Policies

I. Registration Requirements

II. .WhosWho Terms of Acceptable Use and Takedown Policy

1. Acceptable Use Overview
2. Notice of Violations
3. Prohibited Actions
4. Abuse Point of Contact
5. Policy Purposes
6. Actions The Registry May Take
7. Preventative Measures at Registry's Sole Discretion
8. Dispute Resolution Alternative
9. Service by Mail
10. Disqualification of Registrants
11. Representations by Registrants

III. Incorporation of Applicable Dispute Resolution Services

IV. Reservation

V. .WhosWho End User Privacy Policy

VI. WHOIS Terms of Service

VII. Billing Policy for Registrars

VIII. DNSSEC Practice Statement

---

I. Registration Requirements

Before the Registry Operator will accept applications for registration from Registrar, all domain name applicants in the .WhosWho TLD ("Applicants") must enter into an electronic or paper registration agreement with the Registrar, in accordance with the ICANN RAA and this Agreement. Such electronic or paper registration agreement shall include, at a minimum, the following certifications:

1. The data provided in the domain name registration application is true, correct, up-to-date and complete;
2. The domain name registrant has the authority to enter into the registration agreement;
3. The domain name registrant shall comply with the .WhosWho Acceptable Use Policy;
4. The domain name will not be used for distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting, pornography (whether textual or pictorial), personal adult services/prostitution (regardless of their legality under applicable law) or otherwise engaging in activity contrary to applicable law, and providing (consistent with applicable law and any related procedures) consequences for such activities including suspension or deletion of the domain name registration.

II. .WhosWho Acceptable Use and Takedown Policy

This Acceptable Use and Takedown Policy (“Acceptable Use Policy”) of Who’s Who Registry (the “Registry”), is to be read together with the Registration Agreement and words and phrases used in this Acceptable Use and Takedown Policy shall have the same meanings attributed to them as in the Registration Agreement unless otherwise specified or the context clearly otherwise requires.

Please note that the Registry may modify this Acceptable Use Policy from time to time in order to comply with applicable laws and terms and/or any conditions set forth by ICANN: ICANN-approved amendments are effective automatically as designated by ICANN. Any revisions or modifications to this Acceptable Use Policy shall be effective thirty (30) days after the initial date of posting such revisions or modifications on the Registry’s website and such amendments shall be binding upon the domain name registrant.

1. Acceptable Use Overview

All domain name registrants must act responsibly in their use of any .WhosWho domain or website hosted on any .WhosWho domain, and in accordance with this policy, ICANN rules and regulations, and applicable laws, including those that relate to privacy, data collection, consumer protection (including in relation to misleading and deceptive conduct), fair lending, and intellectual property rights.

The Registry will not tolerate abusive, malicious, profane, obscene, vulgar, or illegal conduct in registration of a domain name; nor will the Registry tolerate such content on a website hosted on a .WhosWho domain name.

This Acceptable Use Policy will govern the Registry’s actions in response to abusive, malicious, profane, obscene, vulgar, or illegal conduct of which the Registry becomes aware. In all cases the Registry reserves the right to bring the offending sites into compliance using any of the methods described herein, or others as may be necessary in the Registry’s discretion, whether or not described in this Acceptable Use Policy.

Upon becoming aware of impermissible conduct, the Registry (or its designees) may alert any relevant Registrar about any identified threats, and may work with them to resolve such issues. The Registry will also utilize such other methods in compliance with applicable laws and ICANN policies, as it deems appropriate.

2. Notice of Violations

The Registry may identify Acceptable Use Policy violations by any means, including without limitation, a private complaint, public alert, government or enforcement agency outreach, ICANN notification, and on-going monitoring by the Registry or its partners. At its discretion, the Registry or its designee, through an automated system or otherwise, may view any website hosted on a .WhosWho domain, for the purpose of identifying Acceptable Use Policy violations.

3. Prohibited Actions

Conduct in violation of this Acceptable Use Policy includes but is not limited to:

• Phishing; attempting to defraud and defame Internet users via masquerading as a known website, with the intent to steal or expose credentials, money or identities.
• Domain Name or Domain Theft; changing the registration of a domain name without the permission of its original registrant.
• Botnet Command and Control; running services on a domain name to control a collection of compromised computers or “zombies,” or to direct Distributed Denial of Service attacks (“DDoS attacks”)
• Distribution of Malware; the creation and/or distribution of “malicious” software designed to infiltrate a computer system, mobile device, software, operating infrastructure, and/or website, without the owner or authorized party’s consent. Malware includes, without limitation, computer viruses, worms, keyloggers and trojan horses.
• Fast Flux Attacks ⁄ Hosting; the sheltering of phishing, pharming and malware sites and networks from detection, and the frustration of methods employed to defend against such practices, whereby the IP addresses associated with fraudulent sites are changed rapidly so as to make the true location of the sites difficult to find.
• Hacking; the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
• Pharming; the redirecting of Internet users to websites other than those the user intends to visit, usually through, but not limited to, unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers, or DNS hijacking or poisoning.
• Spam; the use of electronic messaging systems to send unsolicited bulk messages. The term applies to email spam and similar abuses such as instant messaging spam, mobile messaging spam, and spamming of websites and Internet forums.
• Piracy; the unlicensed publication, display and/or dissemination of any material that infringes the copyrights of any person.
• Counterfeiting; the sale and advertising of illegal goods, including without limitations, goods that infringe the trademarks of any party.
• Child Pornography; the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the legal age in the relevant jurisdiction. Alternatively, no website hosted on any .WhosWho domain may be used in a way as to mislead or deceive minors into viewing sexually explicit materials, whether in violation of a governing law or otherwise.
• Pornography; the storage, publication, display or dissemination of pornographic materials of any type is specifically proscribed on any .WhosWho domain. Where any question arise as to what constitutes pornographic materials, the decision of the Registry Operator will unilaterally prevail. [The registry will not entertain arguments of what constitutes pornography versus art, and in lieu directs prospective registrants to the gTLDs for pornography/adult (i.e. .XXX, .PORN, .SEX, .ADULT) and for art (.ART), with prophylactic recommendations that the appropriate choice of gTLD may avoid any contention, and subsequent disappointment, in future.]

Further abusive behaviors include, but are not limited to: cybersquatting, front-running, gripe sites, deceptive and ⁄or offensive domain names, fake renewal notices, cross- gTLD registration scam, name spinning, pay-per-click, traffic diversion, false affiliation, domain kiting ⁄ tasting, fast-flux, 419 scams or if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its Registrar partners and ⁄or that may put the safety and security of any registrant or user at risk.

4. Abuse Point of Contact

All complaints should be addressed to: abuse@nic.whoswho

5. Policy Purposes

The Registry reserves the right, in its sole discretion and without notice to any other party, to take appropriate actions (whether administrative, operational or otherwise) to:

• Protect the integrity and stability of the Registry;
• Comply with any applicable laws, government rules or requirements, ICANN regulations, requests of law enforcement, or any dispute resolution process;
• Avoid any liability, civil or criminal, on the part of Registry as well as its affiliates, subsidiaries, officers, directors, and employees;
• Comply with the terms of the registration agreement, the Registry-Registrar Agreement, the Registry Agreement, or any other binding commitments, whether written or otherwise;
• Correct mistakes made by the Registry or any Registrar in connection with a domain name registration;
• Allow for the resolution of a dispute of any sort whether or not the dispute appears to be unmerited or unsubstantiated;
• Respond to complaints of abusive behavior on websites hosted on .WhosWho domains; or
• Otherwise implement the Acceptable Use Policy.

6. Actions The Registry May Take

To enforce this Acceptable Use Policy, including responding to any prohibited activities or to effectuate the policy purposes described above, the Registry may take actions including but not limited to:

• Conduct an assessment to determine whether any alleged abusive or otherwise harmful behavior violates the Registry’s policies, applicable laws, or ICANN regulations;
• Lock down a domain name preventing any changes to the contact and name server information associated with the domain name;
• Place a domain name “on hold” rendering the domain name non-resolvable or prohibiting transfer of the domain name to another Registrar;
• Substitute name servers in cases in which the domain name is associated with an existing law enforcement investigation in order to collect information about the DNS queries and, when appropriate, to share information with law enforcement to assist the investigation;
• Cancel or transfer or take ownership of any domain name, either temporarily or permanently;
• Deny attempted registrations from repeat violators (see the section on Disqualification of Registrants below);
• Use relevant technological services, whether our own or third party, such as computer forensics and information security; and
• Share relevant information on abuse with other registries, Registrars, ccTLDs, law enforcement authorities (i.e., security professionals, etc.) not only on abusive domain name registrations within its own gTLD, but also information uncovered with respect to domain names in other registries to enable such parties to take appropriate action.

7. Preventative Measures at Registry's Sole Discretion

The Registry may also take preventative measures at its sole discretion including (without limitation):

• DNSSEC deployment which reduces the opportunity for pharming and other man-in-the-middle attacks;
• Removal of orphan glue records; and
• Place upon registry lock, hold or similar status a domain name during resolution of a dispute.

8. Dispute Resolution Alternatives

The Registry is not bound to adjudicate any dispute between parties and cannot and does not accept any responsibility for any loss or damage a domain name registrant or anyone else may suffer as a result of any action or omission by us or by anyone else under this Acceptable Use Policy.

Any abuse-related issues with which the Registry is unable to assist should be resolved through an appropriate dispute resolution forum. In such circumstance, the Registry will act following provision of:

• The final determination of an internationally recognized dispute resolution body or a court of law, resolving the inter-party dispute or otherwise mandating the Registry’s action;
• Any requirement of ICANN or other recognized authority which demands action or response; or
• In the case of a wrongful transfer of a domain name, a registrant may also provide written agreement of the Registrar of record and the gaining Registrar sent by email, letter or fax that the transfer was made by mistake or procedural error or was unauthorized.

9. Service by Mail

All notices under this section should be served by mail to:

WHO’S WHO REGISTRY
Box 300
New York, New York 10024
U.S.A.
INFO@DOMAINS.WHOSWHO


Anyone acting under this section is responsible for all costs, fees, damages and other expenses relating to any such action, including any actions the Registry is required to take.

10. Disqualification of Registrants

Registrants, their agents or affiliates, determined by the Registry, in its sole discretion, to have repeatedly engaged in abusive, malicious or illegal conduct may be disqualified from maintaining any registrations or making future registrations of .WhosWho domain names.

In addition, name servers that are found to be associated with fraudulent registrations may be added to a local blacklist and any existing or new registration that uses such fraudulent NS record may be investigated.

Following disqualification of a registrant, the Registry may cause such registrant’s .WhosWho domain names to resolve to a page noting that the domains have been disabled for abuse-related reasons.

11. Representations by Registrants

By registering a domain name in .WhosWho:

1. The Registrant represents and warrants that current, complete, and accurate information has been provided in connection with its Registration, and that Registrant will correct and update this information to ensure that it remains current, complete, and accurate throughout the term of any resulting Registration or Reservation. The Registrant’s obligation to provide current, accurate, and complete information is a material element of this Agreement, and the .WhosWho Registry Operator reserves the right to immediately deny, cancel, terminate, suspend, lock, or transfer any Registration if it determines, in its sole discretion, that the information is materially inaccurate;
2. The Registrant consents to the collection, use, processing, and/or disclosure of Registrant’s personal information in the United States and in accordance with the .WhosWho Privacy Policy posted on the .WhosWho website at domains.whoswho/policies#privacy;
3. The Registrant agrees to submit to proceedings commenced under the Uniform Dispute Resolution Policy (“UDRP”), and the Uniform Rapid Suspension (“URS”) service. Registrant further agrees to abide by the final outcome of any of those processes, subject to any appeal rights provided in those processes or the law, and hereby releases the .WhosWho Registry Operator, its affiliates and service providers from any and all direct or indirect liability associated with such dispute resolution processes;
4. The Registrant acknowledges that the .WhosWho Administrator reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion if it reasonably concludes that the domain name is being used in a manner that appears to (i) conflict with this Policy, (ii) threaten the stability, integrity or security of the .WhosWho TLD, the DNS or the global Internet, or any of its registrar partners and/or (iii) put the safety and security of any registrant or user at risk. The process also allows the Registry to take proactive measures to detect and prevent criminal conduct or cybersecurity threats.
5. The Registrant agrees to indemnify to the maximum extent permitted by law, defend and hold harmless the .WhosWho Registry Operator, its affiliates and service providers, and each of their respective directors, owners, officers, employees, contractors, and agents, from and against any and all claims, damages, liabilities, costs and expenses, including reasonable legal fees and expenses, arising out of or relating to the Registrant’s use, operation, Registration of any name and/or website in the .WhosWho .

The .WhosWho Registry Operator reserves the right to modify, change, or discontinue any aspect of its services, agreements, of this Acceptable Use Policy.

III. Incorporation of Applicable Dispute Resolution Services

In addition, Registrar agrees to incorporate the following text (or translation of such text into relevant language) into their Registration Agreement:

"The Registrant acknowledges having read and understood and agrees to be bound by the terms and conditions of the following documents, as they may be amended from time to time, which are hereby incorporated and made an integral part of this Agreement:

1. The Uniform Domain Name Dispute Resolution Policy (UDRP), available at https://www.icann.org/resources/pages/udrp-2012-02-25-en
2. The Uniform Rapid Suspension (URS) Procedure and Rules, available at http://newgtlds.icann.org/en/announcements-and-media/announcement-05mar13-en; and
3. The Transfer Dispute Resolution Policy, (TDRP) available at https://www.icann.org/resources/pages/tdrp-2012-02-25-en and its successors, such as the one which is effective from 01 December 2016 available at https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en.

The UDRP sets forth the terms and conditions in connection with a dispute between a Registrant and any party other than the Registry Operator or Registrar over the registration and use of an Internet domain name registered by Registrant. Registry Operator is not required to ensure that a domain name is being used in compliance with the UDRP.

The URS is one of several new Rights Protection Mechanisms available in the New gTLD Program. It complements the existing UDRP by offering a lower-cost, faster path to relief for rights holders experiencing the most clear-cut cases of infringement. The URS Procedure defines the URS claims process. The Rules will help service providers implement URS in a consistent manner.

The TDRP sets forth the terms under which a dispute relating to Inter-Registrar domain name transfers are handled. Registrars are encouraged to first of all attempt to resolve the problem among the Registrars involved in the dispute. In cases where this is unsuccessful and where a registrar elects to file a dispute, the TDRP procedures apply. Registry Operator is not required to ensure that a domain name is being used in compliance with the TDRP processes.

IV. Reservation

Registry Operator reserves the right to deny, cancel, place on registry-lock or hold, or transfer any registration that it deems necessary, in its discretion:

1. to protect the integrity, security and stability of the Internet or Registry;
2. to comply with any applicable laws, government rules or requirements, requests of law enforcement or any other relevant authority or in compliance with any dispute resolution process;
3. to avoid any liability, civil or criminal, on the part of Registry Operator and Registry Service Provider and their affiliates, subsidiaries, subcontractors, officers, directors, employees and stockholders;
4. for violations of this Agreement and its Exhibits and its Policies and Related Online Documents included by reference in the Registry-Registrar Agreement;
5. to correct mistakes made by Registry Operator or any Registrar in connection with a domain name registration; and/or
6. to ensure compliance with ICANN and/or Registry Operator policies and/or procedures.

Registry Operator also reserves the right to lock or place on hold a domain name during resolution of a dispute. Registry Operator will notify Registrar of any cancellations, locks, holds or transfer made by Registry Operator to the Registrar’s domain name registrations, via email or other method as may be mutually agreed upon by the Parties, within twenty four (24) hours of any change, unless otherwise required to by law.

Registry Operator reserves the right to take immediate action to remove orphan glue records (as defined at https://www.icann.org/resources/files/sac-048-2012-02-25-en) when provided with evidence in written form that such records are present in connection with malicious conduct.

V. .WhosWho End User Privacy Policy

This Privacy Policy describes the collection, use, and disclosure of Personal Information, which is information that personally identifies users, such as names, email addresses or billing information, or other data that we can reasonably link to that kind of information.

PERSONAL INFORMATION COLLECTION, USE, AND DISCLOSURE

Information Registrants Provide on our Web Sites. On our web sites, we collect Personal Information only if users choose to give it to us, for example by subscribing to RSS feeds or blog posts or electing to “follow” .WhosWho on social media sites. Like all web sites, we automatically collect Log Data about user visits. This information does not identify a user to us unless identifying data (names, contact information, or other Personal Information) has also been given to us. We use Personal Information and Log Data to respond to your requests, process transactions that users initiate, improve our web site, and deliver personalized content to users. We may disclose that information to third parties to help us in these activities, but we do not allow them to use the Personal Information for other purposes.

Domain Name Registry Services. When you register a domain name, your registrar will collect certain information, including your name, address, contact information, and the IP address of the servers on which your domain name is hosted. As the Registry Operator for .WhosWho, we collect this information, known as “WHOIS Information” from registrars, and makes it available online in the WHOIS database.

We use WHOIS Information and other information collected in the course of providing registry services to: comply with law and regulation, and contractual obligations; investigate and respond to complaints of abusive conduct; and enforce registry policies related to, without limitation: WHOIS accuracy, limitations on registration, and prohibitions against the use of domain names to distribute malware, operate botnets, or engage in phishing, piracy, intellectual property infringement, fraud or deceptive practices, counterfeiting or other activity that is contrary to applicable law.

We reserve the right to use and disclose this information as needed to provide the domain registry services, identify and respond to cybersecurity threats, protect our rights and the rights of third parties, and as required by law. In addition, we may from time to time collect and aggregate demographic data or statistical analysis and other research, but do not disclose Personal Information in that process.

Other Use and Disclosure of Personal Information. We do not use or disclose Personal Information other than as described above, except:

• With users’ express permission;
• Where permitted by our customer agreements, for internal use, research, fraud prevention, and product development;
• To (i) comply with US laws or the laws of other nations, or to respond to lawful requests and legal process in US or another nation's civil, criminal or investigative matters, (ii) enforce agreements, our terms and conditions, and policies, and protect our rights and property as the site owner, and (iii) in an emergency, to protect the personal safety of our Registry Service Provider, Neustar Inc., its customers, or any person;
• In an aggregated or de-identified form that does not directly identify you;
• With third party vendors, consultants and other service providers who are working on our behalf, but we limit their access and use of Personal Information to that which is needed to carry out their work for us; and
• In connection with any merger, sale of company assets, financing or acquisition of all or a portion of our business to another company.

COOKIES
We use cookies and similar technologies such as web beacons and pixel tags on our sites to distinguish among our visitors and track information during multiple visits. We may use cookies, web beacons, pixel tags or similar technologies, along with other information described in this policy to enhance and personalize the user experience on our sites and to manage and enable preferences, transactions and related uses of .WhosWho services and information. These technologies do not identify users to us unless users have voluntarily provided Personal Information on our site. If a user has set her/his browser to warn before accepting cookies, a warning message will be received prior to receiving each cookie. Users can refuse cookies by turning them off in their browsers, but some of the features on our site may not work if this has been done. Cookies never contain or convey Personal Information. Users can remove persistent cookies by following directions provided in their Internet browser’s “help” files, or may opt-out as described below.

EU AND SWISS SAFE HARBORS
We may receive Personal Information about residents of the European Union and Switzerland in the course of providing registry services. Our handling of such information complies with the U.S. – EU Safe Harbor framework and the U.S. – Swiss Safe Harbor framework as administered by the U.S. Department of Commerce, and we have certified our adherence to the Safe Harbor principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. Additional information about the Safe Harbor programs is available at: http://www.export.gov/safeharbor.

SECURITY
We have implemented policies that include administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, use, or disclosure.

CHILDREN
We do not knowingly collect information from children under 13, and we do not create marketing segments or knowingly enable advertising targeted to children under 18.

POLICY CHANGES
This Policy may change from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice.

INFORMATION FOR CALIFORNIA RESIDENTS
Pursuant to Section 1798.83 of the California Civil Code, residents of California who have an established business relationship with us may request certain information with respect to the Personal Information we share with third parties for those third parties’ direct marketing purposes. To exercise your rights, email us at info@domains.whoswho.

CONTACT US

Who’s Who Registry
Box 300
New York, NY 10024 USA
info@domains.whoswho

DEFINITIONS:

Cookies are text files placed on a computer’s browser that can be used to recognize you as a web site user or to provide personalized content.

Log data is the Internet page request that is automatically collected when you visit a web site, and typically includes the URL of the page requested, Internet Protocol address, browser type, browser language, the date and time of your request, one or more cookies that may uniquely identify your browser. Advertising logs also contain information about ad campaign delivery, which we use for reporting and analytics, and to measure ad effectiveness.

Personal information is information that personally identifies you, such as your name, email address or billing information, or other data that we can reasonably link to that kind of information.

Pixel tags are placed on a web site or within the body of an email for the purpose of tracking activity on web sites, or when emails are opened or accessed, and are often used in combination with cookies.

Web beacons are small pieces of code placed on web pages that can be used for such purposes as counting visitors and delivering cookies or to otherwise customize the user experience.

VI. WHOIS Terms of Service

The WHOIS service offered by Who's Who Registry, the Registry Operator for .WhosWho, and the access to the records in the .WhosWho WHOIS database are provided for information purposes only and designed to assist persons in determining whether a specific domain name registration record is available or not in the Who's Who Registry database and to obtain information related to the registration records of existing domain names. Who's Who Registry cannot, under any circumstances, be held liable in such instances where the stored information would prove to be wrong, incomplete, or not accurate in any sense. By submitting a WHOIS query, you agree that you will not use this data:

1. to allow, enable or otherwise support in any way the transmission of unsolicited, commercial advertising or other solicitations whether via direct mail, email, telephone or otherwise;
2. to enable high volume, automated, electronic processes that apply to the registry (or its systems );
3. for target advertising in any possible way;
4. to cause nuisance in any possible way to the registrants by sending (whether by automated, electronic processes capable of enabling high volumes or other possible means) messages to them;
5. to violate any law, rule, regulation or statute; and/or
6. in contravention of any applicable data and privacy protection acts.

Without prejudice to the above, it is explicitly forbidden to extract, copy and/or use or re-utilize in any form and by any means (electronically or not) the whole or a quantitatively or qualitatively substantial part of the contents of the WHOIS database without prior and explicit permission by Who's Who Registry, nor in any attempt hereof, or to apply automated, electronic processes to Who's Who Registry (or its systems or their designated third party Registry Service Provider's systems). You agree that any reproduction and/or transmission of data for commercial purposes will always be considered as the extraction of a substantial part of the content of the WHOIS database. By utilizing this website and/or submitting a query you agree to abide by this policy and accept that Who's Who Registry, or their third party Registry Service Provider, can take measures to limit the use of its WHOIS services in order to protect the privacy of its registrants or the integrity of the database. We reserve the right to make changes to the Website, the Service(s) and these Terms and Conditions at any time without prior notice to you. It is your responsibility to review these Terms and Conditions each time you access or use the Website and/or Service(s) to keep apprised of any changes. If you do not agree to the changes implemented by Who's Who Registry, your sole and exclusive remedy is to terminate your use of the Website and/or Service(s).

By executing a query, in any manner whatsoever, you agree to abide by these Terms and Conditions.

NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE OF THE AVAILABILITY OF A DOMAIN NAME.

VII. Billing Policy for Accredited Registrars

NOTE: This section is for businesses that sell .WhosWho domain names to end users. If you wish to buy one or more .WHOSWHO domains for yourself or your organization, ICANN rules require that you must purchase them through one of our "Accredited Registrars," whom you will pay - usually online by your choice of convenient payment options. (When you buy a domain from any of them, they will in turn pay us for your .WhosWho domain purchases, and that's what the section below is about. To find a linklist of logos from our Accredited Registrars that can be filtered with the push of a button, CLICK HERE or here http://internet.whoswho/register.
We look forward to having you with us!

1.1 Payment Methods

All payments will be made in USD.
Payment can be made in two ways:

1. the Pre-Payment Debit Account Program, or
2. the Payment in Arrears Program (for qualifying Registrars only).

1.2 Pre-Payment Debit Account Program

1.2.1 Registrars using debit accounts must transfer sufficient funds into their account to ensure that funds are available for all their domain name applications. Registrars who wish to use a credit/debit card must be sure to have an adequate credit limit or deposit funds, as a backup, which will support the number of domain name applications submitted. If you have any questions at any time, please contact Registry Billing Support at +1-877-BILL-277 (+1-877-245-5277) or registry-billing@neustar.biz.

1.2.2 Registrar must establish an account with Neustar’s bank. The Registrar is responsible for funding the account to a level that is consistent with its monthly sales volume. Who’s Who Registry has elected to have Neustar perform the billing and collections operations, and Neustar shall debit the Registrar’s account for each billable transaction on at least a daily basis.

1.2.3 Upon receipt of Registrar’s initial deposit, Neustar shall provide Registrar with login credentials to Neustar’s eBill system. Through eBill, Registrar may check their account balance, which shall be updated four times per day. In addition, through eBill, Registrar may elect to set a “low water mark” for funds in its Debit Account (LWM). Such LWM may be changed at any time by sending a request to registry-billing@neustar.biz . Changes are made by Neustar by the close of the next business day. In the event that the funds available in Registrar’s Debit Account fall below the LWM, notification will be sent to the Registrar. Registrar shall have 48 hours to initiate a deposit to their account to bring their balance to a level that supports the number of domain name applications submitted.

1.2.4 The Registry Operator will pay bank fees associated with the Registrar’s account, but the Registrar is responsible for all wire transfer fees. For example, a wire transfer of US$500.00 would include a US$20.00 transaction fee from the originating bank. This US$20.00 fee is the responsibility of the sending Registrar. The monthly fees associated with the handling of the remaining US$480.00 are paid by the Registry Operator at Bank of America.

1.2.5 If the account falls to a zero balance, the Registry Operator reserves the right to stop accepting orders from the Registrar until the account is fully funded to a level that supports the number of domain name applications submitted. In the event that Neustar allows a Registrar to fall below a zero balance, Registrar must replenish the Debit Account by no later than seven (7) days after such account falls below zero. Failure to replenish the Debit Account may result in Registrar being converted to “not-in-good standing”, meaning that Registrar will be unable to create new domains, renew domains, or transfer in any domain names from another registrar until such time that the account is replenished.

1.3 Payment in Arrears Program

1.3.1 Certain Registrars may qualify to participate in Neustar’s Payment in Arrears Program which allows Registrars to make all payments owed for certain top-level domains (TLDs) for which Neustar is providing registry services (for example, .BIZ, .US, .TRAVEL and others),within thirty (30) days after the date of an invoice. For a specific list of TLDs participating in this program, please contact your account representative or send an e-mail to registry-billing@neustar.biz.

1.3.2 Registrar Reserve.

1.3.2.1 In order to qualify for this program, Registrars must submit to Neustar a pre-payment in the amount of US$ 50,000.00 (in the manner set forth below) which Neustar will hold in reserve in a non-interest bearing account on behalf of the Registrar and its Affiliates (“Registrar Reserve”). Only one Registrar Reserve is required to cover all of the participating TLDs for which Neustar is providing registry services.

1.3.2.2 The Registrar Reserve shall, at the election of the Registrar, cover Registrar and all of Registrars’ Affiliates. For the purposes of this Program, (i) “Affiliate” means a person or entity that, directly or indirectly, through one or more intermediaries, or in combination with one or more other persons or entities, controls, is controlled by, or is under common control with, the person or entity specified, and (ii) “control” (including the terms “controlled by” and “under common control with”) means the possession, directly or indirectly, of the power to direct or cause the direction of the management or policies of a person or entity, whether through the ownership of securities, as trustee or executor, by serving as an employee or a member of a board of directors or equivalent governing body, by contract, by credit arrangement or otherwise.

1.3.2.3 Prior to submitting the payment set forth in Section 1.3.2.1 above, Registrar shall send an e-mail to registry-billing@neustar.biz requesting participation in the Payment in Arrears Program and detailing which Affiliates (if any) will be included in the Program under the same Registrar Reserve.

1.3.2.4 Statements shall be posted to each qualifying Registrar’s billing extranet account by no later than ten (10) days after the end of each month detailing the total number of billable transactions for the previous month broken out by type and top-level domain.

1.3.2.5 Neustar must receive payment for each statement in full by no later than thirty (30) days after the date of the applicable statement (“Due Date”). In the event that Neustar does not receive payment in full by the Due Date, Neustar has the right to withdraw all unpaid amounts from the Registrar Reserve. If the unpaid amount is greater than the balance remaining in the Registrar Reserve, Neustar may, at its option, (i) change the Registrar (and its Affiliates’) status to “not-in-good standing,” prevent the Registrar (and its Affiliates) from creating new domains, renewing domains or transferring in domains for all TLDs; and (ii) assess a late fee on all unpaid amounts equal to one and one-half percent (1.5%) of the maximum rate allowed by law, whichever is less, from the original due date to the date paid in full.

1.3.2.6 Registrars shall be required to refill the Registrar Reserve the full $50,000.00 balance by no later than seven (7) days from the date in which the Registrar Reserve was used to pay off Registrar’s outstanding balance.

1.3.2.7 If a Registrar fails to pay an invoice on time two times in any six (6) month period, or three times in any two (2) year period, Neustar has the right to disqualify the Registrar from participating in the Payment in Arrears Program, and if disqualified, Neustar shall automatically move the Registrar to the Pre-payment Debit Account Program. A Registrar that has been disqualified from the Payment in Arrears Program shall not be eligible to participate in the Payment in Arrears Program for a minimum of twenty-four (24) months following such disqualification.

1.3.2.8 In the event Registrar terminates its relationship with all Neustar-sponsored TLDs or elects to switch to the Pre-Payment Debit Account Program, all unused Registrar Reserve funds shall be returned to Registrar within thirty (30) days of such termination and/or election.

1.4 Instructions for Electing Either Program

Step 1: Complete the Registrar Profile form available on the Registrar Extranet, which is used to provide general background on your profile and for electing either the Pre-Payment Debit Account Program or Payment in Arrears Program.

Step 2: Return the completed form via email (reg-support@neustar.biz) or facsimile to Neustar Customer Support at +1.571.434.5758.

Step 3: In the event that Registrar has elected the Pre-Payment Debit Account Program or Registrar is unable to qualify for the Payment in Arrears Program, Registrar will receive a new Bank of America Debit account number within five (5) to seven (7) business days along with wire transfer instructions from Neustar.

Step 4: Using the wire transfer instructions below, if Registrar has elected to participate in the Pre-payment Debit Account Program, Registrar shall make the initial deposit into the account to comply with the Projected Monthly Sales, which were entered into Registrar Profile form. In the event Registrar has elected to participate in the Payment in Arrears Program, Registrar shall be required to use the wire transfer instructions below to make the required Registrar Reserve payment.

VIII. DNSSEC Practice Statement

1. Introduction

This document is our DNSSEC Practices Statement for the .WhosWho TLD. It states the considerations that we follow in providing DNSSEC services for the Zone. This document details the practices used by Neustar on behalf of clients in their capacity as a Registry Service Provider for .WhosWho and others. The Zone file data, including DNSSEC keys used to sign the Zone file remain the property of the Registry Operator of the .WhosWho TLD.

1.1 Overview

Domain Name System Security Extensions(DNSSEC) has been proposed to add data integrity and authentication to the existing Domain Name System (DNS). The DNSSEC system asserts trustworthiness of data using a chain of public-private keys. For end users wanting to use DNSSEC enabled name servers, DNSSEC aware resolvers will be necessary to take advantage of the system.

1.2 Document Name and Identification

Document Name: DNSSEC Practice Statement
Version: 2.0
Date Created: 12 May 2011
Date Modified:15 August 2016

1.3 Community and Applicability

The following stakeholders of this DNSSEC implementation have been identified:

• End Users
• Recursive Name Server Providers
• Registrants
• Registrars
• Registry Operators

Relationship between different entities is regulated through the following agreements:
RELATIONSHIP || AGREEMENT
Registry Operator and Registry Service Provider || Registry Operator – Registry Service Provider Agreement
Registry Operator and Registrar || Registrar – Registry Agreement
Registry Operator and Registrant || Registrant – Registrar Agreement

1.4 Specification Administration

1.4.1 Specification administration organization

• Organization: Neustar Inc.
• Website: www.neustar.biz

1.4.2 Contact Information

• Name: Customer Support
• Address: Neustar Inc., 21575 Ridgetop Circle, Sterling, VA 20166, USA
• Phone: +1 844-677-2878 (Toll-free in USA) & +1 571-434-6700
• Email: reg-support@neustar.biz

1.4.3 Specification Change Procedures

Queries with regards to the content of this document may be made directly in writing via email, post or telephone to the contact listed. Some requests may only be made in writing via email or post and requestors may be notified to do so should they place the initial request via telephone.

We reserve the right to amend the DNSSEC Practice Statement without notification. Updated or new DNSSEC Practice Statement will be published as specified in Section 2.

2. Publication Repositories

2.1 Repositories

This DNSSEC Practice Statement will be published at the Registry Operator’s policy webpage.

2.2 Publication of Public Keys

DS records of SEP keys are made available by publication of in the root Zone. We maintain a mailing list on behalf of the Registry Operator, which will notify of policy changes specific to DNSSEC and will contain alerts in the event of an emergency key rollover.
Email: dnssec-announce@lists.Registry.neustar

2.3 Access Controls on Repositories

Information that the organization deems publicly viewable is published on the Registry Operator’s website. Other information may be requested by writing to the contact specified in Section 1.4.2.Provision of requested information is at our sole discretion.

This document may refer to documents that are confidential in nature, or considered for our internal use. These documents may be made available on request after consideration on a case by case basis. We reserve the right to deny access to confidential documents or documents classified for internal use only.

We will take all the necessary measuresto protect information and material that is of a secure nature with respect to DNSSEC. These measures will be commensurate with the nature of such information and material being secured.

3. Operational Requirements

3.1 Meaning of Domain Names

Restrictions and policy of naming of child Zones is determined by the appropriate policy in place governing the TLD.

3.2 Identification and Authentication of Child Zone Manager

We do not conduct any identification or authentication of the child Zone manager. This is the responsibility of the Registrar of Record.

3.3 Registration of Delegation Signing (DS) Resource Records

The chain-of-trust to the child Zone is established by publishing a signed DS record into the Zone.

The submission of a DS record is carried out by the Registrar of Record using the Registry interface (EPP).

We will sign the DS record using the Zone’s ZSK(s) and publish the resulting signature along with the DS record to build the chain-of-trust.

3.4 Method to Prove Possession of Private Key

Registrars are mandated by agreements they are subject to, as specified in Section 1.3, to authenticate Registrants before accepting any changes from the Registrant that they may choose to submit to the Registry.

The need for Registrants to explicitly prove the possession of a private key is invalidated due to workings of DNSSEC, as the Registrant submits a DS record using interfaces provided by the Registrar. A chain of trust is established when the Registrant signs their Zone using the private key corresponding to the DS submitted.

In the case where the Registrant does not possess the private component corresponding to the DS, they will not be able to create valid signatures for records in their Zone and the chain of trust culminating at their records will be invalidated.

3.5 Removal of DS Resource Record

The Registrar of Record uses the Registry interface to remove the DS record.

We may remove a DS record and re-delegate the child-Zone in consultation with the Registry Operator, Registrar and Registrant if it is deemed that the child Zone has been compromised. Such a removal may be initiated by the Registry Operator, Registrar, Registrant or us.

4. Facility, Management and Operational Controls

4.1 Physical Controls

4.1.1 Site Location and Construction

The Registry architecture consists of a primary site, a secondary site, and geographically dispersed DNS sites. The components at the secondary site are identical to those at the primary site.

We chose data centers for Registry operations after carrying out stringent checks and visits on a large number of available providers. Each data center provides the following minimum set of requirements:

• Redundant Power Feed
• Un-interruptible Power Supply (minimum 30 minutes)
• Backup Power source (generator)
• Fire Detection System (High Sensitivity Smoke Detectors)
• Fire Suppression System
• Water Detection System
• Multiple (Diverse) Internet Links
• Stringent Physical Security (On-site security personnel, bio-metric access control)
• 24/7 Access Availability
• Robust Cooling System (HVAC)
• Real Time/Pro-active Power & Environmental Monitoring

4.1.2 Physical Access

Access to all Registry systems at each data center is restricted. Equipment is located in private locked racks and keys to these are only given out to authorized administrators as part of stringent data center security procedures.

Remote environment surveillance is employed, including cameras and entry alarms.

In addition, direct physical access to equipment is monitored and controlled as an un-trusted interface, login sessions are not permitted to idle for long periods, and network port security is employed to minimize the opportunity for a direct network connection to be used as a security threat vector.

4.1.3 Power and Air Conditioning

N+1 power is utilized at all selected Registry data centersto maximize uptime availability. Uninterruptible Power Supply (UPS) systems are used to prevent power spikes, surges, and brownouts, and redundant backup diesel generators provide additional run time. Alerts are set on all power provision systems to allow us to begin fail over preparation in the event of a potential power provision issue to ensure a smooth and controlled fail over if required.

Similarly N+1 monitored air conditioning at Registry data centers is configured to provide maximum temperature control for the installed equipment in order to provide a stable operating environment.

4.1.4 Water Exposures

We have implemented reasonable measures for flood detection and protection at its sites, as well as having a key selection criterion for Registry and DNS sites that they be in areas which are not likely to suffer flooding.

4.1.5 Fire Prevention and Protection

Fire protection in each data center is world-class, with very early smoke detection apparatus installed and set as one element of a multi-stage, human controlled multi-Zone dry-pipe, double-interlock, pre-action fire suppression system in a configuration that complies with local regulations and industry best practice.

4.1.6 Media Storage

Sensitive media is stored offsite securely and is protected by access restrictions. Such media is reasonably protected from fire, water and other disastrous environmental elements.

4.1.7 Waste Disposal

Sensitive documents are shredded before disposal. Where sensitive data is stored electronically, appropriate means are used to render the data unsalvageable prior to disposal.

4.1.8 Off-site Backup

DNSSEC components and necessary data is stored off-site regularly as part of backup and disaster recovery. Such data is protected by reasonably secure means and has access restrictions that are similar to those implemented for online systems and data.

4.2 Procedural controls

4.2.1 Trusted Roles

The following procedures have been implemented by Neustar for providing DNSSEC services for the TLD. For each, corresponding roles of System Administrator and Security Officer have been designated.

• Key Rollover
• Key Creation
• Disposal of old key
• KSK rollover

4.2.2 Number of Persons Required Per Task

The number of persons required varies per task or procedure. Please refer to Section 4.2.1 or further information.

4.2.3 Identification and Authentication for Each Role

We require all personnel dealing with secure DNSSEC material and systems to have completed a security checks. We reserve the right to interpret the findings of the security check equitably with respect to the secure nature of this DNSSEC implementation as covered by Our Human Resources policy.

4.2.4 Tasks Requiring Separation of Duties

Tasks that are part of a Key Rollover require separation of duties. Please refer to Section 4.2.1 for further information.

Each person who fulfills a DNSSEC role must:

• be employed full time by Neustar;
• not be within their initial employment probation period;
• have completed a security check.

4.3.2 Background Check Procedures

A security check must be completed prior to taking part in DNSSEC tasks.

4.3.3 Training Requirements

Each person who is responsible for DNSSEC tasks must have attended our DNSSEC training session and be fully qualified to perform that function.

We provide frequent retraining to our employees to assist them with keeping their skills current and enabling them to perform their job proficiently.

4.3.4 Job Rotation Frequency and Sequence

We rotate the responsibility for DNSSEC related tasks between staff that satisfy the skill set required to execute those tasks.

4.3.5 Sanctions for Unauthorized Actions

We will conduct investigations where it detects or is made aware of unauthorized actions on the DNSSEC environment. We will take necessary disciplinary action should such action be warranted.

4.3.6 Contracting Personnel Requirements

Contractors and consultants are not authorized to participate in secure DNSSEC tasks.

4.3.7 Documentation Supplied to Personnel

We provide requisite training and support material to our employees to enable them to proficiently perform their duties. Supplied documentation is provided to staff under security controlled guidelines to ensure operational security

4.4 Audit Logging Procedures

All systems deployed utilize audit log functionality which is coordinated centrally. Logging is used to monitor the health of systems, trace any issues and conduct diagnosis.

4.4.1 Types of Events Recorded

A high level categorization of events that are recorded is as follows:

• Zone File Activity: Addition and removal of domain names. Changes in Resource Records associated with domain names in the TLD.
• Hardware Failures: Failure of server and network infrastructure or their components.
• Access To Hardware: Changes in access controls granting physical, console and network access to infrastructure.
• Security Profile: Changes in settings and configuration that determine the security of infrastructure or the services it provides.
• System Updates: Updates to operating environment and packages on servers and firmware on network appliances.
• Network Activity: Divergences from observed patterns of network activities.
• Redundancy Failure: Failure in backups, Disaster Recovery or transitions between primary and secondary site.
• Incident Management: Incidents being raised, allocated, acted upon and resolved.
• Failure In Event Monitoring: Failure of event monitoring system. This would be detected using a secondary event monitoring system.

4.4.2 Frequency of Processing Log

Audit logs and event monitoring feed into our monitoring system that raises alerts based on states that are not normal in regular operations.

4.4.3 Retention Period for Audit Log Information

Audit log information is securely archived for a period of 7 years.

4.4.4 Protection of Audit Log

Audit logs are only available to our staff with appropriate privileges. Audit logs do not contain private keys or other sensitive information that may lead to a compromise by using existing and known methods.

4.4.5 Audit Log Backup Procedures

Audit logs are backed up as part of the backup procedures in place for production systems. Those logs containing sensitive data are stored in a secure manner. Disposal of audit logs is carried out in accordance with Section 4.1.7.

4.4.6 Audit Collection System

In addition to information recorded manually by staff while conducting operations, Audit information is collected in Audit logs automatically. Methods specific to applications and operating environments are used to record audit logs.

Manual logs are scanned and the original documents archived in a fireproof safe.

4.4.7 Notification to Event-causing Subject

No notification is issued to the event causing subject as part of automatic event logging. However, selected events are monitored and alerts delivered to our employees that may choose to notify event causing subjects.

During execution of manual procedures the participants are informed that logging is taking place.

4.4.8 Vulnerability Assessments

We engage an external entity to perform a vulnerability audit annually. This is in addition to monitoring and analysis that is in place for production systems. A broader annual compliance audit is also performed as discussed in Section 7.

4.5 Compromise and Disaster Recovery

4.5.1 Incident and Compromise Handling Procedures

Any event that may cause or has caused an outage, damage to the Registry or disruption to service is classified as an incident. Any event that is an incident and has resulted in exposure of private DNSSEC components is classified as a compromise. Incidents are addressed using our incident management procedures.

Should we detect or be notified of a compromise, we will conduct an investigation in order to determine the nature and seriousness of the compromise. Following the investigation we will take the necessary measures to re-instate a secure state. This may involve rolling over the ZSK(s), KSK(s) or both.

Incident management is conducted in accordance with Our Incident Management process.

4.5.2 Corrupted Computing Resources, Software and/or Data

Detection or notification of corrupted computing resources will be responded to with appropriate incident management procedures and escalation procedures as necessary.

4.5.3 Entity Private Key Compromise Procedures

An emergency ZSK and KSK rollover will be carried out in the event that we detect or is notified of a private key compromise of either key. On suspicions of a compromise, we will instigate an investigation to determine the validity of such suspicions. We will notify the public through an update on the DNSSEC website and mailing list discussed in Section 2.2.

4.5.4 Business Continuity and IT Disaster Recovery Capabilities

Business continuity planning and disaster recovery for DNSSEC is carried out in accordance with our Business Continuity and Disaster Recovery Policies, and contracts in place with the Registry Operator.

4.6 Entity Termination

We will ensure that should its responsibilities to manage DNS for the TLD under consideration be terminated, it will co-ordinate with all required parties in order to execute a transition.

Should it be decided to return the TLD to an unsigned position, we will endeavor to carry it out in an orderly manner.

5. Technical Security Controls

This section provides an overview of the security policies and procedures we have in place for the operation of DNSSEC within the TLD presented as a summary for purposes of this DNSSEC Practice Statement.

5.1 Key Pair Generation and Installation

5.1.1 Key Pair Generation

The generation of KSK and ZSK is carried out by following the relevant procedure to generate keys of the strength required for the TLD.

Key Pair Generation is an audited event and audit logs are recorded and kept in accordance with relevant policies.

5.1.2 Public Key Delivery

The DS is delivered to the parent Zone using a secure and authenticated system provided by IANA. The DNSKEY is published in the DNS.

5.1.3 Public Key Parameters Generation and Quality Checking

In accordance with Section 4.2.1a one of our employees carries out the public key generation. Quality of the parameters is examined as part of our standard change control procedures.

5.1.4 Key Usage Purposes

Keys will be used in accordance with the DNSSEC implementation defined in this DNSSEC Practice Statement and other relevant documents such as agreements stated in Section 1.3. The keys are not exported from the signing system in an unencrypted form and are only exported for backup and disaster recovery purposes.

5.2 Private Key Protection and Cryptographic Module Engineering Controls

All cryptographic operations are carried out within the signing system. The private components of keys stored on the signing system are exported in encrypted forms only for backup and disaster recovery purposes.

5.2.1 Cryptographic Module Standards and Controls

Systems used for cryptographic functions must be able to generate acceptable level of randomness.

5.2.2 Private Key (m-of-n) Multi-person Control

Procedures for KSK generation and key signing implement an M-of-N multi-person approach. Out of N authorized persons that can participate in key generation or key signing, at least M need to be present.

5.2.3 Private Key Escrow

Private components of keys used for the Zone are escrowed in an encrypted format in accordance with ICANN specifications.

5.2.4 Private Key Backup

Private components of keys used for the Zone are backed up in an encrypted format in accordance with our backup and disaster recovery policies.

5.2.5 Private Key Storage an Cryptographic Module

Private keys are stored on the signer system and restricted to be only accessible to signing functions.

5.2.6 Private Key Archival

Old keys are archived for a period of seven years in an encrypted form.

5.2.7 Private Key Transfer into or from a Cryptographic Module

There are no circumstances under which a private key would be transferred into the signing systems. In accordance with Section 4.6 and in consultation with the relevant stakeholders, a private key can be transferred out of these systems. The private key will be transferred to the relevant stakeholder in encrypted form unless specifically requested otherwise by that stakeholder.

5.2.8 Method of Activating Private Key

Keys are activated during a key rollover with the appropriate employee executing the rollover procedure.

5.2.9 Method of Deactivating Private Key

A private key is deactivated by removing all signatures that deem the key valid and subsequently removing the DNSKEY record from the Zone. In the case of a KSK, the DS is removed from the root Zone. The exact order of this is dependent on the rollover method being used. Rollover methods are detailed further in Section 6.

5.2.10 Method of Destroying Private Key

We destroy keys by securely removing them from the signing system. However, encrypted backups of the keys are not destroyed but rather archived as described in Section 5.2.3.

The signing system may be de-activated following pre-configured triggers that indicate suspicious activity for example, a reboot of the signing system.

5.3 Other Aspects of Key Pair Management

5.3.1 Public Key Archival

Public components of keys are archived as part of backups and disaster recovery procedures.

5.3.2 Key Usage Periods

ITEM || VALUE

• KSK || 1 year
• ZSK || 3 months
• Signature validity periods || 30 days

Note: Keys that have been superseded are not used to sign resource records.

5.4 Activation Data

Activation data is securely generated and is protected by a confidentiality agreement between us and stakeholders that hold activation data. Activation data is decommissioned by destroying, invalidating or by using another suitable method applicable to the type of data.

5.5 Computer Security Controls

We limit access to production servers and only authorized staff members from the IT department are allowed privileged access. Access may be extended to other personnel for valid business reasons.

Authentication methods are complimented with network security measures. Passwords are rotated regularly and best practices such as tiered authentication and two factor authentication are implemented where appropriate.

5.6 Network Security Controls

Networks for secure DNSSEC infrastructure are segregated using firewalls. Audit logs are kept for all sensitive DNSSEC operations and archived for investigative purposes should security breaches be suspected or detected. Systems are divided into their applicability (e.g. front end and back end) and user and application access to them is restricted using appropriate means. Production infrastructure is logically separated from non-production infrastructure to limit access at a network level in accordance with our security policies.

5.7 Time Stamping

Timestamps are used for:

• Audit logs generated manually and automatically
• DNSSEC signatures.

We synchronize our timeservers with stratum 2 or 3 timeservers. All manually recorded times are stated in time that is local to the location of record. All automatically recorded times are in UTC.

5.8 Life Cycle Technical Controls

5.8.1 System Development Controls

All software deployed on production systems is maintained in version controlled repositories. We implement rigorous change control systems for production infrastructure.

5.8.2 Security Management Controls

We monitor our system for access, configuration changes, package installs and network connections in addition to other critical metrics that can be used to detect suspicious activities. Detailed audit logs enable us to trace any transaction on its systems and analyze events.

5.8.3 Life Cycle Security Controls

We implement fully redundant signing infrastructure and contracts with hardware manufacturers to provide 4 hour business day turnaround on support.

All production infrastructure and software is thoroughly tested before being deployed. Source code of all software deployed to production systems is authenticated and verified.

6. Zone Signing

6.1 Key Lengths, Key Types and Algorithms

We use a split key signing method. The RSA algorithm with a key length of 2048 bits is used for the KSK and 1280 bits is used for the ZSK.

6.2 Authenticated Denial of Existence

NSEC3 (RFC 5155) is used to provide authenticated denial of existence. The hash algorithm SHA1 is used. Salt values or iterations are not changed.

6.3 Signature Format

Signatures are generated using SHA256 hashes.

6.4 Key Rollover

ZSK rollover is every 3 months.

KSK rollover is every year. Rolled over using Double RRset KSK Rollover Method.

6.5 Signature Lifetime and Re-signing Frequency

Signatures are valid for 30 days. Signatures are automatically regenerated every 7½ days

6.6 Verification of Resource Records

Validity checks are made against the Zone as part of our standard monitoring process. This includes verifying DNSSEC material.

All resource records are validated by the Registry before delivery to be signed and distributed into the Zone file

6.7 Resource Records Time-to-live

TTL for each DNSSEC Resource Record in seconds is as follows:

• DNSKEY: 3600
• DS: 3600
• NSEC3: 1800
• RRSIG: Same as covered Resource Record

7. Compliance Audit

7.1 Frequency of Entity Compliance Audit

Compliance audits are conducted annually at our sole expense.

7.2 Identity/Qualifications of Auditor

Our compliance audits are performed a qualified entity which is independent from us and the Registry Operator.

7.3 Auditor’s Relationship to Audited Party

Compliance audits of our operations are performed by a qualified entity that is independent of us. Third party auditors do not participate in the multi-person control for any tasks, as stated in Section 4.2.1.

7.4 Topics Covered by Audit

The scope of our annual Compliance Audit includes all DNSSEC tasks as stated in Section 4.2.1.

7.5 Actions Taken as a Result of Deficiency

Action items that are raised as a result of compliance audits are presented to management for consideration. Management will investigate and implement corrective actions should they determine them to be necessary.

7.6 Communication Results

A report of the audit results to will be published no later than thirty (30) days after the audit.

8. Legal Matters

8.1 Fees

Not applicable.

8.2 Financial responsibility

Not applicable.

8.3 Confidentiality of business information

8.3.1 Scope of Confidential Information

The following information is kept confidential and requires privileged access as controlled by our policy:

• Secure DNSSEC information
• Audit logs
• Reports created by auditors
• Procedures
• Policies that relate to security

8.3.2 Types of Information not Considered Confidential

Information that is classified as public as part of the DNSSEC extensions to DNS are considered to be public by us and will not be subject to access restriction.

8.3.3 Responsibility to Protect Confidential Information

We are committed to the confidentiality of information and takes all measures reasonably possible to prevent the compromise of such information.

8.4 Privacy of personal information

8.4.1 Information Treated as Private

Not applicable.

8.4.2 Information not Deemed Private

Not applicable.

8.4.3 Responsibility to Protect Private Information

Not applicable.

8.4.4 Disclosure Pursuant to Judicial or Administrative Process

We shall be entitled to disclose confidential/private Information if we believe that disclosure is necessary in response to judicial, administrative, or other legal process.

8.5 Limitations of Liability

We to the extent permitted by law excludes liability for any losses, direct or indirect, punitive, special, incidental or consequential damage, in connection with or arising out of this DNSSEC Practice Statement or the actions of it or any third party (including for loss of profits, use, data, or other economic advantage), however it arises, and even if we have been previously advised of the possibility of such.

8.6 Term and Termination

8.6.1 Term

This DNSSEC Practice Statement becomes effective upon publication with the most current version being published.

8.6.2 Termination

This DNSSEC Practice Statement will be amended as required and will remain in force until it is replaced by a new version.

8.6.3 Dispute Resolution Provisions

Disputes among DNSSEC participants shall be resolved pursuant to provisions in the applicable agreements among the parties.

With the exception of injunctive or provisional relief, disputes involving us require an initial negotiation period of no less than 60 days prior to the commencement of legal action.

Subject to the foregoing, any legal action in relation to this DNSSEC Practice Statement against any party or its property may be brought in any court of competent jurisdiction in the Commonwealth of Virginia, United States of America and the parties irrevocably, generally and unconditionally submit to the nonexclusive jurisdiction of any court specified in this provision in relation to both itself and its property.

8.6.4>Governing Law

This DNSSEC Practice Statement shall be governed by and construed under the law in the Commonwealth of Virginia, United States of America.

8.6.5>Registry Jurisdiction

The Registry operates in the Commonwealth of Virginia, United States of America.