29 Rights Protection Mechanisms

Prototypical answer:

During pre-launch phase, there will be one 30-day sunrise period (ʺ.BOM sunrise 1ʺ) where Trademark Clearing House sunrise services will be used and only organizations with ownership of a mark (which can be a Trademark Clearinghouse-validated word mark, a court-validated word mark or an specifically statute⁄treaty protected word) accompanied with sufficient data to document these rights, and representation that all provided information is true and correct, will be allowed to pre-register a .BOM domain. Possible conflicts where more than one rights holder to an specific mark pre-register a domain will be resolved on a first-come⁄first-serve basis.

After sunrise 1, .BOM will be taken into production status so the next registration phases can benefit of the Trademark Clearing House Claims services.

A sunrise period ((ʺ.BOM sunrise 2ʺ) where owners of .br domains registered prior to April 29 2012 can pre-register a matching .BOM domain will be provided. Possible conflicts as .br registrations occur on the third-level (so there is the possibility of example.com.br and example.net.br owners wanting example.BOM)will be resolved by letting only the oldest active registration on the .br that matches the name being registered to benefit of this sunrise period.

ʺ.BOM sunrise 3ʺ will be open to all registrants to provide level-playing opportunities in bidding for generic words. Every domain name that receives a bid will be added to a public list showing domain names and current number of bids so everyone else can also bid for that name.


Sunrise 2 and sunrise 3 will add for a period of at least 60 days. During such sunrises, Trademark Clearing House Trademark Claims services will be used to provide prospective registrants notice of the presence of a match on the Trademark Clearinghouse database, and to require that the prospective registrant acknowledges being notified, receiving, understanding and disclosing that to the best of the prospective registrant knowledge the registration and use of the requested domain name will not infringe on the rights that were subject of the notice.

Post-registration rights protection mechanisms in .BOM will include URS (Uniform Rapid Suspension), UDRP (Uniform Domain-dispute Resolution Policy) and PDDRP (Post-Delegation Dispute Resolution Procedure). URS, UDRP and PDDRP shall be part of ʺNúcleo de Informação e Coordenação do Ponto BR - NIC.brʺ registry agreement with ICANN, working with ICANN-appointed dispute resolution providers.

Resourcing for these protections mechanisms include technical resources of NIC.br to connect to the Trademark Clearinghouse, financial resources of NIC.br to pay for the connection for the Trademark Clearinghouse, and the personnel resources of NIC.br legal staff.

Additional measures that also contribute to rights protection are the .BOM registrant data (WHOIS) policy, prevention of abuse policy, abuse handling procedures, take action procedures, prevention of abusive transfer⁄cancelation and glue records management, detailed below.

.BOM Registrant Data (WHOIS) Policy:

ʺThe registrant shall provide and update the required personal data and⁄or business data so they always reflect real and valid information. Use of false, invalid, incorrect or data belonging to a third party can invalidate the contract and incur cancelation of the domain, besides law-defined penalties and liabilities. If requested by ʺNúcleo de Informação e Coordenação do Ponto BR - NIC.brʺ, either directly or through a registrar, the registrant shall provide certified documents and or update data in order to maintain WHOIS accuracy. Failing to provide timely responses for documents or data update requests can cause suspension (defined as the removal of domain publication within the DNS system) or cancelation of the domain.

In all domains that are registered by a brazilian individual or organization, the registrant needs to be uniquely identified by a document ID, which can be CPF (individual) or CNPJ (organization). This document must also be valid according to the brazilian
internal revenue service.

Registration implies agreeing with legally-binding responsibilities for the domain; such responsibilities cannot be transferred to a third party without transferring the domain itself and such transaction reflected in the WHOIS data. Domains registered in the name of a person or an organization will be considered to belong to such person or organization, so registrants need to carefully consider if proxy services could bring ownership risks to them. ʺ



.BOM Prevention of Abuse Policy:

ʺThe registrant agrees to use the .BOM domain being registered or renewed only for lawful and non-abusive purposes.
NIC.br defines abuse as the bad, wrongful or excessive use of privileges or power including but not limited to:
- Botnet command and control (a command and control infrastructure to manage a group of infected computers that receives orders from unauthorized users(s) through the network) ;
- Child entrapment or abuse ;
- Distribution of child pornography ;
- Deployment of circular references within the Domain Name System (DNS) using resources of NIC.br and⁄or other Top Level Domains (TLDs) ;
- Fast flux hosting (rapidly changing DNS records in order to prevent detection or mitigation of an abuse);
- Phishing (unsolicited communication or Web page that poses as being from a known institution to trick users into disclosing personal, privileged or financial data);
- Sending unsolicited bulk messages thru electronic mail, forums, instant messaging, mobile messaging, social networks or comment boxes ;
- Theft of any online service ;
- Unlawful or fraudulent actions ;
- Willful distribution of malware (any kind of software that executes malicious action on a computer system, like virus, worms, bots, trojan horses and root kits).ʺ
ʺ


----------------------------------

Abuse handling procedures:


Abuse detection procedures will include:
- An e-mail box abuse@nic.BOM to receive abuse complaints ;
- A web form to receive abuse or take action complaints ;
- An optional anonymized web form to receive take action complaints that can be verified by NIC.br with no corroboration ;
- Automated analysis of malware and phishing URL feeds including both public sources and association sources. NIC.br, thru its security area called CERT.br, is a member of the Anti-Phishing Working Group (APWG); the SpamPots project; the brazilian honeypot consortium organizations; FIRST (Forum of Incident Response and Security Teams) and a few research projects with brazilian universities. Results of automated analysis or information gathering generate abuse cases that will be dealt manually.
- A ticketing system to integrate, measure the service-level and manage the complaints from all three ways above.

Target service-level for abuse and take action complaints is to set a course of action within 30 minutes for 50% of the complaints, up to 8 hours for 75% of the complaints and up to 24 hours for 99% of the complaints. Staffing for this system will include at least 3 full-time employees (1 registry security officer and 2 registry security shift analysts) and will be shared among all TLDs (Top-Level Domains) managed by NIC.br, including but not limited to .BOM and .br. Abuse and take action complaints from law enforcement will be given priority and skip queues.

-----------

.BOM Take Action procedures:

ʺAs soon an abuse issue is found, in all cases an administrative procedure will be started to verify documentation of the registrant if none has been received before. For each case one or more of these actions might apply:
- Remove DNS publication of the domain in cases where domain appears as only being used to exploit phishing, malware, bonnet command and control, fast-flux hosting, DNS circular references, child pornography distribution, child abuse and entrapment;
- Notice of abusive case to registrant ;
- Notice of abusive case to registrar ;
- Notice of abusive case to hosting provider(s) ;
- Notice of abusive case to appropriate computer incident response team ;
- Notice of abusive case to appropriate law enforcement authorities.

Preemptive measures like removing DNS publication will only be done to prevent further damages to the Internet community or endangered individuals and will have collateral damages of such actions assessed prior to reaching such a decision.ʺ


------------------------

.BOM prevention of abusive transfer and⁄or cancellation:

Transfer tokens will be required to perform domain transfers; registrars will be encouraged to validate the transfer or cancellation through secondary channels. Frequent occurrence of abusive transfer and⁄or cancellations at an specific registrar can trigger a compliance investigation by NIC.br and sending of an informative notice to ICANNʹs compliance area .

-------------------

Measures for dealing with glue records:
Internet Protocol (IP) address is this context refer to both IPv4 or IPv6 regardless of IP protocol version

- Host records wonʹt be allowed outside of domain objects. Glue records are only allowed as domain attributes and only allowed to be in-zone glue records (i.e, ns.example.BOM for a example.BOM domain)
- When a domain is removed from publication all of its glue records are also removed, so no orphan glue records can exist.
- When a domain is registered the supplied DNS servers are tested to validate proper authoritative response; DNS delegation requires previous authoritative DNS configuration. This prevents amplification attacks that could arise by setting DNS glue records to victim IP addresses.
- If an IP address used to be a DNS server moves to a new delegated organization there might be undesirable traffic towards that address. Take action notices for such glue records, even they are not orphaned, will be accepted from the RIR(Regional Internet Registry) registered WHOIS contact for that address space.
- As only in-zone non-orphan glue records are allowed, any evidence of a glue record being part of malicious conduct will be considered as malicious conduct of the domain it belongs to and will subject such a domain to anti-abuse or take action policies.

Similar gTLD applications: (1)