Technical Standards for gTLD Registries

Comprehensive Technical Requirements and Implementation Guidelines

EPP Protocol Standards

Extensible Provisioning Protocol (EPP) is the backbone of domain registration systems. Registry operators must implement EPP v1.0 as defined in RFC 5730-5734, supporting all mandatory commands and extensions required by ICANN specifications.

DNSSEC Implementation

DNS Security Extensions provide authentication and integrity for DNS responses. All new gTLD registries must deploy DNSSEC at the registry level and support registrant DNSSEC through EPP extensions.

RDAP Services

Registration Data Access Protocol replaces WHOIS with a structured, secure, and internationalized directory service. RDAP implementation is mandatory for all new gTLD registries per ICANN specifications.

EPP Implementation Requirements

The Extensible Provisioning Protocol forms the foundation of registry-registrar communications, enabling standardized domain management operations.

Core EPP Commands

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- EPP Login Command Example (the XML declaration must come first, so the comment follows it) -->
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <login>
      <clID>ClientX</clID>
      <pw>foo-BAR2</pw>
      <options>
        <version>1.0</version>
        <lang>en</lang>
      </options>
      <svcs>
        <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
        <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
        <svcExtension>
          <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
        </svcExtension>
      </svcs>
    </login>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
EPP Object | Required Commands                                    | Required Extensions
-----------|------------------------------------------------------|--------------------------------
Domain     | check, info, create, delete, renew, transfer, update | secDNS-1.1, rgp-1.0, launch-1.0
Contact    | check, info, create, delete, transfer, update        | None mandatory
Host       | check, info, create, delete, update                  | None mandatory
Session    | login, logout, poll                                  | None mandatory
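The login command above travels over TCP inside the RFC 5734 framing, and the client decides success from the numeric result code in the reply. This added example (not code from the original page) implements that framing and the result-code check; the server response XML is a constructed sample.

```python
"""EPP over TCP framing (RFC 5734) and result-code checks for the responses
a registrar client reads back. Added example, not code from the original
page; the response XML is a constructed sample."""
import struct
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"

def frame(xml_text: str) -> bytes:
    """Prefix an EPP XML document with the 4-byte network-order total
    length that RFC 5734 requires; the length includes the header itself."""
    body = xml_text.encode("utf-8")
    return struct.pack("!I", len(body) + 4) + body

def unframe(buf: bytes) -> tuple:
    """Split one complete frame off a receive buffer and return
    (xml_text, remaining_bytes); raise on a short read or a bad header."""
    if len(buf) < 4:
        raise ValueError("short read: header incomplete")
    (total,) = struct.unpack("!I", buf[:4])
    if total < 4:
        raise ValueError("invalid length header")
    if len(buf) < total:
        raise ValueError("short read: body incomplete")
    return buf[4:total].decode("utf-8"), buf[total:]

def result_code(xml_text: str) -> int:
    """Numeric code of the first <result> element (RFC 5730 section 3)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    result = root.find(f".//{{{EPP_NS}}}result")
    if result is None:
        raise ValueError("response carries no <result> element")
    return int(result.attrib["code"])

def is_success(code: int) -> bool:
    """RFC 5730: 1000-1999 are positive completion replies, 2000-2999 errors."""
    return 1000 <= code <= 1999

# Constructed server response to the login command shown above.
LOGIN_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="{EPP_NS}">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <trID><clTRID>ABC-12345</clTRID><svTRID>SRV-0001</svTRID></trID>
  </response>
</epp>"""

if __name__ == "__main__":
    text, rest = unframe(frame(LOGIN_RESPONSE) + b"\x00\x00")
    print(result_code(text), is_success(result_code(text)), rest)
```

A receive buffer often holds the start of the next frame as well, so unframe returns the leftover bytes instead of discarding them.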

EPP Extensions for New gTLDs

  • Launch Phase Extension (RFC 8334): Supports sunrise and claims periods
  • Registry Grace Period (RFC 3915): Implements add/auto-renew/redemption grace periods
  • DNSSEC Extension (RFC 5910): Enables DS record management
  • Fee Extension (RFC 8748): Provides pricing information in EPP responses
  • Registry Maintenance (RFC 9167): Notifies registrars of maintenance windows
  • Organization Extension: Links domains to organization objects
  • Allocation Token: Supports premium names and special allocations

DNS Infrastructure Requirements

Robust DNS infrastructure is critical for registry operations, requiring geographic distribution, redundancy, and high availability.

Key DNS service level targets:

  • DNS Service Availability: 100%
  • DNS Query RTT: <400ms
  • DNS Update Time: <60min
  • Nameserver Locations: ≥2
  • DNSSEC Key Size: 4096 bits
  • Protocol Support: IPv4+IPv6

Anycast Network Design

Modern registry DNS infrastructure typically employs anycast routing to distribute queries across multiple global locations, improving performance and resilience against DDoS attacks.

Requirement       | Specification             | Best Practice
------------------|---------------------------|------------------------------------
Minimum Locations | 2 geographically diverse  | 5+ across multiple continents
Query Capacity    | Handle expected load      | 10x expected peak capacity
DDoS Protection   | Basic mitigation required | Multi-layer with scrubbing centers
Zone File Size    | Support registry scale    | Handle 10x current zone size
DNSSEC Signing    | Online or offline signing | HSM-based offline signing

DNSSEC Implementation Steps

1. Key Generation and Management

Generate Zone Signing Keys (ZSK) and Key Signing Keys (KSK) using appropriate algorithms (RSA-SHA256 or ECDSA). Implement secure key storage using Hardware Security Modules (HSMs) for production environments.

2. Zone Signing Configuration

Configure automatic zone signing with appropriate NSEC3 parameters for zone enumeration protection. Set reasonable signature validity periods (typically 2-4 weeks) and re-sign at refresh intervals well before signatures expire.

3. DS Record Publication

Submit Delegation Signer (DS) records to IANA for publication in the root zone. This establishes the chain of trust from the root to your TLD.

4. Key Rollover Procedures

Establish automated or semi-automated key rollover procedures for both ZSK (monthly/quarterly) and KSK (annually). Follow RFC 6781 best practices for timing and notifications.

5. Monitoring and Validation

Implement continuous monitoring of DNSSEC validation status using tools like DNSViz and Zonemaster. Set up alerts for signature expiration and validation failures.
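The DS record submitted to IANA in step 3 is derived from the KSK's DNSKEY record. This added example (not code from the original page) carries out that derivation: key tag per RFC 4034 Appendix B and a SHA-256 digest (type 2) per RFC 4509; the sample key is constructed placeholder bytes, not a real public key.

```python
"""Build the DS record a TLD operator submits to IANA (step 3 above) from
its KSK DNSKEY: key tag per RFC 4034 Appendix B, SHA-256 digest (type 2)
per RFC 4509. Added example, not code from the original page; the sample
key below is constructed placeholder bytes, not a real public key."""
import base64
import hashlib

def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, then the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:  # the root zone "." contributes only the terminator
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag for every algorithm except 1 (RSA/MD5): sum the RDATA as
    16-bit big-endian words, then fold the carry back in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> str:
    """Presentation-format DS RR: digest = SHA-256(owner name wire || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed KSK: flags 257 = ZONE + SEP, protocol 3, algorithm 13 (ECDSAP256SHA256).
# A real P-256 key is 64 bytes; these bytes are a placeholder, not a usable key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")

if __name__ == "__main__":
    print(ds_record("example", 257, 3, 13, SAMPLE_KEY))
```

Comparing the output against what your signer and dig report for the live KSK is a cheap check before the IANA submission; a key tag mismatch usually means the wrong key or a stale DNSKEY set.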

Critical Security Considerations

Registry systems are high-value targets for cyberattacks. Implement defense-in-depth strategies including:

  • Network segmentation with EPP services isolated from public internet
  • Multi-factor authentication for all administrative access
  • Regular security audits and penetration testing
  • Incident response procedures with defined escalation paths
  • Encrypted backups with offline storage copies
  • Rate limiting and DDoS protection at multiple layers

RDAP Implementation Guidelines

Registration Data Access Protocol provides RESTful web services for registration data queries, replacing the legacy WHOIS protocol with standardized, structured responses.

RDAP domain query response example (JSON does not allow comments, so the caption sits outside the document):

{
  "objectClassName": "domain",
  "handle": "EXAMPLE1-REP",
  "ldhName": "example.tld",
  "status": ["active", "clientTransferProhibited"],
  "entities": [{
    "objectClassName": "entity",
    "handle": "REGISTRANT-12345",
    "roles": ["registrant"],
    "vcardArray": ["vcard", [
      ["version", {}, "text", "4.0"],
      ["fn", {}, "text", "Example Registrant"],
      ["org", {}, "text", "Example Organization"],
      ["adr", {}, "text", ["", "", "123 Main St", "Anytown", "CA", "12345", "US"]],
      ["email", {}, "text", "[email protected]"]
    ]]
  }],
  "nameservers": [{
    "objectClassName": "nameserver",
    "ldhName": "ns1.example.tld",
    "ipAddresses": {
      "v4": ["192.0.2.1"],
      "v6": ["2001:db8::1"]
    }
  }],
  "rdapConformance": ["rdap_level_0"],
  "notices": [{
    "title": "Terms of Use",
    "description": ["Service subject to Terms of Use."],
    "links": [{"href": "https://example.tld/terms"}]
  }]
}

RDAP Features and Benefits

Structured Data

JSON-formatted responses enable programmatic parsing and integration with automated systems.

Internationalization

Full support for internationalized domain names and registration data in native scripts.

Access Control

Differentiated access with authentication support for tiered data visibility.

Bootstrapping

Automatic service discovery through IANA bootstrap registry for seamless queries.
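Bootstrapping works by matching a domain's TLD against the IANA bootstrap registry (RFC 7484) and appending the RFC 9082 path. This added example (not code from the original page) performs that lookup against a constructed stand-in for the IANA dns.json file; the service URLs in it are fictitious.

```python
"""RDAP bootstrapping (RFC 7484): find the RDAP base URL for a domain in the
IANA bootstrap registry and build the domain lookup URL (RFC 9082). Added
example, not code from the original page; the bootstrap document below is a
constructed stand-in for the IANA dns.json file with fictitious service URLs."""
import json
from typing import Optional
from urllib.parse import quote

# Constructed bootstrap registry: each service is [[tlds...], [base URLs...]].
# TLDs appear as A-labels, so an IDN TLD must be converted before lookup.
BOOTSTRAP_JSON = """{
  "version": "1.0",
  "publication": "2024-01-15T00:00:00Z",
  "description": "Constructed sample, not the IANA registry",
  "services": [
    [["tld", "example"], ["http://rdap.nic.tld/", "https://rdap.nic.tld/"]],
    [["test"], ["http://rdap.nic.test/rdap/"]]
  ]
}"""

def load_services(bootstrap_json: str) -> dict:
    """Flatten the services array into {tld: [base URLs]}; keys are lowercased
    because RFC 7484 matching is case-insensitive."""
    table = {}
    for tlds, urls in json.loads(bootstrap_json)["services"]:
        for tld in tlds:
            table[tld.lower()] = list(urls)
    return table

def rdap_domain_url(domain: str, services: dict) -> Optional[str]:
    """RDAP query URL for `domain`, or None when its TLD has no bootstrap
    entry (not delegated, or the registry publishes no RDAP base).
    HTTPS bases are chosen ahead of HTTP ones."""
    ldh = domain.rstrip(".").lower()
    bases = services.get(ldh.rsplit(".", 1)[-1])
    if not bases:
        return None
    base = sorted(bases, key=lambda u: not u.startswith("https://"))[0]
    if not base.endswith("/"):
        base += "/"
    return f"{base}domain/{quote(ldh)}"  # RFC 9082: <base>domain/<ldh-name>

if __name__ == "__main__":
    print(rdap_domain_url("Example.TLD.", load_services(BOOTSTRAP_JSON)))
```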

IPv6 Requirements

Full IPv6 support is mandatory for all registry services, ensuring future-proof infrastructure as IPv4 address exhaustion continues globally.

Service          | IPv6 Requirement     | Implementation Notes
-----------------|----------------------|------------------------------------------------
DNS Nameservers  | Mandatory dual-stack | All authoritative servers must have AAAA records
EPP Services     | Mandatory support    | EPP servers must accept IPv6 connections
RDAP/WHOIS       | Mandatory dual-stack | Web services accessible via IPv6
Registry Website | Recommended          | Public-facing sites should support IPv6
Email Services   | Recommended          | MX records with IPv6 addresses

Best Practices for Registry Technical Operations

  • Automation First: Automate repetitive tasks including monitoring, backups, and reporting
  • Documentation: Maintain comprehensive runbooks and disaster recovery procedures
  • Testing Environment: Operate OT&E (Operational Test and Evaluation) systems identical to production
  • Change Management: Implement formal change control with rollback procedures
  • Capacity Planning: Monitor growth trends and scale infrastructure proactively
  • Vendor Diversity: Avoid single points of failure in critical service providers
  • Compliance Tracking: Automated SLA monitoring with alerting for threshold breaches

Internationalized Domain Names (IDN)

Supporting IDNs requires careful implementation of Unicode handling, variant management, and language-specific policies to ensure consistent user experience across different scripts.

IDN Implementation Requirements

  • IDNA2008 Compliance: Implement Internationalized Domain Names in Applications standard
  • Label Generation Rules (LGR): Define permitted code points and variant rules for each script
  • Variant Management: Handle blocked, allocated, and withheld variants appropriately
  • EPP IDN Extension: Support IDN tables and variant information in EPP
  • RDAP IDN Support: Provide both A-label and U-label representations
  • Zone File Format: Ensure proper handling of IDN labels in zone files

IDN Label Generation Rules example (XML, RFC 7940 format):

<?xml version="1.0" encoding="utf-8"?>
<lgr xmlns="urn:ietf:params:xml:ns:lgr-1.0">
  <meta>
    <version>1.0</version>
    <date>2024-01-15</date>
    <language>und-Arab</language>
    <scope type="domain">.example</scope>
  </meta>
  <data>
    <char cp="0627" comment="ARABIC LETTER ALEF"/>
    <char cp="0628" comment="ARABIC LETTER BEH"/>
    <char cp="062A" comment="ARABIC LETTER TEH"/>
    <!-- Additional code points -->
    <char cp="0649" comment="ARABIC LETTER ALEF MAKSURA">
      <var cp="064A" type="blocked"/>
    </char>
  </data>
  <rules>
    <!-- gc:Mn selects code points whose General_Category is Mn (non-spacing mark) -->
    <rule name="leading-combining-mark" comment="Disallow leading combining marks">
      <start/>
      <class property="gc:Mn"/>
    </rule>
    <!-- Actions are evaluated in order: labels matching the rule are invalid, all others valid -->
    <action disp="invalid" match="leading-combining-mark"/>
    <action disp="valid"/>
  </rules>
</lgr>
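A registry applies a table like this at registration time: every code point must be in the repertoire, blocked variants of an allocated label must be withheld from other registrants, and the A-label is what goes into the zone and RDAP output. This added example (not code from the original page) does those three things over a constructed subset of the LGR above; the variant set is an assumption carried over from that fragment.

```python
"""Apply an LGR like the one above to candidate IDN labels: check the
repertoire, derive the blocked variant labels the registry must withhold,
and produce the A-label. Added example, not code from the original page;
the LGR fragment is a constructed subset of the table above."""
import xml.etree.ElementTree as ET
from itertools import product

LGR_NS = "{urn:ietf:params:xml:ns:lgr-1.0}"

# Constructed LGR fragment (repertoire and variant taken from the table above).
LGR_XML = """<?xml version="1.0" encoding="utf-8"?>
<lgr xmlns="urn:ietf:params:xml:ns:lgr-1.0">
  <data>
    <char cp="0627"/><char cp="0628"/><char cp="062A"/>
    <char cp="0649"><var cp="064A" type="blocked"/></char>
  </data>
</lgr>"""

def load_lgr(xml_text: str):
    """Return (repertoire set, {code point: [(variant code point, type), ...]})."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    repertoire, variants = set(), {}
    for char in root.iter(f"{LGR_NS}char"):
        cp = int(char.attrib["cp"], 16)
        repertoire.add(cp)
        variants[cp] = [(int(v.attrib["cp"], 16), v.attrib["type"])
                        for v in char.findall(f"{LGR_NS}var")]
    return repertoire, variants

def label_is_eligible(label: str, repertoire: set) -> bool:
    """Every code point of the U-label must be in the LGR repertoire."""
    return all(ord(ch) in repertoire for ch in label)

def blocked_variants(label: str, variants: dict) -> set:
    """Labels reachable by replacing one or more code points with a blocked
    variant; the registry must refuse to allocate any of them separately."""
    choices = [[ord(ch)] + [v for v, t in variants.get(ord(ch), []) if t == "blocked"]
               for ch in label]
    return {"".join(map(chr, combo)) for combo in product(*choices)} - {label}

def to_a_label(u_label: str) -> str:
    """A-label = "xn--" + Punycode(U-label) per RFC 5891; Python's codec is RFC 3492."""
    return "xn--" + u_label.encode("punycode").decode("ascii")

def from_a_label(a_label: str) -> str:
    """Inverse of to_a_label, for round-trip verification."""
    return a_label[4:].encode("ascii").decode("punycode")
```

The Punycode step only transcodes; eligibility under IDNA2008 is the LGR check that precedes it, which is why label_is_eligible runs first.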

Essential Tools and Testing Resources

DNS Testing Tools

DNSViz, Zonemaster, dig, drill - Comprehensive DNS and DNSSEC validation

EPP Client Libraries

Net::EPP (Perl), python-epp, PHP-EPP - Development and testing libraries

RDAP Clients

OpenRDAP, RDAP CLI tools, web-based RDAP browsers

Performance Testing

dnsperf, resperf, JMeter - Load testing and performance benchmarking

Security Scanners

nmap, OpenVAS, Qualys - Vulnerability assessment and compliance checking

Monitoring Platforms

Nagios, Prometheus, Grafana - Real-time monitoring and alerting

Data Escrow Technical Specifications

Daily data escrow deposits ensure registry data preservation and enable emergency recovery. Technical implementation must follow RFC 8909 specifications.

1. Data Export Generation

Generate full and incremental deposits in XML format following the registry data escrow specification. Include all domain, contact, nameserver, and registrar objects.

2. Encryption and Signing

Encrypt deposits using OpenPGP with the escrow agent's public key. Sign with the registry's private key to ensure authenticity and integrity.

3. Secure Transfer

Upload encrypted deposits via SFTP or HTTPS to the escrow agent. Implement retry logic and verify successful receipt through notification reports.

# Example Data Escrow Deposit Structure
deposit_YYYYMMDD_full_S#_R#.xml
├── header
│   ├── version: 1.0
│   ├── objURI: urn:ietf:params:xml:ns:rde-1.0
│   └── deposit type: FULL
├── contents
│   ├── domains (count: 150000)
│   ├── contacts (count: 45000)
│   ├── nameservers (count: 5000)
│   └── registrars (count: 250)
└── signature
    └── SHA-256 hash + PGP signature

Pre-Delegation Testing Requirements

Before TLD delegation, registries must pass comprehensive pre-delegation testing (PDT) to verify technical readiness:

  • DNS Infrastructure: Nameserver configuration, DNSSEC chain of trust, zone file accuracy
  • EPP Functionality: All object operations, extension support, error handling
  • RDAP Services: Query responses, bootstrapping, access control implementation
  • Data Escrow: Deposit generation, encryption, successful transmission
  • Trademark Services: TMCH integration, sunrise/claims implementation
  • Reporting Systems: Registry reporting interfaces, transaction reports

Compliance and Audit Readiness

Maintain continuous compliance with technical standards through:

  • Automated monitoring of all SLA metrics with threshold alerts
  • Regular self-audits using ICANN's compliance frameworks
  • Documentation of all technical changes and incident responses
  • Participation in ICANN technical checks and audits
  • Continuous improvement based on industry best practices
