Thick Model 01/09/00

A Thick Structural Model for the .nz Registry

Introduction

The following describes a model for the .nz Registry that includes sufficient structure to ensure the rights of all parties involved. The goals of this structure are:

  1. to protect the registrant's rights over a domain name through the structure of the registry and its operations;
  2. to minimise a registrant's interactions with the registry; and
  3. to allow registrars to manage the various processes associated with domain name registration.

Overview

On registration of a new name the registrant is issued with a Domain Name Registration Certificate denoting ownership of the domain name. The registrant delegates to a registrar permission to maintain the domain name's entry in the register on behalf of the registrant. There is only one delegation per domain name. If the registrant changes registrars a new delegation to the new registrar is created and replaces the old delegation. The registrant's certificate contains sufficient information that the registrant may participate in an on-line process to change its registrar.

Entities and Relationships

The registry needs to be aware of four classes of entities: domain names, registrants, registrars and name service providers.

Each domain name must be associated with a registrant (the name holder), and one or more name service providers. These may be one-to-one relationships or many-to-one relationships. The latter has the advantage that a change in detail about the registrant or name service provider can be made only once for all domain names affected. (Exception information could be associated with individual domain names.) Registrant and name service provider information is also more likely to be consistent if one copy is held.

There is a question of whether a registrar is directly associated with a domain name or associated with the registrant, making the association with the domain name indirect. Associating a registrar with the registrant rather than individual domain names appears to have advantages in allowing a registrant's names to be managed as a set. However, this raises the question of whether a registrant should be forced to use a single registrar or be allowed to distribute its business over several registrars. The latter is clearly preferable and could be covered in either of two ways: associating each domain name directly with the registrar that manages it or accepting that a single organisation may appear as more than one registrant with each appearance associated with a different registrar.

The relationship between the registry and registrars and the registry and name service providers must be formal. In the following we assume that both registrars and name service providers participate in a public key system with the registry and that this system is used to authenticate all communication between the parties. The exact details will vary depending on the nature of the communication (email, web, secure socket).

We also present a mechanism below that allows registrants to independently authenticate the critical operation of changing a registrar.

The Domain Name Registration Certificate

A structural design for a registry requires that each registrant has some way to authenticate its rights over a domain name to the registry should it be necessary. In the past this has been done by issuing a name holder key or password. The key has been delivered by email to the registrant. This has been a significant weakness in the system with the key frequently lost by the registrant.

Several ccTLD registries issue "hard" certificates. While this adds a cost to the initial registration it has the advantage of presenting the registrant with an important looking document accompanied by instructions to "Store this in a safe place." The certificate can contain information that can be used to authenticate the registrant.

The .nz Domain Name Registration Certificate should carry the following information: the domain name, the registrant's name, the date of registration, a challenge string, a response string and a key. The certificate should also carry forms to be used in cancelling the name or assigning the name to a new registrant. Instructions on or distributed with the certificate should indicate its value and strongly recommend that it be stored in a safe place.

Processes

The following presents the key processes that the registry must support. These have been identified as:

  • Registration of a new name.
  • Cancellation of a name.
  • Change to details, other than registrant, associated with a name.
  • Change of registrant for a name.
  • Change of registrar.
  • Cancellation of name service for a name.

Registration of a new name

A registrant registers a new domain name through a registrar. If the registrant is new to the registrar, the registrar should first create a registrant entry. Creation of a registrant entry returns a registrantID to the registrar. The registrantID is in fact a delegation certificate giving authority from the registrant to the registrar to carry out all operations for all domain names associated with the registrantID. The registrantID may only be used by the registrar to which it has been issued.

At any time a domain name is associated with exactly one registrantID. Several registrantIDs may exist for a single registrant if the registrant chooses to use multiple registrars.

Once a registrar possesses a registrantID for the registrant the registrar can create one or more new domain names. This operation may fail if the name is already taken, the registrantID has been revoked or the registrar is not properly authenticated.

The registry issues a Domain Name Registration Certificate directly to the registrant.

Confirmation of the creation of a new domain name is delivered by e-mail to all parties concerned: the registrar, the registrant, and the name service provider(s).

Cancellation of a domain name.

A domain name may only be cancelled by the return of the Domain Name Registration Certificate properly annotated and signed by the registrant. This is intended to ensure that there is no way any other party can cause a name to be removed from the register.

Confirmation of the cancellation of the name is delivered by e-mail to all parties concerned: the registrar, the registrant, and the name service provider(s).

Change of domain name details.

The registrant's registrar has delegated authority to change all information associated with the registrant's domain names, including the name service provider(s) and the identity of the delegated registrar. The registrar does not have delegated authority to change the name of the registrant associated with a name or to cancel the name.

Operations in the interface to the registry will need to be provided to change information associated with both domain name entries and registrant entries. The delegated authority is represented by the registrantID issued to the registrar at the time the name was created.

Confirmation of each change is delivered by e-mail to all parties concerned: the registrar(s), the registrant and the name service provider(s). If either the registrar or name service provider is changed both old and new must be notified.

Change of registrant.

It may be necessary to change the registrant associated with a domain name should the name be sold or the owner change its name. In at least some cases this will cause responsibility for the name to pass from one entity to another. This can only be done with the authorisation of the current registrant and must result in the issuing of new security information as held on the Domain Name Registration Certificate.

Change of registrant will change the delegated authority for the name from one registrantID to another. The two registrantIDs may be held by different registrars.

The current registrant should annotate and sign the appropriate form on the Domain Name Registration Certificate and return the certificate to the registry. The information provided will include the name of the new registrant. The registry will issue a new Domain Name Registration Certificate to the new registrant.

On receipt of the Domain Name Registration Certificate the new registrant will be able to change registrars as described below. At this point the change of registrant process is complete.

Change of registrar.

Since the registrar has delegated authority to change information associated with a domain name, changing the registrar is equivalent to changing this delegation and is a critical change for the registrant. It may occur under any of several scenarios.

  • Under normal circumstances we would expect the registrant to have the cooperation of both the old and new registrar.
  • For any of several reasons the registrant may not have the cooperation of the old registrar. This could occur because of a dispute between the parties, because the registrar is slow to action the request or because the registrar has gone out of business.

Finally, since the new registrar will pick up the costs of maintaining the domain name in the register it should not be possible to change the delegation without the consent of the new registrar.

The design is intended to be capable of being woven into the registration process of a registrar. In both cases the registrant contacts the new registrar and arranges to transfer the domain name. If necessary the new registrar creates a registrant entry and obtains a registrantID. The new registrar creates and signs an appropriate message for the registry indicating that it is prepared to accept the transfer of the name.

Authority for the transfer can come from either the registrant or the old registrar. At the appropriate point in the registration process the registrant is asked if it will be authorising the transfer or delegating it to the old registrar. If the transfer is to be actioned by the old registrar the new registrar sends the signed acceptance to the old registrar. The old registrar forwards the acceptance along with its own directions signed and accompanied by its registrantID. The registry now has in one message both the direction to change the registrar signed by the current registrar and acceptance of the delegation by the new registrar.

  • Note 1: In this situation authority for authenticating the registrant lies with the old registrar.
  • Note 2: This process allows the "friendly" transfer of a domain name between two registrars without reference to the registrant, though the registrant will be notified. This allows efficient handling of situations such as a takeover or merger of registrars.

Alternatively the registrant may choose to authorise the transfer directly. In this case the registrant is presented with two pages that are in fact pages supported by the registry. The first page asks the registrant to enter the challenge string from their Domain Name Registration Certificate. The second page returns the response string and asks for the key and authorisation to make the change. The challenge and matching response authenticate the registry to the registrant. The key authenticates the registrant to the registry and authorises the change to the new registrar. At this point the process can return to the new registrar's web site.

Either of the above processes results in the creation of a new registrantID that now delegates authority to the new registrar. This replaces the previous registrantID, effectively revoking the previous delegation. The change is executed and all parties (registrant, both registrars and name service provider(s)) are notified by email.
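
The two authorisation paths above, sketched from the registry's side as an added example that is not part of the original proposal. Assumptions: HMAC with a per-registrar secret stands in for the public key signatures, and the class, method and message names (Registry, page_one, "accept:", "release:") are hypothetical.

```python
import hashlib, hmac, secrets

def sign(secret: bytes, msg: str) -> str:
    # Assumption: HMAC stands in for a registrar's public-key signature.
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare
def digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

class Registry:
    def __init__(self, registrar_secrets):
        self.registrars = registrar_secrets  # registrar name -> signing secret
        self.certs = {}        # domain -> (challenge, response, hash of key)
        self.delegation = {}   # domain -> (registrantID, registrar)

    def register(self, domain, registrar):
        challenge, response, key = (secrets.token_hex(8) for _ in range(3))
        self.certs[domain] = (challenge, response, digest(key))
        self.delegation[domain] = (secrets.token_hex(8), registrar)
        return {"challenge": challenge, "response": response, "key": key}

    def page_one(self, domain, challenge):
        # Registry authenticates itself: response shown only for the right challenge.
        stored, response, _ = self.certs[domain]
        return response if same(challenge, stored) else None

    def _accepted(self, domain, new_registrar, acceptance):
        secret = self.registrars.get(new_registrar)
        return secret is not None and same(acceptance, sign(secret, f"accept:{domain}"))

    def _replace(self, domain, new_registrar):
        # A fresh registrantID replaces the old one, revoking the old delegation.
        self.delegation[domain] = (secrets.token_hex(8), new_registrar)
        return self.delegation[domain][0]

    def transfer_by_registrant(self, domain, new_registrar, acceptance, key):
        # Page two: the certificate key authenticates the registrant.
        ok = (self._accepted(domain, new_registrar, acceptance)
              and same(digest(key), self.certs[domain][2]))
        return self._replace(domain, new_registrar) if ok else None

    def transfer_by_old_registrar(self, domain, new_registrar, acceptance, registrant_id, direction):
        current_id, old = self.delegation[domain]
        expected = sign(self.registrars[old], f"release:{domain}:{new_registrar}")
        ok = (self._accepted(domain, new_registrar, acceptance)
              and same(registrant_id, current_id) and same(direction, expected))
        return self._replace(domain, new_registrar) if ok else None
```

Both paths refuse to act without the new registrar's signed acceptance, and a registrantID stops working once it has been replaced. The signed messages here carry no nonce or timestamp, so a deployed version would need one to prevent replay.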

Cancellation of name service.

A name service provider may request that their name servers be disassociated from one or more domain names. To do this the name service provider must be recognised by the registry and be able to submit an authenticated request.

Notification of the withdrawal of service should be immediately sent to both the associated registrar and the affected registrant.

© 2000 The Internet Society of New Zealand
Last updated 1 September 2000