
Security Response Waiver (SRW) Requests for Registry Operators

Please note that the English language version of all translated content and documents are the official versions and that translations in other languages are for informational purposes only.

The Security Response Waiver (SRW) service was established for gTLD registries to request a contractual waiver for actions they might take, or have taken, to mitigate or eliminate a present or imminent security incident to a gTLD and/or the DNS. A contractual waiver is an exemption from compliance with a specific provision of the Registry Agreement for the time period necessary to respond to the incident. The SRW has been designed to allow operational security to be maintained around an incident while keeping relevant parties (e.g., ICANN org, other affected providers) informed as appropriate.

In August 2021, ICANN org expanded the Expedited Registry Security Response (ERSR) service to enable registrars to submit waiver requests. As a result, the ERSR service was renamed the Security Response Waiver (SRW) service.

A registry may request this service when one or more of the following incidents occur:

  • A malicious activity involving the DNS of such scale and severity that it threatens systematic security, stability, and resiliency of a gTLD or the DNS.
  • An occurrence with the potential to cause a temporary or long-term failure of one or more of the critical functions of a gTLD registry as defined in ICANN's Registry Transition Process.
  • An unauthorized disclosure, alteration, insertion, or destruction of registry data, or the unauthorized access to or disclosure of information or resources on the Internet by systems operating in accordance with all applicable standards.
  • A court order from a law enforcement agency with jurisdiction over the registry which requires the registry to take action due to a specific security threat.

The SRW service is exclusively for security incidents requiring immediate action by the registry. This service is not intended to replace requests that should be made through the Registry Services Evaluation Policy (RSEP).

Registry SRW Process

ICANN org recognizes registries may be required to take immediate action to prevent or address an incident in some instances due to extraordinary circumstances. In such cases, registries should submit an SRW request as soon as possible so that ICANN org may respond with a retroactive waiver if appropriate.

There are three phases in the SRW process:

  1. Submit SRW Request: Registries may initiate an SRW request by submitting a Security Response Waiver case via the Naming Services portal. In the submission, the registry must:

    1. Indicate whether action has already been taken.
    2. Indicate if action is urgent and the waiver is required prior to taking action.
    3. Provide a description of the incident and details on how the registry plans to respond, or has responded to, the incident.
    4. Include the provision(s) of the Registry Agreement the registry is requesting to waive.
  2. Review of SRW Request: ICANN org will review the SRW request and provide a response. ICANN org may request additional information, if necessary, to ensure a comprehensive review and consideration of the SRW request. The requestor will be asked to provide such information expeditiously. On a case-by-case basis, ICANN org may contact the registry and/or an external authority (e.g., law enforcement agency, security researcher, etc.) to confirm the incident.
  3. Determination and Response: ICANN org will respond in writing within 15 calendar days of receipt of all required information with either (i) a waiver or retroactive waiver, if appropriate, (ii) an update to an existing waiver, (iii) a determination that the request is in scope of an existing waiver, or (iv) a determination that a waiver will not be granted, including rationale. If indicated within the submission that action is urgent and the waiver is required prior to taking action, registries will receive an expedited response from ICANN org.

Following a response to an SRW request, ICANN org, in collaboration with the affected registry, may develop an After Action Report that may be made publicly available. If an After Action Report is to be published, ICANN org and the affected registry will jointly review which sections of the SRW request and After Action Report should be redacted to ensure confidential and proprietary information is protected.

Summary Analysis of SRW Requests: 2019-2020

This section provides information on the outcomes of requests for Security Response Waivers (SRWs), including those previously referred to as Expedited Registry Security Requests (ERSRs). ICANN org plans to update the below data on an annual basis.

Annual Number of Requests Processed

| Waivers Issued | 2019 | 2020 |
|---|---|---|
| Total number of requests received | 4 | 4 |
| Number of generic top-level domains (gTLDs) covered by requests | 8 | 6 |
| Number of new waivers issued | 1 | 4 |
| Number of waivers not granted | 0 | 0 |
| Number of requests deemed in scope of an existing waiver | 3 | 0 |
| Number of requests that resulted in an update to an existing waiver | 0 | 0 |

Request Details

| Metrics | 2019 | 2020 |
|---|---|---|
| Approximate number of domain names subject to the request* | 5,600 domain names | 1,600 domain names |
| Number of requests made in advance of action taken on the domain names | 4 | 3 |
| Number of requests made after action was taken on the domain names | 0 | 1 |

* Note: These numbers do not include ongoing actions such as those taken by registry operators, law enforcement agencies, and closed court orders.

Average Processing Duration

The below metrics show the average time it took for ICANN org to process a request from submission of a fully completed questionnaire through to the registry operator receiving a response from ICANN org.

| Waiver Response | 2019 | 2020 |
|---|---|---|
| Issuance of the waiver | 2 business days | 4 business days |
| Notification that the waiver is not granted | N/A | N/A |
| Notification that the request is in scope of an existing waiver | 1 business day | N/A |
| Issuance of updated existing waiver | N/A | N/A |

Archive

This webpage was updated in May 2022 as part of improvements made to the service. The archived Expedited Registry Security Response (ERSR) webpage is available here.
