with, and is not linearly proportional to, the number or size of TLDs that ARI provides registry services to.
ARI provides registry backend services to 5 TLDs and has a vast experience in estimating the number of resources required to support a SRS.
Based on past experience ARI estimates that the existing staff is adequate to support an SRS that supporting at least 50M domains. Since this TLD projects 17,648 domains, 0.04% of these resources are allocated to this TLD. See attachment ‘Q24 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI protects against loss of critical staff by employing multiple people in each role. Staff members have a primary role plus a secondary role for protection against personnel absence. Additionally ARI can scale resources as required, trained resources can be added to any of the teams with a 2 month lead time.
The Products and Consulting team is responsible for product management of the SRS solution including working with clients and the industry to identify new features or changes required. The team consists of:
– 1 Products and Consulting Manager
– 1 Product Manager
– 1 Technical Product Manager
– 4 Domain Name Industry Consultants
The Production Support Group (PSG) is responsible for the design, deployment and maintenance of the SRS infrastructure including capacity planning and monitoring as well as security aspects – ensuring the SRS services are available and performing at the appropriate level and operating correctly. The team consists of:
– Production Support Manager
– Service Desk:
– 1 Level 1 Support Team Lead
– 8 Customer Support Representatives (Level 1 support)
– 1 Level 2 Support Team Lead
– 4 Registry Specialists (Level 2 support)
– Operations (Level 3 support):
– 1 Operations Team Lead
– 2 Systems Administrators
– 2 Database Administrators
– 2 Network Engineers
– Implementation:
– 1 Project Manager
– 2 Systems Administrators
– 1 Database Administrator
– 1 Network Engineer
The development team is responsible for implementing changes and new features into the SRS as well as bug fixing and complex issue diagnosis. The team consists of:
– 1 Development Manager
– 2 Business Analysts
– 6 Developers
– 2 Quality Analysts
These resources sufficiently accommodate the needs of this TLD, and are included in ARI’s fees as described in our Financial responses.
We have engaged ARI Registry Services (ARI) to deliver services for this TLD. ARI provide registry services for a number of TLDs including the .au ccTLD. For more background information on ARI please see the attachment ‘Q24 – ARI Background & Roles.pdf’. This response describes the SRS as implemented by ARI.
1 INTRODUCTION
ARI has demonstrated delivery of an SRS with exceptional availability, performance and reliability. ARI are experienced running mission critical SRSs and have significant knowledge of the industry and building and supporting SRSs.
ARI’s SRS has successfully supported a large group of Registrars for ASCII and IDN based TLDs. The system is proven to sustain high levels of concurrency, transaction load, and system uptime. ARI’s SRS meets the following requirements:
– Resilient to wide range of security & availability threats
– Consistently exceeds performance & availability SLAs
– Allows capacity increase with minimal impact to service
– Provides fair & equitable provisioning for all Registrars
2 CAPACITY
ARI’s SRS was built to sustain 20M domain names. Based on ARI’s experience running a ccTLD registries and industry analysis, ARI were able to calculate the conservative characteristics of a registry this size.
Through conservative statistical analysis of the .au registry and data presented in the May 2011 ICANN reports for the .com & .net, .org, .mobi, .info, .biz and .asia [http:⁄⁄www.icann.org⁄en⁄resources⁄registries⁄reports] we know there is:
– An average of 70 SRS TPS per domain, per month
– A ratio of 3 query to 2 transform txs
This indicates an expected monthly transaction volume of 1,400M txs (840M query and 560M transforms).
Through statistical analysis of the .au registry and backed up by the data published in the .net RFP responses [http:⁄⁄archive.icann.org⁄en⁄tlds⁄net-rfp⁄net-rfp-public-comments.htm] we also know:
– The peak daily TPS is 6% of monthly total
– The peak 5 min is 5% of the peak day
Thus we expect a peak EPP tx rate of 14,000 TPS (5,600 transform TPS and 8,400 query TPS)
Through conservative statistical analysis of the .au registry we know:
– The avg no. contacts⁄domain is 3.76
– The avg no. hosts⁄domain is 2.28
This translates into a requirement to store 75.2M contacts and 45.6M hosts.
Finally through real world observations of the .au registry, which has a comprehensive web interface when compared to those offered by current gTLD registries, we know there is an avg of 0.5 HTTP requests⁄sec to the SRS web interface per Registrar. We also know that this behaviour is reasonably flat. To support an estimated 1000 Registrars, would require 500 requests⁄second.
For perspective on the conservativeness of this, the following was taken from data in the May 2011 ICANN reports referenced above:
– .info: ~7.8M names peaks at ~1,400 TPS (projected peak TPS of ~3,600 with 20M)
– .com: ~98M names peaks at ~41,000 TPS (projected peak TPS of ~8,300 TPS with 20M)
– .org: ~9.3M names, peaks at ~1,400 TPS (projected peak TPS of ~3,100 with 20M)
After performing this analysis the projected TPS for .com was still the largest value.
ARI understand the limitations of this method but it serves as a best estimate of probable tx load. ARI has built overcapacity of resources to account for limitations of this method, however as numbers are more conservative than real world observations, we are confident this capacity is sufficient.
This TLD is projected to reach 17,648
domains at its peak volume and will generate 12.3536
EPP TPS. This will consume 0.09
% of the resources of the SRS infrastructure. As is evident ARI’s SRS can easily accommodate this TLD’s growth plans. See attachment ‘Q24 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI expects to provide Registry services to 100 TLDs and a total of 12M domains by end of 2014. With all the TLDs and domains combined, ARI’s SRS infrastructure will be 60% utilized. The SRS infrastructure capacity can be easily scaled as described in Q32
ARI benchmarked their SRS infrastructure and used the results to calculate the required computing resources for each of the tiers within the architecture; allowing ARI to accurately estimate the required CPU, IOPS, storage and memory requirements for each server, and the network bandwidth & packet throughput requirements for the anticipated traffic. These capacity numbers were then doubled to account for unanticipated traffic spikes, errors in predictions, and headroom for growth. Despite doubling numbers, effective estimated capacity is still reported as 20M. The technical resource allocations are explored in Q32.
3 SRS ARCHITECTURE
ARI’s SRS has the following major components:
– Network Infrastructure
– EPP Application Servers
– SRS Web Interface Application Servers
– SRS Database
Attachment ‘Q24 – SRS.pdf’ shows the SRS systems architecture and data flows. Detail on this architecture is in our response to Q32. ARI provides two distinct interfaces to the SRS: EPP and SRS Web. Registrar SRS traffic enters the ARI network via the redundant Internet link and passes (via the firewall) to the relevant application server for the requested service (EPP or SRS Web). ARI’s EPP interface sustains high volume and throughput domain provisioning transactions for a large number of concurrent Registrar connections. ARI’s SRS Web interface provides an alternative to EPP with a presentation centric interface and provides reporting and verification features additional to those provided by the EPP interface.
3.1 EPP
ARI’s EPP application server is based on EPP as defined in RFCs 5730 – 5734. Registrars send XML based transactions to a load balanced EPP interface which forwards to one of the EPP application servers. The EPP application server then processes the XML and converts the request into database calls that retrieve or modify registry objects in the SRS database. The EPP application server tier comprises of three independent servers with dedicated connections to the registry database. Failure of any one of these servers will cause Registrar connections to automatically re-establish with one of the remaining servers. Additional EPP application servers can be added easily without any downtime. All EPP servers accept EPP both IPv4 & IPv6.
3.2 SRS Web
The SRS Web application server is a Java web application. Registrars connect via the load balancer to a secure HTTP listener running on the web servers. The SRS web application converts HTTPs requests into database calls which query or update objects in the SRS database. The SRS Web application server tier consists of two independent servers that connect to the database via JDBC. If one of these servers is unavailable the load balancer re-routes requests to the surviving server. Additional servers can be added easily without any downtime. These servers accept both IPv4 & IPv6.
3.3 SRS Database
The SRS database provides persistent storage for domains and supporting objects. It offers a secure way of storing and retrieving objects provisioned within the SRS and is built on the Oracle 11g Enterprise Edition RDBMS. The SRS Database tier consists of four servers clustered using Oracle Real Application Clusters (RAC). In the event of failure of a database server, RAC will transparently transition its client connections to a surviving database host. Additional servers can be added easily without any downtime.
3.4 Number of Servers
EPP Servers – The EPP cluster consists of 3 servers that can more than handle the anticipated 20M domains. This TLD will utilize 0.09
% of this capacity at its peak volume. As the utilisation increases ARI will add additional servers ensuring the utilisation doesn’t exceed 50% of total capacity. Adding a new server to the cluster can be done live without downtime.
SRS Web Servers – The SRS Web cluster consists of 2 servers that can more than handle the anticipated 20M domains. This TLD will utilize 0.09
% of this capacity at its peak volume. As the utilisation increases ARI will add additional servers ensuring the utilisation doesn’t exceed 50% of total capacity. Adding a new server to the cluster can be done live without downtime.
SRS DB Servers – The SRS DB cluster consists of 4 servers that can more than handle the anticipated 20M domains. This TLD will utilize 0.09
% of this capacity at its peak volume. As the utilisation increases ARI will add additional servers ensuring the total utilisation doesn’t exceed 50% of total capacity. Adding a new server to the cluster can be done live without downtime.
3.5 SRS Security
ARI adopts a multi-layered security solution to protect the SRS. An industry leading firewall is deployed behind the edge router and is configured to only allow traffic on the minimum required ports and protocols. Access to the ARI EPP service is restricted to a list of known Registrar IPs.
An Intrusion Detection device is in-line with the firewall to monitor and detect suspicious activity.
All servers are configured with restrictive host based firewalls, intrusion detection, and SELinux. Direct root access to these servers is disabled and all access is audited and logged centrally.
The SRS database is secured by removal of non-essential features and accounts, and ensuring all remaining accounts have strong passwords. All database accounts are assigned the minimum privileges required to execute their business function.
All operating system, database, and network device accounts are subject to strict password management controls such as validity & complexity requirements.
Registrar access to the SRS via EPP or the Web interface is authenticated and secured with multi-factor authentication (NIST Level 3) and digital assertion as follows:
– Registrar’s source IP must be allowed by the front-end firewalls. This source IP is received from the Registrar via a secure communication channel from within the SRS Web interface
– Registrar must use a digital certificate provided by ARI
– Registrar must use authentication credentials that are provided by encrypted email
All communication between the Registrar and the SRS is encrypted using at least 128 bit encryption which been designated as ‘Acceptable’ till ‘2031 and beyond’ by NIST Special Publication 800-57.
3.6 SRS High Availability
SRS availability is of paramount. Downtime is eliminated or minimised where possible. The infrastructure contains no single points of failure. N+1 redundancy is used as a minimum, which not only protects against unplanned downtime but also allows ARI to execute maintenance without impacting service.
Redundancy is provided in the network with hot standby devices & multiple links between devices. Failure of any networking component is transparent to Registrar connections.
N+N redundancy is provided in the EPP and SRS Web application server tiers by the deployment of multiple independent servers grouped together as part of a load-balancing scheme. If a server fails the load balancer routes requests to the remaining servers.
N+N redundancy is provided in the database tier by the use of Oracle Real Application Cluster technology. This delivers active⁄active clustering via shared storage. This insulates Registrars from database server failure.
Complete SRS site failure is mitigated by the maintenance of a remote standby site – a duplicate of the primary site ready to be the primary if required.
The standby site database is replicated using real time transaction replication from the main database using Oracle Data Guard physical standby. If required the Data Guard database can be activated quickly and service resumes at the standby site.
3.7 SRS Scalability
ARI’s SRS scales efficiently. At the application server level, additional computing resource can be brought on-line rapidly by deploying a new server online. During benchmarking this has shown near linear.
The database can be scaled horizontally by adding a new cluster node into the RAC cluster online. This can be achieved without disruption to connections. The SRS has demonstrated over 80% scaling at the database level, but due to the distributed locking nature of Oracle RAC, returns are expected to diminish as the number of servers approaches double digits. To combat this ARI ensures that when the cluster is ‘scaled’ more powerful server equipment is added rather than that equal to the current members. Capacity can be added to the SAN at any time without downtime increasing storage and IOPs.
3.8 SRS Inter-operability and Data Synchronisation
The SRS interfaces with a number of related registry systems as part of normal operations.
3.8.1 DNS Update
Changes made in the SRS are propagated to the DNS via an ARI proprietary DNS Update process. This process runs on the ‘hidden’ primary master nameserver and waits on a queue. It is notified when the business logic inserts changes into the queue for processing. The DNS Update process reads these queue entries and converts them into DNS update (RFC2136) commands that are sent to the nameserver. The process of synchronising changes to SRS data to the DNS occurs in real-time.
3.8.2 WhoIs
The provisioned data supporting the SRS satisfies WhoIs queries. Thus the WhoIs and SRS share data sets and the WhoIs is instantaneously updated. Under normal operating conditions the WhoIs service is provided by the infrastructure at the secondary site in order to segregate the load and protect SRS from WhoIs demand (and vice versa). WhoIs queries that hit the standby site will query data stored in the standby database – maintained in near real-time using Oracle Active Data Guard. If complete site failure occurs WhoIs and SRS can temporarily share the same operations centre at the same site (capacity numbers are calculated for this).
3.8.3 Escrow
A daily Escrow extract process executes on the database server via a dedicated database account with restricted read-only access. The results are then transferred to the local Escrow Communications server by SSH.
4 OPERATIONAL PLAN
ARI follow defined policies⁄procedures that have developed over time by running critical registry systems. Some principals captured by these are:
– Conduct all changes & upgrades under strict and well-practised change control procedures
– test, test and test again
– Maintain Staging environments as close as possible to production infrastructure⁄configuration
– Eliminate all single points of failure
– Conduct regular security reviews & audits
– Maintain team knowledge & experience via skills transfer⁄training
– Replace hardware when no longer supported by vendor
– Maintain spare hardware for all critical components
– Execute regular restore tests of all backups
– Conduct regular capacity planning exercises
– Monitor everything from multiple places but ensure monitoring is not ‘chatty’
– Employ best of breed hardware & software products & frameworks (such as ITIL, ISO27001 and Prince2)
– Maintain two distinct OT&E environments to support pre-production testing for Registrars
5 SLA, RELIABILITY & COMPLIANCE
ARI’s SRS adheres to and goes beyond the scope of Specification 6 and Specification 10 of the Registry Agreement. ARI’s EPP service is XML compliant and XML Namespace aware. It complies with the EPP protocol defined in RFC5730, and the object mappings for domain, hosts & contacts are compliant with RFC 5731, 5732 & 5733 respectively. The transport over TCP is compliant with RFC5734. The service also complies with official extensions to support DNSSEC, RFC5910, & Redemption Grace Period, RFC 3915.
ARI’s SRS is sized to sustain a peak transaction rate of 14,000 TPS while meeting strict internal Operational Level Agreements (OLAs). The monthly-based OLAs below are more stringent than those in Specification 10 (Section 2).
EPP Service Availability: 100%
EPP Session Command Round Trip Time (RTT): 〈=1000ms for 95% of commands
EPP Query Command Round Trip Time (RTT): 〈=500ms for 95% of commands
EPP Transform Command Round Trip Time (RTT): 〈=1000ms for 95% of commands
SRS Web Interface Service Availability: 99.9%
ARI measure the elapsed time of every query, transform and session EPP transaction, and calculate the percentage of commands that fall within OLA on a periodic basis. If percentage value falls below configured thresholds on-call personnel are alerted.
SRS availability is measured by ARI’s monitoring system which polls both the EPP and SRS Web services status. These checks are implemented as full end to end monitoring scripts that mimic user interaction, providing a true representation of availability. These ‘scripts’ are executed from external locations on the Internet.
6 RESOURCES
This function will be performed by ARI. ARI staff are industry leading experts in domain name registries with the experience and knowledge to deliver outstanding SRS performance.
The SRS is designed, built, operated and supported by the following ARI departments:
– Products and Consulting Team (7 staff)
– Production Support Group (27 staff)
– Development Team (11 staff)
A detailed list of the departments, roles and responsibilities in ARI is provided in attachment ‘Q24 – ARI Background & Roles.pdf’. This attachment describes the functions of the teams and the number and nature of staff within.
The number of resources required to design, build, operate and support the SRS does not vary significantly with, and is not linearly proportional to, the number or size of TLDs that ARI provides registry services to.
ARI provides registry backend services to 5 TLDs and has a vast experience in estimating the number of resources required to support a SRS.
Based on past experience ARI estimates that the existing staff is adequate to support an SRS that supporting at least 50M domains. Since this TLD projects 17,648
domains, 0.04
% of these resources are allocated to this TLD. See attachment ‘Q24 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI protects against loss of critical staff by employing multiple people in each role. Staff members have a primary role plus a secondary role for protection against personnel absence. Additionally ARI can scale resources as required, trained resources can be added to any of the teams with a 2 month lead time.
The Products and Consulting team is responsible for product management of the SRS solution including working with clients and the industry to identify new features or changes required. The team consists of:
– 1 Products and Consulting Manager
– 1 Product Manager
– 1 Technical Product Manager
– 4 Domain Name Industry Consultants
The Production Support Group (PSG) is responsible for the design, deployment and maintenance of the SRS infrastructure including capacity planning and monitoring as well as security aspects – ensuring the SRS services are available and performing at the appropriate level and operating correctly. The team consists of:
– Production Support Manager
– Service Desk:
– 1 Level 1 Support Team Lead
– 8 Customer Support Representatives (Level 1 support)
– 1 Level 2 Support Team Lead
– 4 Registry Specialists (Level 2 support)
– Operations (Level 3 support):
– 1 Operations Team Lead
– 2 Systems Administrators
– 2 Database Administrators
– 2 Network Engineers
– Implementation:
– 1 Project Manager
– 2 Systems Administrators
– 1 Database Administrator
– 1 Network Engineer
The development team is responsible for implementing changes and new features into the SRS as well as bug fixing and complex issue diagnosis. The team consists of:
– 1 Development Manager
– 2 Business Analysts
– 6 Developers
– 2 Quality Analysts
These resources sufficiently accommodate the needs of this TLD, and are included in ARI’s fees as described in our Financial responses.
We have engaged ARI Registry Services (ARI) to deliver services for this TLD. ARI provide registry services for a number of TLDs including the .au ccTLD. For more background information on ARI please see the attachment ‘Q26 – ARI Background & Roles.pdf’. This response describes the WhoIs interface as implemented by ARI.
1 INTRODUCTION
ARI’s WhoIs service is for all domain names, contacts, nameservers and Registrars provisioned in the registry database. This response describes the port 43 and web interfaces of WhoIs, security controls to mitigate abuse, compliance with bulk access requirements for registration data, and the architecture delivering the service.
2 PORT 43 WHOIS SERVICE
WhoIs is on TCP port 43 in accordance with RFC3912. Requests are made in semi-free text format and ended by CR & LF. The server responds with a semi-free text format, terminating the response by connection close.
To support IDNs and Localised data we assume the query is encoded in UTF-8 and sends responses encoded in UTF-8. UTF-8 is backwards compatible with the ASCII charset and its use is consistent with the IETF policy on charsets as defined in BCP 18 [http:⁄⁄tools.ietf.org⁄html⁄bcp18].
2.1 Query Format
By default WhoIs searches domains. To facilitate the queries of other objects keywords must be used. Supported keywords are:
– Domain
– Host⁄Nameserver
– Contact
– Registrar
Keywords are case-insensitive. The rest of the input is the search string. Wildcard chars may be used in search strings to match zero or more chars (%), or match exactly one char(_). Wildcard chars must not be in the first 5 chars.
2.2 Response Format
The response follows a semi-structured format of object-specific data, followed by query-related meta-information, then a disclaimer.
The object-specific data is represented by key⁄value pairs, beginning with the key, followed by a colon and a space then the value terminated by an ASCII CR & LF. Where no object is found ‘No Data Found’ is returned.
The meta-information is used to identify data freshness and indicate when limits have been exceeded. It appears on one line within ‘〉〉〉’ and ‘〈〈〈’ chars.
The legal disclaimer is presented without leading comment marks wrapped at 72 chars. This format is consistent with that in the registry agreement.
2.3 Domain Data
Domain data is returned in response to a query with the keyword omitted, or with the ‘domain’ keyword. Domain queries return information on domains that are provisioned in the registry database.
The IDN domains may be specified in either the ASCII-compatible encoded form or the Unicode form. Clients are expected to perform any mappings, in conformance with relevant guidelines such as those specified in RFC5894 and UTS46.
Variant domains may be specified in the search string and WhoIs will match (using case-insensitive comparison) and return information for the primary registered domain.
For queries containing wildcard chars, if only one domain name is matched its details are returned, if more than one domain name is matched then the first 50 matched domain names are listed.
2.3.1 Internationalised Domain Names
The WhoIs response format, prescribed in Specification 4, does not provide a mechanism to identify active variant domain names. ARI will include active variant domain names in WhoIs responses until a common approach for handling and display of variant names is determined.
2.3.2 Reserved Domain Names
Domain names reserved from allocation will have a specific response that indicates the domain is not registered but also not available.
2.4 Nameserver Data
Nameserver data is returned in response to a query where the ‘nameserver’ or ‘host’ keywords have been used. Nameserver queries return information on hosts that are provisioned in the registry.
The search string for a nameserver query can be either a hostname or IP. Queries using the hostname produce one result unless wildcards are used. Queries using the IP produce one or more results depending on the number of hostnames that match that address. Queries for the hostname are matched case-insensitively.
The quad-dotted notation is expected for IPv4 and the RFC3513 – IPv6 Addressing Architecture format for IPv6. Wildcards cannot be used for IP queries.
2.5 Contact Data
Contact data is returned in response to a query where the ‘contact’ keyword was used. Contact queries return information on contacts that are provisioned in the registry.
The search string for a contact query is the contact identifier. Contact identifiers are matched using a case-insensitive comparison. Wildcards cannot be used.
2.6 Registrar Data
Registrar data is returned in response to a query where the ‘Registrar’ keyword was used. Registrar queries return information on Registrar objects that are provisioned in the registry.
The search string for a Registrar query can be name or IANA ID. Queries using the name or the IANA ID produce only one result. Queries for the name are matched using a case-insensitive comparison. Wildcards cannot be used.
2.7 Non-standard Data
The SRS supports domain-related data beyond that above. It may include information used to claim eligibility to participate in the sunrise process, or other arbitrary data collected using the Key-Value Mapping to the EPP. This information will be included in the WhoIs response after the last object-specific data field and before the meta-information.
3 WEB-BASED WHOIS SERVICE
WhoIs is also available via port 80 using HTTP, known as Web-based WhoIs. This interface provides identical query capabilities to the port 43 interface via an HTML form.
4 SECURITY CONTROLS
WhoIs has an in-built mechanism to blacklist malicious users for a specified duration. Blacklisted users are blocked by source IP address and receive a specific blacklisted notification instead of the normal WhoIs response.
Users may be blacklisted if ARI’s monitoring system determines excessive use. A whitelist is used to facilitate legitimate use by law enforcement agencies and other reputable entities.
5 BULK ACCESS
The registry system complies with the requirements for the Periodic Access to Thin Registration Data and Exceptional Access to Thick Registration Data as described in Specification 4.
5.1 Periodic Access to Thin Registration Data
ARI shall provide ICANN with Periodic Access to Thin Registration Data. The data will contain the following elements as specified by ICANN. The format of the data will be consistent with the format specified for Data Escrow. The Escrow Format prescribes an XML document encoded in UTF-8. The generated data will be verified to ensure that it is well formed and valid.
The data will be generated every Monday for transactions committed up to and on Sunday unless otherwise directed by ICANN. The generated file will be made available to ICANN using SFTP. Credentials, encryption material, and other parameters will be negotiated between ARI and ICANN using an out-of-band mechanism.
5.2 Exceptional Access to Thick Registration Data
If requested by ICANN, ARI shall provide exceptional access to thick registration data for a specified Registrar. The date will contain full information for the following objects:
– Domain names sponsored by the Registrar
– Hosts sponsored by the Registrar
– Contacts sponsored by the Registrar
– Contacts linked from domain names sponsored by the Registrar
As above the format of the data will be consistent with the format specified for Data Escrow. And will be made available to ICANN using SFTP.
6 CAPACITY
ARI’s WhoIs infrastructure is built to sustain 20M domain names. Based on ARI’s experience running a high volume ccTLD registry (.au) and industry analysis, ARI were able to calculate the conservative characteristics of a registry of this size.
Through conservative statistical analysis of the .au registry and data presented in the May 2011 ICANN reports for the .com & .net, .org, .mobi, .info, .biz and .asia [http:⁄⁄www.icann.org⁄en⁄resources⁄registries⁄reports] we know there is:
– An average of 30 SRS txs per domain, per month.
Which indicates an expected monthly transaction volume of 600M txs?
Through statistical analysis of the .au registry and backed up by the data published in the .net RFP responses [http:⁄⁄archive.icann.org⁄en⁄tlds⁄net-rfp⁄net-rfp-public-comments.htm] we also know:
– The peak daily transactions is 6% of the monthly total
– The peak 5 min is 5% of the peak day
Thus we expect a peak WhoIs tx rate of WhoIs 6,000 TPS.
For perspective on the conservativeness of this, the following numbers were taken from data in the May 2011 ICANN reports referenced above:
– .info ~7.8M domain names, peaks at ~1,300 TPS (projected peak TPS of ~3,400 with 20M names).
– .mobi ~1M domain names, peaks at ~150 TPS (projected peak TPS of ~3,000 TPS with 20M names).
– .org ~9.3M domain names, peaks at ~1,300 TPS (projected peak TPS of ~2,800 with 20M names).
ARI understand the limitations of these calculations but they serve as a best estimate of probable transaction load. ARI has built overcapacity of resources to account for limitations of this method, however as conservative numbers were used and these are greater than real world observations, we are confident these capacity numbers are sufficient.
ARI benchmarked their WhoIs infrastructure and used the results to calculate the required computing resources for each of the tiers within the WhoIs architecture – allowing ARI to accurately estimate the required CPU, IOPS, storage and memory requirements for each server within the architecture, as well as the network bandwidth and packet throughput requirements for the anticipated WhoIs traffic. These capacity numbers were then doubled to account for unanticipated traffic spikes, errors in predictions and head room for growth. The technical resource allocations are explored in question 32.
This TLD is projected to reach 17,648 domains at its peak volume and will generate 5.2944 WhoIs transactions per second. This will consume 0.09% of the resources of the WhoIs infrastructure. As is evident ARI’s WhoIs can easily accommodate this TLD’s growth plans. See attachment ‘Q26 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI expects to provide Registry services to 100 TLDs and a total of 12M domains by end of 2014. With all the TLDs and domains combined, ARI’s WhoIs infrastructure will be only 60% utilized. The WhoIs infrastructure capacity can also be easily scaled as described in question 32
7 ARCHITECTURE
WhoIs uses a database separate from the SRS database as it operates from the secondary site such that network and database resources are decoupled from the operation of the SRS. Oracle Data Guard ensures the two databases are synchronised in real-time. The WhoIs service is operated live from the SRS ‘failover’ site, with the SRS ‘primary’ site serving as the ‘failover’ site for the WhoIs service. Both sites have enough capacity to run both services simultaneously, however by separating them, in normal operating modes headroom above the already over provisioned capacity is available. The architecture and data flow diagrams are described below and shown in the attachment ‘Q26 – WhoIs.pdf’.
Traffic enters the network from the Internet through border routers and then firewalls. All traffic destined for this service except for TCP ports 43, 80 & 443 is blocked. Load balancers forward the request to one of the application servers running ARI built WhoIs software. Each server is connected to the database cluster through another firewall further restricting access to the. Each server uses a restricted Oracle user that has read only access to the registry data and can only access the data that is relevant to the WhoIs queries. This ensures that in the unlikely event of an application server compromise the effects are limited.
All components are configured and provisioned to provide N+1 redundancy. Multiple Internet providers with separate upstream bandwidth suppliers are used. At least one additional component of all hardware exists, enabling maintenance without downtime. This configuration provides a service exceeding the availability requirements in Specification 10.
The use of load balancing allows addition of application servers with no downtime. From a database perspective, the ability to scale is enabled by utilising Oracle RAC database clustering. The entire service, including routers, firewalls and application is IPv6 compatible and WhoIs is offered on both IPv4 and IPv6. Detail about this architecture is available in our response to Question 32.
7.1 Synchronisation
The WhoIs database is synchronised with the SRS database using Oracle Data Guard. Committed transactions in the SRS database are reflected in the WhoIs database in real-time. Should synchronisation break, WhoIs continues to operate with the latest available data until the issue is reconciled. The channel between the two sites consists of two independent dedicated point to point links as well as the Internet. Replication traffic flows via the dedicated links or if both links fail replication traffic flows over Internet tunnels.
7.2. Interconnectivity with Other Services
The WhoIs service is not directly interconnected with other registry services or systems. The software has been developed to provide the WhoIs service exclusively and retrieve response information from a database physically separate to the SRS transactional database. This database is updated as described in ‘Synchronisation’ above. Although for smaller system the WhoIs and SRS can be configured to use the same data store. The WhoIs servers log every request to a central repository that is logically separate from the WhoIs database. This repository is used for query counts, detection of data mining and statistical analysis on query trends.
7.3 IT and Infrastructure Resources
The WhoIs service is provided utilizing Cisco networking equipment, IBM servers & SAN. They are described in the attachment ‘Q26 – WhoIs.pdf’. For more information on the architecture including server specifications and database capabilities please see Questions 32 & 33.
8 COMPLIANCE
Compliance with WhoIs RFCs is achieved through design and QA. The WhoIs interface was designed to conform to the RFCs as documented and independent test cases have been developed.
QA processes provide confidence that any changes to the service don’t result in regression of the WhoIs. Automated build processes execute test suites that ensure every facet of the WhoIs service (including malformed input, commands sequencing and synchronisation, and boundary values) is covered and compliant with RFCs. These tests are executed prior to the committing of code and nightly. The final deliverable is packaged and tested again to ensure no defects were introduced in the packaging of the software.
New versions of the WhoIs follow a deployment schedule. The new version is deployed into an OT&E environment for Registrar integration testing. Registrars who rely on WhoIs functionality are encouraged during this stage to test their systems operate without change. After a fixed time in OT&E without issue, new versions are scheduled for production deployment. This ensures incompatibilities with RFCs that made it through QA processes are detected in test environments prior to reaching production.
ARI is committed to providing a WhoIs service that integrates with third party tools and as such tests are conducted using these tools such as jWhoIs, a popular UNIX command line WhoIs client. Any issues identified during integration fall into 1 of the following categories:
– Third-party tool not compliant with the WhoIs specification
– WhoIs service not compliant
– Both third-party tool and WhoIs service are compliant, however another operational issue causes a problem
Defects are raised and follow the change management. Change requests may also be raised to promote integration of third-party tools and to meet common practice.
9 RESOURCES
This function will be performed by ARI. The WhoIs system is supported by a number of ARI departments:
– Products and Consulting Team (7 staff)
– Production Support Group (27 staff)
– Development Team (11 staff)
– Legal, Abuse and Compliance Team (6 staff)
A detailed list of the departments, roles and responsibilities in ARI is provided as attachment ‘Q26 – ARI Background & Roles.pdf’. This attachment describes the functions of the above teams and the exact number and nature of staff within.
The number of resources required to design, build, operate and support the SRS does not vary significantly with, and is not linearly proportional to, the number or size of TLDs that ARI provides registry services to.
ARI provides registry backend services to 5 TLDs and has a wealth of experience in estimating the number of resources required to support a registry system.
Based on past experience ARI estimates that the existing staff is adequate to support a registry system that supports in excess of 50M domains. Since this TLD projects 17,648 domains, 0.04% of these resources are allocated to this TLD. See attachment ‘Q26 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI protects against loss of critical staff by employing multiple people in each role. Staff members have a primary role plus a secondary role for protection against personnel absence. Additionally ARI can scale resources as required. Additional trained resources can be added to any of the above teams with a 2 month lead time.
The products and consulting team is responsible for product management of the WhoIs solution including working with clients and the industry to identify new features or changes required to the system. The team consists of:
– 1 Products and Consulting Manager
– 1 Product Manager
– 1 Technical Product Manager
– 4 Domain Name Industry Consultants
ARI employ a development team responsible for the maintenance and continual improvement of the WhoIs software. The team consists of:
– 1 Development Manager
– 2 Business Analysts
– 6 Developers
– 2 Quality Analysts
ARI’s Production Support Team ensures the successful operation of the WhoIs system. The team comprises Database Administrators, Systems Administrators and Network Administrators. This team routinely checks and monitors bandwidth, disk and CPU usages to plan and respond to expected increases in the volume of queries, and perform maintenance of the system including security patches and failover and recovery testing. The team consists of:
– Production Support Manager
– Service Desk:
– 1 Level 1 Support Team Lead
– 8 Customer Support Representatives (Level 1 support)
– 1 Level 2 Support Team Lead
– 4 Registry Specialists (Level 2 support)
– Operations (Level 3 support)
– 1 Operations Team Lead
– 2 Systems Administrators
– 2 Database Administrators
– 2 Network Engineers
– Implementation
– 1 Project Manager
– 2 Systems Administrators
– 1 Database Administrators
– 1 Network Engineers
ARI’s registry provides abuse monitoring detection mechanisms to block data mining. ARI support staff may be contacted to remove blacklisted users during which they may be referred to the Legal, Abuse and Compliance Team for evaluation of their activities. Additionally the support team in conjunction with the Legal, Abuse and Compliance team administer requests for listing on the whitelist. The team consists of:
– 1 Legal Manager
– 1 Legal Counsel
– 4 Policy Compliance Officers
These resources sufficiently accommodate the needs of this TLD, and are included in ARI’s fees as described in our Financial responses.
We have engaged ARI Registry Services (ARI) to deliver services for this TLD. ARI provide registry services for a number of TLDs including the .au ccTLD. For more background information on ARI please see the attachment ‘Q27 – ARI Background & Roles.pdf’. This response describes the Registration Lifecycle as implemented by ARI.
1 INTRODUCTION
The lifecycle described matches current gTLD registries. All states, grace periods and transitions are supported by the EPP protocol as described in RFC5730 – 5734 & the Grace Period Mapping published in RFC3915. An overview is in attachment ‘Q27 – Registration Lifecycle.pdf’.
2 REGISTRATION PERIODS
The registry supports registration up to 10 years and renewals for 1 to 10 years. The total current validity period can’t exceed 10 years.
Transfers under part A of the ICANN Policy on Transfer of Registrations between Registrars (Adopted 7 November 2008) extend registration by 1 year. The period truncates to 10 years if required.
3 STATES
The states that a domain can exist in are: Registered, Pending Transfer, Redemption, Pending Restore & Pending Delete.
All domain name statuses (RFC3915, 5730-5734 and 5910) are covered below
3.1 Registered
EPP Status: ok
In DNS: Yes
Allowed Operations: Update, Renew, Transfer (request) & Delete
The default state of a domain – no pending operations. The sponsoring Registrar may update the domain.
3.2 Pending Transfer
EPP Status: pendingTransfer
In DNS: Yes
Allowed Operations: Transfer (cancel, reject, approve)
Another Registrar has requested transfer of the domain and it is not yet completed All transform operations, other than those to cancel, reject, or approve the transfer are rejected.
3.3 Redemption
EPP Status: pendingDelete
RGP Status: redemptionPeriod
In DNS: No
Allowed Operations: Restore (request)
Domain has been deleted. The sponsor may request restoration of the domain. The domain continues to be withheld from the DNS unless it is restored. No transform operations other than restore are allowed.
3.4 Pending Restore
EPP Status: pendingDelete
RGP Status: pendingRestore
In DNS: Yes
Allowed Operations: Restore (report)
A restore request is pending. The sponsor must submit a restore report. The domain is provisioned the DNS. No transform operations other than the restore report are allowed.
3.5 Pending Delete
EPP Status: pendingDelete
RGP Status: pendingDelete
In DNS: No
Allowed Operations: None
The Redemption Grace Period has lapsed and the domain is pending purge from the registry. This state prohibits the sponsor from updating, restoring or modifying the domain. This status applies for 5 days. At the end of this period the domain is purged from the database and made available for registration.
4 GRACE PERIODS
The registry system supports 4 grace periods: add, renew, auto-renew, and transfer, described below with consideration for overlap of grace periods. States described here are additional to those above.
4.1 Add Grace Period
Length: 5 days
RGP Status: addPeriod
Allows for the no-cost cancellation of a domain registrations resulting from typing mistakes and other errors by Registrars and registrants – beginning on the creation of a domain and lasting for 5 days. When the following operations are performed during this period these rules apply:
– Delete: the sponsoring Registrar, who must have created the domain, may delete the domain and receive a refund. The domain is deleted with immediate effect. The refund is subject to the Add Grace Period Limits consensus policy. Excess deletions over 50 or 10% of creates (whichever is greater), are not subject to a refund, except in extraordinary circumstances.
– Renew: the sponsor may renew the domain but does not receive any refund for the initial registration fee. The Registrar is charged for the renewal operation. The total period for the domain is the sum of the initial period in the create and any renewal term, limited to a 10 year maximum.
– Transfer: Under ICANN policy a transfer can’t occur during the Add Grace Period or at any other time in the first 60 days after the initial registration. The registry system enforces this, rejecting such requests.
– Bulk Transfers: Under Part B of the ICANN Policy on Transfer of Registrations between Registrars, a bulk transfer can occur during the Add Grace Period. Any bulk transfer causes the Add Grace Period to not apply.
The Add Grace Period does not have any impact on other commands.
4.2 Renew Grace Period
Length: 5 days
RGP Status: renewPeriod
Allows the sponsoring Registrar to undo a renewal via the deletion of a domain – beginning on the receipt of a renewal command and lasting for 5 days. If any of the following operations are performed during this period these rules apply:
– Delete: the sponsoring Registrar, who must have initiated the renewal, may delete the domain and receive a renewal fee refund. The extension to the registration period caused by the preceding renew is reversed and unless the domain is also in the Add Grace Period, the domain enters the Redemption state. If also in the Add Grace Period it is deleted with immediate effect and availability for registration.
– Renew: the sponsoring Registrar, who must have performed the initial renew, can subsequently renew the domain again, causing a second independent Renewal Grace Period to start. The Registrar is charged for the operation and the total registration period for the domain is extended by the renewal term, limited to the 10 year maximum.
– Transfer: an approved transfer command ends the current Renew Grace Period without a refund and begins a Transfer Grace Period.
– Bulk Transfers: bulk transfers cause the Renew Grace Period to end without a refund, consequently registration periods are not changed.
The Renew Grace Period has no impact on other commands.
4.3 Auto-Renew Grace Period
Length: 45 days
RGP Status: autoRenewPeriod
Auto-Renew Grace Period allows for domains to remain in the DNS past registration expiration while giving adequate time for the sponsoring Registrar to obtain intention of renewal from the registrant.
This period begins on the expiration of the domain and lasts for 45 days. If any of the following are performed during this period these rules apply:
– Delete: the sponsoring Registrar, who must be the sponsor when the Auto-Renew Grace Period commenced, may delete the domain and receive an auto-renew fee refund. The registration period auto-renew extension is reversed and the domain enters the Redemption state.
– Renew: the sponsoring Registrar, who must be the sponsor when the auto-renew occurred, can renew the domain again causing an independent Renewal Grace Period to begin. The Registrar is charged and the registration period is extended by the renewal term, limited to the 10 year maximum.
– Transfer: an approved transfer command ends the current Auto-Renew Grace Period with a refund to the losing Registrar and begins a Transfer Grace Period. The registration period auto-renew extension is reversed and the registration is extended by the period specified in the transfer.
– Bulk Transfers: bulk transfers cause the Auto-Renew Grace Period to end without a refund consequently registration periods are not changed.
The Auto-Renew Grace Period does not have any impact on other commands.
4.4 Transfer Grace Period
Length: 5 days
RGP Status: transferPeriod
Transfer Grace Period allows the sponsoring Registrar to undo the registration period extension (due to a transfer command), via the deletion of a domain. This period begins on a transfer completion and lasts for 5 calendar days. If the following are performed during the period these rules apply:
– Delete: the sponsoring Registrar, who must have initiated the transfer, may delete the domain and receive a transfer fee refund. The extension to the registration period of the preceding transfer is reversed and the Redemption state is entered.
– Renew: the sponsoring Registrar can renew the domain thus causing an independent Renewal Grace Period to begin. The Registrar is charged and the registration period for the domain is extended by the renewal term, limited to the 10 year maximum.
– Transfer: under Part A of the ICANN Policy on Transfer of Registrations between Registrars a transfer may not occur during the 60 day period after transfer (except in special circumstances). The registry system enforces this – effects of transfer do not require consideration. Should a special situation require transfer back to the losing Registrar, this is dealt with by taking into account the specific situation. The registry system does not allow this without intervention by registry staff.
– Bulk Transfers: bulk transfers cause the Transfer Grace Period to end without a refund; consequently registration periods are not changed.
The Transfer Grace Period does not have any impact on other commands.
4.5 Redemption Grace Period
Length: 30 days
RGP Status: as described in Redemption state
Redemption Grace Period refers to the period of time the domain spends in the Redemption state, starting after a domain is deleted. The Redemption state description provides information on operations during this period.
4.6 Overlap of Grace Periods
The 4 possible overlapping grace periods are:
– Add Grace Period with 1 or more Renew Grace Periods.
– Renew Grace Period with 1 or more other Renew Grace Periods.
– Transfer Grace Period with 1 or more Renew Grace Periods.
– Auto-Renew Grace Period with 1 or more Renew Grace Periods.
These are treated independently with respect to timelines however action that is taken has the combined effects of all grace periods still current.
4.6.1 Transfer Clarification
If several billable operations, including a transfer, are performed on a domain and it is deleted in the operations’ grace periods, only those operations performed after⁄including the latest transfer are eligible for refund.
5 TRANSITIONS
5.1 Available 〉 Registered
Triggered by the receipt of a create command to register the domain. The sponsoring Registrar is charged for the creation amount. This transition begins the Add Grace Period.
5.2 Registered 〉 Pending Transfer
Triggered by the receipt of a request transfer command. The transfer must result in domain registration extension – the gaining Registrar is charged for the transfer. Requests to transfer the domain within 60 days of creation or a previous transfer are rejected. As per ‘4.4 Transfer Grace Period’, exceptions specified in ICANN’s Transfer Policy apply – dealt with individually.
5.3 Pending Transfer 〉 Registered
Triggered by 1 of 4 operations:
– Operation 1 (Cancel): during the Pending Transfer period the gaining Registrar may cancel the transfer by issuing a cancel transfer command. The gaining Registrar is refunded the transfer fee, the registration period remains unchanged and all existing grace periods at the time of transfer request remain in effect.
– Operation 2 (Reject): during the Pending Transfer period the losing Registrar may reject the transfer by issuing a reject transfer command. The gaining Registrar is refunded the transfer. The registration period remains unchanged and all grace periods existing at the time of transfer request remain in effect if not elapsed.
– Operation 3 (Approve): During the Pending Transfer period the losing Registrar may approve the transfer by issuing an approve transfer command. If the transfer was requested during the Auto-Renew Grace Period, the extension to the registration period is reversed and the losing Registrar is refunded the auto-renew. The registration period is extended by the amount specified in the transfer request. This begins the Transfer Grace Period.
– Operation 4 (Auto-Approve): If after 5 days, no action has been taken, the system approves the transfer. If the transfer was requested during the Auto-Renew Grace Period the extension to the registration period is reversed and the losing Registrar is refunded the auto-renew. The registration period is extended by the amount specified in the transfer request. This begins the Transfer Grace Period.
5.4 Registered 〉 Deleted
On receipt of a delete command if the domain is in the Add Grace Period, it is purged from the Database and immediately available for registration. Renew Grace Period may also be in effect.
5.5 Registered 〉 Redemption
On receipt of a delete command if the domain is not in the Add Grace Period, it transitions to the Redemption Period state and all grace periods in effect are considered.
5.6 Redemption 〉 Pending Restore
On receipt of a restore command if the Redemption Period has not lapsed, the domain transitions to the Pending Restore state. The domain is provisioned in the DNS. The sponsoring Registrar is charged a fee for the restore request.
5.7 Pending Restore 〉 Registered
During the Pending Restore period the sponsoring Registrar may complete the restore via a restore report containing the WhoIs information – submitted prior to the deletion, the WhoIs information at the time of the report, and the reason for the restoration.
5.8 Pending Restore 〉 Redemption
Seven calendar days after the transition to the Pending Restore state, if no restore report is received the domain transitions to the Redemption state, which begins a new redemption period. The domain is removed from the DNS. The restore has no refund.
5.9 Redemption 〉 Pending Delete
Thirty calendar days after the transition to the Redemption state, if no restore request is received the domain transitions to the Pending Delete state.
5.10 Pending Delete 〉 Deleted
Five calendar days after the transition to the Pending Delete state, the domain is removed from the Database and is immediately available for registration.
6 LOCKS
Locks may be applied to the domain to prevent specific operations occurring. The sponsoring Registrar may set the locks prefixed with ‘client’ while locks prefixed with ‘server’ are added and removed by the registry operator. Locks are added and removed independently but they can be combined to facilitate the enforcement of higher processes, such as ‘Registrar Lock’, and outcomes required as part of UDRP. All locks are compatible with EPP RFCs. The available locks are:
– clientDeleteProhibited, serverDeleteProhibited – Requests to delete the object are rejected
– clientHold, serverHold – DNS information is not published
– clientRenewProhibited, serverRenewProhibited – Requests to renew the object are rejected. Auto-renew is allowed
– clientTransferProhibited, serverTransferProhibited – Requests to transfer the object are rejected
– clientUpdateProhibited, serverUpdateProhibited – Requests to update the object are rejected, unless the update removes this status
7 SPECIAL CONSIDERATIONS
7.1 ICANN-Approved Bulk Transfers
ICANN-Approved Bulk Transfers do not follow the typical transfer lifecycle. Existing grace periods are invalidated and no refunds are credited to the losing Registrar. The prohibition of transfer period on domains created or transferred within 60 days does not apply.
7.2 Uniform Rapid Suspension
In the Uniform Rapid Suspension (URS) process, as described in the ‘gTLD Applicant Guidebook’ 11th January 2012, the following modification to the above processes is required.
Remedy allows for the addition of a year to the registration period, limited to the 10 year maximum. During this time no transform operations may be performed other than to restore the domain as allowed by Appeal. At the expiration of the registration period the domain is not automatically renewed, but proceeds to the Redemption state as per the lifecycle described above, and it is not eligible for restoration.
8 UPDATE⁄DNS
The update command does not impact the state of the domain through the Registration Lifecycle, however the command can be used to add and remove delegation information, which changes the DNS state of the domain.
A domain is required to have 2 or more nameservers published in the DNS. An update that results in a domain having less than 2 nameservers removes the domain from the DNS. An exception is when 1 nameserver remains assigned to a domain due to deletion of its other nameservers due to purge of their parent domain. The next update that modifies delegation information ends the exception and from then on the domain requires 2 nameservers be in the DNS.
9 RESOURCES
This function will be performed by ARI. ARI’s registry performs all time-based transitions automatically and enforces all other business rules – without requiring human resources for normal operation. If changes to the automatic behaviours or restrictions enforced by the policy system are required, ARI has a development team for this.
Domain Name Lifecycle aspects requiring human resources to manage are included in the ARI outsourcing include:
– Processing Add Grace Period exemptions as requested by Registrars.
– Processing restore reports provided by Registrars.
– Meeting the registry operator’s obligations under ICANN’s Transfer Dispute Policy.
– Performing exception processing in the case of approved transfers during the 60 day transfer prohibition window.
The Registration Lifecycle is designed, built, operated and supported by these ARI departments:
– Products and Consulting Team (7 staff)
– Legal, Abuse and Compliance Team (6 staff)
– Development Team (11 staff)
A detailed list of the departments, roles and responsibilities in ARI is provided as attachment ‘Q27 – ARI Background & Roles.pdf’. This attachment describes the functions of the above teams and the exact number and nature of staff within.
The number of resources required to design, build, operate and support the SRS does not vary significantly with, and is not linearly proportional to, the number or size of TLDs that ARI provides registry services to.
ARI provides registry backend services to 5 TLDs and has a wealth of experience in estimating the number of resources required to support a registry system.
Based on past experience ARI estimates that the existing staff is adequate to support a registry system that supports in excess of 50M domains. Since this TLD projects 17,648 domains, 0.04% of these resources are allocated to this TLD. See attachment ‘Q27 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI protects against loss of critical staff by employing multiple people in each role. Staff members have a primary role plus a secondary role for protection against personnel absence. Additionally ARI can scale resources as required. Additional trained resources can be added to any of the above teams with a 2 month lead time.
The Products and Consulting team is responsible for product management of the Registration Lifecycle, including working with clients and the industry to identify new features or changes required to the system. The team consists of:
– 1 Products and Consulting Manager
– 1 Product Manager
– 1 Technical Product Manager
– 4 Domain Name Industry Consultants
Most manual tasks fall to the Legal, Abuse and Compliance team, with staff experienced in development of policy for policy rich TLD environments. They have the required legal and industry background to perform this function. The team consists of:
– 1 Legal Manager
– 1 Legal Counsel
– 4 Policy Compliance Officers
The automated aspects of the Registration lifecycle are supported by ARI’s Domain Name Registry software. ARI has a development team for maintenance and improvement of the software. The team consist of:
– 1 Development Manager
– 2 Business Analysts
– 6 Developers
– 2 Quality Analysts
Information on these roles is in Resources in our response to Question 31. These resources sufficiently accommodate the needs of this TLD, and are included in ARI’s fees as described in our Financial responses.
We have engaged ARI Registry Services (ARI) to deliver services for this TLD. ARI provide registry services for a number of TLDs including the .au ccTLD. For more background information on ARI please see the attachment ‘Q28 – ARI Background & Roles.pdf’. The Registry works closely with DotAsia Organisation (through Namesphere, as the registry front-end services provider) to develop and implement additional measures to improve abuse prevention and mitgation. DotAsia is the operator for the .ASIA gTLD and is a pioneer in the development of registry level policies to mitigate against abusive registrations.
1 INTRODUCTION
The efforts that will be undertaken in this TLD to minimise abusive registrations and other activities that have a negative impact on Internet users are described below. We will be utilising the Anti-Abuse Service of our managed registry service provider, ARI. This service includes the implementation of our comprehensive Anti-Abuse Policy. This policy, developed in consultation with ARI, clearly defines abusive behaviour and identifies particular types of abusive behaviour and the mitigation response to such behaviour.
2 OVERVIEW
We have engaged ARI to deliver registry services for this TLD. ARI will, owing to their extensive industry experience and established anti-abuse operations, implement and manage on our behalf various procedures and measures adopted to mitigate the potential for abuse, identify abuse and handle identified abuse. ARI will forward to us all matters requiring determination by the registry operator which fall beyond the scope of ARI’s Anti-Abuse Service. This is described below in the context of the implementation of our Anti-Abuse Policy.
Despite utilisation of ARI’s Anti-Abuse Service, we are nonetheless cognisant of our responsibility to minimise abusive registrations and other activities that have a negative impact on Internet users in the TLD. In recognition of this responsibility, we will play an instrumental role in overseeing the implementation of the Anti-Abuse Service by ARI. We will also have contractual commitments in the form of SLA’s in place to ensure that ARI’s delivery of the Anti-Abuse Service is aligned with our strong commitment to minimise abuse in our TLD.
That strong commitment is further demonstrated by our adoption of many of the requirements proposed in the ‘2011 Proposed Security, Stability and Resiliency Requirements for Financial TLDs’ (at http:⁄⁄www.icann.org⁄en⁄news⁄correspondence⁄aba-bits-to-beckstrom-crocker-20dec11-en.pdf) (the ‘BITS Requirements). We acknowledge that these requirements were developed by the financial services sector in relation to financial TLDs, but nevertheless believe that their adoption in this TLD (which is not financial-related) results in a more robust approach to combating abuse.
Consistent with Requirement 6 of the BITS Requirements, we will certify to ICANN on an annual basis our compliance with our Registry Agreement.
Please note that the various policies and practices that we have implemented to minimise abusive registrations and other activities that affect the rights of trademark holders are specifically described in our response to Question 29.
3 POLICY
In consultation with ARI we have developed a comprehensive Anti-Abuse Policy, which is the main instrument that captures our strategy in relation to abuse in the TLD.
3.1 Definition of Abuse
Abusive behaviour in a TLD may relate to the core domain name-related activities performed by Registrars and registries including, but not limited to:
– The allocation of registered domain names.
– The maintenance of and access to registration information.
– The transfer, deletion, and reallocation of domain names.
– The manner in which the registrant uses the domain name upon creation.
Challenges arise in attempting to define abusive behaviour in the TLD due to its broad scope. Defining abusive behaviour by reference to the stage in the domain name lifecycle in which the behaviour occurs presents difficulty given that a particular type of abuse may occur at various stages of the life cycle.
With this in mind, ARI has fully adopted the definition of abuse developed by the Registration Abuse Policies Working Group (Registration Abuse Policies Working Group Final Report 2010, at http:⁄⁄gnso.icann.org⁄issues⁄rap⁄rap-wg-final-report-29may10-en.pdf), which does not focus on any particular stage in the domain name life cycle.
Abusive behaviour in a TLD may be defined as an action that:
– causes actual and substantial harm, or is a material predicate of such harm.
– is illegal or illegitimate, or is otherwise considered contrary to the intention and design of the mission⁄purpose of the TLD.
In applying this definition the following must be noted:
1. The party or parties harmed, and the severity and immediacy of the abuse, should be identified in relation to the specific alleged abuse.
2. The term ʺharmʺ is not intended to shield a party from fair market competition.
3. A predicate is a related action or enabler. There must be a clear link between the predicate and the abuse, and justification enough to address the abuse by addressing the predicate (enabling action).
For example, WhoIs data can be used in ways that cause harm to domain name registrants, intellectual property (IP) rights holders and Internet users. Harmful actions may include the generation of spam, the abuse of personal data, IP infringement, loss of reputation or identity theft, loss of data, phishing and other cybercrime-related exploits, harassment, stalking, or other activity with negative personal or economic consequences. Examples of predicates to these harmful actions are automated email harvesting, domain name registration by proxy⁄privacy services to aid wrongful activity, support of false or misleading registrant data, and the use of WhoIs data to develop large email lists for commercial purposes. The misuse of WhoIs data is therefore considered abusive because it is contrary to the intention and design of the stated legitimate purpose of WhoIs data.
3.2 Aims and Overview of Our Anti-Abuse Policy
Our Anti-Abuse Policy will put registrants on notice of the ways in which we will identify and respond to abuse and serve as a deterrent to those seeking to register and use domain names for abusive purposes. The policy will be made easily accessible on the Abuse page of our registry website which will be accessible and have clear links from the home page along with FAQs and contact information for reporting abuse.
Consistent with Requirements 15 and 16 of the BITS Requirements, our policy:
– Defines abusive behaviour in our TLD.
– Identifies types of actions that constitute abusive behaviour, consistent with our adoption of the RAPWG definition of ‘abuse’.
– Classifies abusive behaviours based on the severity and immediacy of the harm caused.
– Identifies how abusive behaviour can be notified to us and the steps that we will take to determine whether the notified behaviour is abusive.
– Identifies the actions that we may take in response to behaviour determined to be abusive.
Our RRA will oblige all Registrars to do the following in relation to the Anti-Abuse Policy:
– comply with the Anti-Abuse Policy; and
– include in their registration agreement with each registrant an obligation for registrants to comply with the Anti-Abuse Policy and each of the following requirements:
‘operational standards, policies, procedures, and practices for the TLD established from time to time by the registry operator in a non-arbitrary manner and applicable to all Registrars, including affiliates of the registry operator, and consistent with ICANNʹs standards, policies, procedures, and practices and the registry operator’s Registry Agreement with ICANN. Additional or revised registry operator operational standards, policies, procedures, and practices for the TLD shall be effective upon thirty days notice by the registry operator to the Registrar. If there is a discrepancy between the terms required by this Agreement and the terms of the Registrar’s registration agreement, the terms of this Agreement shall supersede those of the Registrar’s registration agreement’.
Our RRA will additionally incorporate the following BITS Requirements:
– Requirement 7: Registrars must certify annually to ICANN and us compliance with ICANN’s Registrar Accreditation Agreement (RAA) our Registry-Registrar Agreement (RRA).
– Requirement 9: Registrars must provide and maintain valid primary contact information (name, email address, and phone number) on their website.
– Requirement 14: Registrars must notify us immediately regarding any investigation or compliance action, including the nature of the investigation or compliance action by ICANN or any outside party (eg law enforcement, etc.) along with the TLD impacted.
– Requirement 19: Registrars must disclose registration requirements on their website.
We will re-validate our RRAs at least annually, consistent with Requirement 10.
3.3 Anti-Abuse Policy
Our Anti-Abuse Policy is as follows:
Anti-Abuse Policy
Introduction:
The abusive registration and use of domain names in the TLD is not tolerated given that the inherent nature of such abuses creates security and stability issues for all participants in the Internet environment.
Definition of Abusive Behaviour:
Abusive behaviour is an action that:
– causes actual and substantial harm, or is a material predicate of such harm; or
– is illegal or illegitimate, or is otherwise considered contrary to the intention and design of the mission⁄purpose of the TLD.
A ‘predicate’ is an action or enabler of harm.
‘Material’ means that something is consequential or significant.
Examples of abusive behaviour falling within this definition:
– Spam: the use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of web sites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks.
– Phishing: the use of a fraudulently presented web site to deceive Internet users into divulging sensitive information such as usernames, passwords or financial data.
– Pharming: the redirecting of unknowing users to fraudulent web sites or services, typically through DNS hijacking or poisoning, in order to deceive Internet users into divulging sensitive information such as usernames, passwords or financial data.
– Wilful distribution of malware: the dissemination of software designed to infiltrate or cause damage to devices or to collect confidential data from users without the owner’s informed consent.
– Fast Flux hosting: the use of DNS to frequently change the location on the Internet to which the domain name of an Internet host or nameserver resolves in order to disguise the location of web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast flux hosting may only be used with prior permission of the registry operator.
– Botnet command and control: the development and use of a command, agent, motor, service or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
– Distribution of child pornography: the storage, publication, display and⁄or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.
– Illegal access to other computers or networks: the illegal accessing of computers, accounts, or networks belonging to another party, or attempt to penetrate security measures of another individual’s system (hacking). Also, any activity that might be used as a precursor to an attempted system penetration.
Detection of Abusive Behaviour:
Abusive behaviour in the TLD may be detected in the following ways:
– By us through our on-going monitoring activities and industry participation.
– By third parties (general public, law enforcement, government agencies, industry partners) through notification submitted to the abuse point of contact on our website, or industry alerts.
Reports of abusive behaviour will be notified immediately to the Registrar of record.
Handling of abusive behaviour:
When abusive behaviour is detected in our TLD through notification by a third party, a preliminary assessment will be performed in order to determine whether the notification is legitimately made. Applying the definitions of types of abusive behaviours identified in this policy, we will classify each incidence of legitimately reported abuse into one of two categories based on the probable severity and immediacy of harm to registrants and Internet users. These categories are provided below and are defined by reference to the action that may be taken by us. The examples of types of abusive behaviour falling within each category are illustrative only.
Category 1:
Probable Severity or Immediacy of Harm: Low
Examples of types of abusive behaviour: Spam, Malware
Mitigation steps:
1. Investigate
2. Notify registrant
Category 2:
Probable Severity or Immediacy of Harm: Medium to High
Examples of types of abusive behaviour: Fast Flux Hosting, Phishing, Illegal Access to other Computers or Networks, Pharming, Botnet command and control
Mitigation steps:
1. Suspend domain name
2. Investigate
3. Restore or terminate domain name
In the event that we receive specific instructions regarding a domain name from a law enforcement agency, government or quasi-governmental agency utilising the expedited process for such agencies, our mitigation steps will be in accordance with those instructions provided that they do not result in the contravention of applicable law. In addition, we will take all reasonable efforts to notify law enforcement agencies of abusive behaviour in our TLD which we believe may constitute evidence of a commission of a crime, eg distribution of child pornography.
Note that these expected actions are intended to provide a guide to our response to abusive behaviour rather than any guarantee that a particular action will be taken.
The identification of abusive behaviour in the TLD, as defined above, shall give us the right, but not the obligation, to take such actions in accordance with the following text in the RRA, which provides that the registry operator:
‘reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, or instruct Registrars to take such an action as we deem necessary in our discretion to;
1. protect the integrity and stability of the registry;
2. comply with any applicable laws, government rules or requirements, requests of law enforcement, or dispute resolution process;
3. avoid any liability, civil or criminal, on the part of the registry operator, as well as its affiliates, subsidiaries, officers, directors, and employees, per the terms of the registration agreement; and
4. correct mistakes made by the registry operator or any Registrar in connection with a domain name registration.
We reserve the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.
We also reserve the right to deny registration of a domain name to a registrant who has repeatedly engaged in abusive behaviour in our TLD or any other TLD.
Registrars only and not Resellers may offer proxy registration services to private individuals using the domain name for non-commercial purposes.
We may amend or otherwise modify this policy to keep abreast of changes in consensus policy or new and emerging types of abusive behaviour in the Internet.
Registrar’s failure to comply with this Anti-Abuse Policy shall constitute a material breach of the RRA, and shall give rise to the rights and remedies available to us under the RRA.
4 ABUSE PREVENTION AND MITIGATION
This section describes the implementation of our abuse related processes regarding:
– Building awareness of the Anti-Abuse Policy.
– Mitigating the potential for abusive behaviour.
– Identifying abusive behaviour.
– Handling abusive behaviour.
4.1. Awareness of Policy
The Anti-Abuse Policy will be published on the Abuse page of our registry website, which will be accessible and have clear links from the home page. In addition, the URL to the Abuse page will be included in all email correspondence to the registrant, thereby placing all registrants on notice of the applicability of the Anti-Abuse Policy to all domain names registered in our TLD. The Abuse page will, consistent with Requirement 8 of the BITS Requirements, provide registry contact information (name, email address, and phone number) to enable the public to communicate with us about TLD policies. The Abuse page will emphasise and evidence our commitment to combating abusive registrations by clearly identifying what our policy on abuse is and what effect our implementation of the policy may have on registrants. We anticipate that this clear message, which communicates our commitment to combating abusive registrations, will serve to minimise abusive registrations in our TLD.
4.2 Pre-emptive – Mitigating of the Potential for Abuse
The following practices and procedures will be adopted to mitigate the potential for abusive behaviour in our TLD.
4.2.1 ICANN Prescribed Measures
In accordance with our obligations as a registry operator, we will comply with all requirements in the ‘gTLD Applicant Guidebook’. In particular, we will comply with the following measures prescribed by ICANN which serve to mitigate the potential for abuse in the TLD:
– DNSSEC deployment, which reduces the opportunity for pharming and other man-in-the-middle attacks. We will encourage Registrars and Internet Service Providers to deploy DNSSEC capable resolvers in addition to encouraging DNS hosting providers to deploy DNSSEC in an easy-to-use manner in order to facilitate deployment by registrants. DNSSEC deployment is further discussed in the context of our response to Question 43.
– Prohibition on Wild Carding as required by section 2.2 of Specification 6 of the Registry Agreement.
– Removal of Orphan Glue records (discussed below in ‘4.2.8 Orphan Glue Record Management’).
4.2.2 Increasing Registrant Security Awareness
In accordance with our commitment to operating a secure and reliable TLD, we will attempt to improve registrant awareness of the threats of domain name hijacking, registrant impersonation and fraud, and emphasise the need for and responsibility of registrants to keep registration (including WhoIs) information accurate. Awareness will be raised by:
– Publishing the necessary information on the Abuse page of our registry website in the form of videos, presentations and FAQ’s.
– Developing and providing to registrants and resellers Best Common Practices that describe appropriate use and assignment of domain auth Info codes and risks of misuse when the uniqueness property of this domain name password is not preserved.
The increase in awareness renders registrants less susceptible to attacks on their domain names owing to the adoption of the recommended best practices thus serving to mitigate the potential for abuse in the TLD. The clear responsibility on registrants to provide and maintain accurate registration information (including WhoIs) further serves to minimise the potential for abusive registrations in the TLD.
4.2.3 Mitigating the Potential for Abusive Registrations that Affect the Legal Rights of Others
Many of the examples of abusive behaviour identified in our Anti-Abuse Policy may affect the rights of trademark holders. While our Anti-Abuse Policy addresses abusive behaviour in a general sense, we have additionally developed specific policies and procedures to combat behaviours that affect the rights of trademark holders at start-up and on an ongoing basis. These include the implementation of a trademark claims service and a sunrise registration service at start-up and implementation of the UDRP, URS and PDDRP on an ongoing basis. The implementation of these policies and procedures serves to mitigate the potential for abuse in the TLD by ensuring that domain names are allocated to those who hold a corresponding trademark.
These policies and procedures are described in detail in our response to Question 29.
4.2.4 Safeguards Against Allowing for Unqualified Registrations
The eligibility restrictions for this TLD are outlined in our response to Question 18.
Eligibility restrictions will be implemented contractually through our RRA, which will require Registrars to include the following in their Registration Agreements:
– Registrant warrants that it satisfies eligibility requirements.
Where applicable, eligibility restrictions will be enforced through the adoption of the Charter Eligibility Dispute Resolution Policy or a similar policy, and Registrars will be obliged to require in their registration agreements that registrants agree to be bound by such policy and acknowledge that a registration may be cancelled in the event that a challenge against it under such policy is successful.
Providing an administrative process for enforcing eligibility criteria and taking action when notified of eligibility violations mitigates the potential for abuse. This is achieved through the risk of cancellation in the event that it is determined in a challenge procedure that eligibility criteria are not satisfied.
4.2.5 Registrant Disqualification
As specified in our Anti-Abuse Policy, we reserve the right to deny registration of a domain name to a registrant who has repeatedly engaged in abusive behaviour in our TLD or any other TLD.
Registrants, their agents or affiliates found through the application of our Anti-Abuse Policy to have repeatedly engaged in abusive registration will be disqualified from maintaining any registrations or making future registrations. This will be triggered when our records indicate that a registrant has had action taken against it an unusual number of times through the application of our Anti-Abuse Policy. Registrant disqualification provides an additional disincentive for qualified registrants to maintain abusive registrations in that it puts at risk even otherwise non-abusive registrations, through the possible loss of all registrations.
In addition, nameservers that are found to be associated only with fraudulent registrations will be added to a local blacklist and any existing or new registration that uses such fraudulent NS record will be investigated.
The disqualification of ‘bad actors’ and the creation of blacklists mitigates the potential for abuse by preventing individuals known to partake in such behaviour from registering domain names.
4.2.6 Restrictions on Proxy Registration Services
Whilst it is understood that implementing measures to promote WhoIs accuracy is necessary to ensure that the registrant may be tracked down, it is recognised that some registrants may wish to utilise a proxy registration service to protect their privacy. In the event that Registrars elect to offer such services, the following conditions apply:
– Proxy registration services may only be offered by Registrars and NOT resellers.
– Registrars must ensure that the actual WhoIs data is obtained from the registrant and must maintain accurate records of such data.
– Registrars must provide Law Enforcement Agencies (LEA) with the actual WhoIs data upon receipt of a verified request.
– Proxy registration services may only be made available to private individuals using the domain name for non-commercial purposes.
These conditions will be implemented contractually by inclusion of corresponding clauses in the RRA as well as being published on the Abuse page of our registry website. Individuals and organisations will be encouraged through our Abuse page to report any domain names they believe violate the above restrictions, following which appropriate action may be taken by us. Publication of these conditions on the Abuse page of our registry website ensures that registrants are aware that despite utilisation of a proxy registration service, actual WhoIs information will be provided to LEA upon request in order to hold registrants liable for all actions in relation to their domain name. The certainty that WhoIs information relating to domain names which draw the attention of LEA will be disclosed results in the TLD being less attractive to those seeking to register domain names for abusive purposes, thus mitigating the potential for abuse in the TLD.
4.2.7 Registry Lock
Certain mission-critical domain names such as transactional sites, email systems and site supporting applications may warrant a higher level of security. Whilst we will take efforts to promote the awareness of security amongst registrants, it is recognised that an added level of security may be provided to registrants by ‘registry locking’ the domain name thereby prohibiting any updates at the registry operator level. The registry lock service will be offered to all Registrars who may request this service on behalf of their registrants in order to prevent unintentional transfer, modification or deletion of the domain name. This service mitigates the potential for abuse by prohibiting any unauthorised updates that may be associated with fraudulent behaviour. For example, an attacker may update nameservers of a mission-critical domain name, thereby redirecting customers to an illegitimate website without actually transferring control of the domain name.
Upon receipt of a list of domain names to be placed on registry lock by an authorised representative from a Registrar, ARI will:
1. Validate that the Registrar is the Registrar of record for the domain names.
2. Set or modify the status codes for the names submitted to serverUpdateProhibited, serverDeleteProhibited and⁄or serverTransferProhibited depending on the request.
3. Record the status of the domain name in the Shared Registration System (SRS).
4. Provide a monthly report to Registrars indicating the names for which the registry lock service was provided in the previous month.
4.2.8 Orphan Glue Record Management
The ARI registry SRS database does not allow orphan records. Glue records are removed when the delegation point NS record is removed. Other domains that need the glue record for correct DNS operation may become unreachable or less reachable depending on their overall DNS service architecture. It is the registrant’s responsibility to ensure that their domain name does not rely on a glue record that has been removed and that it is delegated to a valid nameserver. The removal of glue records upon removal of the delegation point NS record mitigates the potential for use of orphan glue records in an abusive manner.
4.2.9 Promoting WhoIs Accuracy
Inaccurate WhoIs information significantly hampers the ability to enforce policies in relation to abuse in the TLD by allowing the registrant to remain anonymous. In addition, LEAs rely on the integrity and accuracy of WhoIs information in their investigative processes to identify and locate wrongdoers. In recognition of this, we will implement a range of measures to promote the accuracy of WhoIs information in our TLD including:
– Random monthly audits: registrants of randomly selected domain names are contacted by telephone using the provided WhoIs information by a member of the ARI Abuse and Compliance Team in order to verify all WhoIs information. Where the registrant is not contactable by telephone, alternative contact details (email, postal address) will be used to contact the registrant, who must then provide a contact number that is verified by the member of the ARI Policy Compliance team. In the event that the registrant is not able to be contacted by any of the methods provided in WhoIs, the domain name will be cancelled following five contact attempts or one month after the initial contact attempt (based on the premise that a failure to respond is indicative of inaccurate WhoIs information and is grounds for terminating the registration agreement).
– Semi-annual audits: to identify incomplete WhoIs information. Registrants will be contacted using provided WhoIs information and requested to provide missing information. In the event that the registrant fails to provide missing information as requested, the domain name will be cancelled following five contact attempts or one month after the initial contact attempt.
– Email reminders: to update WhoIs information to be sent to registrants every 6 months.
– Reporting system: a web-based submission service for reporting WhoIs accuracy issues available on the Abuse page of our registry website.
– Analysis of registry data: to identify patterns and correlations indicative of inaccurate WhoIs (eg repetitive use of fraudulent details).
Registrants will continually be made aware, through the registry website and email reminders, of their responsibility to provide and maintain accurate WhoIs information and the ramifications of a failure to do so or respond to requests to do so, including termination of the Registration Agreement.
The measures to promote WhoIs accuracy described above strike a balance between the need to maintain the integrity of the WhoIs service, which facilitates the identification of those taking part in illegal or fraudulent behaviour, and the operating practices of the registry operator and Registrars, which aim to offer domain names to registrants in an efficient and timely manner.
Awareness by registrants that we will actively take steps to maintain the accuracy of WhoIs information mitigates the potential for abuse in the TLD by discouraging abusive behaviour given that registrants may be identified, located and held liable for all actions in relation to their domain name.
4.2.9.1. Additional Measures for Whois Accuracy
As a Chinese IDN TLD, it is reasonable to expect that a significant portion of the registrations will come from China. The Registry is therefore committed to harmonize with local requirements and regulations for domain registrations. For users from Mainland China registering a domain through a Mainland Chinese Registrar: If the Registrant is a real person, he⁄she must submit the following information: real name, email, fixed telephone, mobile phone, ID card number, and the valid ID card (two sides) in the form of electronic file (without any manual modification) or the passport (the first page) in the form of electronic file (without any manual modification). If the Registrant is an organization, it must submit the following additional information: valid enterprise business license or other valid qualification certificates in the form of digital photo file (without any manual modification), company address, and the ID card (two sides) or other valid certificates of company’s legal representative or contact in the form of electronic file (without any manual modification). This requirement will be fulfilled by Accredited Registrars operating out of Mainland China and enforced by Chinese regulatory bodies.
Any Registrant information updated by the Registrant shall undergo the same auditing procedures before taking effect. These measures ensures a high level of Whois accuracy and are put in place, especially for mainland China registrations. Because a majority of registrations can be expected to come from China, the Registry expects that this measure would significantly enhance Whois accuracy for the Registry.
4.3 Reactive – Identification
The methods by which abusive behaviour in our TLD may be identified are described below. These include detection by ARI and notification from third parties. These methods serve to merely identify and not determine whether abuse actually exists. Upon identification of abuse, the behaviour will be handled in accordance with ‘4.4 Abuse Handling’.
Any abusive behaviour identified through one of the methods below will, in accordance with Requirement 13 of the BITS Requirements, be notified immediately to relevant Registrars.
4.3.1 Detection – Analysis of Data
ARI will routinely analyse registry data in order to identify abusive domain names by searching for behaviours typically indicative of abuse. The following are examples of the data variables that will serve as indicators of a suspicious domain name and may trigger further action by the ARI Abuse and Compliance Team:
– Unusual Domain Name Registration Practices: practices such as registering hundreds of domains at a time, registering domains which are unusually long or complex or include an obvious series of numbers tied to a random word (abuse40, abuse50, abuse60) may, when considered as a whole, be indicative of abuse.
– Domains or IP addresses identified as members of a Fast Flux Service Network (FFSN): ARI uses the formula developed by the University of Mannheim and tested by participants of the Fast Flux PDP WG to determine members of this list. IP addresses appearing within identified FFSN domains, as either NS or A records shall be added to this list.
– An Unusual Number of Changes to the NS record: the use of fast-flux techniques to disguise the location of web sites or other Internet services, to avoid detection and mitigation efforts, or to host illegal activities is considered abusive in the TLD. Fast flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or nameserver resolves. As such an unusual number of changes to the NS record may be indicative of the use of fast-flux techniques given that there is little, if any, legitimate need to change the NS record for a domain name more than a few times a month.
– Results of WhoIs audits: The audits conducted to promote WhoIs accuracy described above are not limited to serving that purpose but may also be used to identify abusive behaviour given the strong correlation between inaccurate WhoIs data and abuse.
– Analysis of cross-validation of registrant WhoIs data against WhoIs data known to be fraudulent.
– Analysis of Domain Names belonging to a registrant subject to action under the Anti-Abuse Policy: in cases where action is taken against a registrant through the application of the Anti-Abuse Policy, we will also investigate other domain names by the same registrant (same name, nameserver IP address, email address, postal address etc).
4.3.2 Abuse Reported by Third Parties
Whilst we are confident in our abilities to detect abusive behaviour in the TLD owing to our robust ongoing monitoring activities, we recognise the value of notification from third parties to identify abuse. To this end, we will incorporate notifications from the following third parties in our efforts to identify abusive behaviour:
– Industry partners through ARI’s participation in industry forums which facilitate the sharing of information.
– LEA through a single abuse point of contact (our Abuse page on the registry website, as discussed in detail below) and an expedited process (described in detail in ‘4.4 Abuse Handling’) specifically for LEA.
– Members of the general public through a single abuse point of contact (our Abuse page on the registry website).
4.3.2.1 Industry Participation and Information Sharing
ARI is a member of the Registry Internet Safety Group (RISG), whose mission is to facilitate data exchange and promulgate best practices to address Internet identity theft, especially phishing and malware distribution. In addition, ARI coordinates with the Anti-Phishing Working Group (APWG) and other DNS abuse organisations and is subscribed to the NXdomain mailing list. ARI’s strong participation in the industry facilitates collaboration with relevant organisations on abuse-related issues and ensures that ARI is responsive to new and emerging domain name abuses.
The information shared as a result of this industry participation will be used to identify domain names registered or used for abusive purposes. Information shared may include a list of registrants known to partake in abusive behaviour in other TLDs. Whilst presence on such lists will not constitute grounds for registrant disqualification, ARI will investigate domain names registered to those listed registrants and take action in accordance with the Anti-Abuse Policy. In addition, information shared regarding practices indicative of abuse will facilitate detection of abuse by our own monitoring activities.
4.3.2.2 Single Abuse Point of Contact on Website
In accordance with section 4.1 of Specification 6 of the Registry Agreement, we will establish a single abuse point of contact (SAPOC) responsible for addressing and providing a timely response to abuse complaints concerning all names registered in the TLD through all Registrars of record, including those involving a reseller. Complaints may be received from members of the general public, other registries, Registrars, LEA, government and quasi-governmental agencies and recognised members of the anti-abuse community.
The SAPOC’s accurate contact details (email and mailing address as well as a primary contact for handling inquiries related to abuse in the TLD) will be provided to ICANN and published on the Abuse page of our registry website, which will also include:
– All public facing policies in relation to the TLD, including the Anti-Abuse Policy.
– A web-based submission service for reporting inaccuracies in WhoIs information.
– Registrant Best Practices.
– Conditions that apply to proxy registration services and direction to the SAPOC to report domain names that violate the conditions.
As such, the SAPOC may receive complaints regarding a range of matters including but not limited to:
– Violations of the Anti-Abuse Policy.
– Inaccurate WhoIs information.
– Violation of the restriction of proxy registration services to individuals.
The SAPOC will be the primary method by which we will receive notification of abusive behaviour from third parties. It must be emphasised that the SAPOC will be the initial point of contact following which other processes will be triggered depending on the identity of the reporting organisation. Accordingly, separate processes for identifying abuse exist for reports by LEA⁄government and quasi-governmental agencies and members of the general public. These processes will be described in turn below.
4.3.2.2.1 Notification by LEA of Abuse
We recognise that LEA, governmental and quasi-governmental agencies may be privy to information beyond the reach of others which may prove critical in the identification of abusive behaviour in our TLD. As such, we will provide an expedited process which serves as a channel of communication for LEA, government and quasi-governmental agencies to, amongst other things, report illegal conduct in connection with the use of the TLD.
The process will involve prioritisation and prompt investigation of reports identifying abuse from those organisations. The steps in the expedited process are summarised as follows:
1. ARI’s Abuse and Compliance Team will identify relevant LEA, government and quasi-governmental agencies who may take part in the expedited process, depending on the mission⁄purpose and jurisdiction of our TLD. A means of verification will be established with each of the identified agencies in order to verify the identity of a reporting agency utilising the expedited process.
2. We will publish contact details on the Abuse page of the registry website for the SAPOC to be utilised by only those taking part in the expedited process.
3. All calls to this number will be responded to by the ARI Service Desk on a 24⁄7 basis. All calls will result in the generation of a ticket in ARI’s case management system (CMS).
4. The identity of the reporting agency will be identified using the established means of verification (ARIʹs Security Policy has strict guidelines regarding the verification of external parties over the telephone). If no means of verification has been established, the report will be immediately escalated to the ARI Abuse and Compliance Team. Results of verification will be recorded against the relevant CMS ticket.
6. Upon verification of the reporting agency, the ARI Service Desk will obtain the details necessary to adequately investigate the report of abusive behaviour in the TLD. This information will be recorded against the relevant CMS ticket.
7. Reports from verified agencies may be provided in the Incident Object Description Exchange Format (IODEF) as defined in RFC 5070. Provision of information in the IODEF will improve our ability to resolve complaints by simplifying collaboration and data sharing.
8. Tickets will then be forwarded to the ARI Abuse and Compliance Team to be dealt with in accordance with ‘4.4 Abuse Handling’.
4.3.2.2.2 Notification by General Public of Abuse
Abusive behaviour in the TLD may also be identified by members of the general public including but not limited to other registries, Registrars or security researchers. The steps in this notification process are summarised as follows:
1. We will publish contact details on the Abuse page of the registry website for the SAPOC (note that these contact details are not the same as those provided for the expedited process).
2. All calls to this number will be responded to by the ARI Service Desk on a 24⁄7 basis. All calls will result in the generation of a CMS ticket.
3. The details of the report identifying abuse will be documented in the CMS ticket using a standard information gathering template.
4. Tickets will be forwarded to the ARI Abuse and Compliance Team, to be dealt with in accordance with ‘4.4 Abuse Handling’.
4.4 Abuse Handling
Upon being made aware of abuse in the TLD, whether by ongoing monitoring activities or notification from third parties, the ARI Abuse and Compliance Team will perform the following functions:
4.4.1 Preliminary Assessment and Categorisation
Each report of purported abuse will undergo an initial preliminary assessment by the ARI Abuse and Compliance Team to determine the legitimacy of the report. This step may involve simply visiting the offending website and is intended to weed out spurious reports, and will not involve the in-depth investigation needed to make a determination as to whether the reported behaviour is abusive.
Where the report is assessed as being legitimate, the type of activity reported will be classified as one of the types of abusive behaviour as found in the Anti-Abuse Policy by the application of the definitions provided. In order to make this classification, the ARI Abuse and Compliance Team must establish a clear link between the activity reported and the alleged type of abusive behaviour such that addressing the reported activity will address the abusive behaviour.
While we recognise that each incident of abuse represents a unique security threat and should be mitigated accordingly, we also recognise that prompt action justified by objective criteria are key to ensuring that mitigation efforts are effective. With this in mind, we have categorised the actions that we may take in response to various types of abuse by reference to the severity and immediacy of harm. This categorisation will be applied to each validated report of abuse and actions will be taken in accordance with the table below. It must be emphasised that the actions to mitigate the identified type of abuse in the table are merely intended to provide a rough guideline and may vary upon further investigation.
Category 1
Probable Severity or Immediacy of Harm: Low
Examples of types of abusive behaviour: Spam, Malware
Mitigation steps:
1. Investigate
2. Notify registrant
Category 2
Probable Severity or Immediacy of Harm: Medium to High
Examples of types of abusive behaviour: Fast Flux Hosting, Phishing, Illegal Access to other Computers or Networks, Pharming, Botnet command and control
Mitigation steps:
1. Suspend domain name
2. Investigate
3. Restore or terminate domain name
The mitigation steps for each category will now be described:
4.4.2 Investigation – Category 1
Types of abusive behaviour that fall into this category include those that represent a low severity or immediacy of harm to registrants and Internet users. These generally include behaviours that result in the dissemination of unsolicited information or the publication of illegitimate information. While undesirable, these activities do not generally present such an immediate threat as to justify suspension of the domain name in question. We will contact the registrant to instruct that the breach of the Anti-Abuse Policy be rectified. If the ARI Abuse and Compliance Team’s investigation reveals that the severity or immediacy of harm is greater than originally anticipated, the abusive behaviour will be escalated to Category 2 and mitigated in accordance with the applicable steps. These are described below. The assessment made and actions taken will be recorded against the relevant CMS ticket.
4.4.3 Suspension – Category 2
Types of abusive behaviour that fall into this category include those that represent a medium to high severity or immediacy of harm to registrants and Internet users. These generally include behaviours that result in intrusion into other computers’ networks and systems or financial gain by fraudulent means. Following notification of the existence of such behaviours, the ARI Abuse and Compliance Team will suspend the domain name pending further investigation to determine whether the domain name should be restored or cancelled. Cancellation will result if, upon further investigation, the behaviour is determined to be one of the types of abuse defined in the Anti-Abuse Policy. Restoration of the domain name will result where further investigation determines that abusive behaviour, as defined by the Anti-Abuse Policy, does not exist. Due to the higher severity or immediacy of harm attributed to types of abusive behaviour in this category, ARI will, in accordance with their contractual commitment to us in the form of SLA’s, carry out the mitigation response within 24 hours by either restoring or cancelling the domain name. The assessment made and actions taken will be recorded against the relevant CMS ticket.
Phishing is considered to be a serious violation of the Anti-Abuse Policy owing to its fraudulent exploitation of consumer vulnerabilities for the purposes of financial gain. Given the direct relationship between phishing uptime and extent of harm caused, we recognise the urgency required to execute processes that handle phish domain termination in a timely and cost effective manner. Accordingly, the ARI Abuse and Compliance Team will prioritise all reports of phishing from brand owners, anti-phishing providers or otherwise and carry out the appropriate mitigation response within 12 hours in accordance with the SLA’s in place between us and ARI. In addition, since a majority of phish domains are subdomains, we believe it is necessary to ensure that subdomains do not represent an unregulated domain space to which phishers are known to gravitate. Regulation of the subdomain space is achieved by holding the registrant of the parent domain liable for any actions that may occur in relation to subdomains. In reality, this means that where a subdomain determined to be used for phishing is identified, the parent domain may be suspended and possibly cancelled, thus effectively neutralising every subdomain hosted on the parent. In our RRA we will require that Registrars ensure that their Registration Agreements reflect our ability to address phish subdomains in this manner.
4.4.4 Executing LEA Instructions
We understand the importance of our role as a registry operator in addressing consumer vulnerabilities and are cognisant of our obligations to assist LEAs, government and quasi-governmental agencies in the execution of their responsibilities. As such, we will make all reasonable efforts to ensure the integration of these agencies into our processes for the identification and handling of abuse by, amongst other things:
1. Providing expedited channels of communication (discussed above).
2. Notifying LEA of abusive behaviour believed to constitute evidence of a commission of a crime eg distribution of child pornography.
3. Sharing all available information upon request from LEA utilising the expedited process, including results of our investigation.
4. Providing bulk WhoIs information upon request from LEA utilising the expedited process.
5. Acting on instructions from a verified reporting agency.
It is anticipated that these actions will assist agencies in the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of laws imposing penalties. The relevant agencies are not limited to those enforcing criminal matters but may also include those enforcing civil matters in order to eliminate consumer vulnerabilities.
Upon notification of abusive behaviour by LEA, government or quasi– governmental agencies through the expedited process and verification of the reporting agency, a matter will be immediately communicated to us for our consideration. If we do not instruct ARI to refer the matter to us for our resolution, the CMS ticket will be forwarded to the ARI Abuse and Compliance Team, which will take one of the following actions:
1. The reported behaviour will be subject to preliminary assessment and categorisation as described above. The reported behaviour will then be mitigated based on the results of the categorisation. A report describing the manner in which the notification from the agency was handled will be provided to the agency within 24 hours. This report will be recorded against the relevant CMS ticket.
OR
2. Where specific instructions are received from the reporting agency in the required format, ARI will act in accordance with those instructions provided that they do not result in the contravention of applicable law. ARI will, in accordance with their contractual commitment to us in the form of SLA’s, execute such instructions within 12 hours. The following criteria must be satisfied by the reporting agency at this stage:
a. The request must be made in writing to ARI using a Pro Forma document on the agency’s letterhead. The Pro Forma document will be sent to the verified agency upon request.
b. The Pro Forma document must be delivered to ARI by fax.
c. The Pro Forma document must:
i. Describe in sufficient detail the actions the agency seeks ARI to take.
ii. Provide the domain name⁄s affected.
iii. Certify that the agency is an ‘enforcement body’ for the purposes of the Privacy Act 1988 (Cth) or local equivalent.
iv. Certify that the requested actions are required for the investigation and⁄or enforcement of relevant legislation which must be specified.
v. Certify that the requested actions are necessary for the agency to effectively carry out its functions.
Following prompt execution of the request, a report will be provided to the agency in a timely manner. This report will be recorded against the relevant CMS ticket.
Finally, whilst we do not anticipate the occurrence of a security situation owing to our robust systems and processes deployed to combat abuse, we are aware of the availability of the Expedited Registry Security Request Process to inform ICANN of a present or imminent security situation and to request a contractual waiver for actions we might take or have taken to mitigate or eliminate the security concern.
5 RESOURCES
This function will be performed by ARI. Abuse services are supported by the following departments:
– Abuse and Compliance Team (6 staff)
– Development Team (11 staff)
– Service Desk (14 staff)
A detailed list of the departments, roles and responsibilities in ARI is provided as attachment ‘Q28 – ARI Background & Roles.pdf’. This attachment describes the functions of the above teams and the exact number and nature of staff within.
The number of resources required to design, build, operate and support the SRS does not vary significantly with, and is not linearly proportional to, the number or size of TLDs that ARI provides registry services to.
ARI provides registry backend services to 5 TLDs and has a wealth of experience in estimating the number of resources required to support a registry system.
Based on past experience ARI estimates that the existing staff is adequate to support a registry system that supports in excess of 50M domains. Since this TLD projects 17,648 domains, 0.04% of these resources are allocated to this TLD. See attachment ‘Q28 – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI protects against loss of critical staff by employing multiple people in each role. Staff members have a primary role plus a secondary role for protection against personnel absence. Additionally ARI can scale resources as required.
ARI’s Anti-Abuse Service serves to prevent and mitigate abusive behaviour in the TLD as well as activities that may infringe trademarks. These responsibilities will be undertaken by three teams. ARI’s Development Team will be responsible for developing the technical platforms and meeting technical requirements needed to implement the procedures and measures adopted to mitigate the potential for abuse, identify abuse and handle identified abuse. ARI’s Abuse and Compliance Team will be responsible for the ongoing implementation of measures to minimise abusive registrations and other activities that have a negative impact on Internet users. ARI’s Service Desk will be responsible for responding to reports of abuse received through the abuse point of contact on the registry’s website and logging these in a ticket in ARI’s case management system.
The responsibilities of these teams relevant to the initial implementation and ongoing maintenance of our measures to minimise abusive registrations and other activities that affect the rights of trademark holders are described in our response to Question 29.
All of the responsibilities undertaken by ARI’s Development Team, Abuse and Compliance Team, and Service Desk are inclusive in ARI’s Managed TLD Registry services fee, which is accounted for as an outsourcing cost in our response to Question 47. The resources needs of these teams have been determined by applying the conservative growth projections for our TLD (which are identified in our response to Question 48) to the team’s responsibilities at start-up and on an ongoing basis.
5.1 ARI Development Team
All tools and systems needed to support the initial and ongoing implementation of measures adopted to mitigate the potential for abuse, identify abuse and handle identified abuse will be developed and maintained by ARI. ARI has a software development department dedicated to this purpose which will ensure that the tools are fit for purpose and adjusted as requirements change.
ARI’s Development Team participate actively in the industry; this facilitates collaboration with relevant organisations on abuse related issues and ensures that the ARI Development Team is responsive to new and emerging domain name abuses and the tools and systems required to be built to address these abuses. This team consists of:
– 1 Development Manager
– 2 Business Analysts
– 6 Developers
– 2 Quality Analysts
5.2 ARI Abuse and Compliance Team
ARI’s Abuse and Compliance Team will be staffed by six full-time equivalent positions. These roles will entail the following:
Policy Compliance Officers: A principal responsibility of the Policy Compliance Officers will be handling notifications of abuse through the SAPOC. This will involve managing the expedited process, identifying and categorising suspected abuse according to our Anti-Abuse Policy, and carrying out the appropriate mitigation response for all categorised abuses. When abuse is identified, Policy Compliance Officers will investigate other domain names held by a registrant whose domain name is subject to a mitigation response. They will maintain a list of and disqualify registrants found to have repeatedly engaged in abusive behaviour. They will also be responsible for analysing registry data in search of behaviours indicative of abuse, reviewing industry lists in search of data that may identify abuse in the TLD.
Another key responsibility of Policy Compliance Officers will be implementing measures to promote WhoIs accuracy (including managing and addressing all reports of inaccurate WhoIs information received from the web submission service) and verifying the physical address provided by a registrant against various databases for format and content requirements for the region.
Policy Compliance Officers will act on the instructions of verified LEA and Dispute Resolution Providers and participate in ICANN and industry groups involved in the promulgation of policies and best practices to address abusive behaviour. They will escalate complaints and issues to the Legal Manager when necessary and communicate with all relevant stakeholders (Registrars, registrants, LEA, general public) as needed in fulfilling these responsibilities. This role will be provided on a 24⁄7 basis, supported outside of ordinary business hours by ARI’s Service Desk.
Policy Compliance Officers will be required to have the following skills⁄qualifications: customer service⁄fault handling experience, comprehensive knowledge of abusive behaviour in a TLD and related policies, Internet industry knowledge, relevant post-secondary qualification, excellent communication and professional skills, accurate data entry skills, high-level problem solving skills, and high-level computer skills.
Legal Manager: The Legal Manager will be responsible for handling all potential disputes arising in connection with the implementation of ARI’s Anti-Abuse service and related policies. This will involve assessing escalated complaints and issues, liaising with Legal Counsel and the registry operator, resolving disputes and communicating with all relevant stakeholders (Registrars, registrants, LEA, general public) as needed in fulfilling these responsibilities. The Legal Manager will be responsible for forwarding all matters requiring determination by the registry operator which fall outside the scope of ARI’s Anti-Abuse functions. The Legal Manager will be required to have the following skills⁄qualifications: legal background (in particular, intellectual property⁄information technology law) or experience with relevant tertiary or post-graduate qualifications, dispute resolution experience, Internet industry experience, strong negotiation skills, excellent communication and professional skills, good computer skills, high-level problem solving skills.
Legal Counsel: A qualified lawyer who will be responsible for all in-house legal advice, including responding to LEA and dealing with abusive behaviour.
The team consists of:
– 4 Policy Compliance Officers
– 1 Legal Manager
– 1 Legal Counsel
5.3 ARI Service Desk
ARI’s Service Desk will be staffed by 14 full-time equivalent positions. Responsibilities of Service Desk relevant to ARI’s Anti-Abuse Service include the following: responding to notifications of abuse through the abuse point of contact and expedited process for LEA, logging notifications as a ticket in ARI’s case management system, notifying us of a report received through the expedited process for LEA, government and quasi-governmental agencies, and forwarding tickets to ARI’s Abuse and Compliance team for resolution in accordance with the Anti-Abuse Policy.
For more information on the skills and responsibilities of these roles please see the in-depth resources section in response to Question 31.
Based on the projections and the experience of ARI, the resources described here are more than sufficient to accommodate the needs of this TLD.
The use of these resources and the services they enable is included in the fees paid to ARI which are described in the financial responses.
The Registry is committed to a comprehensive strategy on Rights Protection Mechanisms (RPM). The Registry works closely with DotAsia Organisation (through Namesphere) and draws from the successful experience and knowledge of the RPM measures implemented for the .ASIA, especially in its acclaimed Sunrise process and its contributions to rapid suspension policies.
29.1 Sunrise and Startup Processes
A comprehensive Sunrise and startup process is the key to successful RPMs. A successful Sunrise program not only provides priority to rights holders, but also sends a clear message to the market that the TLD is serious about RPMs, thereby further deterring abusive registrations.
The Sunrise process provides for the introduction of the TLD in an orderly and equitable manner. Its purpose is to give reasonable protection and priority to stakeholders and certain prior rights holders, as well as to deter abusive and bad faith registrations. The Sunrise policies are also designed to facilitate reliability for ICANN Accredited Registrars and fair competition amongst registrants. It is intended to create a stable and effective launch and registration process for the benefit of various stakeholders and the Internet community at large.
Learning from the successful experience of the .ASIA sunrise, which achieved 0 disputes and also 100% satisfaction (satisfied or very satisfied) in an online poll of Intellectual Property Rights (IPR) practitioners, the Registry will implement a thorough and multi-phased Sunrise and startup process similar to that of the .ASIA registry.
A comprehensive set of Sunrise policies will be put in place in addition to the standard Sunrise and Trademark Claims services as specified in SPECIFICATION 7: MINIMUM REQUIREMENTS FOR RIGHTS PROTECTION MECHANISMS, of the New gTLD Registry Agreement. The Sunrise policies will follow a similar framework of the .ASIA Sunrise Policies (http:⁄⁄dot.asia⁄policies⁄DotAsia-Sunrise-Policies--COMPLETE-2007-08-10.pdf), in so far as it does not conflict with the specification 7.
29.1.1 Standard Sunrise and Trademark Claims Services
As a basic commitment, the Registry will implement the requirements from Specification 7 of the New gTLD Registry Agreement, and in accordance to the relevant Trademark Clearing House (TMCH) Sunrise and Trademark Claims services.
For this standard Sunrise, the Registry will establish, at a minimum, the eligibility requirements verified by Clearinghouse data, and incorporate a Sunrise Dispute Resolution ⁄ Challenge Policy. The standard Sunrise eligibility requirements include: (i) ownership of a mark that satisfies the criteria set forth in section 7.2 of the Trademark Clearing House specifications, (ii) description of international class of goods or services covered by registration; (iii) representation that all provided information is true and correct; and (iv) provision of data sufficient to document rights in the trademark.
The Registry believes that these form only the very basic layer of RPM and will therefore add significant measures on top of the standard process to ensure that prior rights of others are not abused.
In terms of Sunrise, Specification 7 and the TMCH descriptions only provide a basic framework for Trademark holders to protect names that are identical to their trademark. The Registry believes that additional protection is important and can be efficiently and effectively put in place with a multi-phased Sunrise program. Further discussion about this is included in 29.1.4 below.
29.1.2 Auction Process
An important part of the success of the .ASIA Sunrise program is the use of auction in the resolution of contention. It is known that many Trademarks are similar or identical because of the different jurisdictions and different classes. Therefore, it is inevitable that there would be some competition among rights holders to certain names. A complete Sunrise program requires a contention resolution mechanism that works to reduce the tension of competition and resolve the issue in a stable and orderly manner.
When the .ASIA Sunrise Auction process was first introduced, the community was worried about possible high prices in the auctions making it costly for trademark holders. The results of the process demonstrate however the original intent prevailed. If a pure first-come-first-served model is used, the tension at the opening of the registry at the Sunrise period would be extremely high. Also, because of the competition, the so-called FCFS approach essentially becomes a lottery and one that favours registrars with systems in closer proximity to the registry servers. The tension and the inherent unjust of the process caused thousands of disputes and litigation in previous launches of TLDs utilizing such an approach.
In the .ASIA Sunrise process, a total of about 30,000 applications were received. Out of which less than 2% ended up in an auction. Furthermore, only about 40% ended up in a contested auction (i.e. that there was more than 1 bid in the auction). What that means is that, while it demonstrated clearly that there is certainly competition among trademark holders, it only represents a very small portion. Also, when there was more than one verified applicant for a Sunrise domain and an auction is setup, many trademark holders elect not to bid for the name. Based on the understanding from DotAsia, it is found that many trademark holders do know that their mark is “shared” by other companies, perhaps in different jurisdiction or in different categories. Their motivation to participate in the Sunrise is to avoid abuse of their mark by other parties. Because in the Sunrise process, before an auction is held, each of the verified applicants will be given the information of the other verified applicants in the auction ahead of time. They therefore know who else is bidding for the name and can evaluate whether the other party may in fact abuse their mark. Knowing that the other party is another legitimate trademark holder who may not be abusing their mark, many of the trademark holders elected not to bid and let the other party win the auction with a nominal bid at $10.
What this illustrates is that the auction process is a very successful tool in reducing the stress of the people and the systems in the launch of a registry. Overall, the average winning price of the auctions in the .ASIA startup process was less than US$200. That represents a significant cost benefit for rights holders in comparison to possible litigation or alternative dispute resolution proceedings.
29.1.3 Sunrise Challenge (Dispute Resolution) Process
Besides a contention resolution process, an important part of any Sunrise process is a well developed Sunrise Challenge Process to ensure the integrity of the Sunrise program. The Sunrise Challenge Process is important such that after the allocation of a Sunrise name, there is a period of time where legitimate rights owners can challenge the legitimacy and eligibility of a registrant based on the Sunrise policies to a domain name.
Following again the .ASIA experience, a comprehensive Sunrise Challenge (Dispute Resolution) Process will be put in place and a dispute resolution provider will be selected to arbitrate disputes. A sample of the .ASIA Sunrise Challenge Process is included in the Attached. As part of the requirement of Specification 7 of the new gTLD Registry Agreement, An SDRP will be adopted to allow any party to raise a challenge on at least the four grounds identified in the Applicant Guidebook at TMCH s6.2.4. The remedy will be cancellation or deletion of a successfully challenged domain name. All registrants will be required to submit to proceedings under the SDRP, which will specify that SDRP claims may be raised after registration of a sunrise domain and will require that complaints clearly identify the challenger, the challenged domain, and the ground⁄s on which the complaint is based.
29.1.4 Additional Protection Mechanisms for Sunrise
In addition to the basic “identical” match of a Trademark to a domain name applied for during the Sunrise period, the Registry intends to follow the successful example of .ASIA to include additional types of matches, for example:
- Exceptions for registered mark (tm, sm, etc.) type or entity type (ltd, inc, etc.) identifiers
- Exceptions for the TLD string (i.e. allowing marks containing the TLD string to omit that substring)
- Considerations for commonly used short forms and omission of locality indications
- Acceptance of standard Romanization and Transliterations for Company Names
- Extended protection for trademarks + the class of the trademark (e.g. “BRAND Shoes” or “BRAND Computers”, etc.)
These considerations allow trademark holders priority registration opportunity to protect names that are important and related to them.
The Registry will also develop specialized phases targeted to provide priority registration periods for the community that the Registry will be primarily serving. For example, in the .ASIA Sunrise, Asian businesses and registered companies are allowed to participate in one of the phases of the Sunrise program ahead of the general availability of the domain. This allowed many Asian businesses who may not have a registered trademark to make use of the Sunrise process to protect their name.
Besides the multitude of provisions for rights holders to participate in the Sunrise process, another important feature of the success of the .ASIA Sunrise program is the inclusion of a built-in reconsideration process. Because of the many applications a trademark holder may need to be filing, especially considering in the future the many new gTLD launches, it is possible that clerical mistakes and errors could be made in the Sunrise application. The .ASIA Sunrise process included a built-in reconsideration and amendment process that was critical to the overall success of the program. The success rate of the .ASIA Sunrise applications was over 90% as compared to other previous Sunrise launches where the success rate may be closer to 50-60%.
This explains the high approval rating of the .ASIA Sunrise program and also the rationale for the Registry to learn from and follow the good example set by .ASIA in the development of its comprehensive Sunrise policies.
29.1.5 Proactive Outreach and Specialized Programs
Furthermore, on top of the Sunrise program, a Pioneer Domains Program will be put in place to provide even further protection for prior rights holders while maintaining a strong balance against users’ rights.
Two features of the Pioneer programs for rights holders include: 1) the ability to apply for typo or other variant forms of their trademark to improve protection; 2) the use of the Pioneer Domains Challenge process to protect against abuse.
Again, following from the success of the .ASIA startup processes, the Registry intends to put in place a Pioneer Domains Program similar to the .ASIA Pioneer Domains Program (http:⁄⁄pioneer.domains.asia⁄ascii⁄policies.html). Together with the Pioneer Domains Program, a Pioneer Domains Challenge Process will be put in place (http:⁄⁄pioneer.domains.asia⁄ascii⁄challenge.html).
In short, the Pioneer Domains Program invites potential registrants to submit proposals, explaining how they would use and promote the domain name. Each proposal will require an application fee and prior acknowledgment and acceptance of relevant terms and conditions. Evaluation criteria will take into account the applicantʹs business plan, marketing expertise, and the manner and purposes for which the proposed site would be operated. For Trademark applicants, the evaluation criteria is based on the trademarks filed and the rights holder can also apply for variations relevant to their mark.
29.1.6 Additional RPM Considerations
In addition to the RPMs mandated by the Applicant Guidebook, certain requirements proposed in the ‘2011 Proposed Security, Stability and Resiliency Requirements for Financial TLDs’ (at http:⁄⁄www.icann.org⁄en⁄news⁄correspondence⁄aba-bits-to-beckstrom-crocker-20dec11-en.pdf) (the ‘BITS Requirements) will be adopted. We acknowledge that these requirements were developed by the financial services sector in relation to financial TLDs, but nevertheless believe that their adoption in this TLD (which is not financial-related) results in a more robust approach to combating abuse. The following requirements will be adopted:
Req. 6: annual certification to ICANN of compliance with the Registry Agreement.
Req. 8: provision and maintenance of valid Registry Operator primary contact information (name, email address, and phone number) on the registry website.
Req. 10: re-validation of Registry-Registrar Agreements at least annually.
Req. 13: immediate notification to Registrars regarding any RPM investigation or compliance action including the nature of the investigation or compliance action by ICANN or any outside party.
The Registry-Registrar Agreement (RRA) will additionally impose upon Registrars the following requirements:
Req. 7: Annual certification to ICANN compliance with the Registrar Accreditation Agreement (RAA).
Req. 9: Provision and maintenance of valid primary contact information (name, email address, and phone number) on Registrar’s website.
Req. 19: Disclosure of registration requirements on Registrar’s website.
29.2 UDRP, URS and other Suspension Processes
While the Startup process, including the multi-phased Sunrise program provides a proactive process for prior rights holders to protect their names under the TLD in a priority registration process, RPMs after the allocation and delegation of a second level domain under the TLD is equally important.
29.2.1 UDRP Implementation
The Registry will comply with and put in place mechanisms to ensure the enforcement of UDRP decisions. These include provisions within the Registry-Registrar Agreements (RRA) with Accredited Registrars to ensure that they have adequate provisions in their Registration agreement with registrants to submit to UDRP proceedings, as well as to work closely with Accredited registrars in the implementation of UDRP decisions and required actions through the URS process.
29.2.2 URS Implementation
The URS is a new RPM the implementation of which is mandated in all new gTLDs. The URS is targeted at providing a rapid takedown solution to clear-cut cases of cybersquatting. It is intended to have a deterrent effect and reduce the number of UDRP disputes. The URS is intended to supplement and not replace the UDRP, and the Applicant Guidebook foreshadows (at URS ss8.6 & 13) the likelihood of URS claimants also commencing UDRP claims. For this reason the URS Implementation Plan considers potential interaction between URS and UDRP stakeholders. The following stakeholders are involved in implementation of the URS:
– URS claimants
– Registrants
– Registrars
– Registry operator
– ARI
– URS provider⁄s
– URS Examiner
The roles of these stakeholders are described below by reference to:
– URS Implementation Plan
– Contractual implementation
The URS Implementation Plan identifies certain aspects of implementation that are not clearly addressed in the Applicant Guidebook. For example, the Guidebook does not specify how from an operational perspective suspension of a domain name will transform to another status (e.g., transfer of a domain following a successful UDRP challenge); we assume that such a status change would only occur upon expiry of a registration but acknowledge the potential for further development of URS policy to allow for change of status as a result of a subsequent UDRP decision. In addition to identifying such gaps, the URS Implementation Plan identifies our proposed method of addressing these. Furthermore, understanding that a fundamental aim of the URS is expediency, all steps in the Implementation Plan below will be undertaken as soon as practical but without compromising security or accuracy.
29.2.2.1 Implementation
URS Implementation Plan
1. As an initial step, ARI will notify to each URS provider an email address for all URS-related filings and other correspondence. On an ongoing basis, ARI’s Abuse and Compliance Team will monitor this address for communications from URS providers. ARI will validate all correspondence received from a URS provider.
2. ARI will within 24 hours of receipt of a URS Notice of Complaint lock the domain name⁄s the subject of complaint by restricting all changes to the registration data, including transfer and deletion of the domain name. The domain name will continue to resolve while in this locked status.
3. ARI will immediately notify the URS provider in the manner requested by the URS provider once the domain name⁄s have been locked.
4. Upon receipt of a favourable URS Determination ARI will lock the domain name the subject of the Determination for the balance of the registration period and redirect the nameservers to an informational web page provided by the URS provider. While a domain name is locked, ARI will continue to display all of the WhoIs information of the original registrant except for the redirection of the nameservers and (subject to future policy development taking into account the transfer of a URS-locked domain name following a successful UDRP challenge) the additional statement that the domain will not be able to be transferred, deleted or modified for the life of the registration.
5. Upon receipt of notification from the URS provider of termination of a URS proceeding ARI will promptly unlock the domain and return full control to the registrant.
6. Where a default has occurred (in accordance with the Applicant Guidebook at URS s6.1) and a Determination has been made in favour of the complainant, in the event that ARI receives notice from a URS provider that a Response has been filed in accordance with s6.4, ARI will as soon as practical restore a domain name to resolve to the original IP address while preserving its locked status until a Determination from de novo review is notified to ARI.
7. ARI will ensure that no changes are made to the resolution of a domain name the subject of a successful URS Determination until expiry of the registration or the additional registration year unless otherwise instructed by UDRP provider.
8. ARI will make available to successful URS complainants an optional extension of the registration period for one additional year at commercial rates. We understand that this requirement has been based on the provision in the Expired Domain Deletion Policy (3.7.5.7 of the 2009 RAA), under which there is no requirement to notify the complainant that a name is due to expire. From this we conclude that there is likewise no requirement on this TLD to notify a successful URS complainant that a name is due to expire.
9. The Applicant Guidebook specifies that renewal must be offered ‘at commercial rates’ but does not specify how and to whom the renewal payment should be made. If payment is to be made to a stakeholder other than the registry operator, it is not clear how this will be received by the registry operator. ARI’s Abuse and Compliance Team will be prepared and have the expertise and flexibility necessary to develop the technical and financial interfaces necessary to facilitate the receipt of renewal fees by ARI.
Contractual Implementation
The following features of the URS Implementation Plan described above will be executed by inclusion of corresponding clauses in the RRA:
– In the event that a registrant does not submit an answer to a URS complaint in accordance with the Applicant Guidebook at URS s6.1 (default), Registrars must prevent registrants from making changes to the WhoIs information of a registration in default.
– Registrars must prevent changes to a domain in locked status to ensure that both the Registrar’s systems and registry’s systems contain the same information for the locked domain.
– Registrars must not take any action relating to a URS proceeding except as in accordance with a validated communication from ARI or a URS provider.
29.2.3 Other Suspension Programs
In addition to the basic dispute and suspension programs, the Abuse Prevention Mechanisms as described in #28 as well as the geographical names reservation processes described in #22, the Registry, following the footsteps of the .ASIA Registry as well, will explore appropriate suspension mechanisms and challenge processes to further improve the protection to prior rights holders.
For example, .ASIA has completed an MoU with the International Federation Against Copyrights Theft Greater China (IFACT-GC), and has explored extensively and works closely with the Anti-Phishing Working Group on possible alternative rapid suspension processes against gross copyright infringement and phishing sites. These discussions also helped inform some of the discussions that lead to the development of the URS.
Given the focus of the TLD, the Registry will also consider and explore adopting other relevant forums for domain dispute resolution. For example, the Registry may explore the adoption of relevant ccTLD dispute resolution processes or any other industry arbitration processes relevant to the use to broaden the protection of the legitimate prior rights of others in the registration of domain names in the TLD. These measures will be put in place in addition to and definitely not in replacement of the basic requirements of submitting to UDRP, URS and other ICANN policies.
29.2.4 Post-Delegation Dispute Resolution Process (PDDRP)
While the Registry is confident that its processes and policies will be effective in curbing abusive registrations, and that it has the knowledge and capabilities to implement and enforce such measures, the Registry is fully prepared to work with ICANN should a PDDRP be initiated.
The Registry fully submits to the process and, along with its Backend Registry Services Provider as well as Front End Registry Services Provider, will comply with all ICANN requirements through a PDDRP.
29.2.5 ARI Abuse and Compliance Team
ARI’s Abuse and Compliance Team will be staffed by five full-time equivalent positions:
– 4 Policy Compliance Officers
– 1 Legal Manager
Policy Compliance Officers will be responsible for managing sunrise and landrush applications, supporting the SDRP, TM Claims Service, URS, UDRP and Trademark PDDRP, managing communications with the TMCH, receiving, assessing and managing trademark infringement complaints received through the single abuse point of contact, escalating complaints and issues to the Legal Manager when necessary and communicating with all relevant stakeholders (Registrars, registrants, trademark holders, general public) as needed in fulfilling these responsibilities. This role will be provided on a 24⁄7 basis supported outside of ordinary business hours by ARI’s Service Desk. Policy Compliance Officers will be required to have the following skills⁄qualifications: customer service⁄fault handling experience, complete knowledge of all RPMs offered by the TLD and related policies, Internet industry knowledge, relevant post-secondary qualification, excellent communication and professional skills, accurate data entry skills, high-level problem solving skills, and high-level computer skills.
The Legal Manager will be responsible for handling all potential disputes arising in connection with RPMs and related policies. This will involve assessing complaints and issues, liaising with legal counsel and management, resolving disputes and communicating with all relevant stakeholders (Registrars, registrants, trademark holders, general public) as needed in fulfilling these responsibilities. The Legal Manager will be required to have the following skills⁄qualifications: legal background (in particular, intellectual property⁄information technology law) or experience with relevant tertiary or post-graduate qualifications, dispute resolution experience, Internet industry experience, excellent communication, negotiation, problem solving and professional skills and good computer skills.
For more information on the skills and responsibilities of these roles, please see the in-depth resources section in response to Question 31. Based on the projections and the experience of ARI, the resources described here are more than sufficient to accommodate the needs of this TLD.
29.3 Meeting & Exceeding Requirements
29.3.1 Capabilities and Knowledge
The Registry is supported by Namesphere as the Front-End Services provider, and works closely with DotAsia Organisation (through Namesphere) to develop the Sunrise and Startup processes as well as agreements and other administrative proceedings to ensure effective, efficient and implementable enforcement of such policies and processes.
DotAsia has significant knowledge and expertise in the development and successful implementation of Sunrise and RPM policies, as demonstrated by the successful launch of the .ASIA TLD. A dedicated team comprised of DotAsia, the Registry and our Registry Back-End Services Provider will be convened to ensure that policy as well as technical capabilities are in place to support the RPMs.
29.3.2 Compliance with Specification 7
The Registry is committed to comply with Specification 7 of the New gTLD Registry Agreement, and plans to implement additional RPM on top of the basic requirements of Specification 7.
29.3.3 Plans for Meeting Compliance with Contractual Requirements
The Registry, along with its Front-End Services Provider and Back-End Services Provider will work to ensure that contractual compliance is met. Besides the basic requirements in Specification 7, the Registry intends to consult with ICANN through the process as additional RPMs are put in place to ensure that they also comply with contractual requirements. With the strong experience from our partners, especially from DotAsia, the Registry can be assured that it will meet and comply with all the ICANN contractual requirements.
The following will be memorialized and be made binding via the Registry-Registrar and Registrar-Registrant Agreements:
The registry may reject a registration request or a reservation request, or may delete, revoke, suspend, cancel, or transfer a registration or reservation under the following criteria:
a. to enforce registry policies and ICANN requirements; each as amended from time to time;
b. that is not accompanied by complete and accurate information as required by ICANN requirements and⁄or registry policies or where required information is not updated and⁄or corrected as required by ICANN requirements and⁄or registry policies;
c. to protect the integrity and stability of the registry, its operations, and the TLD system;
d. to comply with any applicable law, regulation, holding, order, or decision issued by a court, administrative authority, or dispute resolution service provider with jurisdiction over the registry;
e. to establish, assert, or defend the legal rights of the registry or a third party or to avoid any civil or criminal liability on the part of the registry and⁄or its affiliates, subsidiaries, officers, directors, representatives, employees, contractors, and stockholders;
f. to correct mistakes made by the registry or any accredited registrar in connection with a registration; or
g. as otherwise provided in the Registry-Registrar Agreement and⁄or the Registrar-Registrant Agreement.
29.3.4 Consistency with Technical, Operational and Financial Approach
The use of pendingCreate along with other registry system features ensure that Sunrise and other startup processes could be processed in a standards based manner. In addition, DotAsia has helped to work out an open EPP extension for the implementation of Sunrise applications:
These EPP Extensions include:
• An 〈ipr:name〉 element that indicates the name of Registered Mark.
• An 〈ipr:number〉 element that indicates the registration number of the IPR.
• An 〈ipr:ccLocality〉 element that indicates the origin for which the IPR is established (a national or international trademark registry).
• An 〈ipr:entitlement〉 element that indicates whether the applicant holds the trademark as the original “OWNER”, “CO-OWNER” or “ASSIGNEE”.
• An 〈ipr:appDate〉 element that indicates the date the Registered Mark was applied for.
• An 〈ipr:regDate〉 element that indicates the date the Registered Mark was issued and registered.
• An 〈ipr:class〉 element that indicates the class of the registered mark.
• An 〈ipr:type〉 element that indicates the Sunrise phase the application applies for.
Note that some of these extensions might be subject to change based on ICANN-developed requirements for the Trademark Clearinghouse and also specific implementation of the Sunrise process at the Registry.
29.3.5 Committed Resource to Carry out plans
Both ARI and Namesphere as the Registry Back-End and Registry Front-End Services provider respectively have teams prepared and dedicated with capacity and capability to implement a comprehensive Sunrise and Startup process as well as the additional RPM measures that the Registry intends to put in place.
29.3.6 Rights Protection as A Core Objective
Based on the in depth discussion and commitment to the multitude of RPM features as well as a multi-phased startup process to ensure the stable and orderly introduction of the TLD, the Registry believes that it has demonstrated its commitment to rights protection as a core objective.
Beyond RPMs, the comprehensive geographical names protection program as explained in #22 further demonstrates the dedication of the Registry towards the protection of the prior rights of others.
29.3.7 Effective Mechanisms in Addition to Requirements in Registry Agreement
The policies and processes proposed by the Registry are proven and time tested to be effective in curbing abusive registrations. The .ASIA sunrise processes were highly regarded by the industry and yielded 100% satisfaction rating from an online poll of Intellectual Property Rights practitioners.
Much of the approach has been tested and proven successful through the launch of the .ASIA TLD. The success of the process can be observed by the imitation or following of the processes, including the multi-phased startup, the auction based contention resolution, as well as the Pioneer Domains Program (i.e. an Request for proposal -- RFP -- type process) are now commonly used processes when a TLD is launched or certain section of names are released by a TLD (e.g. 1 and 2 character names in existing gTLDs).
We have engaged ARI Registry Services (ARI) to deliver services for this TLD. ARI provide registry services for a number of TLDs including the .au ccTLD. For more background information on ARI please see the attachment ‘Q30a – ARI Background & Roles.pdf’. This response describes Security as implemented by ARI under direction from the registry operator taking into account any specific needs for this TLD.
1 SECURITY POLICY SUMMARY
ARI operates an ISO27001 compliant Information Security Management System (ISMS) for Domain Name Registry Operations; see attachment ‘Q30a – SAI Global Certificate of Compliance.pdf’. The ISMS is an organisation-wide system encompassing all levels of Information Security policy, procedure, standards, and records. Full details of all the policies and procedures included in the ISMS are included in the attachment to Question 30b.
1.1 The ISMS
ARI’s ISMS’s governing policy:
– Defines the scope of operations to be managed (Domain Name Registry Operations).
– Designates the responsible parties (COO, CTO and Information Security Officer) for governance, Production Support Group for implementation and maintenance, and other departments for supporting services.
– Requires a complete Risk Assessment (a developed Security Threat Profile for the Service – in this case registry services for the TLD – and a Risk Analysis tracing threats and vulnerabilities through to Risks) and Risk Treatment Plan (each major risk in the Risk Assessment references the Statement of Applicability indicating controls to be implemented, responsible parties, and the effectiveness metrics for each).
– Includes a series of major sub policies governing security, which include but are not limited to:
– ICT acceptable use policy and physical security policies.
– PSG Security Policy which outlines the registry operations policies, the management of end-user devices, classification of networks and servers according to the classification of information they contain, networking, server & database configuration and maintenance guidelines, vulnerability and patch management, data integrity controls, access management, penetration testing, third party management, logging and monitoring, and cryptography.
– Requires ongoing review:
– Of risks, threats, the Risk Treatment Plan, client requirements and commitments, process and policy compliance, process and policy effectiveness, user etc.
– Regular internal and external penetration testing & vulnerability scanning.
– Ad-hoc review raised during normal operations, common sources being change management processes, scheduled maintenance or project debriefs, and security incidents.
– Yearly review cycle which includes both internal and external audits, including external surveillance audits for compliance.
– Additional yearly security controls assessment reviews, which include analysis of the security control implementations themselves (rather than compliance with any particular standard).
– At 24 month intervals, external penetration testing of selected production services.
– periodic ISO reaccreditation
ARI’s ISMS encompasses the following ARI standards:
– Configuration standards for operating systems, networking devices and databases based on several key publications, including those released by NIST (eg SP800-123, SP800-44v2, SP-800-40, SP800-41) and the NSA, staff testing and experience, and vendor supplied standards.
– Security Incident Classification, which identifies the various classifications of security incidents and events to ensure that events that qualify as security incidents.
– Information Classification and Handling which specifies the information classification scheme and the specific requirements of handling, labelling, management and destruction for each level of classification.
1.2 SECURITY PROCESSES
Processes are used to implement the policies. These include, but are not limited to:
1.2.1 Change Management
This includes change management and its sub-processes for access management, software deployment, release of small changes and scheduled maintenance. This process includes:
– The classification of changes and the flow into sub processes by classification.
– The release and deployment process for change control into production environments, outlining peer review, testing steps, approval points, checklist sets, staging requirements and communication requirements.
– The software release and deployment process with its specific testing and staged rollout requirements.
– The scheduled maintenance process and its various review points.
1.2.2 Incident Management
This includes incident management process and its sub-process for unplanned outages. These outline:
– How incidents are managed through escalation points, recording requirements, communication requirements etc.
– The unplanned outage procedure which applies directly to situations where the registry itself or other critical services are unexpectedly offline.
1.2.3 Problem Management
The goal of problem management is to drive long term resolution of underlying causes of incidents. This process centres on finding and resolving the root causes of incidents. It defines escalation points to third parties or other ARI departments such as Development, as well as verification of the solution prior to problem closure.
1.2.4 Security Incident Management
This process deals with the specific handling of security incidents. It outlines the requirements and decision points for managing security incidents. Decision points, escalation points to senior management and authorities are defined, along with evidence-gathering requirements, classification of incidents and incident logging.
1.2.5 Access Management
This process handles all access changes to systems. HR must authorize new users, and access changes are authorized by departmental managers and approved by the Information Security Officer.
When staff leave or significantly change roles, a separation process is followed which ensures all access that may have been granted during their employment (not just their initially granted access) is checked and where appropriate, revoked.
Finally, quarterly review of all access is undertaken by the ISO, reviewing and approving or rejecting (with an action ticket) as appropriate.
2 ARI’s SECURITY INFRASTRUCTURE SOLUTIONS
ARI has developed a layered approach to IT security infrastructure. At a high level, some of the layers are as follows:
– DDoS countermeasures are employed outside ARI networks. These include routing traps for DDoS attacks, upstream provider intervention, private peering links and third party filtering services.
– Routing controls at the edge of the network at a minimum ensures that only traffic with valid routing passes into ARI networks.
– Overprovisioning and burstable network capabilities help protect against DoS and DDoS attacks.
– Network firewalls filter any traffic not pre-defined by network engineering staff as valid.
– Application layer firewalls then analyse application level traffic and filter any suspicious traffic. Examples of these would be an attempt at SQL injection, script injection, cross-site scripting, or session hijacking.
– Server firewalls on front-end servers again filter out any traffic that is not strictly defined by systems administrators during configuration as valid traffic.
– Only applications strictly necessary for services are running on the servers.
– These applications are kept up-to-date with the latest security patches, as are all of the security infrastructure components that protect them or that they run on.
– ARI infrastructure is penetration-tested by external tools and contracted security professionals for vulnerabilities to known exploits.
– ARI applications are designed, coded and tested to security standards such as OWASP and penetration-tested for vulnerabilities to common classes of exploits by external tools and contracted security professionals.
– ARI configures SELinux on its production servers. Specific details of this configuration is confidential; essentially any compromised application is extremely limited in what it can do.
– Monitoring is used to detect security incidents at all layers of the security model. Specifically:
– Network Intrusion Detection systems are employed to monitor ARI networks for suspicious traffic.
– ARI maintains its own host-based Intrusion Detection system based on tripwire, which has now undergone four years of development. Specific details are confidential, but in summary, the system can detect any unusual activity with respect to configuration, program files, program processes, users, or network traffic.
– More generic monitoring systems are used as indicators of security incidents. Any behaviour outside the norm across over 1,100 individual application, database, systems, network and environmental checks is investigated.
– Capacity management components of the monitoring suite are also used to detect and classify security incidents. Some examples are:
– Network traffic counts, packet counts and specific application query counts.
– Long term trend data on network traffic vs. specific incident windows.
– CPU, Storage, Memory and Process monitors on servers.
– A second layer of hardware firewalling separates application and middle tier servers from database servers.
– Applications only have as much access to database information as is required to perform their function.
– Finally, database servers have their own security standards, including server-based firewalls, vulnerability management for operating system and RDBMS software, and encryption of critical data.
2.1 Physical Security Infrastructure
ARI maintains a series of physical security infrastructure measures including but not limited to biometric and physical key access control to secured areas and security camera recording, alarm systems and monitoring.
3 COMMITMENTS TO REGISTRANTS
We commit to the following:
– Safeguarding the confidentiality, integrity and availability of registrant’s data.
– Compliance with the relevant regulation and legislation with respect to privacy.
– Working with law enforcement where appropriate in response to illegal activity or at the request of law enforcement agencies.
– Maintaining a best practice information security management system that continues to be ISO27001-compliant.
– Validating requests from external parties requesting data or changes to the registry to ensure the identity of these parties and that their request is appropriate. This includes requests from ICANN.
– That access to DNS and contact administrative facilities requires multi-factor authentication by the Registrar on behalf of the registrant.– That Registry data cannot be manipulated in any fashion other than those permitted to authenticated Registrars using the EPP or the SRS web interface. Authenticated Registrars can only access Registry data of domain names sponsored by them.
– A Domain transfer can only be done by utilizing the AUTH CODE provided to the Domain Registrant.
– Those emergency procedures are in place and tested to respond to extraordinary events affecting the integrity, confidentiality or availability of data within the registry.
4 AUGMENTED LEVEL OF SECURITY
This TLD is a generic TLD and as such requires security considerations that are commensurate with its purpose. Our goal with this TLD is to provide registrants with adequate protections against unauthorized changes to their names, without making the registration process too onerous and thus increasing costs.
The following attributes describe the security with respect to the TLD:
– ARI, follows the highest security standards with respect to its Registry Operations. ARI is ISO 27001 certified and has been in the business of providing a Registry backend for 10 years. ARI have confirmed their adherence to all of the security standards as described in this application. As per recommendation 24 this ensures that the technical implementations do not compromise elevated security standards
– Registrant will only be permitted to make changes to their domain name after a authenticating to their Registrar.
– Registrants will only be able to access all interfaces for domain registration and management via HTTPS. A reputed digital certificate vendor will provide the SSL certificate of the secure site.
– Registrar identity will be manually verified before they are accredited within this TLD. This will include verification of corporate identity, identity of individuals involved ⁄ mentioned, and verification of contact information
– Registrars will only be permitted to connect with the SRS via EPP after a multi-factor authentication that validates their digital identity. This is described further ahead.
– Registrars will only be permitted to use a certificate signed by ARI to connect with the Registry systems. Self-signed certificates will not be permitted.
– The Registry is DNSSEC enabled and the TLD zone will be DNSSEC enabled. This is described in detail in our response to question 43. The following additional requirements will exist for Registrars who want to get accredited to sell this TLD:
– Registrars must support DNSSEC capabilities within its control panels.
– If the Registrar provides Managed DNS services to Registrants within this TLD they must provide the option for DNSSEC. This ensures that DNSSEC is deployed at each zone and subsequent sub-zones at Registry, Registrar and Registrant level as per recommendation 26.
– Registrar access to all Registry Systems will be via TLS and secured with multi-factor authentication as per recommendation 27. This is described in detail in our responses to Question 24 and Question 25.
– Registrant access to all Registrar and Registry Systems will be via TLS and secured with multi-factor authentication as per recommendation 28. This is described in detail in our response to Question 25, Question 27 and Question 29.
– All communication between the Registrar or the Registrars systems and the registry system is encrypted using at least 128 bit encryption which been designated as ‘Acceptable’ till ‘2031 and beyond’ by NIST Special Publication 800-57. This includes the following communication:
– Secure websites and control panels provided by the Registrar to the Registrant.
– Ticketing systems provided by the Registrar to the Registrant.
– Web and EPP interfaces provided by ARI to the Registrars.
– Ticketing systems provided by ARI to the Registrar.
– Any communication between the Registrant, Registrar and Registry that is deemed as critical or contains credentials or sensitive information.
Where these requirements put controls on Registrars these will be enforced through the RRA.
5 RESOURCES
This function will be performed by ARI. The following resources are allocated to performing the tasks required to deliver the services described:
– Executive Management Team (4 staff)
– Production Support Group (27 staff)
ARI has ten years’ experience designing, developing, deploying, securing and operating critical Registry systems, as well as TLD consulting and technology leadership.
As a technology company, ARI’s senior management are technology and methodology leaders in their respective fields who ensure the organisation maintains a focus on technical excellence and hiring, training and staff management.
Executive Management is heavily involved in ensuring security standards are met and that continued review and improvement is constantly undertaken. This includes the:
– Chief Operations Officer
– Chief Technology Officer
A detailed list of the departments, roles and responsibilities in ARI is provided as attachment ‘Q30a – ARI Background & Roles.pdf’. This attachment describes the functions of the above teams and the exact number and nature of staff within.
The number of resources required to design, build, operate and support the SRS does not vary significantly with, and is not linearly proportional to, the number or size of TLDs that ARI provides registry services to.
ARI provides registry backend services to 5 TLDs and has a wealth of experience in estimating the number of resources required to support a registry system.
Based on past experience ARI estimates that the existing staff is adequate to support a registry system that supports in excess of 50M domains. Since this TLD projects 17,648 domains, 0.04% of these resources are allocated to this TLD. See attachment ‘Q30a – Registry Scale Estimates & Resource Allocation.xlsx’ for more information.
ARI protects against loss of critical staff by employing multiple people in each role. Staff members have a primary role plus a secondary role for protection against personnel absence. Additionally ARI can scale resources as required. Additional trained resources can be added to any of the above teams with a 2 month lead time.
The Production Support Group is responsible for the deployment and operation of TLD registries.
The group consists of:
– Production Support Manager (also the ISO)
– Service Desk:
– 1 Level 1 Support Team Lead
– 8 Customer Support Representatives (Level 1 support)
– 1 Level 2 Support Team Lead
– 4 Registry Specialists (Level 2 support)
– Operations (Level 3 support):
– 1 Operations Team Lead
– 2 Systems Administrators
– 2 Database Administrators
– 2 Network Engineers
– Implementation:
– 1 Project Manager
– 2 Systems Administrators
– 1 Database Administrators
– 1 Network Engineers
ARI employs a rigorous hiring process and screening (Police background checks for technical staff and Australian Federal Government ‘Protected’ level security clearances for registry operations staff).