Registry Data Escrow Specification
Internet Corporation for Assigned Names and Numbers
12025 Waterfront Drive, Suite 300Los AngelesCA90292United States of America+1.310.823.9358gustavo.lozano@icann.orgdata escrowregistryThis document specifies the format and contents of data escrow
deposits targeted primarily for domain name registries. The
specification is designed to be independent of the underlying
objects that are being escrowed, and therefore it could also be used for
purposes other than domain name registries.Introduction
Registry Data Escrow (RDE) is the process by which a registry periodically submits data
deposits to a third party called an escrow agent. These deposits comprise the
minimum data needed by a third party to resume operations if the registry
cannot function and is unable or unwilling to facilitate an
orderly transfer of service.
For example, for a domain name registry or registrar, the data to be deposited
would include all of the objects related to registered domain names, e.g.,
names, contacts, name servers.
The goal of data escrow is higher resiliency of registration services, for the benefit of Internet users. The beneficiaries of a registry are not just those registering information there but also the users of services relying on the registry data.
In the context of domain name registries, registration data escrow is
a requirement for generic Top-Level Domains (gTLDs) (e.g.,
Specification 2 of the ICANN Base Registry Agreement; see
), and
some country code TLD (ccTLD)
managers are also currently escrowing data.
There is also a similar requirement for ICANN-accredited
domain registrars.
This document specifies a format for data escrow deposits independent of the objects being escrowed. An independent specification is required for each type of registry/set of objects that is expected to be escrowed.
The format for data escrow deposits is specified using version
1.0 of the Extensible Markup Language (XML) as described in , and XML Schema notation as described in and .
Readers are advised to read ("Terminology") carefully to understand the precise meanings of Differential and Incremental Deposits, as the definitions used in this document are different from the definitions typically used in the domain of data backups.
TerminologyThe key words "MUST", "MUST NOT",
"REQUIRED", "SHALL",
"SHALL NOT", "SHOULD",
"SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.
Deposit:
There are three kinds of deposits: Full, Differential, and
Incremental. For all three kinds of deposits, the
universe of registry objects to be considered for data escrow
is comprised of any objects required to offer the registry services.
Differential Deposit:
A Differential Deposit contains data that reflects all transactions involving the database
that were not reflected in the last previous Full, Incremental, or Differential Deposit, as the case may
be. Differential Deposit files will contain information from all database objects that were added,
modified, or deleted since the previous deposit was completed as of its defined Timeline Watermark.
Domain Name:
See the definition of "domain name" in .
Escrow Agent:
An escrow agent is the organization designated by the registry or the third-party beneficiary to receive and
guard data escrow deposits from the registry.
Full Deposit:
A Full Deposit contains the registry data that reflects the current and complete registry
database and will consist of data that reflects the state of the registry as of a defined
Timeline Watermark for the deposit.
Incremental Deposit:
An Incremental Deposit contains data that reflects all transactions involving the database that were not
reflected in the last previous Full Deposit. Incremental Deposit files will contain information from
all database objects that were added, modified, or deleted since the previous Full Deposit was completed
as of its defined Timeline Watermark. If the Timeline Watermark of an
Incremental Deposit were to cover the Timeline Watermark of another
Incremental or Differential Deposit since the last Full Deposit
(i.e., one or more Incremental or Differential Deposits exist for
the period between the Timeline Watermark of a Full Deposit and an
Incremental or Differential Deposit), the more recent deposit MUST
contain all of the transactions of the earlier deposit.
Registrar:
See the definition of "registrar" in .
Registry:
See the definition of "registry" in .
Third-Party Beneficiary:
A third-party beneficiary is the organization that, under extraordinary circumstances, would receive the
escrow deposits the registry transferred to the escrow agent. This organization could be a backup
registry, registry regulator, contracting party of the registry, etc.
Timeline Watermark:
The Timeline Watermark is the point in time on which to base the collecting of database objects for a deposit.
Deposits are expected to be consistent with that point in time.
Top-Level Domain (TLD):
See the definition of "Top-Level Domain" in .
Problem Scope
In the past few years, the issue of registry continuity has
been carefully considered in the gTLD and
ccTLD spaces. Various organizations have carried out risk analyses and developed business continuity plans to
deal with those risks, should they materialize.
One of the solutions considered and used, especially in the gTLD space, is Registry Data Escrow as a
way to ensure the continuity of registry services in the extreme case of registry failure.
So far, almost every registry that uses Registry Data Escrow has its own specification. It is
anticipated that more registries will be implementing escrow, especially with an increasing number of domain
registries coming into service, adding complexity to this issue.
It would seem beneficial to have a standardized specification for Registry Data Escrow that can be used
by any registry to submit its deposits.
While the domain name industry has been the main target for this specification, it has been designed to be as general as possible.
Specifications covering the objects used by registration organizations shall identify the format and contents of the deposits a
registry has to make, such that a different registry would be able to rebuild the registration
services of the former, without its help, in a timely manner and with minimum disruption to its users.
Since the details of the registration services provided vary from registry to registry, specifications covering the objects
used by registration organizations shall provide mechanisms that allow extensibility to accommodate variations and
extensions of the registration services.
Given the requirement for confidentiality and the importance of accuracy of the information that is handled in order to offer
registration services, parties using this specification shall define confidentiality and integrity mechanisms for handling
the registration data.
Specifications covering the objects used by registration organizations shall not include in the specification
transient objects that can be recreated by the new registry, particularly those of delicate confidentiality,
e.g., DNSSEC KSK/ZSK (Key Signing Key / Zone Signing Key) private keys.
Details that are a matter of policy should be identified as such for the benefit of the implementers.
Non-technical issues concerning data escrow, such as whether
to escrow data and for what purposes the data may
be used, are outside the scope of this document.
Parties using this specification shall use a signaling mechanism to control the transmission, reception, and validation of data escrow deposits. The definition of such a signaling mechanism is outside the scope of this document.
Conventions Used in This Document
The XML namespace prefix "rde" is used for the namespace
"urn:ietf:params:xml:ns:rde-1.0", but implementations MUST NOT depend on it;
instead, they should employ a proper namespace-aware XML parser
and serializer to interpret and output the XML documents.
The XML namespace prefixes "rdeObj1" and "rdeObj2", with the corresponding namespaces "urn:example:params:xml:ns:rdeObj1-1.0" and
"urn:example:params:xml:ns:rdeObj2-1.0", are used as example data escrow objects.
Date and Time
Numerous fields indicate "dates", such as the creation and expiry
dates for objects. These fields SHALL contain timestamps indicating
the date and time in UTC, specified in Internet Date/Time Format
(see ) with the time-offset parameter specified as "Z".
Protocol DescriptionThe format for data escrow deposits as produced by a registry is
defined below. The deposits are represented in XML ().
Only the format of the objects deposited is defined. This document
does not prescribe the method used to transfer such deposits between
the registry and the escrow agent or vice versa.The protocol intends to be object agnostic, allowing the "overload"
of abstract elements using the "substitutionGroup" attribute
of the XML Schema element to define
the actual elements of an object to be escrowed.
The specification for each object to be escrowed MUST declare the identifier to be
used to reference the object to be deleted or added/modified.
Root Element <deposit>
The container or root element for a Registry Data Escrow deposit is <deposit>.
The <deposit> element contains the following attributes:
A REQUIRED "type" attribute that is used to identify the kind of deposit:
FULL: Full.
INCR: Incremental.
DIFF: Differential.
A REQUIRED "id" attribute that is used to uniquely identify the escrow deposit.
Each registry is responsible for maintaining its own escrow deposits' identifier
space to ensure uniqueness.
A "prevId" attribute that can be used to identify the previous
Incremental, Differential, or Full Deposit. This attribute is REQUIRED
in Differential Deposits ("DIFF" type), is OPTIONAL in Incremental
Deposits ("INCR" type), and is not used in Full Deposits ("FULL"
type).
An OPTIONAL "resend" attribute that is incremented
each time the escrow deposit failed the verification procedure at the receiving party
and a new escrow deposit needs to be generated by the registry for that specific date.
The first time a deposit is generated, the
attribute either (1) is omitted or (2) MUST be "0".
If a deposit needs to be generated again, the attribute MUST be set to "1", and so on.
The <deposit> element contains the following child elements:
Child <watermark> Element
A REQUIRED <watermark> element
contains the date-time corresponding to
the Timeline Watermark of the deposit.Child <rdeMenu> Element
This element contains auxiliary information regarding the data escrow deposit.
A REQUIRED <rdeMenu> element contains the following child elements:
A REQUIRED <version> element that identifies the RDE protocol version. This value MUST be 1.0.
One or more <objURI> elements that contain namespace URIs
representing the <contents> and <deletes> element objects.
Child <deletes> ElementFor Differential Deposits, this element contains the list of objects that have
been deleted since the previous deposit of any type. For Incremental
Deposits, this element contains the list of objects that have been deleted
since the previous Full Deposit.
This section of the deposit MUST NOT be present in Full Deposits.
Child <contents> ElementFor Full Deposits, this element contains all objects. For Differential
Deposits, this element contains the list of objects that have been added or
modified since the previous deposit of any type. For Incremental Deposits,
this element contains the list of objects that have been added or modified
since the previous Full Deposit.
Rebuilding the Registry from Data Escrow Deposits
When applying Incremental or Differential Deposits (when rebuilding
the registry from data escrow deposits), the relative order of the
<deletes> and <contents> elements is important because dependencies
may exist between the objects. All of the <deletes> elements MUST be applied
first, in the order in which they appear. All of the <contents> elements
MUST be applied next, in the order in which
they appear.
If an object is present in the <contents> or
<deletes> section of several deposits (e.g., Full
and Differential), the registry data from the latest
deposit (as defined by the Timeline Watermark)
SHOULD be used when rebuilding the
registry. An object SHOULD NOT exist
multiple times in either the <contents> or
<deletes> elements in a single deposit.When rebuilding a
registry, the
<deletes> section MUST be ignored if present in a Full Deposit.Formal SyntaxRDE is specified in XML Schema notation. The formal syntax presented
here is a complete schema representation of RDE suitable for
automated validation of RDE XML instances.The <CODE BEGINS> and <CODE ENDS> tags are not part of the schema; they are used to note
the beginning and ending of the schema for URI registration purposes.RDE Schema
Registry Data Escrow schema
]]>Internationalization Considerations
Data escrow deposits are represented in XML, which provides native support for encoding information
using the Unicode character set and its more compact representations, including UTF-8. Conformant XML
processors recognize both UTF-8 and UTF-16. Though XML includes provisions to identify and use other
character encodings through the use of an "encoding" attribute
in an <?xml?> declaration, the use of UTF-8
is RECOMMENDED.
IANA Considerations
This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in .
Two URI assignments have been registered by the IANA.
Registration for the RDE namespace:
URI:
urn:ietf:params:xml:ns:rde-1.0
Registrant Contact:
IESG
XML:
None. Namespace URIs do not represent an XML specification.
Registration for the RDE XML schema:
URI:
urn:ietf:params:xml:schema:rde-1.0
Registrant Contact:
IESG
See ("Formal Syntax") of this document.Security Considerations
This specification does not define the security mechanisms to be used in the transmission of the data escrow
deposits, since it only specifies the minimum necessary to enable the rebuilding of a registry from
deposits without intervention from the original registry.
Depending on local policies, some elements -- or, most likely,
the whole deposit -- will be considered confidential. As such, the parties SHOULD take all necessary precautions, such as encrypting the data at rest and in transit to avoid inadvertent disclosure of private data. Regardless of the precautions taken by the parties regarding data at rest and in transit, authentication credentials MUST NOT be escrowed.
Authentication of the parties passing data escrow deposit files is also of the utmost importance. The
escrow agent MUST properly authenticate the identity of the registry before accepting data escrow
deposits. Similarly, the registry MUST authenticate the identity of the escrow agent
before submitting any data.
Additionally, the registry and the escrow agent
MUST use integrity-checking mechanisms to
ensure that the
data transmitted is what the source intended. Validation of the contents by the escrow agent is RECOMMENDED
to ensure not only that the file was transmitted correctly from the registry but also that the contents are
"meaningful".
Privacy Considerations
This specification defines a format that may be used to escrow personal data.
The process of data escrow is governed by a legal document agreed upon by the
parties, and such a legal document must ensure that privacy-sensitive and/or personal data receives the required protection.
Example of a Full DepositExample of a Full Deposit with the two example objects rdeObj1 and rdeObj2:2019-10-17T23:59:59Z1.0urn:example:params:xml:ns:rdeObj1-1.0urn:example:params:xml:ns:rdeObj2-1.0EXAMPLEfsh8013-EXAMPLE]]>Example of a Differential DepositExample of a Differential Deposit with the two example objects rdeObj1 and rdeObj2:2019-10-18T23:59:59Z1.0urn:example:params:xml:ns:rdeObj1-1.0urn:example:params:xml:ns:rdeObj2-1.0EXAMPLE2sh8014-EXAMPLE]]>Example of an Incremental DepositExample of an Incremental Deposit with the two example objects rdeObj1 and rdeObj2:2020-03-16T23:59:59Z1.0urn:example:params:xml:ns:rdeObj1-1.0urn:example:params:xml:ns:rdeObj2-1.0EXAMPLE1fsh8013-EXAMPLEEXAMPLE2sh8014-EXAMPLE]]>ReferencesNormative ReferencesExtensible Markup Language (XML) 1.0 (Fifth Edition)REC-xml-20081126XML Schema Part 1: Structures Second EditionREC-xmlschema-1-20041028XML Schema Part 2: Datatypes Second EditionREC-xmlschema-2-20041028Informative ReferencesBase Registry AgreementICANNAcknowledgments
Special suggestions that were incorporated into this document
were provided by , , , , ,
, , , , , ,
, , , , , , ,
, , , , , , and
.
and participated
as coauthors through version 07 of
draft-arias-noguchi-registry-data-escrow (the precursor to
this document) and provided invaluable support for this
document.