Registry Data Escrow Specification
Internet Corporation for Assigned Names and Numbers
12025 Waterfront Drive, Suite 300
United States of America
90292
Los Angeles
+1.310.823.9358
gustavo.lozano@icann.org
Applications
data escrow
registry
This document specifies the format and contents of data escrow
deposits targeted primarily for domain name registries. The
specification is designed to be independent of the underlying
objects that are being escrowed and therefore it could also be used for
purposes other than domain name registries.
Introduction
Registry Data Escrow is the process by which a registry periodically submits data
deposits to a third-party called an escrow agent. These deposits comprise the
minimum data needed by a third-party to resume operations if the registry
cannot function and is unable or unwilling to facilitate an
orderly transfer of service.
For example, for a domain name registry or registrar, the data to be deposited
would include all the objects related to registered domain names, e.g.,
names, contacts, name servers, etc.
The goal of data escrow is higher resiliency of registration services, for the benefit of Internet users. The beneficiaries of a registry are not just those registering information there, but also the users of services relying on the registry data.
In the context of domain name registries, registration data escrow is
a requirement for generic top-level domains (e.g., Specification 2 of the ICANN Base Registry Agreement, see ) and some country code top-level
domain managers are also currently escrowing data.
There is also a similar requirement for ICANN-accredited
domain registrars.
This document specifies a format for data escrow deposits independent of the objects being escrowed. An independent specification is required for each type of registry/set of objects that is expected to be escrowed.
The format for data escrow deposits is specified using the Extensible Markup Language (XML) 1.0 as described in and XML Schema notation as described in and .
Readers are advised to read the terminology section carefully to understand the precise meanings of Differential and Incremental Deposits as the definitions used in this document are different from the definitions typically used in the domain of data backups.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 when, and only when, they
appear in all capitals, as shown here.
Deposit.
Deposits can be of three kinds: Full, Differential or Incremental. For all kinds of deposits, the
universe of registry objects to be considered for data escrow are those objects necessary in order to
offer the registry services.
Differential Deposit. Contains data that reflects all transactions involving the database
that were not reflected in the last previous Full, Incremental or Differential Deposit, as the case may
be. Differential Deposit files will contain information from all database objects that were added,
modified or deleted since the previous deposit was completed as of its defined Timeline Watermark.
Domain Name. See definition of Domain name in .
Escrow Agent. The organization designated by the registry or the third-party beneficiary to receive and
guard data escrow deposits from the registry.
Full Deposit. Contains the registry data that reflects the current and complete registry
database and will consist of data that reflects the state of the registry as of a defined
Timeline Watermark for the deposit.
Incremental Deposit. Contains data that reflects all transactions involving the database that were not
reflected in the last previous Full Deposit. Incremental Deposit files will contain information from
all database objects that were added, modified or deleted since the previous Full Deposit was completed
as of its defined Timeline Watermark.
If the Timeline Watermark of an Incremental Deposit were to cover (i.e., one or more Incremental or Differential Deposits exist for the period between the Timeline Watermark of a Full and an Incremental or Differential Deposit) the Timeline Watermark of another Incremental or Differential Deposit since the last Full Deposit, the more recent deposit MUST contain all the transactions of the earlier deposit.
Registrar. See definition of Registrar in .
Registry. See definition of Registry in .
Third-Party Beneficiary. Is the organization that, under extraordinary circumstances, would receive the
escrow deposits the registry transferred to the escrow agent. This organization could be a backup
registry, registry regulator, contracting party of the registry, etc.
Timeline Watermark. Point in time on which to base the collecting of database objects for a deposit.
Deposits are expected to be consistent to that point in time.
Top-Level Domain. See definition of Top-Level Domain (TLD) in .
Problem Scope
In the past few years, the issue of registry continuity has been carefully considered in the gTLD and
ccTLD space. Various organizations have carried out risk analyses and developed business continuity plans to
deal with those risks, should they materialize.
One of the solutions considered and used, especially in the gTLD space, is Registry Data Escrow as a
way to ensure the continuity of registry services in the extreme case of registry failure.
So far, almost every registry that uses Registry Data Escrow has its own specification. It is
anticipated that more registries will be implementing escrow especially with an increasing number of domain
registries coming into service, adding complexity to this issue.
It would seem beneficial to have a standardized specification for Registry Data Escrow that can be used
by any registry to submit its deposits.
While the domain name industry has been the main target for this specification, it has been designed to be as general as possible.
Specifications covering the objects used by registration organizations shall identify the format and contents of the deposits a
registry has to make, such that a different registry would be able to rebuild the registration
services of the former, without its help, in a timely manner, with minimum disruption to its users.
Since the details of the registration services provided vary from registry to registry, specifications covering the objects
used by registration organizations shall provide mechanisms that allow its extensibility to accommodate variations and
extensions of the registration services.
Given the requirement for confidentiality and the importance of accuracy of the information that is handled in order to offer
registration services, parties using this specification shall define confidentiality and integrity mechanisms for handling
the registration data.
Specifications covering the objects used by registration organizations shall not include in the specification
transient objects that can be recreated by the new registry, particularly those of delicate confidentiality,
e.g., DNSSEC KSK/ZSK private keys.
Details that are a matter of policy should be identified as such for the benefit of the implementers.
Non-technical issues concerning data escrow, such as whether to escrow data and under which purposes the data may
be used, are outside of scope of this document.
Parties using this specification shall use a signaling mechanism to control the transmission, reception and validation of data escrow deposits. The definition of such a signaling mechanism is out of the scope of this document.
Conventions Used in This Document
The XML namespace prefix "rde" is used for the namespace "urn:ietf:params:xml:ns:rde-1.0", but implementations MUST NOT depend on it;
instead, they should employ a proper namespace-aware XML parser and serializer to interpret and output the XML documents.
The XML namespace prefix "rdeObj1" and "rdeObj2" with the corresponding namespaces "urn:example:params:xml:ns:rdeObj1-1.0" and
"urn:example:params:xml:ns:rdeObj2-1.0" are used as example data escrow objects.
Date and Time
Numerous fields indicate "dates", such as the creation and expiry
dates for objects. These fields SHALL contain timestamps indicating
the date and time in UTC, specified in Internet Date/Time Format
(see , Section 5.6) with the time-offset specified as "Z".
Protocol Description
The following is a format for data escrow deposits as produced by a
registry. The deposits are represented in XML. Only
the format of the objects deposited is defined. Nothing is prescribed about the method used to transfer such
deposits between the registry and the escrow agent or vice versa.
The protocol intends to be object agnostic allowing the "overload" of abstract elements using
the "substitutionGroup" attribute of the XML Schema element to define the actual elements of an object to be escrowed.
The specification for each object to be escrowed MUST declare the identifier to be
used to reference the object to be deleted or added/modified.
Root element <deposit>
The container or root element for a Registry Data Escrow deposit is <deposit>.
The <deposit> element contains the following attributes:
-
A REQUIRED "type" attribute that is used to identify the kind of deposit:
-
FULL: Full.
-
INCR: Incremental.
-
DIFF: Differential.
-
A REQUIRED "id" attribute that is used to uniquely identify the escrow deposit.
Each registry is responsible for maintaining its own escrow deposits' identifier
space to ensure uniqueness.
-
A "prevId" attribute that can be used to identify the previous
Incremental, Differential or Full Deposit. This attribute is REQUIRED
in Differential Deposits ("DIFF" type), is OPTIONAL in Incremental
Deposits ("INCR" type), and is not used in Full Deposits ("FULL"
type).
-
An OPTIONAL "resend" attribute that is incremented
each time the escrow deposit failed the verification procedure at the receiving party
and a new escrow deposit needs to be generated by the registry for that specific date.
The first time a deposit is generated the attribute is either omitted or MUST be "0".
If a deposit needs to be generated again, the attribute MUST be set to "1", and so on.
The <deposit> element contains the following the child elements:
Child <watermark> element
A REQUIRED <watermark> element contains the date-time corresponding to
the Timeline Watermark of the deposit.
Child <rdeMenu> element
This element contains auxiliary information of the data escrow deposit.
A REQUIRED <rdeMenu> element contains the following child elements:
-
A REQUIRED <version> element that identifies the RDE protocol version, this value MUST be 1.0.
-
One or more <objURI> elements that contain namespace URIs
representing the <contents> and <deletes> element objects.
Child <deletes> element
For Differential Deposits, this element contains the list of objects that have
been deleted since the previous deposit of any type. For Incremental
Deposits, this element contains the list of objects that have been deleted
since the previous Full Deposit.
This section of the deposit MUST NOT be present in Full Deposits.
Child <contents> element
For Full Deposits this element contains all objects. For Differential
Deposits, this element contains the list of objects that have been added or
modified since the previous deposit of any type. For Incremental Deposits,
this element contains the list of objects that have been added or modified
since the previous Full Deposit.
Rebuilding the registry from data escrow deposits
When applying Incremental or Differential Deposits (when rebuilding
the registry from data escrow deposits), the relative order of the
<deletes> and <contents> elements is important because dependencies
may exist between the objects. All the <deletes> elements MUST be applied
first, in the order that they appear. All the <contents> elements
MUST be applied next, in the order that they appear.
If an object is present in the <contents> or <deletes> section of several deposits (e.g. Full and Differential) the registry data from the latest deposit (as defined by the Timeline Watermark) SHOULD be used when rebuilding the registry. An object SHOULD NOT exist multiple times either in the <contents> or <deletes> elements in a single deposit.
When rebuilding a
registry, the
<deletes> section MUST be ignored if present in a Full Deposit.
Formal Syntax
RDE is specified in XML Schema notation. The formal syntax presented
here is a complete schema representation of RDE suitable for
automated validation of RDE XML instances.
The BEGIN and END tags are not part of the schema; they are used to note
the beginning and ending of the schema for URI registration purposes.
RDE Schema
Registry Data Escrow schema
END]]>
Internationalization Considerations
Data escrow deposits are represented in XML, which provides native support for encoding information
using the Unicode character set and its more compact representations including UTF-8. Conformant XML
processors recognize both UTF-8 and UTF-16. Though XML includes provisions to identify and use other
character encodings through use of an "encoding" attribute in an <?xml?> declaration, use of UTF-8
is RECOMMENDED.
IANA Considerations
This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in .
Two URI assignments have been registered by the IANA.
Registration request for the RDE namespace:
- URI: urn:ietf:params:xml:ns:rde-1.0
- Registrant Contact: IESG <regext@ietf.org>
- Note to RFC Editor: Please remove the email address from the RFC after IANA records it.
- XML: None. Namespace URIs do not represent an XML specification.
Registration request for the RDE XML schema:
- URI: urn:ietf:params:xml:schema:rde-1.0
- Registrant Contact: IESG <regext@ietf.org>
- Note to RFC Editor: Please remove the email address from the RFC after IANA records it.
- See the "Formal Syntax" section of this document.
Implementation Status
Note to RFC Editor: Please remove this section and the reference to RFC 7942 before publication.
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942 . The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.
According to RFC 7942 , "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".
Implementation in the gTLD space
Organization: ICANN
Name: ICANN Registry Agreement
Description: the ICANN Base Registry Agreement requires Registries, Data Escrow Agents, and ICANN to implement this specification. ICANN receives daily notifications from Data Escrow Agents confirming that more than 1,200 gTLDs are sending deposits that comply with this specification. ICANN receives on a weekly basis per gTLD, from more than 1,200 gTLD registries, a Bulk Registration Data Access file that also complies with this specification. In addition, ICANN is aware of Registry Service Provider transitions using data files that conform to this specification.
Level of maturity: production.
Coverage: all aspects of this specification are implemented.
Version compatibility: versions 03 - 08 are known to be implemented.
Contact: gustavo.lozano@icann.org
URL: https://www.icann.org/resources/pages/registries/registries-agreements-en
Security Considerations
This specification does not define the security mechanisms to be used in the transmission of the data escrow
deposits, since it only specifies the minimum necessary to enable the rebuilding of a registry from
deposits without intervention from the original registry.
Depending on local policies, some elements, or, most likely, the whole deposit will be considered confidential. As such, the parties SHOULD take all the necessary precautions such as encrypting the data at rest and in transit to avoid inadvertent disclosure of private data. Regardless of the precautions taken by the parties regarding data at rest and in transit, authentication credentials MUST NOT be escrowed.
Authentication of the parties passing data escrow deposit files is also of the utmost importance. The
escrow agent MUST properly authenticate the identity of the registry before accepting data escrow
deposits. In a similar manner, the registry MUST authenticate the identity of the escrow agent
before submitting any data.
Additionally, the registry and the escrow agent MUST use integrity checking mechanisms to ensure the
data transmitted is what the source intended. Validation of the contents by the escrow agent is RECOMMENDED
to ensure not only that the file was transmitted correctly from the registry, but also that the contents are
"meaningful".
Note: if Transport Layer Security (TLS) is used when providing an escrow services, the recommendations in MUST be implemented.
Privacy Considerations
This specification defines a format that may be used to escrow personal data. The process of data escrow is governed by a legal document agreed by the parties, and such legal document must ensure that privacy-sensitive and/or personal data receives the required protection.
Acknowledgments
Special suggestions that have been incorporated into this document
were provided by James Gould, Edward Lewis, Jaap Akkerhuis, Lawrence Conroy, Marc Groeneweg,
Michael Young, Chris Wright, Patrick Mevzek, Stephen Morris, Scott Hollenbeck, Stephane Bortzmeyer,
Warren Kumari, Paul Hoffman, Vika Mpisane, Bernie Hoeneisen, Jim Galvin, Andrew Sullivan, Hiro Hotta,
Christopher Browne, Daniel Kalchev, David Conrad, James Mitchell, Francisco Obispo, Bhadresh Modi and
Alexander Mayrhofer.
Shoji Noguchi and Francisco Arias participated
as co-authors until version 07 providing invaluable support for this
document.
Change History
[[RFC Editor: Please remove this section.]]
Changes from 00 to 01
- Included DNSSEC elements as part of the basic <domain> element as defined in RFC 5910.
- Included RGP elements as part of the basic <domain> element as defined in RFC 3915.
- Added support for IDNs and IDN variants.
- Eliminated the <summary> element and all its subordinate objects, except <watermarkDate>.
- Renamed <watermarkDate> to <watermark> and included it directly under root element.
- Renamed root element to <deposit>.
- Added <authinfo> element under <registrar> element.
- Added <roid> element under <registrar> element.
- Reversed the order of the <deletes> and <contents> elements.
- Removed <rdeDomain:status> minOccurs="0".
- Added <extension> element under root element.
- Added <extension> element under <contact> element.
- Removed <period> element from <domain> element.
- Populated the "Security Considerations" section.
- Populated the "Internationalization Considerations" section.
- Populated the "Extension Example" section.
- Added <deDate> element under <domain> element.
- Added <icannID> element under <registrar> element.
- Added <eppParams> element under root element.
- Fixed some typographical errors and omissions.
Changes from 01 to 02
- Added definition for "canonical" in the "IDN variants Handling" section.
- Clarified that "blocked" and "reserved" IDN variants are optional.
- Made <rdeRegistrar:authInfo> optional.
- Introduced substitutionGroup as the mechanism for extending the protocol.
- Moved <eppParams> element to be child of <contents>.
- Text improvements in the Introduction, Terminology, and Problem Scope per Jay's suggestion.
- Removed <trDate> from <rdeDomain> and added <trnData> instead, which
include all the data from the last (pending/processed) transfer request.
- Removed <trDate> from <rdeContact> and added <trnData> instead, which
include all the data from the last (pending/processed) transfer request.
- Fixed some typographical errors and omissions.
Changes from 02 to 03
- Separated domain name objects from protocol.
- Moved <extension> elements to be child of <deletes> and <contents>,
additionally removed <extension> element from <rdeDomain>,<rdeHost>,
<rdeContact>,<rdeRegistrar> and <rdeIDN> elements.
- Modified the definition of <rde:id> and <rde:prevId>.
- Added <rdeMenu> element under <deposit> element.
- Fixed some typographical errors and omissions.
Changes from 03 to 04
- Removed <eppParams> objects.
- Populated the "Extension Guidelines" section.
- Fixed some typographical errors and omissions.
Changes from 04 to 05
- Fixes to the XSD.
- Extension Guidelines moved to dnrd-mappings draft.
- Fixed some typographical errors and omissions.
Changes from 05 to 06
- Fix resend definition.
Changes from 06 to 07
- Editorial updates.
- schemaLocation removed from RDE Schema.
Changes from 07 to 08
- Ping update.
Changes from 08 to 09
- Ping update.
Changes from 09 to 10
- Implementation Status section was added.
Changes from 10 to 11
- Ping update.
Changes from 11 to REGEXT 00
- Internet Draft (I-D) adopted by the REGEXT WG.
Changes from version REGEXT 00 to REGEXT 01
- Privacy consideration section was added.
Changes from version REGEXT 01 to REGEXT 02
- Updated the Security Considerations section to make the language normative.
- Updated the rde XML schema to remove the dependency with the eppcom namespace reference.
- Editorial updates.
- Remove the reference to RFC 5730.
- Added complete examples of deposits.
Changes from version REGEXT 02 to REGEXT 03
- The <contents> section changed from MUST to SHOULD, in order to accommodate an Incremental or Differential Deposit that only includes deletes.
- Editorial updates.
Changes from version REGEXT 03 to REGEXT 04
- Moved to the Normative References section.
Changes from version REGEXT 04 to REGEXT 05
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/UNo6YxapgjyerAYv0223zEuzjFk
- The examples of deposits were moved to their own sections.
- <deposit> elements definition moved to section 5.1.
- The DIFF example was modified to make it more representative of a differential deposit.
Changes from version REGEXT 05 to REGEXT 06
- Normative references for XLM, XML Schema added.
- Text added to define that version MUST be 1.0.
- Normative SHOULD replaced should in the second paragraph in the security section.
Changes from version REGEXT 06 to REGEXT 07
- Registration contact changed in section 8.
Changes from version REGEXT 07 to REGEXT 08
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/hDLz2ym4oR-ukA4Fm-QJ8FzaxxE
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/780Xw-z1RMRb79nmZ6ABmRTo1fU
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/YnPnrSedrCcgQ2AXbjBTuQzqMds
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/BiV0NHi_k7cYwTiLdLwVgqEcFuo
Changes from version REGEXT 08 to REGEXT 09
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/x_8twvi-MS4dDDRfAZfNJH92UaQ
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/B3QTxUCWUE4R_QharAQlA3041j0
Changes from version REGEXT 09 to REGEXT 10
- Changes based on the feedback provided here: https://mailarchive.ietf.org/arch/msg/regext/UaMNvl1xh60ldjpqHHYc3TNsfhg
Example of a Full Deposit
Example of a Full Deposit with the two example objects rdeObj1 and rdeObj2:
2019-10-17T23:59:59Z
1.0
urn:example:params:xml:ns:rdeObj1-1.0
urn:example:params:xml:ns:rdeObj2-1.0
EXAMPLE
fsh8013-EXAMPLE
]]>
Example of a Differential Deposit
Example of a Differential Deposit with the two example objects rdeObj1 and rdeObj2:
2019-10-18T23:59:59Z
1.0
urn:example:params:xml:ns:rdeObj1-1.0
urn:example:params:xml:ns:rdeObj2-1.0
EXAMPLE2
sh8014-EXAMPLE
]]>
Example of a Incremental Deposit
Example of an Incremental Deposit with the two example objects rdeObj1 and rdeObj2:
2020-03-16T23:59:59Z
1.0
urn:example:params:xml:ns:rdeObj1-1.0
urn:example:params:xml:ns:rdeObj2-1.0
EXAMPLE1
fsh8013-EXAMPLE
EXAMPLE2
sh8014-EXAMPLE
]]>
References
Normative References
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Date and Time on the Internet: Timestamps
This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar.
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
DNS Terminology
The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document.
This document obsoletes RFC 7719 and updates RFC 2308.
Extensible Markup Language (XML) 1.0 (Fifth Edition) REC-xml-20081126
W3C.xml
XML Schema Part 1: Structures Second Edition REC-xmlschema-1-20041028
W3C.xmlschema-1
XML Schema Part 2: Datatypes Second Edition REC-xmlschema-2-20041028
W3C.xmlschema-2
Informative References
The IETF XML Registry
This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.
Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases.
Improving Awareness of Running Code: The Implementation Status Section
This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.
This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.
Base Registry Agreement 2017-07-31
ICANN