Executive Summary

This is a joint bid between the Internet Multicasting Service (IMS) and the Internet Software Consortium (ISC). We are both public benefit corporations with a long history of operating public works and creating freely available software for key infrastructure services on the Internet.

The .org Top Level Domain (TLD) is the home for the noncommercial organizations of the world, and we would operate the .org registry service as a public trust:

• We have designed a rock-solid service in strategic exchange points throughout the world. We will build this service on our existing infrastructure and operate a stable, high-performance, high-availability registry service for the .org TLD.
• We will operate this service with strong support for registrars, the registrants in the .org TLD, the general Internet community, ICANN, and our other constituencies.
• We will build on our deep familiarity with the subject area and our extensive experience in provisioning complex Internet services. We will provide a smooth transition with no break in service.
• The .org TLD registry service that will support all IETF recommended protocols. Our software, including packages for registry servers, registrar clients, Whois, namespace management, and secure DNS solutions will be freely available with no restrictions in source and binary form.
• We will work with our extensive network of partners throughout the world to provide substantial input to the standards process and advances in core technologies.
• We will work with our extensive network of partners around the world to differentiate .org make this TLD a home for the noncommercial organizations of the world.

IMS and ISC have provided important contributions to Internet infrastructure and have worked together closely for years. Our team is in place and builds on substantial past experience:

• We produce BIND, the software used to provide DNS service on the vast majority of key Internet servers.
• We operate the "F" root server and serve DNS for 21 TLDs.
• We have extensive experience with large, complex databases and were responsible for implementing and operating Internet databases from the ITU, the U.S. Patent and Trademark Office, and the U.S. Securities and Exchange Commission.
• We have built large global communities, such as the Internet 1996 World Exposition, a yearlong event that deployed over US$100m in in-kind contributions to enhance global Internet connectivity and stability. The Exposition included the participation of people from 85 countries and received over 5 million visitors from 130 countries.
• Our team is well known for advancing the state of the art in Internet services and applications, including tpc.int, HTCP, the DNS, and BEEP.

Revenue generated from the operation of the registry will first cover core operations, then service debt, and then fund public works projects for the benefit of .org registrants and core Internet infrastructure. No funds will be used for unrelated programs and we have no shareholders. An experienced board of directors, a public process, and extensive reporting will provide full accountability and transparency for the operation of this registry.

We will provide ICANN with tools that will spur greater competition in the marketplace for registry services and support innovation in related areas.

Table of Contents

1. General Information About the Applicant

Internet Multicasting Service, Inc.
P.O. Box 217
Stewarts Point, CA 95480
United States
Email: carl@media.org
Phone: +1.707.847.3720
Facsimile: +1.415.680.1556
URI: http://not.invisible.net/

Our partner in this application is:

Internet Software Consortium, Inc.
950 Charter Street
Redwood City, CA 94063
United States
Email: paul@isc.org
Facsimile: +1.650.779.7055
Phone: +1.650.779.7000
URI: http://www.isc.org

The Internet Multicasting Service is a not-for-profit, public-benefit corporation that conceives and implements large public works projects and new services on the Internet for the benefit of the general public:

• As an independent initiative, IMS posted the full text of all U.S. Securities and Exchange public reports and ran the service for two years. At the conclusion of the two-year operation, IMS transitioned the service to the SEC, which operates it today as one of the U.S. government's busiest WWW and FTP services. IMS also ran a service with the full text of all U.S. Patents until the USPTO was able to get their own service up and running and currently maintains a 50-gigabyte public archive of U.S. government databases.
• IMS ran the first radio station on the Internet, including the operation of the first large-scale streaming and audio services on the net. The service provided 24-hour/day streaming content, including gateways from the U.S. Public Radio Satellite System and live feeds from the National Press Club and the floor of the U.S. Congress. IMS helped pioneer live broadcast production of events including an extensive presence at events such as Interop, INET, the IETF, the United Nations 50th Anniversary, and performances from arts venues such as the Kennedy Center and the Lincoln Center.
• IMS conceived and ran the Internet 1996 World Exposition, one of the first large global community events on the Internet. With partners in the Netherlands, Japan, and many other countries, the event involved thousands of people in the planning and implementation and included a full-time secretariat of 6 people coordinated by NIKHEF in Amsterdam. The world fair's infrastructure included the operation of the first international DS3-based Internet circuits, and required the deployment of over 2 terabytes of disk on machine clusters located in 8 countries.
• IMS has long provided program management for an advanced development program that has provided a steady stream of innovative ideas for the net. IMS coordinated the tpc.int project, the first public use of the Internet to carry telephony traffic on a large scale. IMS provides a home for the development of BEEP[34] and other emerging technologies.

The Internet Software Consortium is a not-for-profit, public-benefit corporation that produces core software and operates core infrastructure for the benefit of the general public:

• ISC produces BIND, the freely available software that is used to run most of the Domain Name System. BIND version 8 is mature production software used on most of the world's major computers including most of the Internet's root nameservers. BIND version 9 is new production software now shipped with several UNIX and LINUX distributions as the default enterprise nameserver application.
• ISC produces several other notable software packages, including the leading freely available DHCP implementation and INN, a complete freely available Usenet system.
• ISC runs the "F" Root Server and provides TLD DNS hosting for 19 ccTLDs, 3 legacy gTLDs, and the root.
• ISC provides hosting for the Lynx Web Browser, the NetBSD Foundation, the OpenLDAP Foundation, the IETF User Services Area, the XFree86 Project, and the Linux Kernel Archives.
• ISC sponsors the widely quoted Domain Name Survey.

From 1993 to 1997, ISC was under the fiscal sponsorship of the Internet Multicasting Service. ISC was incorporated in 1997 and began accepting funds in 1998.

The Internet Multicasting Service (IMS) is a Delaware Corporation (File 2335603) chartered in 1993. The Federal Employer ID of IMS is 52-1827912. IMS was classified as a 501(c)(3) non-profit in 1993 by the IRS and received a final 5-year 501(c)(3) ruling in 1998. IMS is registered in the State of California as corporation number C2369286 and has been granted exemption from state franchise and income taxes under section 23701(d) of the California Revenue and Taxation Code. IMS is a non-profit public benefit corporation and is not organized for the private gain of any person. The charter of the Internet Multicasting Service is "the creation and operation of public works on the global Internet computer network, including the creation and operation of new services, multimedia content and database, and network protocols for the benefit of the general public and the public Internet infrastructure."

The Internet Software Consortium is registered in the State of California as corporation number C2063422. ISC is a non-profit public benefit corporation and is not organized for the private gain of any person. The specific purpose of the ISC is "supporting the development of freely-available computer software programs which implement core Internet protocols and standards."

The D-U-N-S Number for the Internet Multicasting Service is 82-508-2589.

The D-U-N-S Number for the Internet Software Consortium is 02-368-9651.

IMS pays 3.5 Full Time Equivalent employees and has additional contractors and volunteers.

ISC pays 6.3 Full Time Equivalent employees and has additional contractors and volunteers.

The directors of the Internet Multicasting Service are Rick Adams, Dave Farber, Daniel Karrenberg, Carl Malamud, Rebecca Malamud, Marshall T. Rose, and Pindar Wong.

The officers of the Internet Multicasting Service are Carl Malamud and Rebecca Malamud. They will be the program managers for the .org program.

The directors of the Internet Software Consortium are Teus Hagen, Evi Nemeth, Paul Vixie, and Stephen Wolff.

The officers of the Internet Software Consortium are Paul Vixie, and Lynda McGinley. The program managers for the .org program will be Paul Vixie and Suzanne Woolf.

Neither IMS nor ISC have any stockholders. Both are public benefit corporations.

Carl Malamud (carl@media.org)
Internet Multicasting Service, Inc.
P.O. Box 217
Stewarts Point, CA 95480
United States
Phone: +1.707.847.3720
Facsimile: +1.415.680.1556
URI: http://not.invisible.net/

C10. Intentionally omitted.

2. Statement of Capabilities of the Applicant and Contracted Service Providers

2.1 [C12] Outsourcing

We will not outsource any of the functions listed above. To provide a single point of accountability for ICANN, the Internet Multicasting Service will serve as prime contractor. However, as evidenced in the attached Joint Statement of Authority, and by our long history of working together, this should be considered a joint bid between two established non-profit organizations.

2.2 [C13] Services and Facilities

Applicant will perform all functions. Note, however, [C18.5] Specific Cooperation Required from VeriSign

2.3 [C14] Scope and Terms of Contracts

As stated in [C13] Services and Facilities, applicant will perform all such functions.

2.4 [C15] Abilities of the Applicant

Our ability to operate a TLD registry of significant scale is based on:

• Significant past experience operating critical infrastructure on the Internet. Our services operate with an extremely high degree of service responsiveness and reliability.
• Our experience in coordinating large-scale community efforts and operating large-scale services with demanding requirements.

Specifically:

The services we build and operate require very high degrees of stability, performance, in a highly complex operating environment.

• We build and operate services at the center of the Internet. The "F" Root Server is operated with a high effective availability using proven clustering techniques and serves a peak of around 6,000 queries per second. We have been operating this service since 1993.
• We have significant operating experience inside of key exchange points (indeed our team has designed several of the most important exchange points). We understand routing, the DNS, and how to work with exchange points, transit providers, ISPs, large end nets, and all other elements of the core Internet infrastructure.
• We've worked with the most demanding database applications, including those with very high hit rates from the net. Our EDGAR and Patent databases were the largest WAIS databases on the net at the time. We have also built and run some of the largest XML-based databases in the world, including a full transformation of EDGAR into XML. Our experience working with very large databases spans 20 years, starting with the first Ingres relational databases and includes significant operational experience with current systems, including XML databases, full-text engines, and relational databases.
• We are experienced software developers who have produced numerous packages in widespread use on the net. Our BIND and DHCP packages are in use throughout the world in commercial and noncommercial organizations, spanning end-user to critical infrastructure applications. We produce well-documented, well-maintained, freely available code that is used by developers and operators throughout the world.
• We are intimately familiar with the DNS. In addition to running the "F" Root Server and hosting other TLDs, our team has made significant contributions to the evolution of the DNS and we understand how to work with all the other players that keep this global service running. We work on a daily basis with gTLD registries, registrars, ccTLDs, root server operators, transit providers, and corporate networks.

We are used to serving many constituencies. In addition to our experience working with software developers and operators around the world, we have worked with many kinds of communities and stakeholders.

• Even in rapidly changing regulatory environments, we keep the trains running on time. Our core focus is stability of Internet services. For example, even while the policy around U.S. government databases on the Internet was in great flux, there was no break in EDGAR service for users.
• Our software, such as BIND, is produced in a world where technology evolves rapidly as the standards bodies incorporate new ideas and operators accumulate real-world experiences. We actively participate in bodies such as the IETF, RIPE, WIDE, and NANOG and are able to keep production services operating with rock-solid stability, yet still have them evolve over time.
• Our team has significant operational experience working with ICANN, the IANA, the registrars, the registries, the IESG, and the IAB.
• Our team has significant operational experience running services for end users, particularly services that attract new end users. Our radio, government database, and world's fair services all brought the Internet to new classes of users. We will use our ability to create new and work within existing global communities to help differentiate the .org TLD.

Our team is well known for advancing the state of the art. We'll do that with the .org registry in particular and registries in general.

• For over 10 years, our team has worked together closely to bring new advances to the net, including the use of the public Internet for transmission of facsimiles and radio programs, access to government data, the production of live streaming events, and many other innovations.
• All of our past projects have been operational services, but we also understand that it is crucial to document what we do so that others can provide those services themselves. We are active participants in the standards-making process, and our team has published a large number of RFCs[19], Internet-Drafts[38], books[48], and web sites.[65] We will use those talents to help differentiate the .org TLD and to participate in a variety of standards efforts.
• Our Core Technologies Program will be used to spur innovation in this field. As part of this bid, we are also releasing two new Internet-Drafts in the field of namespace management, an effort directly relevant to the future of Whois services for end users and for core infrastructure functions such as the IANA.

Our program managers have held senior management positions with full responsibility for large organizations in industry, government and public service:

• We have a 10-year history of managing 501(c)(3) non-profits that provide public works projects on the Internet.
• We have held CEO, board-level, and senior management positions in industry.
• We have worked at ICANN, the IANA, and have held management positions in the IETF.
• Our experience working with U.S. government databases has made us very familiar with the policy making environment in Washington, and we have long experience working with policy bodies in the European Community, Asia, and other regions of the world, as well as with international bodies such as the ITU.
• Public services are in the public eye, and we have extensive experience in formulating messages that people can understand. We are very familiar in working in the media, on the net, and in person to explain what we do and listen to what people want.
• We have extensive experience with large, complex transitions. Our program managers helped transition legacy systems from organizations such as the SEC and the ITU onto the Internet. We also have experience transitioning our own services over to new organizations.

The Internet is a global network and our team our team has extensive international experience:

• We work closely with Internet coordination bodies around the world, including APNIC, RIPE, WIDE and many others.
• We are used to working with global communities of users, and will use those skills to make .org an attractive home for the noncommercial organizations of the world.
• Our bid anticipates placing service nodes in exchange points throughout the world. We have operated in these exchange points for many years and have the work experience and the personal relations to make our .org registry service a globally distributed service.

Our team has the experience and ability to operate as a public trust a rock-solid and responsive .org registry service. We will help differentiate .org, making it a home for noncommercial organizations. All of our work will be freely available, spurring innovation and competition in the registry and registrar markets.

3. Technical Plan (Including Transition Plan)

3.1 Summary

This technical plan for the design and implementation of the .org registry was constructed in accordance with the guidance provided by "gTLD Registry Best Practices" and the ".org Proposal Form". Additional detail required for implementation, but not requested specifically in the RFP has been separated from the main text for clarity, and is included in appendices.

The .org registry will initially be operated as a "thin" registry, but with a core registry schema that will accommodate both thin and thick registry models. We will implement a transition from the initial thin registry to a thick registry in conjunction with ICANN and the registrar community, as described in [C18] Transition Plan.

Our plan for initial deployment and transition of Shared Registration System (SRS) protocols is described in [C18] Transition Plan, and accommodates VeriSign's Extensible Provisioning Protocol (EPP) and Registry-Registrar Protocol (RPP) RRP deployment plans to ensure that the impact on gTLD registrars is minimized.

Software created to operate the registry, including software which provides RRP and EPP client and server functionality, will be released under an open-source license and will be made available for use by other registries and by registrars.

All services will be designed where possible to be provided multilingually in languages chosen to best serve the registrar community. A strong support structure for registrars and other interested parties is provided.

3.2 [C17.1] General Description of Proposed Facilities and Systems

We will operate the .org registry on a dedicated technical and support infrastructure, including new hardware, separate co-location and bandwidth contracts, and a dedicated technical staff of 10-12 professionals in customer support, systems administration, and software development. The technical plan makes extensive use of the team's expertise in the design, implementation, and operation of advanced server systems and networks, highly available public services such as the DNS, custom network applications, and advanced performance monitoring.

The central site, housing customer support, management, and software development activities, will be at ISC's primary location in Redwood City, California. This location has abundant suitable space at preferred rates, the local availability of excellent Internet connectivity, and close proximity to the San Francisco Bay Area talent pool of trained, experienced technical personnel. Improvements to the property, primarily in HVAC, electrical capacity, and telecom, will support our customer support center, development and other activities, with room to grow as needed for relatively low cost.

The production sites that will be supporting services for registrars and the public will be located at well-known, well-connected Internet co-location facilities. In the first year, two production sites in addition to the central site in Redwood City will support .org. As loads stabilize and DNS for .org is transitioned away from VeriSign's servers and towards ours, additional satellite installations will be deployed in other strategic locations to improve reachability and performance.

In recognition of the volatility of the co-location and bandwidth markets at this time, final determinations have not been made as to the locations of the production servers. A number of facilities would meet our requirements, which include highest quality security and reliability, ample space, low-latency and high bandwidth transit facilities, and the availability of many large, well-connected peering partners. Initial locations will be on east and west coasts of the United States, with additional facilities at suitable locations in Europe, Asia, South America, and Africa, with specific locations determined by the best connectivity for the largest number of users and customers.

The major production sites will consist of systems dedicated to public information services, to registrar services, and to database services, along with a redundant pair of servers supplying non-Internet access for "out-of- band" management of the servers, routers, and switches via modem and serial connection. The HP Alphaservers specified are well-known for speed, high capacity, and reliability, and the model specified, DS20L, are significantly over-provisioned for the anticipated loads (see [C17.10] Peak Capacities). Tru64 is a UNIX variant that has been in production use for highly available network services for many years and is interoperable with any standards-compliant UNIX and standards-compliant network service.

High-availability features of the hardware specified include redundant power supplies, hot-swappable disk, redundant Ethernet ports with failover capabilities, dual connections from each server into fully redundant Ethernet switches, and dual connections from each switch into a fully redundant pair of routers configured for automatic failover between them. A dual power RAID5 store between the database servers provides for highly reliable disk capacity. The maintenance policy will provide for on-site spares for both disk and power supplies. In addition, we remove the chance that maintenance access to the installation could be cut off by a network failure of any kind by including a full "out-of-band management" kit of dedicated redundant servers. This provides the ability to dial in to the installation and reach any of the servers or network gear via a serial connection in the unlikely event that it's entirely unreachable via the network.

Support services specified to enhance the availability and reliability of each production installation includes support contracts on the hardware, "eyes and hands" contracts with the facilities where they are housed, and 24x7 on-call availability of server system and network specialists on staff.

Facilities for the production systems are specified as carrier-grade, including dual entrance for fiber providers, redundant power, high availability HVAC, and access control requiring biometric identification of visitors or escorted access.

Production software is specified as open source where possible, including well-known standards-compliant implementations of relational databases, DNS, systems monitoring and management, and secure access. Systems development will also be based on established open-source tools. (Additional detail on our software architecture and tools will be included in responses to follow.)

Network access is specified to include diverse Internet access from initial launch. The technical team's experience with the connectivity needs and strategies of ISPs have led to an architecture that makes extensive use of BGP peering with ISPs to improve reachability to far reaches of the Internet and to reduce the costs associated with paid transit.

3.2.1 Functional Specification

The .org registry has been designed and implemented using a component model, using documented and consistent APIs between modules which will allow individual components to undergo development, testing and upgrade with a substantial degree of independence from the system as a whole. This approach, combined with community review and participation through open-source licensing and publication of all components, will lead to an optimally stable and secure infrastructure.

3.2.1.1 Provision of Services

3.2.1.2 Transaction Security

Periodic database dumps stored according to the general backup and data security policy will allow reconstruction of the registry database to be performed in the event of catastrophic failure. Additional facilities have been implemented to ensure that transactions performed against the database following a database dump can also be preserved, providing a mechanism to facilitate complete disaster recovery.

3.2.1.3 Active Service Monitoring

3.2.1.4 Event Monitoring

3.3 [C17.2] Registry-Registrar Model and Protocol

3.3.1 General Approach

The principal guiding objective for the design of initial registry-registrar interactions is that the transition from the VeriSign .org registry to our registry should be as simple as possible for registrars to accommodate, and hence that changes in registrar systems should be reduced to the smallest set possible. For this reason the initial registry-registrar model and interface specification has been made as similar as possible to that currently operated by VeriSign.

The initial interfaces provided to registrars for manipulation of the .org registry will be the RRP[1], with a planned transition to EPP[14] as described in [C18] Transition Plan.

The initial live set of data incorporated into the registry will similarly match that maintained by the VeriSign registry. This implies a "thin" registry model.

The registry schema (see [C17.3] Database Capabilities, will support the superset of requirements of the existing VeriSign registry data set, those requirements imposed by RRP and EPP ([14], [15], [16] and [17]), and the requirements of a thick (contact-populated) register.

A managed, gradual transition from a thin registry to a thick registry (one in which contact information is stored in the register) will be carried out as described in [C18] Transition Plan.

3.3.2 RRP Implementation

We are prepared to go live with an implementation of RRP that will satisfy all the mandatory requirements specified in [1]. However, we will also require VeriSign to disclose details of their live, production SRS infrastructure in such a way that our initial SRS implementation will conform as closely as possible to that used by existing VeriSign registrars.

Registrars may perform the following registration service procedures using RRP to communicate with the .org registry:

• Determine if a domain name has been registered.
• Register a domain name.
• Renew the registration of a domain name.
• Cancel the registration of a domain name.
• Update the nameservers of a domain name.
• Transfer a domain name from another registrar.
• Examine the status of domain names that the registrar has registered.
• Modify the status of domain names that the registrar has registered.
• Determine if a nameserver has been registered.
• Register a nameserver.
• Update the IP addresses of a nameserver.
• Delete a nameserver.
• Examine the status of nameservers that the registrar has registered.

This is the complete set of operations defined in RRP 1.1.0.

The WFR (waiting for authentication retry) and WFC (waiting for command) states in the RRP state machine will include timeouts, which will be specified in documentation made available to registrars. The RRP server will disconnect from the client if the specified timeout in WFR or WFC is exceeded.

The RRP implementation will allow specification of nameservers associated with other top-level domains for .org registration.

The RRP implementation will support a default initial registration period for domains, which will be used in the event that the registration period is not specified in a request to register a domain. This period, together with the range of acceptable values for a specified registration period will be specified in documentation made available to registrars.

The .org registry will notify a potential losing registrar when another registrar has made a transfer request. See Message Passing to Registrars for a description of message passing from the .org registry to registrars.

The .org registry may automatically approve transfers on behalf of potential losing registrars ("default approval") when the potential losing registrar fails to acknowledge the transfer request with an RRP transfer approval or rejection command within a certain time period. The time period used will be specified in documentation made available to registrars.

3.3.3 EPP Implementation

We are prepared to deploy an EPP service will satisfy all the mandatory requirements specified in [14], [15], [16], and [18]. Object service availability will initially be limited to domain names [15], and hosts [16], in accordance with the "thin" register model. As described in RRP Implementation for RRP, specific details of our deployment of EPP in phase II of our transition plan will be made available following advice from VeriSign on their EPP deployment plans, so as to minimize the Operational Test & Evaluation (OT&E) and systems implementation burdens for .org registrars.

3.3.4 Message Passing to Registrars

It is sometimes necessary for the registry systems to send messages to registrar systems, for example to notify a potential losing registrar of a transfer request. It is not possible to send these messages using RRP.

The .org registry will support the following message-passing mechanisms:

• Plain-text e-mail, in a near-identical format to those currently sent by VeriSign (see Registry/Registrar E-Mail Templates for format specifications).
• A summary archive, accessible via HTTPS and SCP, which include details of the date stamps and content of all messages passed from the registry to the registrar in the preceding calendar month.
• The EPP <poll> command, once EPP is deployed (see + [C18] Transition Plan).

3.3.5 Registrar Portal

The .org registry will provide an authenticated portal, accessible over HTTPS, to registrars. This portal will provide:

• Access to relevant documentation.
• Access to support information.
• The ability to customize the individual registry-registrar interface, such as specifying a message-passing mechanism and viewing message history (see Message Passing to Registrars).
• The ability to view a transaction log specific to the registrar's interaction with the registry.
• The ability to update the registrar's contact information.
• The ability for a registrar to manage, and delete domains; initiate and approve transfers, process renewals, create and update nameservers. The portal will not allow for domain creation, domains may only be created via the supported protocols.
• The ability to retrieve daily, and monthly reports.

3.4 [C17.3] Database Capabilities

The database schema for the register accommodates the superset of requirements imposed by the VeriSign register inherited at transition, RRP, EPP, a thin (contact-free) register and a thick (contact-populated) register model.

The registry database will be implemented on an RDBMS platform which is SQL-capable, and supports real-time replication between diverse registry sites, row-level locking, transaction rollback, ACID semantics, ANSI SQL support, Unicode support, triggers, stored procedures, and hot backup. The provision of a database access layer across the registry components will allow a registry based on our software to be built around a variety of different database products and on different operating platforms.

Database Size

• The RAID5 array will be initially sized at 200 Gbytes, which we estimate to be roughly 40 times larger than necessary to store the present .org database and all associated meta data.

Throughput

• The capacity in number of transactions per second of a database is related to the hardware and software platform where the database resides. The two protocols we propose to use, RRP and EPP, have very different styles of transactions; however they both result in similar database transactions. Our estimates of a reasonable capacity for the database from our operational experience in building OLTP systems are:
  • Query Transactions: 1,000,000/day
  • Write Transactions: 5,000,000/day
  • Check Transactions: 9,000,000/day

Scalability

• We have provisioned the hardware and database disk space capacity to handle 20% growth over each of the next 5 years and still use less than 10% of available resources. Should we find a need to extend the size of the database, the file system and SQL database can be extended to span new storage as needed.

Procedures for Object Creation, Editing, and Deletion

• All object operations will be performed through the protocols served by the front-end protocol servers, i.e., RRP or EPP for registrars. Customer Support will have the capability through a management console to assist customers with previously encountered problems and questions, such as a request to revive a mistakenly deleted domain name.
• All operations are logged. Operations through a management console require privileged access and second sign-on verification code through the use of a Supervisor or Manager PIN code.
• Engineering may have special access to the database for unique one-time operations that may be applied through direct SQL manipulation. An example of one of these circumstances is when a registrar is purchased by another registrar and 50,000 domains must be transferred from one registrar ID to another. Such a transaction would be handled by engineering through direct database manipulation. All one-time engineering modifications will be tested in a mirrored test environment before any bulk changes are applied to the production system.

Change Notifications

• Reports of all changes to objects managed by a registrar will be made available to the registrar through daily and monthly reports.

Registrar Transfer Procedures

• There are multiple sets of transfer procedures, depending on the SRS protocol being used. Transfer procedures associated with different SRS protocols support different capabilities, but efforts will be made to establish transfer procedures and policies such that any available SRS protocol will provide registrars with full functionality. See [C18] Transition Plan for SRS protocol transition plans.

Grace Period Implementation

• In the application of grace periods we will implement policy that favors the registrar not the Registry in areas that effect the financial requirements for monies on account with the registry.
• When domains are about to auto renew a 45-day grace period is applied to the debit to the registrars account. We will apply the debit for the domain at the time the domain is renewed or at the end of the 45-day auto renew grace period.
• A 5-day grace period applies to newly created domains. If the domain is deleted within 5 days the registrar is credited for the deleted domain. There are several proposals dealing with Domain Deletion and revival policies developed by ICANN. We will implement what is decided in this policy area.
• The registry will enforce a 60-day waiting period before a newly created domain can be transferred from one registrar to another.

Reporting Capabilities. The following reports will be made available to each active registrar through the web portal (via the HTTPS protocol) and via SFTP or SCP. The reports will use XML for their format.

• The Domains Report will list all domains currently associated with the registrar and all relevant Domain related fields such as Domain Status, Nameservers, and, when relevant, contacts.
• The Nameservers report will list all associated nameservers with a domain and the corresponding IP Addresses. It will also list any orphaned A records.
• The Contacts report will list any orphaned Contacts.
• The Transfers report will list all incoming and outgoing transfers and their current status.
• The Transaction report will list the daily transactions and the object they were applied to.

3.5 [C17.4] Zone File Generation

These procedures may not be fully implemented until we have full control of authoritative nameservers for .org. For notes on compatibility with VeriSign's procedures, see below and [C17.5] Zone File Distribution and Publication. "Zone data" in this context can refer to the full set of zone data or to data offered as an incremental update, in accordance with documented DNS standards for each.

We intend to maintain a 5-minute update frequency for any given change 95% of the time. Additionally, at least once a week a full zone file will be generated and loaded onto our servers. At least once a day we will verify that the incremental changes and a full extract of zone data match.

A companion report will explicitly flag all changes as adds, drops, or modifications to aid systems support staff in spotting unusual patterns of activity.

The generated .org zone file will include the following resource records:

• A single SOA record.
• A number of NS and A records, up to a maximum of 13 each, for the authoritative, public DNS servers for .org.
• One NS record for each unique (domain, nameserver) tuple, for domains with associated status values of ACTIVE, LOCK, CLIENT-LOCK and PENDING-TRANSFER.
• One A record for each required glue record. We will implement, on a reasonable schedule, glue-generation and pruning criteria specified by ICANN.

The incremental update to the zone will be generated by extracting from the database, at each zone update cycle, the zone data that has changed in the database since the last such cycle. The zone data thus generated from database changes will be checked against expected activity, with large changes in size or content (more than 2% change in total size or in the contents of more than 0.1% of the total delegations) to be flagged and the automatic process halted until review of the cause of the discrepancy can be performed by senior level systems staff.

Our expectations of normal activity in this zone are based upon previous experience with other critical DNS zones. During the prelaunch phase we expect that daily examination of the activity actually occurring in .org will allow us to considerably refine these expectations and our reporting thresholds.

Once the zone data has been generated, signed, and passed the automatic integrity checks, it will be loaded onto a non-public nameserver for a final verification pass. The availability of the zone for transfers and queries will be verified at this time.

When the test-load of the zone has been verified, it will be transferred to the published master. This system will not be a publicly known server and will not be used to resolve public queries against the .org zone. It will be a configuration usually described as a "hidden primary" or "distribution master", in which the only nameservers that can reach it are those configured as slaves for the .org zone and the only work it will do is the transfer of the zone to those appropriately configured slaves.

This configuration is operationally indifferent between the use of VeriSign's nameservers, the use of our nameservers, and the use of third parties for publication of the .org zone. All that is required is access control coordination between the operators so that all slaves have permission to gather the zone from the master (see note below on TSIG). However, our turnaround times are based on the ability to do DNS IXFR as the update mechanism; full zone transfer will be dramatically slower.

The NOTIFY extension to the DNS will be used to speed convergence between a new copy of the zone at the registry and that cached on the slaves.

It is extremely unlikely but not impossible that a seriously damaged version of the zone will pass the integrity checks and be loaded into publicly available slaves. Monitoring of both helpdesk activity and the operation of the slave nameservers, including regular automated tests of the availability and integrity of the zone on the slaves, will assist in identifying this should it ever occur. The recovery procedure includes:

1. Regenerate the previous, operationally acceptable version of the zone with a new serial number.
2. Force the normal update process with the newly revised zone, by manual intervention of a senior systems staff member.
3. Verify receipt of the recovered zone by the slaves as soon as practical.
4. Examine and resolve problems with the broken zone.

This would not allow for a perfect recovery because bad data may still be cached elsewhere among clients in the net. There is no way for the registry to prevent this owing to the way DNS works. However, it can be mitigated by fast detection of a flawed zone, fast action to back out the newest set of updates, and fast convergence among the slaves on the reversion to the old zone data under a new serial number.

3.5.1 A Note on TSIG and DNSSEC

A critical component of our strategy for operating .org is the ability to sign the zone in accordance with the protocol extensions documented in RFC 2535[2] and RFC 2845[33]. This commitment is undertaken both in the belief that this technology is critical to the future usefulness of the DNS and in accordance with our commitment to furthering the development of Internet technology through implementation and test. We have to date contributed heavily to the development of these protocol extensions, from protocol design to implementation and interoperability test activities.

The TSIG component of the DNS security standards has been stable for some time now and is beginning to see significant use among DNS operators. It is used to sign zone transfers between nameservers and we anticipate being able to use it to sign transfers of .org to slave servers at the launch of our service.

TSIG requires the use of a "shared secret" key and good time synchronization between servers, which in turn imposes a requirement for a basic level of coordination between separate operators for the same zone. We do not anticipate a problem in reaching an agreement with VeriSign, in accordance with their current practices and those of other registries, for the management of TSIG keys during the period in which their nameservers will be part of the authoritative server set for .org.

DNSSEC standardization for data signatures is incomplete, as the technology remains subject to the usual cycles of protocol refinement, implementation, test, and protocol tweaking. A critical phase of prelaunch will be to finalize our processes for signing the .org zone around the current state of standardization and implementation at that time. The process will include:

• A process for managing the relationship between the .org registry and its delegated zones regarding information exchange. A large remaining area of uncertainty in the final standardization of DNSSEC surrounds the specifics of a parent signing a delegation as unsecured or signing a reference to a child's zone key. We will in this area implement the current technology as consistent with other constraints, including interoperability with existing client DNS software and the performance limitations inherent in the current standard on the time it takes to sign a zone and the size of the resulting signed zone. We will also contribute code and developer time to the ongoing effort to implement, test, and refine the standard.
• Generation and propagation of keys for the .org zone.
• Cooperation with other registries and interested parties in developing Best Practices and operational documentation for registrars and ISPs on how to use zone signatures for delegations in .org. Such documentation is within the charter of the IETF DNSOP WG and will be offered accordingly.
• Development of key management procedures for the zone keys for .org, including publication, rollover, and access control. There is little available experience or guidance as yet in the community for balancing security, scalability, and operations concerns in such areas as determining