23 Provide name and full description of all the Registry Services to be provided
Prototypical answer:
gTLD: .삼성 | Full Legal Name: SAMSUNG SDS CO., LTD | E-mail suffix: yesnic.com
1. Overview
For the registry service to operate stably, the core factors are the following.
- Stable receipt of domain registration data from registrars
- Periodic distribution of TLD zone data based on the registered domain information
- Distribution and service of domain registration and related information (Whois)
- IDN service where required
- DNSSEC security service
A brief explanation of each is given below, in the order SRS & EPP, DNS, Whois, IDN and DNSSEC.
2. SRS & EPP
SAMSUNG SDS entrusts the registry system operation of the gTLD dot 삼성 (".삼성") to the Korean ccTLD operator, Korea Internet & Security Agency ("KISA"). SAMSUNG SDS expects to reduce the load of initial operation and minimize errors, since KISA, an agency that successfully operates 1.3 million domain names, is already equipped with the domain registry system for dot KR (".KR") and dot 한국 (".한국", the IDN ccTLD).
Leveraging the expertise gained from operating the Korean ccTLD, KISA's services speed up resolution times, increase reliability, enhance security, protect information, and provide stability to dot KR (".KR") and dot 한국 (".한국", IDN ccTLD). These services include core functions such as conformance to registry-registrar models and protocols, zone file generation and distribution, billing and collection, data escrow and backups, a publicly accessible WHOIS service, technical and customer support, and redundant physical locations.
KISA has an experienced technology management team leading expert staff of technical support, customer service, and product management specialists who assist registrars and registrants every day of the year. This disciplined team has created well-defined processes that allow it to avoid emergencies and to address issues quickly as they arise.
KISA has already established a comprehensive plan to operate the dot 삼성 (".삼성") gTLD. It is based on the technology and know-how gained from operating the Korean ccTLD, and it covers DNS, continuous WHOIS service, and the EPP communication process.
KISA's Main Center is operated and maintained to telecommunications-carrier grade. All server and network equipment is deployed as dual systems, while the backup center is installed in KT (Korea Telecom)'s data center, geographically separated, allowing real-time backup.
The Main Center's networks have a dual structure. The outer networks connected to the two routers consist of one 45 Mbps link and one 1 Gbps link. The two networks connected to each router pass through a firewall and switch to connect to the inner system. The two outer networks work simultaneously in an "Active-Active" state, and one takes over the other's work when there is a problem with one of them.
The inner system of KISA's Main Center is likewise a dual system: the EPP Gateway Server, Application Server, Domain Application Server and Database Server are each deployed as two sets. Each set of systems is in an "Active-Active" state, meaning both sides work under normal conditions and one side processes all work if there is a problem with the other.
The Backup Center is installed in a data center that is geographically separated. The two sets of systems in the Main Center are operated in an "Active-Active" state, and the Backup Center's system, which has only one set, is backed up in real time.
The Main Center and Backup Center are connected by a VPN (Virtual Private Network). Over the VPN, all backup data is sent safely in real time through an encrypted channel. If there is a problem with the SRS of both sets in the Main Center, tasks can be processed normally through the backup system.
The two sets of the SRS system in the Main Center and the one set in the Backup Center are maintained in an active state, enabling real-time synchronization.
The firewall is configured so that only a registrar's permitted IP addresses may access the SRS system. Only parties verified under a Registry-Registrar Agreement (RRA) may access the SRS (EPP) system.
As of March 2012, usage of the network and of each system is below 30%, while KISA's dot KR (.KR) and dot 한국 (.한국) serve about 1.3 million domains.
The dot 삼성 (".삼성") gTLD will be operated on the same system, and about 12,000 domain name registrations are expected within the first three years of service. As this does not exceed KISA's system capacity, no additional network or system installation is required for the operation.
3. TLD Zone File Distribution
DNS service is one of the core functions of the registry. Like the other services, the DNS service of the dot 삼성 (".삼성") gTLD uses KISA's system. KISA has a global service system with 8 name server sites in Korea and 6 name server sites located on each continent. A DDoS protection machine that can detect and block DDoS attacks is installed at the DNS sites. Of the overseas DNS sites, a DDoS protection machine is installed in Germany and Singapore, and the other sites are planned to have the machine installed in 2014.
DNS consists of three stages: zone file generation, which builds the necessary information from the domain database; publication, which writes the generated data to the master DNS server; and distribution of the zone file to the name servers that users access.
Zone File Distribution / Update
The system updates the zone file every hour. The database in the zone file distribution server is replicated continuously to the zone update database in each name server through a secure channel. The update package is sent together with a checksum and serial number, compressed and encrypted, so that data integrity and confidentiality can be verified.
Whenever a name server is updated, the checksum and serial number are compared against the final state of the zone file to verify that the zone file in the registry system matches that of the name server. When the checksum reveals an error, a request is sent to the registry system to replicate the full zone file to the name server. In normal update processing the full zone file is never redistributed; however, this capability must be provided to restore zone data after an unexpected event. When such a situation arises, it can delay the distribution of zone file updates. Figure 35-3 (Article 35) shows the flows by which each name server updates from the zone update database.
KISA's currently operated DNS system is expected to serve SAMSUNG SDS's new gTLD as well. SAMSUNG SDS expects the number of registered domains in the first three years to be below 12,000. As this is less than a 1% ratio compared to the 1.3 million domain names of dot KR and dot 한국 (IDN) that KISA currently runs, no heavy load on KISA's system is expected.
System usage and details of the 14 DNS sites operated by KISA are continuously monitored, and the system specifications, network bandwidth and IP addresses (IPv4, IPv6) of the 14 DNS site systems, including the backup site, are managed.
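The following is an added example, not part of the application or KISA's software, illustrating the update flow just described: a registry ships serial-numbered incremental packages with a checksum of the full zone, and a name server that detects a checksum mismatch falls back to requesting full replication. The zone contents, the JSON package layout and the use of zlib in place of the real compressed and encrypted transport are all assumptions of the example.

```python
import hashlib
import json
import zlib

# Constructed sample zone for illustration: {owner name: list of RR strings}.
# Names and addresses are placeholders, not KISA or .삼성 data.
REGISTRY_ZONE = {
    "xn--cg4bki.": ["NS ns1.example."],
    "ns1.example.": ["A 192.0.2.1"],
}


def zone_checksum(zone):
    """SHA-256 over a canonical rendering of the whole zone. Stands in for the
    checksum the text says travels with every update package."""
    canon = "\n".join(f"{n} {rr}" for n in sorted(zone) for rr in sorted(zone[n]))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_update(serial, changes, zone_after):
    """Registry side: serial + incremental changes + checksum of the full zone
    after the changes. zlib stands in for the compression step; the encryption
    of the package described in the text is left out here."""
    body = {"serial": serial, "changes": changes, "checksum": zone_checksum(zone_after)}
    return zlib.compress(json.dumps(body).encode("utf-8"))


class NameServer:
    def __init__(self, zone, serial):
        self.zone = {n: list(rrs) for n, rrs in zone.items()}
        self.serial = serial
        self.full_reloads = 0   # how often full replication had to be requested

    def apply_update(self, package, fetch_full_zone):
        """Apply one package; on checksum mismatch fall back to full replication."""
        pkg = json.loads(zlib.decompress(package))
        if pkg["serial"] <= self.serial:
            return "ignored"  # stale or replayed package
        for op, name, rr in pkg["changes"]:
            if op == "add":
                self.zone.setdefault(name, []).append(rr)
            elif op == "del" and rr in self.zone.get(name, []):
                self.zone[name].remove(rr)
                if not self.zone[name]:
                    del self.zone[name]
        if zone_checksum(self.zone) != pkg["checksum"]:
            # Incremental state has drifted from the registry: request the full zone
            self.zone = {n: list(rrs) for n, rrs in fetch_full_zone().items()}
            self.full_reloads += 1
        self.serial = pkg["serial"]
        return "ok"
```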
4. Whois
The Whois service provides information such as the registrant and expiration date of a registered domain name by looking up the domain name's information. The service is provided by extracting and processing data from the SRS internal database and storing it in the data repository of the Whois server.
- Real-time Whois information update function
- Centralized Whois data repository
- Whois data and service delegation through the standard port 43
- Publication function for Whois information delegation
- Web-based Whois access service for Internet users
- Hierarchical system for the stability of the Whois service
- Security function for Whois information distribution
The Whois service of dot 삼성 (".삼성") is provided through either the Web (port 80) or the standard port 43. The Web service can query domain names, registrars, and name servers, while port 43 can only query domain names.
For both Web and port 43, the Whois service returns results by searching the Whois system DB immediately when a user submits a query, so there is no separate synchronization mechanism for the Whois server. Data extracted from the SRS DB for Whois searches is also applied in real time to the Whois distributor whenever there is a change.
Measures to prevent abuse of Whois information are also being prepared; details are given in Article 26.
5. IDN (Internationalized Domain Names)
SAMSUNG SDS will try to minimize problems that may arise from IDN requirements, procedures and usage. For the operation of IDN, SAMSUNG SDS complies with the IETF RFC standards (RFC 5890, RFC 5891, RFC 5892, RFC 5893, RFC 5894).
The registrant submits a registration application for the desired IDN through the registrar. Once the registrar sends the IDN registration application to the registry, the registry determines whether the IDN is composed of characters permitted by SAMSUNG SDS's registry policy. Then, according to RFC 5891, the U-label is converted to an A-label by Punycode conversion, and the A-label is stored in the registry DB.
The registry generates and applies a zone file in the DNS server with the domain name converted to the A-label as stated above. In accordance with the IETF IDNA standard, each application converts the IDN's U-label to an A-label and queries DNS. For this query, the dot 삼성 (".삼성") DNS server responds with the IP address for the A-label.
SAMSUNG SDS plans to entrust operation to KISA, which currently operates approximately 350 thousand IDNs, and to share with KISA its IDN character policy, monitoring measures, and policy for minimizing problems in IDN operation.
In accordance with SAMSUNG SDS's registration policy, only domain names consisting of the following characters are allowed for registration.
A domain name must be composed of a combination of complete Hangul syllables [11,172 characters], letters [A-Z], [a-z], digits [0-9] and the hyphen [-].
The A-label of a domain name must be between 3 and 63 characters. If Hangul is included, the domain name must be between 1 and 17 characters.
A domain name must not start or end with a hyphen, and it must not have two consecutive hyphens as the third and fourth characters.
The Hangul syllables are a table of characters permitted by RFC 5892; they are the 11,172 characters used in modern Korean, which is the same range of IDN characters permitted by KISA.
SAMSUNG SDS shares its IDN registration policy and operational problems with KISA, and KISA investigates domains that violate the registration policy and name server configuration errors. Through this research and analysis by KISA, potential problems of IDN operation can be shared between SAMSUNG SDS and KISA and fed back into the IDN policy.
Through discussion with the IETF IDNAbis Working Group, Hangul characters other than the Hangul syllables were excluded from the characters permitted in IDNs, to prevent Hangul spoofing attacks. Therefore, by limiting the characters permitted in IDNs to Hangul syllables only, SAMSUNG SDS prevents attacks that exploit the visual similarity of Hangul.
By blocking IDN registrations that use characters other than Hangul, SAMSUNG SDS prevents the problems that can be caused by IDNs in other scripts. Since Hangul is a phonogram, there is no other character with the same shape, and since Hangul is not an ideogram like Chinese characters, there is no phenomenon of characters having the same meaning but different shapes.
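As an added example (not the registry's own code), the registration rules listed above can be expressed as a single label check: only precomposed Hangul syllables, ASCII letters, digits and hyphen are accepted, the length and hyphen rules are applied, and an accepted label is converted to its A-label with Punycode as RFC 5891 requires. The syllable range U+AC00..U+D7A3 is the standard Unicode block of 11,172 modern syllables; the rejection messages and the decision to reject compatibility Jamo are assumptions of the example.

```python
import re

# The 11,172 precomposed modern Hangul syllables (U+AC00..U+D7A3), the block
# the text says RFC 5892 permits and KISA uses. Other Hangul (Jamo) is rejected.
HANGUL_SYLLABLES = range(0xAC00, 0xD7A4)
ASCII_LDH = re.compile(r"[A-Za-z0-9-]")


def is_hangul_syllable(ch):
    return ord(ch) in HANGUL_SYLLABLES


def to_a_label(u_label):
    """RFC 5891 U-label -> A-label: pure ASCII labels pass through; any other
    label is Punycode (RFC 3492) behind the "xn--" ACE prefix."""
    if u_label.isascii():
        return u_label.lower()
    return "xn--" + u_label.lower().encode("punycode").decode("ascii")


def check_label(label):
    """Apply the registration rules quoted in the text to one submitted label.
    Returns (True, a_label) when accepted, or (False, reason) when rejected."""
    if not label:
        return False, "empty label"
    for ch in label:
        if not (is_hangul_syllable(ch) or ASCII_LDH.fullmatch(ch)):
            return False, f"character U+{ord(ch):04X} is not permitted"
    if label[0] == "-" or label[-1] == "-":
        return False, "label must not start or end with a hyphen"
    if label[2:4] == "--":
        return False, "hyphens in the third and fourth position"
    if any(is_hangul_syllable(ch) for ch in label):
        if not 1 <= len(label) <= 17:
            return False, "a label containing Hangul must be 1 to 17 characters"
    elif not 3 <= len(label) <= 63:
        return False, "an ASCII label must be 3 to 63 characters"
    a_label = to_a_label(label)
    if len(a_label) > 63:
        return False, "A-label exceeds 63 characters"
    return True, a_label
```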
6. DNSSEC
KISA, which operates the dot 삼성 system, conducts continuous DNSSEC research and has experience applying and operating DNSSEC on the dot KR domain. By following KISA's DNSSEC management policy for the application and operation of DNSSEC on dot 삼성, SAMSUNG SDS seeks to minimize errors and faults caused by inexperience in the initial operation of DNSSEC.
To perform DNSSEC application and operation effectively, KISA has a DNSSEC system administrator, a DNSSEC system manager, and other personnel.
Public key pairs are required for the adoption of DNSSEC, and they are divided and managed as a "Key Signing Key (KSK)" and a "Zone Signing Key (ZSK)" depending on what they sign. The ZSK is used to sign the record data within the domain zone file. The KSK signs only the DNSKEY record of the domain zone data, which contains the domain's public keys.
The KSK is designed to securely join the domain zone to the Internet's domain security system, and to strengthen the domain zone's security it is preferable for the KSK to be as large as possible. However, if the ZSK is too big, computing resource usage for the cryptographic operations increases.
Therefore, the KSK is set to 2,048 bits and the ZSK to 1,024 bits. In exchange, keys are in principle updated frequently, with a period of about three months.
In addition, to detect any falsification of the zone's domain information, the zone is signed using the NSEC3 method, which hashes the domain names. Signing uses the OPT-OUT method to minimize the resulting load, meaning that each domain name in the zone adopts DNSSEC selectively. The algorithm used is NSEC3-RSASHA1, and the signing directory is created and managed separately from the DNSSEC key storage directory.
The DNSSEC key storage directory is created and managed separately from the directories in which each zone is located. KISA already operates approximately 1.3 million domain names in collaboration with registrars, so it will have no problem maintaining the 12,000 domain names of dot 삼성 (".삼성").
Personal data security, facility security, network information security, disaster recovery management, etc. are operated under the "Internet Address Main Center Information Security Policy".
When the Delegation Signer resource record (DS RR) changes due to a change of the KSK of the dot 삼성 (".삼성") zone, a domain delegation modification application will be submitted to IANA so that the modification can be applied.
For continuous DNS operation and stable DNSSEC operation, the current condition is continuously monitored and reports are written on a regular basis.
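To show what the NSEC3 hashing mentioned above actually publishes, here is an added example (not KISA's or SAMSUNG SDS's code) that computes RFC 5155 hashed owner names and links them into the sorted NSEC3 chain a signed zone carries. Owner names are assumed to be A-labels already; the salt and iteration count are the RFC 5155 Appendix A test values, not KISA's operational settings, and the OPT-OUT flag on the records is not modelled.

```python
import base64
import hashlib

_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6): lowercase,
    length-prefixed labels ending with the root label. Names are A-labels here."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Base32 with the Extended Hex alphabet (RFC 4648), unpadded, lowercase."""
    out = base64.b32encode(data).translate(bytes.maketrans(_B32_STD, _B32_HEX))
    return out.rstrip(b"=").decode("ascii").lower()


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = SHA-1(name || salt), IH(k) = SHA-1(IH(k-1) || salt);
    the zone publishes base32hex(IH(iterations)) in place of the name itself."""
    digest = hashlib.sha1(owner_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_chain(names, salt, iterations):
    """Hashed owner names in canonical order, each paired with the 'next hashed
    owner name' it would carry: the closed chain used to deny that a name exists."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]
```

Under OPT-OUT, unsigned delegations are simply absent from `names`; the covering record's flag bit, not modelled here, tells resolvers that such gaps may contain insecure delegations.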