| RFC 8909 | Registry Data Escrow | November 2020 |
| Lozano | Standards Track | [Page] |
This document specifies the format and contents of data escrow deposits targeted primarily for domain name registries. The specification is designed to be independent of the underlying objects that are being escrowed, and therefore it could also be used for purposes other than domain name registries.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8909.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Registry Data Escrow (RDE) is the process by which a registry periodically submits data deposits to a third party called an escrow agent. These deposits comprise the minimum data needed by a third party to resume operations if the registry cannot function and is unable or unwilling to facilitate an orderly transfer of service. For example, for a domain name registry or registrar, the data to be deposited would include all of the objects related to registered domain names, e.g., names, contacts, name servers.¶
The goal of data escrow is higher resiliency of registration services, for the benefit of Internet users. The beneficiaries of a registry are not just those registering information there but also the users of services relying on the registry data.¶
In the context of domain name registries, registration data escrow is a requirement for generic Top-Level Domains (gTLDs) (e.g., Specification 2 of the ICANN Base Registry Agreement; see [ICANN-GTLD-RA-20170731]), and some country code TLD (ccTLD) managers are also currently escrowing data. There is also a similar requirement for ICANN-accredited domain registrars.¶
This document specifies a format for data escrow deposits independent of the objects being escrowed. An independent specification is required for each type of registry/set of objects that is expected to be escrowed.¶
The format for data escrow deposits is specified using version 1.0 of the Extensible Markup Language (XML) as described in [W3C.REC-xml-20081126], and XML Schema notation as described in [W3C.REC-xmlschema-1-20041028] and [W3C.REC-xmlschema-2-20041028].¶
Readers are advised to read Section 2 ("Terminology") carefully to understand the precise meanings of Differential and Incremental Deposits, as the definitions used in this document are different from the definitions typically used in the domain of data backups.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In the past few years, the issue of registry continuity has been carefully considered in the gTLD and ccTLD spaces. Various organizations have carried out risk analyses and developed business continuity plans to deal with those risks, should they materialize.¶
One of the solutions considered and used, especially in the gTLD space, is Registry Data Escrow as a way to ensure the continuity of registry services in the extreme case of registry failure.¶
So far, almost every registry that uses Registry Data Escrow has its own specification. It is anticipated that more registries will be implementing escrow, especially with an increasing number of domain registries coming into service, adding complexity to this issue.¶
It would seem beneficial to have a standardized specification for Registry Data Escrow that can be used by any registry to submit its deposits.¶
While the domain name industry has been the main target for this specification, it has been designed to be as general as possible.¶
Specifications covering the objects used by registration organizations shall identify the format and contents of the deposits a registry has to make, such that a different registry would be able to rebuild the registration services of the former, without its help, in a timely manner and with minimum disruption to its users.¶
Since the details of the registration services provided vary from registry to registry, specifications covering the objects used by registration organizations shall provide mechanisms that allow extensibility to accommodate variations and extensions of the registration services.¶
Given the requirement for confidentiality and the importance of accuracy of the information that is handled in order to offer registration services, parties using this specification shall define confidentiality and integrity mechanisms for handling the registration data.¶
Specifications covering the objects used by registration organizations shall not include in the specification transient objects that can be recreated by the new registry, particularly those of delicate confidentiality, e.g., DNSSEC KSK/ZSK (Key Signing Key / Zone Signing Key) private keys.¶
Details that are a matter of policy should be identified as such for the benefit of the implementers.¶
Non-technical issues concerning data escrow, such as whether to escrow data and for what purposes the data may be used, are outside the scope of this document.¶
Parties using this specification shall use a signaling mechanism to control the transmission, reception, and validation of data escrow deposits. The definition of such a signaling mechanism is outside the scope of this document.¶
The XML namespace prefix "rde" is used for the namespace "urn:ietf:params:xml:ns:rde-1.0", but implementations MUST NOT depend on it; instead, they should employ a proper namespace-aware XML parser and serializer to interpret and output the XML documents.¶
The XML namespace prefixes "rdeObj1" and "rdeObj2", with the corresponding namespaces "urn:example:params:xml:ns:rdeObj1-1.0" and "urn:example:params:xml:ns:rdeObj2-1.0", are used as example data escrow objects.¶
Numerous fields indicate "dates", such as the creation and expiry dates for objects. These fields SHALL contain timestamps indicating the date and time in UTC, specified in Internet Date/Time Format (see [RFC3339], Section 5.6) with the time-offset parameter specified as "Z".¶
The format for data escrow deposits as produced by a registry is defined below. The deposits are represented in XML (Section 6). Only the format of the objects deposited is defined. This document does not prescribe the method used to transfer such deposits between the registry and the escrow agent or vice versa.¶
The protocol intends to be object agnostic, allowing the "overload" of abstract elements using the "substitutionGroup" attribute [W3C.REC-xmlschema-1-20041028] of the XML Schema element to define the actual elements of an object to be escrowed.¶
The specification for each object to be escrowed MUST declare the identifier to be used to reference the object to be deleted or added/modified.¶
The container or root element for a Registry Data Escrow deposit is <deposit>.¶
The <deposit> element contains the following attributes:¶
A REQUIRED "type" attribute that is used to identify the kind of deposit:¶
The <deposit> element contains the following child elements:¶
A REQUIRED <watermark> element contains the date-time [RFC3339] corresponding to the Timeline Watermark of the deposit.¶
This element contains auxiliary information regarding the data escrow deposit.¶
A REQUIRED <rdeMenu> element contains the following child elements:¶
For Differential Deposits, this element contains the list of objects that have been deleted since the previous deposit of any type. For Incremental Deposits, this element contains the list of objects that have been deleted since the previous Full Deposit.¶
This section of the deposit MUST NOT be present in Full Deposits.¶
For Full Deposits, this element contains all objects. For Differential Deposits, this element contains the list of objects that have been added or modified since the previous deposit of any type. For Incremental Deposits, this element contains the list of objects that have been added or modified since the previous Full Deposit.¶
When applying Incremental or Differential Deposits (when rebuilding the registry from data escrow deposits), the relative order of the <deletes> and <contents> elements is important because dependencies may exist between the objects. All of the <deletes> elements MUST be applied first, in the order in which they appear. All of the <contents> elements MUST be applied next, in the order in which they appear.¶
If an object is present in the <contents> or <deletes> section of several deposits (e.g., Full and Differential), the registry data from the latest deposit (as defined by the Timeline Watermark) SHOULD be used when rebuilding the registry. An object SHOULD NOT exist multiple times in either the <contents> or <deletes> elements in a single deposit.¶
When rebuilding a registry, the <deletes> section MUST be ignored if present in a Full Deposit.¶
RDE is specified in XML Schema notation. The formal syntax presented here is a complete schema representation of RDE suitable for automated validation of RDE XML instances.¶
The <CODE BEGINS> and <CODE ENDS> tags are not part of the schema; they are used to note the beginning and ending of the schema for URI registration purposes.¶
<CODE BEGINS>
<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="urn:ietf:params:xml:ns:rde-1.0"
xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
xmlns="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
<annotation>
<documentation>
Registry Data Escrow schema
</documentation>
</annotation>
<!-- Root element -->
<element name="deposit" type="rde:escrowDepositType"/>
<!-- RDE types -->
<complexType name="escrowDepositType">
<sequence>
<element name="watermark" type="dateTime"/>
<element name="rdeMenu" type="rde:rdeMenuType"/>
<element name="deletes" type="rde:deletesType" minOccurs="0"/>
<element name="contents" type="rde:contentsType"
minOccurs="0"/>
</sequence>
<attribute name="type" type="rde:depositTypeType"
use="required"/>
<attribute name="id" type="rde:depositIdType" use="required"/>
<attribute name="prevId" type="rde:depositIdType"/>
<attribute name="resend" type="unsignedShort" default="0"/>
</complexType>
<!-- Menu type -->
<complexType name="rdeMenuType">
<sequence>
<element name="version" type="rde:versionType"/>
<element name="objURI" type="anyURI" maxOccurs="unbounded"/>
</sequence>
</complexType>
<!-- Deletes type -->
<complexType name="deletesType">
<sequence minOccurs="0" maxOccurs="unbounded">
<element ref="rde:delete"/>
</sequence>
</complexType>
<element name="delete" type="rde:deleteType" abstract="true"/>
<complexType name="deleteType">
<complexContent>
<restriction base="anyType"/>
</complexContent>
</complexType>
<!-- Contents type -->
<complexType name="contentsType">
<sequence minOccurs="0" maxOccurs="unbounded">
<element ref="rde:content"/>
</sequence>
</complexType>
<element name="content" type="rde:contentType" abstract="true"/>
<complexType name="contentType">
<complexContent>
<restriction base="anyType"/>
</complexContent>
</complexType>
<!-- Type of deposit -->
<simpleType name="depositTypeType">
<restriction base="token">
<enumeration value="FULL"/>
<enumeration value="INCR"/>
<enumeration value="DIFF"/>
</restriction>
</simpleType>
<!-- Deposit identifier type -->
<simpleType name="depositIdType">
<restriction base="token">
<pattern value="\w{1,13}"/>
</restriction>
</simpleType>
<!-- A RDE version number is a dotted pair of decimal numbers -->
<simpleType name="versionType">
<restriction base="token">
<pattern value="[1-9]+\.[0-9]+"/>
<enumeration value="1.0"/>
</restriction>
</simpleType>
</schema>
<CODE ENDS>¶
Data escrow deposits are represented in XML, which provides native support for encoding information using the Unicode character set and its more compact representations, including UTF-8. Conformant XML processors recognize both UTF-8 and UTF-16. Though XML includes provisions to identify and use other character encodings through the use of an "encoding" attribute in an <?xml?> declaration, the use of UTF-8 is RECOMMENDED.¶
This document uses URNs to describe XML namespaces and XML schemas conforming to a registry mechanism described in [RFC3688]. Two URI assignments have been registered by the IANA.¶
Registration for the RDE namespace:¶
Registration for the RDE XML schema:¶
This specification does not define the security mechanisms to be used in the transmission of the data escrow deposits, since it only specifies the minimum necessary to enable the rebuilding of a registry from deposits without intervention from the original registry.¶
Depending on local policies, some elements -- or, most likely, the whole deposit -- will be considered confidential. As such, the parties SHOULD take all necessary precautions, such as encrypting the data at rest and in transit to avoid inadvertent disclosure of private data. Regardless of the precautions taken by the parties regarding data at rest and in transit, authentication credentials MUST NOT be escrowed.¶
Authentication of the parties passing data escrow deposit files is also of the utmost importance. The escrow agent MUST properly authenticate the identity of the registry before accepting data escrow deposits. Similarly, the registry MUST authenticate the identity of the escrow agent before submitting any data.¶
Additionally, the registry and the escrow agent MUST use integrity-checking mechanisms to ensure that the data transmitted is what the source intended. Validation of the contents by the escrow agent is RECOMMENDED to ensure not only that the file was transmitted correctly from the registry but also that the contents are "meaningful".¶
This specification defines a format that may be used to escrow personal data. The process of data escrow is governed by a legal document agreed upon by the parties, and such a legal document must ensure that privacy-sensitive and/or personal data receives the required protection.¶
Example of a Full Deposit with the two example objects rdeObj1 and rdeObj2:¶
<?xml version="1.0" encoding="UTF-8"?>
<rde:deposit
xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
xmlns:rdeObj1="urn:example:params:xml:ns:rdeObj1-1.0"
xmlns:rdeObj2="urn:example:params:xml:ns:rdeObj2-1.0"
type="FULL"
id="20191018001">
<rde:watermark>2019-10-17T23:59:59Z</rde:watermark>
<rde:rdeMenu>
<rde:version>1.0</rde:version>
<rde:objURI>urn:example:params:xml:ns:rdeObj1-1.0</rde:objURI>
<rde:objURI>urn:example:params:xml:ns:rdeObj2-1.0</rde:objURI>
</rde:rdeMenu>
<rde:contents>
<rdeObj1:rdeObj1>
<rdeObj1:name>EXAMPLE</rdeObj1:name>
</rdeObj1:rdeObj1>
<rdeObj2:rdeObj2>
<rdeObj2:id>fsh8013-EXAMPLE</rdeObj2:id>
</rdeObj2:rdeObj2>
</rde:contents>
</rde:deposit>¶
Example of a Differential Deposit with the two example objects rdeObj1 and rdeObj2:¶
<?xml version="1.0" encoding="UTF-8"?>
<rde:deposit
xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
xmlns:rdeObj1="urn:example:params:xml:ns:rdeObj1-1.0"
xmlns:rdeObj2="urn:example:params:xml:ns:rdeObj2-1.0"
type="DIFF"
id="20191019001" prevId="20191018001">
<rde:watermark>2019-10-18T23:59:59Z</rde:watermark>
<rde:rdeMenu>
<rde:version>1.0</rde:version>
<rde:objURI>urn:example:params:xml:ns:rdeObj1-1.0</rde:objURI>
<rde:objURI>urn:example:params:xml:ns:rdeObj2-1.0</rde:objURI>
</rde:rdeMenu>
<rde:contents>
<rdeObj1:rdeObj1>
<rdeObj1:name>EXAMPLE2</rdeObj1:name>
</rdeObj1:rdeObj1>
<rdeObj2:rdeObj2>
<rdeObj2:id>sh8014-EXAMPLE</rdeObj2:id>
</rdeObj2:rdeObj2>
</rde:contents>
</rde:deposit>¶
Example of an Incremental Deposit with the two example objects rdeObj1 and rdeObj2:¶
<?xml version="1.0" encoding="UTF-8"?>
<rde:deposit
xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
xmlns:rdeObj1="urn:example:params:xml:ns:rdeObj1-1.0"
xmlns:rdeObj2="urn:example:params:xml:ns:rdeObj2-1.0"
type="INCR"
id="20200317001" prevId="20200314001">
<rde:watermark>2020-03-16T23:59:59Z</rde:watermark>
<rde:rdeMenu>
<rde:version>1.0</rde:version>
<rde:objURI>urn:example:params:xml:ns:rdeObj1-1.0</rde:objURI>
<rde:objURI>urn:example:params:xml:ns:rdeObj2-1.0</rde:objURI>
</rde:rdeMenu>
<rde:deletes>
<rdeObj1:delete>
<rdeObj1:name>EXAMPLE1</rdeObj1:name>
</rdeObj1:delete>
<rdeObj2:delete>
<rdeObj2:id>fsh8013-EXAMPLE</rdeObj2:id>
</rdeObj2:delete>
</rde:deletes>
<rde:contents>
<rdeObj1:rdeObj1>
<rdeObj1:name>EXAMPLE2</rdeObj1:name>
</rdeObj1:rdeObj1>
<rdeObj2:rdeObj2>
<rdeObj2:id>sh8014-EXAMPLE</rdeObj2:id>
</rdeObj2:rdeObj2>
</rde:contents>
</rde:deposit>¶
Special suggestions that were incorporated into this document were provided by James Gould, Edward Lewis, Jaap Akkerhuis, Lawrence Conroy, Marc Groeneweg, Michael Young, Chris Wright, Patrick Mevzek, Stephen Morris, Scott Hollenbeck, Stephane Bortzmeyer, Warren Kumari, Paul Hoffman, Vika Mpisane, Bernie Hoeneisen, Jim Galvin, Andrew Sullivan, Hiro Hotta, Christopher Browne, Daniel Kalchev, David Conrad, James Mitchell, Francisco Obispo, Bhadresh Modi, and Alexander Mayrhofer.¶
Shoji Noguchi and Francisco Arias participated as coauthors through version 07 of draft-arias-noguchi-registry-data-escrow (the precursor to this document) and provided invaluable support for this document.¶