How it Works: TLD Registry Protocols

Similar documents
Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

MEAC DNS Study. Fahd Batayneh MENOG 16 Istanbul March 2016

1 Proposed model for trademark claims. 2 Details of the proposed model

Development of Open Source RESTful WHOIS. Haikuo Zhang

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

Version 2.4 Final. TMDB System User Manual (Registrar)

DNS Basics. DNS Basics

FAQ (Frequently Asked Questions)

NIST Security Improvements. William C. Barker and Scott Rose October 22, 2015 M3AAWG 35 th General Meeting

Innovating with the Domain Name System: From Web to Cloud to the Internet of Things

IETF Update on RDAP. ICANN52 Singapore CCTLD Tech Day. Marc Blanchet Viagénie

Phone Systems Buyer s Guide

Best Practices in Domain Name Registry Solutions Understanding the Technical Requirements of ICANN's Applicant Guidebook

Specifications for Registrars' Interaction with Flexireg Domain Registration System

Pre Delegation Testing (PDT) Frequently Asked Questions (FAQ)

API Operational Test and Evaluation Platform (API OT&E platform) User manual. Version 2.0

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

.Brand TLD Designation Application

Global Registry Services Registrar Frequently Asked Questions (FAQ) for TLDs using Afilias Technology

IANA Functions to cctlds Sofia, Bulgaria September 2008

Protecting your trademarks online. FACTS & FAQs

DNS Security FAQ for Registrants

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

Specifications for Registrars' Interaction with the Domain Registration System During Landrush and General Registration Periods

OpenSRS Domain Transfers Guide. October 23, 2008

Wireless Networks: Network Protocols/Mobile IP

.Masr IDN registry system. National Telecom Regulatory Authority Of EGYPT ( NTRA ) ( 20 Min )

General Launch Policy

Telephone Related Queries (TeRQ) IETF 85 (Atlanta)

Policy Overview and Definitions

Securing DNS Infrastructure Using DNSSEC

DNSSEC Deployment Activity in Japan - Introduction of DNSSEC Japan - Yoshiki Ishida, Yoshiro Yoneya, Tsuyoshi Toyono, Miki Takata DNSSEC Japan

2014 IANA FUNCTIONS CUSTOMER SERVICE SURVEY RESULTS. Survey by Ebiquity Report by Leo Vegoda & Marilia Hirano

Registrar Ramp Up Process. Prepared by Afilias

.alsace Launch Policy Sunrise - LRP - Landrush

Internationalization of Domain Names

.AXA Domain Policy. As of March 3, 2014

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Internet Security and Resiliency: A Collaborative Effort

Domain Name Industry. Comparing ZA with the rest

IETF DPRIVE WG: Encrypting DNS

Apache web server: ConceI avanza0 (Lezione 2, Parte I) Emiliano Casalicchio (C)

1 Processing of personal data Information collected for use WHOIS search function Introduction Purpose...

Domain Name Registration Policies

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

The IANA Functions. An Introduction to the Internet Assigned Numbers Authority (IANA) Functions

.CO.NO Domain Information, Launch Schedule & FAQ

Registration Policy. 9 July Powered by. A Bombora Technologies Company

An introduction to IANA Presentation Notes

Architecture of So-ware Systems HTTP Protocol. Mar8n Rehák

SDNP.mw cctld DOMAIN REGISTRATION POLICY Ver 1.2 of 23 July 2015

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Trends in.ro registration policy and procedures, transition to the EPP system

IANA Stewardship Transition & Enhancing ICANN Accountability

Statement of Work 2 Trademark Clearinghouse TMCH Sunrise and Claims Services

Root zone update for TLD managers Mexico City, Mexico March 2009

Network Performance Tools

mydnsipv6 Success Story

Privacy- Preserving P2P Data Sharing with OneSwarm. Presented by. Adnan Malik

Why Network Operators Should Get Involved in ICANN

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

.PROTECTION &.SECURITY POLICIES

CS 5150 So(ware Engineering System Architecture: Introduc<on

.hitachi Domain Name Registration Policies

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2015 IANA Functions Customer Service Survey Results

Text. Registry Onboarding and TLD Startup

Next Steps In Accelerating DNSSEC Deployment

Glossary of Technical Terms Related to IPv6

Domain Name System Security

The Internet Ecosystem and ICANN!! Steve Stanford University, Center for Information and Society! 29 April 2013!

Cloudian The Storage Evolution to the Cloud.. Cloudian Inc. Pre Sales Engineering

How It Works: 101: Naming, Addressing, Routing ALAIN DURAND ICANN

Internet Bodies.

14. Privacy Policies Introduction

PRIVACY POLICY The type of web browser and operating system you have used:

Defining and Signaling Relationships Between Domains

Cape Girardeau Career Center CISCO Networking Academy Bill Link, Instructor. 2.,,,, and are key services that ISPs can provide to all customers.

ARTE TLD REGISTRATION POLICY

Code of Conduct Exemption Request Form

.RUHR Domain Name Registration Policy

Topics of Interest Iraklion, Greece June 2008

DOMAIN NAME DAY. + Helsinki; 14 th February; Nigel Hickson, ICANN

.BIO DOMAIN NAME POLICY v2.0 - Last Update: May 30, Starting Dot Ltd..BIO DOMAIN NAME POLICY - V1.0 - AS OF 30 MAY

DNSSEC Explained. Marrakech, Morocco June 28, 2006

Policy for the Registration of.hamburg Domain Names

Update on the Cloud Demonstration Project

Afilias Sunrise Dispute Resolution Policy (Ver. 1.0)

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

.bbva TLD Registration Policy

Resilience improving features of MPLS, IPv6 and DNSSEC

Lesson 4 Web Service Interface Definition (Part I)

How To Write A Domain Name In Unix (Unicode) On A Pc Or Mac (Windows) On An Ipo (Windows 7) On Pc Or Ipo 8.5 (Windows 8) On Your Pc Or Pc (Windows

Whois Policy. June 2008

Version 1.00 Last updated: 25 June 2015 POLICIES

CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31,

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

Computer Networks. Examples of network applica3ons. Applica3on Layer

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Transcription:

How it Works: TLD Registry Protocols Ed Lewis Steve Conte ICANN 53 21 June 2015

What is a Domain Name Registry? Database of domain names and associated informa0on in the top level domains of the Domain Name System (DNS) system Top- level domain (TLD) space o=en called a zone when discussing from a technical perspec0ve 3

Other Kinds of Registries Regional Internet Registries (RIRs) Network addresses and rou0ng informa0on Protocol parameter registries Internet Assigned Numbers Authority (IANA) Land ownership Motor vehicle ownership Gi= registries (e.g., wedding, baby) 4

Registries in the DNS Tree Root Zone. (root) Registry.TLD.otherTLD Domains domain.tld example.tld sample.othertld host.domain.tld 5

TLD Registry Relationship Registrant Reseller TLD Registry Registrar Registrar Registrant 6

From the Other Side Data Escrow Trademark Clearinghouse TLD Registry 7

Protocols of a TLD Registry 8

DNS Domain Name System

What is the DNS Protocol? A lookup, much akin to looking up someone's phone number in an old style phone book Query asks for informa0on (e.g., domain name, type) Response contains the informa0on or "no" 10

Significance of the DNS One of the earliest protocols Impacts design, asempts to improve Has proven to be resistant to replacement Domain Name Registries exist because of it Means to enter and manage data transferred 11

What DNS Means to a Registry Most important component in terms of resiliency Unlike other components, approaches cri0cal status Most used component, untold relying par0es High capacity for volume of use Senders of queries are anonymous 12

Registrar (Registrant Agent) Registra9on Interfaces IANA (Internet Assigned Numbers Authority) Registry Database DNS Server DNS 13

Components of the DNS Authorita0ve server What the registry operates Recursive server What issues queries to registry servers Stub/clients Individual users (people or automated systems) 14

DNS Server (Authorita9ve) DNS Recursive Server DNS Stub Clients 15

DNSSEC DNS Security Extensions

What does DNSSEC do? The end user rarely contacts the true source of DNS informa0on directly DNS data is stored in intermediate servers DNS data is transferred in the open End- to- end encryp0on, like HTTPS, isn't a solu0on Provide authen0city, completeness Within constraints of DNS 17

History of DNSSEC Developed in 1990's, workshops with operators through 2004 Internet Engineering Task Force (IETF) base documents published 2004 Dan Kaminsky's 2008 talk elevated priority The End Of The Cache As We Know It Black Hat Conference 2008 Since 2009 has been in opera0ons in TLDs and the root zone (2010) 18

Approach to DNSSEC Data is accompanied with a digital signature which can be validated with a public key Public key cryptography enables a scalable trust building framework A hierarchy matching the DNS tree enables a verifiable trust building framework 19

The Registry's Portion of DNSSEC Managing keys for the TLD Registering delega0on signer (DS) records from registrants Signing DS records and publishing Signing nega0ve answers ("no") Interac0ng with IANA to register TLD key material 20

IANA Root Registry Registrar (Registrant Agent) DNSSEC Func9ons Registry Database DNSSEC DNS Server 21

WhoIs

History of WhoIs Preda0ng even DNS Means to iden0fy the other end(s) of the network Simplis0c ques0on and answer At the 0me, no concerns about privacy, security, accuracy 23

WhoIs Protocol Definition Open a TCP connec0on to port 43 Send a ques0on Wait Receive an answer Close the connec0on 24

Registry Database WhoIs WhoIs Server WhoIs Client 25

Why is that a Problem? (WhoIs Challenges?) Ques0ons and answers undefined Free form is not good for interoperability Early so=ware assumed ASCII only No meta- answers, no "use some other server" Differen0ated access impossible No means to validate data in answers 26

WhoIs Sessions @ICANN53 Next Steps for WhoIs Accuracy Repor0ng Wednesday, 24 June 17:00 18:30 Auditorio Thick WhoIs Policy Implementa0on Mee0ng with the IRT Wednesday, 24 June 17:00 18:30 Re0ro B 27

EPP Extensible Provisioning Protocol

What it EPP? A business- to- business protocol between a registrar and registry Purpose is to edit the registra0on data base Add, delete registered names Add, delete, modify contacts Transfers Plus some other "maintenance" 29

History of EPP 2000-2003 developed in IETF Based on earlier protocols with the COM/NET registry 2003-2009 progressed to full standard Mandated for gtlds and stlds Gained acceptance among cctlds Current IETF WG to manage extension designated as standard 30

EPP Exclusivity EPP need not be exclusive A registry is technically able to use mul0ple protocols for this Policy might restrict (such as strict First Come First Served via registrars) 31

EPP Protocol Architecture Uses TLS or strongly secured transport layer Exchange is encoded in XML Server inside registry, clients at registrars EPP Registrar EPP Client EPP Server Registry Database 32

RDAP Registration Data Access Protocol

What is RDAP? Registra0on Data Access Protocol (RDAP) A query/response means to inspect a registra0on database Regardless of where it is hosted Biased towards registra0on not only domain names A layer on top of HTTPS Reuses much of web- developed technology 34

Components of RDAP Server So=ware to parse queries So=ware to access the database So=ware to prepare response Client Web browser API with specific abili0es Can perform authen0ca0on steps 35

History of RDAP Dissa0sfac0on with WhoIs led two RIRs to experiment with a Web- based approach Very successful From this, the story of RDAP is very much 0ed to Replacement of the WhoIs protocol Commonality of names and numbers The HTTPS protocol 36

Basic Description of RDAP Query over HTTPS, looks like a URL Like WhoIs, but formalized Response over HTTPS FormaSed data answering query, using "JSON" Like WhoIs, but formalized FormaSed redirec0on message Not in WhoIs To do: opera0onal profile 37

Features of RDAP Defined data model Expansion- friendly query and response formats Expansion beyond ASCII characters (I18N) Distribu0on of data sources Differen0ated access (authoriza0on model) Presumes an authen0ca0on model too Compa0bility with 2010- era so=ware engineering 38

RDAP Client RDAP RDAP Message Handler Registry Database 39

RDAP Sessions @ICANN53 Registra0on Data Access Protocol: What s Next? Wednesday, 24 June 14:15 15:30 Re0ro A 40

Data Escrow

Purpose of Data Escrow Store the registra0on database contents with a third party for safe keeping Why? Operator "business" failure Allows for restart of registry by another operator Stored by a third party with strict rules for access by anyone else E.g., ICANN can request the deposits under a slim set of circumstances 42

History of Data Escrow IETF Birds of Feather session Deemed uninteres0ng to the IETF This doesn't mean data escrow is unimportant The reason is that data escrow is technically very simple, but very specific and related to governing policy 43

Data Escrow Deposits Defined in two places Data "framework" in an Internet Dra= Timing of ac0ons in Specifica0on 2 of registry agreements A "dump" of the registry database XML version in one or more files Compressed/Encrypted Deposit made every day Full on Sunday; Incremental all other days of the week 44

Public Keys Sunday: Full File Deposit Other Days: Incremental Escrow Agent Registry Operator No0fica0on No0fica0on ICANN Public Keys 45

TMCH Trademark Clearinghouse

What is TMCH? Trademark Clearing House (TMCH) is an open but mostly ICANN- specific mechanism to address trademarks in domain names Limi0ng the discussion to registry- touching protocols Two phases, Sunrise and Trademark Claims Protocol built over HTTPS (secured Web) 47

TMCH in Sunrise Sunrise refers to opening of TLD to trademark holders first Registry supplies to a TMCH List of domain name registered Registry receives from a TMCH A list of marks no longer listed (revoked from a previously published list) 48

TMCH in Trademark Claims Claims refers to early days of a TLD when registra0ons of trademark "look alikes" result in no0ces Registry supplies to a Trademark Clearing House List of domain names registered matching the pre- registered trademarks Registry receives from a Trademark Clearing House A list of labels corresponding to pre- registered trademarks 49

(Sunrise) SMD Revoca0on List via HTTPS Registry (Claims) DNL List via HTTPS Trademark Clearing House Names effec0vely allocated... 50

Protocols of a TLD Registry 51

Engage with ICANN http://www.icann.org Thank You and Questions Reach us at: Email: edward.lewis@icann.org steve.conte@icann.org twitter.com/icann gplus.to/icann facebook.com/icannorg weibo.com/icannorg linkedin.com/company/icann flickr.com/photos/icann youtube.com/user/icannnews slideshare.net/icannpresentations 52

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information