Registry Lock
Introduction
Consultation is closed
- Submissions open: Wednesday 16 September 2020
- Submissions close: Wednesday 7 October 2020
The information below gives some background about the proposed Registry Lock. Please read the draft policy wording section before making your submission. The question we are asking is: “Do you consider the policy wording accurately and adequately reflects the proposed Registry Lock service?” You will also have an opportunity to provide any other comments or feedback relating to the proposed Registry Lock.
Note that this consultation is separate from the full .nz policy review, because of timing impacts on business processes, product design and product build. There will be another chance to have your say on the Registry Lock in the next phase of the full .nz policy review.
If you wish to contact us regarding the consultation, please email registrylock@internetnz.net.nz.
Overview
This policy consultation describes a proposed new wholesale service that InternetNZ is currently considering for the .nz domain name space: a wholesale Registry Lock service, designed to offer improved security for registrants who choose to apply it to their .nz domain names. The wholesale Registry Lock would involve an additional cost, to be paid by the registrar.
As part of InternetNZ’s decision-making process, before making any final decision to implement the wholesale Registry Lock, InternetNZ wishes to consult with stakeholders, to seek feedback and better inform InternetNZ’s decision-making process.
In this policy consultation, we set out:
- what the wholesale Registry Lock is
- the circumstances in which it might be a useful addition to the .nz registry
- how registrants might access the Registry Lock (if they wish to do so)
- why a policy change is required to allow a Registry Lock to be made available
- the impact on various stakeholders
- the draft proposed additional wording to the .nz policy framework to accommodate the provision of the wholesale Registry Lock service.
We invite you to provide your feedback on any aspect of the proposal outlined in this consultation. We are particularly interested in feedback on the proposed changes to the .nz policies and whether the proposed wording provides the necessary clarity on what is changing to enable InternetNZ to offer the wholesale Registry Lock service as described.
Please note that the proposal described here is for the offer by InternetNZ of a wholesale Registry Lock service to registrars, for the registrar to then make available to their registrants, if the registrar wishes to do so. It will be a question for each registrar as to whether or not to offer a retail Registry Lock service to its registrants.
Please note that other, more widespread changes to the .nz policy framework are likely to be proposed after InternetNZ has considered the recommendations of the .nz Advisory Panel. Any proposed amendments to InternetNZ’s broader .nz policy framework resulting from the .nz Advisory Panel’s recommendations will be dealt with as part of a later consultation process. It is for this reason we are undertaking a separate consultation process relating to the wholesale Registry Lock at this time, and that we have proposed stand-alone provisions for Registry Lock, rather than integrating changes throughout the existing policies.
Registry Lock - what is it?
The wholesale Registry Lock service InternetNZ is proposing to offer to registrars (the Lock) is a security product that registrars can choose to offer as a retail product to registrants. It will provide an additional layer of security to protect against unauthorised changes to the registrant’s .nz domain name in the registry.
When the Lock is in place, it prevents any changes being made to a domain name’s information in the .nz registry, except where the registry has been instructed by the registrant (or the registrant’s agent) to remove the Lock. This includes not being able to change:
- Any registrant, registrar, administrative or technical contact details
- The DNS records or any DNSSEC records held by the .nz registry
- The registrar of record (that is, transfers are not allowed)
- The delegation setting of the domain name (whether it is in the zone or not)
- The privacy settings of the domain name (whatever privacy status is in force is maintained).
Note that the Lock does not interfere with any of the powers of the Domain Name Commission under the .nz policy framework. The Commission can take actions that supersede the Registry Lock.
Registrants would opt into purchasing the retail Lock through their registrar (provided that the registrar elects to offer the Lock service). The registry would implement the Lock at the request of the registrar, and credentials would be issued to the registrant or their nominated agent after identity checks. They would then become the trusted contacts for future Lock actions on the domain name. In the rest of this consultation, “registrant” includes both the registrant directly and their nominated agent.
To unlock the domain for a period of time in order to make changes, or to cancel the Lock on a domain altogether, a trusted contact would make a request to the registry directly. The registry verifies the request against the pre-issued credentials and actions it only once that verification has succeeded.
The key audiences for these types of opt-in locking services are those that manage domain names or portfolios of .nz domain names of significant brands or those domains where trust is of key importance.
The Registry Lock service being considered by InternetNZ, described here, is a wholesale service that InternetNZ will offer to registrars. It will be a decision for each registrar as to whether or not to offer the Lock as a retail service to its registrants, and the terms on which the retail Lock service will be offered to registrants (including the retail cost).
Because the Registry Lock service gives rise to interactions between each of the registrant, the registry and the registrar, and their respective roles and responsibilities need to be identified, InternetNZ will supply the Lock service under new Registry Lock service terms and conditions, to be developed by InternetNZ to support this initiative.
How does Registry Lock help with security?
As in other areas of the Internet, threats to the DNS are increasing. Registry Lock services are increasingly used globally as an out-of-band control that limits the damage when the credentials or systems used to manage a domain name are compromised. While no single security enhancement, including the Lock, can provide 100% mitigation against malicious activity, a registry lock adds another layer to the overall protection of a .nz domain name.
The Lock is intended to deliver a higher level of security by reducing the flexibility to change the domain name’s attributes. It will also require out-of-band authentication to remove the Lock and allow changes, which differs from the usual business process (where the registrar has full authority to change any aspect of the name).
Some of the security situations the Lock can help to mitigate are:
- Compromise of a registrant’s systems, where a bad actor obtains the registrar portal login details for the domain name. They could then change nameservers, contacts and other registry-related information for the domain in order to hijack it, or to disrupt services that depend on it, such as email and websites. A domain with an active Lock would reject any of these changes unless a trusted contact is also verified out-of-band, by phone, by providing a predetermined security code.
- Compromise of a registrar’s systems, where a bad actor can make changes to one or several domain names in the registry. Locked domains would reject those changes unless the extra out-of-band verification of a trusted contact is also performed, which waives the Lock for a short window so that valid changes can be made.
How would people sign up for Registry Lock?
The Lock service described here is a wholesale service to be offered by InternetNZ to registrars; the retail point of sale for registrants would be the registrar. A registrar that chooses to offer the retail Lock service would be able to initiate a Lock on receiving an instruction from the registrant to lock the domain name. Registrars will not be required to offer this additional service from the registry; it is opt-in. The decision whether or not to use the Lock for a particular domain name is made by the registrant, who must use a registrar that offers the Lock service in order to do so. It is anticipated that the wholesale Lock would be subscribed for by the registrar for a minimum term of 12 months and renewed automatically at the end of each 12 month term.
Registrars would determine their own methods for making the service available to their customers and capturing the relevant information needed to initiate the Lock in the registry. This includes accurate contact information for the registrant or their nominated agent who will become a trusted contact for the domain name.
The registry then makes contact with the registrant, either via the registrant contact information in the registry or via the information provided by the registrar. The only registry-to-registrant contact would be to run the following process:
1. Contacting the registrant or their agent to confirm the lock request was made to the registrar
2. Establishing the out-of-band verification challenge process
3. Running the verification process
4. Changing the locked status of the domain name
A temporary or permanent unlock request would use steps 3 and 4 above.
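To make the behaviour described in “How does Registry Lock help with security?” and in the sign-up process above concrete, the following Python model shows the registry-side gate that a locked domain would impose. It is an added illustration for this page, not InternetNZ code or a description of the actual .nz registry design. Its assumptions: a one-hour temporary unlock window (the page only says “a short window”), a random token hashed with SHA-256 standing in for the phone call plus predetermined security code, and a toy domain record with a handful of fields. The renewal exemption follows proposed clause 25.4, the transfer rule follows the “Transfer of domains between registrars” section, and the DNCL override follows clause 25.9.

```python
"""Registry-side model of the proposed .nz Registry Lock (added example, not InternetNZ code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

UNLOCK_WINDOW_SECONDS = 3600  # assumed; the page only says "a short window"


class LockedError(Exception):
    """A change was refused because the Registry Lock is in force."""


class VerificationError(Exception):
    """The out-of-band credential check failed."""


@dataclass
class Domain:
    name: str
    registrar: str
    nameservers: list
    registrant_contact: str
    expiry_year: int
    locked: bool = False
    unlock_until: float = 0.0     # end of the current temporary unlock window (epoch seconds)
    credential_hash: bytes = b""  # SHA-256 of the credential issued to the trusted contact


class Registry:
    """Gate that every registrar-initiated change has to pass."""

    def __init__(self, *domains):
        self.domains = {d.name: d for d in domains}

    def enable_lock(self, name, requesting_registrar):
        """Lock the name and return the credential handed to the trusted contact out-of-band
        (modelled as a random token). Only its hash is kept, so a registry data leak does not expose it."""
        d = self.domains[name]
        if requesting_registrar != d.registrar:
            raise PermissionError("only the registrar of record may request the Lock")
        if d.locked:
            raise LockedError(f"{name} is already locked")
        credential = secrets.token_urlsafe(16)
        d.credential_hash = hashlib.sha256(credential.encode()).digest()
        d.locked, d.unlock_until = True, 0.0
        return credential

    def _verify(self, d, credential):
        """Stand-in for the phone call plus predetermined security code (constant-time compare)."""
        presented = hashlib.sha256(credential.encode()).digest()
        if not d.locked or not hmac.compare_digest(presented, d.credential_hash):
            raise VerificationError("out-of-band verification failed")

    def temporary_unlock(self, name, credential, now):
        """Open a short window during which ordinary registrar changes go through."""
        d = self.domains[name]
        self._verify(d, credential)
        d.unlock_until = now + UNLOCK_WINDOW_SECONDS
        return d.unlock_until

    def cancel_lock(self, name, credential):
        """Remove the Lock outright; the old credential stops working."""
        d = self.domains[name]
        self._verify(d, credential)
        d.locked, d.unlock_until, d.credential_hash = False, 0.0, b""

    def dncl_remove_lock(self, name):
        """Clause 25.9: DNCL can order the Lock off without the trusted contact."""
        d = self.domains[name]
        d.locked, d.unlock_until, d.credential_hash = False, 0.0, b""

    def update(self, name, now, **changes):
        """Normal registrar channel: contact or nameserver changes, refused while the Lock bites."""
        d = self.domains[name]
        if d.locked and now >= d.unlock_until:
            raise LockedError(f"{name} is locked; a verified unlock is required first")
        for field_name, value in changes.items():
            if field_name not in ("nameservers", "registrant_contact"):  # never lock/credential fields
                raise ValueError(f"not an updatable field: {field_name}")
            setattr(d, field_name, value)
        return d

    def renew(self, name):
        """Renewals are the one change that still flows while locked (clause 25.4)."""
        d = self.domains[name]
        d.expiry_year += 1
        return d.expiry_year

    def transfer(self, name, new_registrar):
        """A transfer needs the Lock cancelled, not just temporarily unlocked (gaining registrar may not offer it)."""
        d = self.domains[name]
        if d.locked:
            raise LockedError(f"{name}: cancel the Lock before transferring")
        d.registrar = new_registrar
        return d


if __name__ == "__main__":
    r = Registry(Domain("example.co.nz", "reg-a", ["ns1.example.net"], "ops@example.co.nz", 2021))  # constructed
    cred = r.enable_lock("example.co.nz", "reg-a")
    r.temporary_unlock("example.co.nz", cred, now=1000.0)
    print(r.update("example.co.nz", now=1500.0, nameservers=["ns2.example.net"]).nameservers)
```

Two design points worth noting. The registrar channel (`update`) never touches the lock or credential fields, so a compromised registrar session cannot simply write `locked=False`; only the out-of-band path (`temporary_unlock`, `cancel_lock`) or a DNCL order can. And the registry stores only a hash of the credential and compares it in constant time, so neither a registry data leak nor a timing side channel hands an attacker the code.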
What would the impact be on key parties?
The following table highlights the impacts of the introduction of this service on some key parties in the .nz domain name space.
Party | Impacts
Registrants |
Registrars |
Registry |
DNCL |
Why is a policy change required?
In order to offer the Lock InternetNZ will need to make some changes to the .nz policies. These changes relate to:
- the ability of the registry to contact registrants directly, and to collect and hold registrant information, in each case as is relevant to the Lock service, and
- the transfer of domain names between registrars.
Dealing with registrants
The .nz policies currently prohibit the registry (InternetNZ) dealing directly with registrants. This was introduced in 2002 to protect the wholesale-only model of registration service and to prevent InternetNZ competing with registrars for retail business in the new Shared Registry System environment.
It is not possible to offer the Lock without the registry being able to contact the registrant directly and vice versa. The Lock service relies on setting up an out-of-band security mechanism between the registry and the registrant for the purpose of verifying a request and validating that an action related to the Lock is legitimate.
This means InternetNZ will need to make a change to the .nz policies to authorise the registry to contact a registrant for the purposes of operating the Lock and to collect and hold information about the registrant relevant to the Lock service.
Transfer of domains between registrars
The .nz policies require a domain name to be able to be transferred from one registrar to another at any time, on instructions of the registrant. This is to prevent a registrant being captured by a registrar, and to facilitate a competitive market. The Lock, when active, prevents the transfer of a domain name.
What we are proposing is that if the registrant of a locked domain wishes to transfer that domain to another registrar, the Lock will need to be removed permanently first: the existing Lock arrangement must be cancelled outright by the registrant. Domains cannot be transferred to another registrar with a Lock intact, because not all registrars will be offering the service. The registrant may opt to relock the domain with the new registrar, but only if that registrar offers the Lock service; this would be a completely new locking arrangement, on such terms and conditions as are agreed between the registrant and the new registrar. Therefore, if a registrant requires the Lock service and not all registrars elect to offer it, there may be some limitations on which registrars that registrant can use, and the registrant will need to enter into a new Lock arrangement with the new registrar. The terms under which a registrant who has subscribed for the retail Lock service can terminate that service will be prescribed by the relevant registrar’s terms and conditions.
Wording of proposed policy changes
The following provisions would be inserted into the Operations and Procedures Policy, and would become a new section 25 at the end of the document. This is to avoid renumbering sections in the short term, in the expectation that a number of changes to the policy framework will be proposed as part of the .nz Policy Review. Section 25 contemplates the specific provision of the Registry Lock service will be in accordance with InternetNZ’s Registry Lock service terms and conditions.
Proposed policy wording
25. Registry Lock Service
25.1 InternetNZ offers a Registry Lock service, where a domain name can be locked at the request of the registrant.
25.2 The Registry Lock is a service that a registrant can subscribe for (provided that the Registry Lock service is offered by the relevant registrar, who has subscribed for the wholesale Registry Lock service from InternetNZ) to reduce the risk of unauthorised changes to the registrant’s .nz domain name in the register. The retail Registry Lock will be supplied by the registrar to the registrant on the terms agreed between them. Under the Registry Lock service, the registrant authorises InternetNZ to “lock” the registrant’s .nz domain name in the register. The registrant (or the registrant’s agent) must then authorise InternetNZ to unlock the domain name to enable changes to be made to such fields as are identified in the Registry Lock service terms and conditions, such as (by way of example):
25.2.1 any registrant, registrar, administrative or technical contact details;
25.2.2 the DNS records or any DNSSEC records held by the .nz registry;
25.2.3 any transfer of the registrar of record;
25.2.4 the delegation setting of the domain name (whether it is in the zone or not);
25.2.5 the privacy settings of the domain name (whatever privacy status is in force is maintained); and
25.2.6 such other fields as are determined by the Registry Lock service terms and conditions from time to time consistent with a Registry Lock service.
25.3 The wholesale Registry Lock service will be provided by InternetNZ in accordance with InternetNZ’s then current Registry Lock service terms and conditions (as amended by InternetNZ from time to time). InternetNZ can collect, hold, and use such information about a registrant (or the registrant’s agent) as is reasonably necessary for InternetNZ to operate the Registry Lock service subscribed for by that registrant.
25.4 When a domain name is locked by the Registry Lock service, no attributes of the domain name can be changed in the register by the usual process of a registrar acting on the registrant’s request. The exception to this will be that renewals will continue to be processed.
25.5 The channel for registrants to purchase the Registry Lock service is the registrar. InternetNZ is only involved at the retail level to verify a request to commence the Registry Lock service for the registrar and to temporarily suspend or cancel the Registry Lock service, in which case InternetNZ will make direct contact with the registrant and the registrar. Registrars are not required to offer the Registry Lock service.
25.6 The Lock service will remain in force only while the domain name registration remains active.
25.7 This section 25 of the Operations and Procedures Policy overrides any provisions of the .nz policies that are otherwise inconsistent with this section 25 or InternetNZ’s then current Registry Lock service terms and conditions.
25.8 Regardless of a domain being subject to the Registry Lock service, DNCL can take actions affecting that domain name that are authorised by other provisions of the .nz policy framework. If such an action includes a DNCL-ordered lock then its provisions will apply, e.g. in respect of billing renewal being suspended. A registrant can remove the Registry Lock service but this would have no impact on the DNCL-ordered lock conditions.
25.9 Where a domain is locked and the registrant is unable to meet the criteria to make an authorised removal of the Registry Lock (either temporarily or to cancel the locking service), DNCL can order that the Registry Lock be removed from a domain name, just as DNCL can order that a domain be locked when it is under investigation. This may also occur where a Registry Lock comes under dispute. This order to remove a Registry Lock is independent of DNCL’s ability to lock the same domain name for the investigative or other dispute-related purposes that the DNC currently undertakes.
Consultation questions
This consultation is now closed.
What happens next?
InternetNZ is considering all the issues raised in the feedback, and will decide the next steps after that has happened.
Submissions
Domain Name Commission
30 September
The Domain Name Commission has published its submission on its website. Read the Domain Name Commission's submission.
Jed Laundry
17 September 2020
Do you consider the policy wording accurately and adequately reflects the proposed Registry Lock service?
No
Do you have any other comments about the proposed Registry Lock service?
Hello,
I welcome the introduction of the Registry Lock service, and I believe this will be a useful service.
I believe there are 3 areas that need to be addressed before the changes are accepted:
- The cost of the service. The service as described will require system changes by the Registrants, as well as introduce new operational costs for DNCL, and therefore I agree there should be an additional cost; however, this cost needs to consider small business and individuals who are targeted, and not just big businesses who can afford the additional protection. While this shouldn't necessarily be prescribed in the policy, indicative pricing should be provided during this consultation phase.
- Recovering lock credentials in the event of accidental loss. There should be a defined procedure in the policy for recovering locked domains, and if these procedures require in-person verification of identity, then these verification steps should also be required before the domain is locked (i.e., verification that the unlock could occur if required in the future).
- Clarity on what happens to domains that are not renewed when a domain lock is active. 13.13 prevents locked domains from entering the billing extraction process, with the expectation that the domain would be unlocked first and then a billing 'catch-up' would occur. By my understanding, this means that a registrant could register a domain, put a lock on it, and then continue to use the domain without having to pay renewal fees.
Thanks,
Jed.
Paul Hayton
17 September 2020
Do you consider the policy wording accurately and adequately reflects the proposed Registry Lock service?
Skip
Do you have any other comments about the proposed Registry Lock service?
Suggest the terms of service related to the supply of a retail Registry Lock between registrar and registrant should be mandated to be consistent across all registrars. Much like a WOF check for a car, a registrant should expect to receive the same levels of service/terms offered by any registrar for such a product, especially given the security nature of it. To do otherwise could introduce an inconsistency in the efficacy of the product.
If the security benefits of such a lock being introduced to the marketplace are so positive, why allow such a service to be only just an opt-in option for registrars? This is a one-off opportunity to uniformly strengthen the DNZ and the service offerings by all registrars to registrants. Requiring all registrars to be able to offer such a service to registrants would ensure a wider knowledge of the service's existence and potentially greater uptake of it by more registrants in the future.
If all registrars were to offer the service, it would also smooth the way for registrants to be able to arrange domain transfers between registrars without the need to re-establish completely new locking arrangements each time a change is made. If the end goal is a greater uptake of a product that ensures a nationally far more secure DNS it's key to reduce friction points for the registrant.
Thanks for considering this feedback :)
Ronny Hossain
16 September 2020
Do you consider the policy wording accurately and adequately reflects the proposed Registry Lock service?
Yes
Do you have any other comments about the proposed Registry Lock service?
N/A