26 Whois

Prototypical answer:

26. WHOIS
26.1 Description of CONAC WHOIS System
CONAC’s WHOIS service complies with Request for Comments (RFC) 3912 and WHOIS standards in Specifications 4 and 10 of the Registry Agreement published by ICANN. CONAC provides Port-43 WHOIS, Web-based WHOIS, bulk access WHOIS and searchable WHOIS. In addition, the WHOIS system supports queries in full simplified Chinese, full traditional Chinese, simplified Chinese with ASCII, traditional Chinese with ASCII and PunyCode. CONAC will provide a RESTful WHOIS service once available in its final standardized form agreed by the IETF.

CONAC fully understands the requirements of queries and network traffic. On basis of the requirements, CONAC establishes the construction of the current WHOIS system consistent with its business model and domain name registration volume.

26.1.1 Port-43 WHOIS
The Port-43 WHOIS system is designed and implemented in accordance with RFC 3912.

The Port-43 WHOIS system receives and responds to the query information via Port-43.The format of responses follows a free text format, followed by a blank line and a legal disclaimer specifying the rights of CONAC, and of the user accessing the database. Each data object is represented as a set of key⁄value pairs, with lines beginning with keys, followed by a colon and a space as delimiters, followed by the value. For fields where more than one value exists, multiple key⁄value pairs with the same key are allowed. The first key⁄value pair after a blank line is considered the start of a new record, and is considered as identifying that record, and is used to group data together. In addition, all formats of responses including domain status, individual and organization names, address, street, city, state⁄province, postal code, country⁄region, telephone⁄fax numbers, email addresses, date and times conform to the mappings specified in EPP RFC 5730, RFC 5731, RFC 5732, RFC 5733 and RFC 5734.

If no match is found for the query, the WHOIS system will provide users with a friendly message on the response page before ending the WHOIS search.

The Port-43 WHOIS supports inquiring information about corresponding domain names, registrar and nameserver. All response formats abide by Specification 4 of the Registry Agreement, and a domain name value is shown with its PunyCode form displayed behind. Furthermore, since “.公益” TLD string has no variant, if a domain name registered at the second level shows different in traditional Chinese and simplified Chinese, both forms will be displayed in different rows. (See Table 1 of Q26_attachement for the response format)

26.1.2 Bulk Access WHOIS
CONAC provides bulk query services to meet the requirement of “Bulk Registration Data Access to ICANN” set out in Section 3 of Specification 4 of the Registry Agreement. A WHOIS data storage file will be generated one (1) day before the checking date designated by ICANN and will be made available for download by SFTP (or through other means requested by ICANN in the future). The data will be provided in the format specified in Specification 2 of the Registry Agreement. CONAC will provide ICANN with SFTP URL as well as a user name and pass code. For “Exceptional Access to Thick Registration Data” mentioned in Section 3.2 of Specification 4 of the Registry Agreement, CONAC will provide the data within two (2) business days as required.

26.1.3 Web-based WHOIS
CONAC’s Web-based WHOIS supports queries in terms of domain name, registrar and nameserver. All response formats abide by Specification 4 of the Registry Agreement, and a domain name value is shown with its PunyCode form displayed behind. Furthermore, since “.公益” TLD string has no variant, if a domain name registered at the second level shows different in traditional Chinese and simplified Chinese, both forms will be displayed in different rows. (See Table 1 of Q26_attachement for the response format)

See Figure1 of Q26_attachement for the standard query interface of the WEB-Based WHOIS.

26.1.4 RESTful WHOIS
CONAC will provide a RESTful WHOIS service once available in its final standardized form agreed by the IETF.

26.1.5 Searchable WHOIS
CONAC offers searchable WHOIS with the searchability on the web-based Directory Service, which meets the requirement of “searchable” set in Section 1.8 of Specification 4 of the Registry Agreement.

CONAC offers partial match capabilities, at least, on domain name, contacts and registrant’s name, and contact and registrant’s postal address, including all the sub-fields described in EPP (e.g., street, city, state or province, etc.);

CONAC offers exact-match capabilities, at least, on registrar id, name server name, and name server’s IP address (only applies to IP addresses stored by the registry, i.e., glue records).

CONAC offers Boolean search capabilities supporting, at least, the following logical operators to join a set of search criteria: AND, OR, NOT.

A response list with each domain name that matches the search criteria will be displayed. (See Figure2 of Q26_attachment) A page with detailed information of a domain name can be shown by clicking the “view” links at the end of each record. Such detailed information is listed in a format that complies with Specification 4 of the Registry Agreement, and a domain name value is shown with its PunyCode form displayed behind. Furthermore, since “.公益” TLD string has no variant, if a domain name registered at the second level shows different in traditional Chinese and simplified Chinese, both forms will be displayed in different rows. (See Table 1 of Q26_attachement for the response format)

Please refer to Figure3 of Q26_attachment for the Query Interface of the Searchable WHOIS.

26.2 Structure of CONAC’s WHOIS System and Topological Graph
CONAC’s WHOIS system supports IPv4 and IPv6 networks, adopts distributed deployment, raises performance by load balancing, and the structure of the WHOIS system has a feature of multi-level redundancy. (See Figure 4 of Q26_attachement for the structure of WHOIS system and topological graph)

CONAC deploys the WHOIS system into two operations centers, the primary operations center (Beijing site) and backup operations center (Chengdu site). Each site has dual-link exports and connects with IPv4⁄IPv6 networks respectively; therefore, each of the sites is capable of providing WHOIS services to all Internet users in IPv4⁄IPv6.

CONAC’s deployment of WHOIS system adopts a layered architecture. A clustered deployment has been adopted by facilities of each layer. From the dual Internet export connections to the dual redundant facilities of routers, firewalls, switches, load balancer and all elements meet the requirement of continuous operation of the WHOIS system. Currently, 2 servers (Port-43 WHOIS server and Web-based WHOIS server) have been deployed into the primary operations center. Using load balancing equipments, all ordinary WHOIS queries are balanced in the two servers. The strategy of load balancing deployment has guarantees high performance and high reliability of CONAC’s WHOIS services. The firewall has quarantined abnormal flows from the WHOIS system. In addition, two redundant WHOIS servers are available. One server is deployed with the WHOIS mirror database system (periodically synchronized with core database) and the other server is deployed with the bulk accesses and searchable WHOIS system. The server with bulk WHOIS access and searchable WHOIS system deployed is quarantined from ordinary WHOIS servers to guarantee the stable operation of the Port-43 WHOIS system and Web-based WHOIS system, and eliminate hidden troubles on system performance, which is required by ICANN regarding SLA of WHOIS service.

It should be highlighted that the bulk access WHOIS system and the searchable WHOIS system use WHOIS mirror database, for the purpose of avoiding negative effects they may bring to the performance of Port-43 WHOIS and the Web-based WHOIS that use WHOIS instances in the core database.

26.2.1 Interconnectivity to Other Registry Systems
The WHOIS system has interconnectivity only to the Shared Registration System (SRS), and does not connect to others in the registry system. SRS duplicates relevant domain name data to WHOIS instances in the core database and WHOIS mirror databases via its WHOIS data synchronization interface function.

26.2.2 Frequency of Synchronization between Servers
SRS performs the above data duplications in every 15 minutes, and ensures that each duplication takes no more than 15 minutes.

26.3 Laws and Policies to Protect Sensitive WHOIS Information
CONAC will abide by laws and regulations regarding national security, business secrets and individual privacy, and will develop policies to protect private and confidential information of registrants and users. In line with ICANN’s registry agreement requirements, the main contents of the CONAC policy include but are not limited to:

CONAC strict Pre-registration Qualification Procedures (PQP) and Continuous Compliance Mechanism (CCM) (See Section 28.5.1 for details), according to which the registrars require registrants to show their Organization Code Certificate, Certificate of legal entity and provide information regarding the functions, objectives and business scopes of the applicant organization when registering, changing and deleting a “.公益” domain name. The additional information will not be displayed in WHOIS. CONAC enforces strict administrative and technical measures to protect private and confidential information, and guarantees that the registrant information will not be disclosed or used illegally.

CONAC follows strict internal specifications and requires the registrar to take reasonable measures to prevent private and⁄or confidential information of registrants from unauthorized disclosure, loss, abusive use, tampering or destruction.

CONAC will require that registrars seek approval from registrants before gathering and using the personal data and legal entity data in the registration information.

CONAC will only use or give authorization to use the personal data and legal entity data in line with the previous policy in a way that is compatible with its policies and any notice provided to the registrars.

Additionally, CONAC will implement practical policies to encourage “.公益” domain name holders to effectively safeguard personal data of their website visitors (including ID number, telephone number, bank account, permanent address, etc.), and to extensively mitigate the risks of illegal disclosure and use of privacy information.

To ensure the confidentiality of data hold, CONAC has established security management regulations, created a dedicated position in information security and strengthened its internal control mechanisms. In accordance with ICANN regulations, CONAC will not disclose any private and⁄or confidential information to a third party without the permission of the registrant. CONAC will protect private and⁄or confidential information from wrongful appropriation by deploying security measures on the registry system, especially the core database.

CONAC currently implements a “Thick WHOIS”, and abides by ICANN’s WHOIS policies. CONAC has developed processes to ensure legitimate access to the WHOIS database and to prevent data mining of registrant details and confidential information. CONAC deploys technical measures to prevent illegal use of registrant information. For example, CONAC adopts verification codes to prevent automated bulk WHOIS queries.

26.4 Abuse Prevention
CONAC defines the forms of potential WHOIS abuses to include: 1. users conducting improper and frequent access of the WHOIS system, decreasing the efficiency of WHOIS queries of the majority of users; 2. some users illegally make use of the large amount of data obtained from the WHOIS database.

To prevent abusive use of the WHOIS, CONAC performs the following preventive actions:

1. For frequent accesses of the WHOIS system
1) To limit query frequency of a single IP address
For Port-43 WHOIS, the system limits the number of single-IP-queries per unit time, e.g. 5 times per minute.

2) To prevent malicious Web access
For a standard query to the Web based WHOIS, the primary solution to malicious access prevention includes adding a verification code image on the query page.

3) To give authorization to access mass WHOIS data
Considering the requirements of users who have reasonable requirements to access CONAC’s WHOIS system with single IP address, and to use CONAC’s searchable WHOIS, CONAC will offer higher authorities to users who have reasonable requirements through a certification procedure.

The authority has two types:

(1) Permission to access SFTP. CONAC will offer SFTP, permitting WHOIS bulk accesses.
(2) Permitting the use of advanced search services of Searchable WHOIS, CONAC sets permissions for unlimited queries within a limited time frame.

CONAC regulate the Delegation of Permissions⁄Authorities as follows:
(1) All applications shall be submitted by filing out the application form online. The application process is open to the public. A specification of application procedure and the application form are available at CONAC’s official website (http:⁄⁄www.conac.cn).
(2) All applicants shall promise not to use the data for marketing purposes, spam or other improper or illegal uses.
(3) For those users who apply for authorities to access the search functions of the searchable WHOIS, the pass-codes will be delivered to the approved applicants through e-mails or facsimiles.
(4) For those authorized users who will have time limitation associated with their access to the search functions of the searchable WHOIS, CONAC will set the time limitation to one month, and can re-issue the authorization pass-code after expiration.
(5) In order to the limitation on single IP accessing times, CONAC requires a mutual agreement signed by the two parties. All applicants may download the agreement (http:⁄⁄www.conac.cn), and send the original signed copies to CONAC. The authority will be given after CONAC’s confirmation of the receipt of the agreement and relevant fees.

2. Terms of Use of Mass WHOIS Data
CONAC posts the Terms of Use of WHOIS Data (clarifying the rights of the registry and database users) to prevent abuses from a legal and policy perspective.

26.5 Specifications for Software Development
The WHOIS system is developed independently by CONAC R&D Department which holds ISO27001 and ISO9001 the certificates of, and has a strong capability for software development. CONAC develops software in strict compliance with Software Development Life Cycle (SDLC), reviews and audits software products and development activities on basis of Software Quality Assurance (SQA) to ensure all software meet relevant standards. During the planning phase, CONAC defines development scope, schedule, and cost. During the demand analysis phase, CONAC proposes business demands and performance demands based on Service Level Agreement (SLA). During software designing, programming and software testing, CONAC reviews and audits the software products and development activities to ensure the quality of the software. The outcomes of the project including the design document, source code, testing report and user guide and so on shall be submitted to CONAC. CONAC performs business test, performance test, and security test of the software in its own testing systems, then deploys the software that passes the tests in the production environment for operation, and continues to provide maintenance and technical supports.

The WHOIS system has been completely constructed by CONAC and has passed internal acceptance tests. The testing statistics show that the WHOIS system meets the requirements including 98% availability, less than 2000 ms of RTT in 95% of all WHOIS queries, and guarantee processing of at least 530,000 queries per day (4.63 queries per second). CONAC has invited a third party that complies with ISO17025 to evaluate the WHOIS system.

The WHOIS system contains the function of searchable WHOIS.

26.6 Resourcing Plan
26.6.1 Allocation of Human Resources
CONAC allocates 16 staff in terms of marketing, customer support, engineering, general affairs and administrations to this area.

1 CTO, responsible for proposing WHOIS software requirement, system designs, project management, as well as the acceptance test, deployment and ongoing operations of the WHOIS system;

1 CFO, responsible for financial planning and reviewing relating to WHOIS software development;

1 COO, responsible for administrations relating to WHOIS operations;

4 software engineers (software engineer role A: 2 staff, role B: 1 staff, role C: 1 staff), responsible for WHOIS software design, programming, system test, document drafting related to project management, system deployment and ongoing system operations and upgrades;

1 system engineers (system engineer role B: 1 staff), responsible for system monitoring;

1 system administrator, responsible for device planning and management;

2 financial auditors (finance role B: 1 staff, role C: 1 staff), responsible for financial activities relating to giving access authorizations of the WHOIS system;

1 marketing staff (marketing staff role B: 1 staff), responsible for introducing procedures, policies and regulations regarding WHOIS services, promoting brand values and expending market share.

1 legal staff (legal staff role B: 1 staff), responsible for dealing with legal disputes relating to operations of the WHOIS system;

2 customer support staff (customer support role C: 2 staff), responsible for complaints management and customer services;

1 international relations staff (international relations role A: 1 staff), responsible for assisting the system engineer to communicate with ICANN, and helping to provide customer support to overseas users;

All the aforementioned staff are currently in place. Detailed skillset requirements on the staff can be found in section 31.3.3 in the response to Question 31.

CONAC continuously monitors WHOIS workload, and more people will be added if the human resources are found insufficient.

26.6.2 Cost of the Resource Allocation
The construction of the WHOIS system requires 8 servers, necessary network devices, broadband connections and relevant software, etc.. Please refer to the response to Question 32 for details.

Costs of resources allocation are detailed in costs and capital expenditure of Question 46, 47a and 47b. CONAC regularly monitors the change of WHOIS business scale, if the WHOIS workload reaches 50% of the system capacity, CONAC will deploy additional facilities as necessary.

Similar gTLD applications: (1)