Network Working Group

Internet Engineering Task Force (IETF)                         G. Lozano
Internet-Draft
Request for Comments: 8909                                         ICANN
Intended status:
Category: Standards Track                             Jun 1, 2020
Expires: December 3,                                  November 2020
ISSN: 2070-1721

                   Registry Data Escrow Specification
                    draft-ietf-regext-data-escrow-10

Abstract

   This document specifies the format and contents of data escrow
   deposits targeted primarily for domain name registries.  The
   specification is designed to be independent of the underlying objects
   that are being escrowed escrowed, and therefore it could also be used for
   purposes other than domain name registries.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid the IETF community.  It has
   received public review and has been approved for a maximum publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of six months this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 3, 2020.
   https://www.rfc-editor.org/info/rfc8909.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Problem Scope . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Conventions Used in This Document . . . . . . . . . . . . . .   6
     4.1.  Date and Time . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Protocol Description  . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Root element Element <deposit>  . . . . . . . . . . . . . . . . .   7
     5.2.  Rebuilding the registry Registry from data escrow deposits . . . .   8 Data Escrow Deposits
   6.  Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . .   9
     6.1.  RDE Schema  . . . . . . . . . . . . . . . . . . . . . . .   9
   7.  Internationalization Considerations . . . . . . . . . . . . .  11
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   9.  Implementation Status . . . . . . . . . . . . . . . . . . . .  12
     9.1.  Implementation in the gTLD space  . . . . . . . . . . . .  12
   10.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   11.
   10. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  13
   12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  14
   13. Change History  . . . . . . . . . . . . . . . . . . . . . . .  14
     13.1.  Changes from 00 to 01  . . . . . . . . . . . . . . . . .  14
     13.2.  Changes from 01 to 02  . . . . . . . . . . . . . . . . .  15
     13.3.  Changes from 02 to 03  . . . . . . . . . . . . . . . . .  16
     13.4.  Changes from 03 to 04  . . . . . . . . . . . . . . . . .  16
     13.5.  Changes from 04 to 05  . . . . . . . . . . . . . . . . .  16
     13.6.  Changes from 05 to 06  . . . . . . . . . . . . . . . . .  16
     13.7.  Changes from 06 to 07  . . . . . . . . . . . . . . . . .  16
     13.8.  Changes from 07 to 08  . . . . . . . . . . . . . . . . .  16
     13.9.  Changes from 08 to 09  . . . . . . . . . . . . . . . . .  17
     13.10. Changes from 09 to 10  . . . . . . . . . . . . . . . . .  17
     13.11. Changes from 10 to 11  . . . . . . . . . . . . . . . . .  17
     13.12. Changes from 11 to REGEXT 00 . . . . . . . . . . . . . .  17
     13.13. Changes from version REGEXT 00 to REGEXT 01  . . . . . .  17
     13.14. Changes from version REGEXT 01 to REGEXT 02  . . . . . .  17
     13.15. Changes from version REGEXT 02 to REGEXT 03  . . . . . .  17
     13.16. Changes from version REGEXT 03 to REGEXT 04  . . . . . .  17
     13.17. Changes from version REGEXT 04 to REGEXT 05  . . . . . .  18
     13.18. Changes from version REGEXT 05 to REGEXT 06  . . . . . .  18
     13.19. Changes from version REGEXT 06 to REGEXT 07  . . . . . .  18
     13.20. Changes from version REGEXT 07 to REGEXT 08  . . . . . .  18
     13.21. Changes from version REGEXT 08 to REGEXT 09  . . . . . .  19
     13.22. Changes from version REGEXT 09 to REGEXT 10  . . . . . .  19
   14.
   11. Example of a Full Deposit . . . . . . . . . . . . . . . . . .  19
   15.
   12. Example of a Differential Deposit . . . . . . . . . . . . . .  20
   16.
   13. Example of a an Incremental Deposit  . . . . . . . . . . . . . .  20
   17.
   14. References  . . . . . . . . . . . . . . . . . . . . . . . . .  21
     17.1.
     14.1.  Normative References . . . . . . . . . . . . . . . . . .  21
     17.2.
     14.2.  Informative References . . . . . . . . . . . . . . . . .  22
   Acknowledgments
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  22

1.  Introduction

   Registry Data Escrow (RDE) is the process by which a registry
   periodically submits data deposits to a third-party third party called an escrow
   agent.  These deposits comprise the minimum data needed by a third-party third
   party to resume operations if the registry cannot function and is
   unable or unwilling to facilitate an orderly transfer of service.
   For example, for a domain name registry or registrar, the data to be
   deposited would include all of the objects related to registered
   domain names, e.g., names, contacts, name servers, etc. servers.

   The goal of data escrow is higher resiliency of registration
   services, for the benefit of Internet users.  The beneficiaries of a
   registry are not just those registering information there, there but also
   the users of services relying on the registry data.

   In the context of domain name registries, registration data escrow is
   a requirement for generic top-level domains Top-Level Domains (gTLDs) (e.g.,
   Specification 2 of the ICANN Base Registry Agreement, Agreement; see [ICANN-GTLD-RA-20170731])
   [ICANN-GTLD-RA-20170731]), and some country code top-level domain TLD (ccTLD) managers
   are also currently escrowing data.  There is also a similar
   requirement for ICANN-
   accredited ICANN-accredited domain registrars.

   This document specifies a format for data escrow deposits independent
   of the objects being escrowed.  An independent specification is
   required for each type of registry/set of objects that is expected to
   be escrowed.

   The format for data escrow deposits is specified using version 1.0 of
   the Extensible Markup Language (XML) 1.0 as described in [W3C.REC-xml-20081126]
   [W3C.REC-xml-20081126], and XML Schema notation as described in
   [W3C.REC-xmlschema-1-20041028] and [W3C.REC-xmlschema-2-20041028].

   Readers are advised to read the terminology section Section 2 ("Terminology") carefully to
   understand the precise meanings of Differential and Incremental
   Deposits
   Deposits, as the definitions used in this document are different from
   the definitions typically used in the domain of data backups.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Deposit.  Deposits can be of

   Deposit:  There are three kinds: kinds of deposits: Full, Differential or Differential, and
      Incremental.  For all three kinds of deposits, the universe of
      registry objects to be considered for data escrow are those is comprised of
      any objects necessary
   in order required to offer the registry services.

   Differential Deposit.  Contains Deposit:  A Differential Deposit contains data that
      reflects all transactions involving the database that were not
      reflected in the last previous Full, Incremental Incremental, or Differential
      Deposit, as the case may be.  Differential Deposit files will
      contain information from all database objects that were added, modified
      modified, or deleted since the previous deposit was completed as
      of its defined Timeline Watermark.

   Domain Name. Name:  See the definition of Domain name "domain name" in [RFC8499].

   Escrow Agent.  The Agent:  An escrow agent is the organization designated by the
      registry or the third-party beneficiary to receive and guard data
      escrow deposits from the registry.

   Full Deposit.  Contains the registry Deposit:  A Full Deposit contains the registry data that
      reflects the current and complete registry database and will
      consist of data that reflects the state of the registry as of a
      defined Timeline Watermark for the deposit.

   Incremental Deposit.  Contains Deposit:  An Incremental Deposit contains data that
      reflects all transactions involving the database that were not
      reflected in the last previous Full Deposit.  Incremental Deposit
      files will contain information from all database objects that were
      added, modified modified, or deleted since the previous Full Deposit was
      completed as of its defined Timeline Watermark.  If the Timeline
      Watermark of an Incremental Deposit were to cover the Timeline
      Watermark of another Incremental or Differential Deposit since the
      last Full Deposit (i.e., one or more Incremental or Differential
      Deposits exist for the period between the Timeline Watermark of a
      Full Deposit and an Incremental or Differential Deposit) the Timeline Watermark of
   another Incremental or Differential Deposit since the last Full
   Deposit, Deposit), the more
      recent deposit MUST contain all of the transactions of the earlier
      deposit.

   Registrar.

   Registrar:  See the definition of Registrar "registrar" in [RFC8499].

   Registry.

   Registry:  See the definition of Registry "registry" in [RFC8499].

   Third-Party Beneficiary.  Is Beneficiary:  A third-party beneficiary is the
      organization that, under extraordinary circumstances, would
      receive the escrow deposits the registry transferred to the escrow
      agent.  This organization could be a backup registry, registry
      regulator, contracting party of the registry, etc.

   Timeline Watermark.  Point Watermark:  The Timeline Watermark is the point in time on
      which to base the collecting of database objects for a deposit.
      Deposits are expected to be consistent to with that point in time.

   Top-Level Domain. Domain (TLD):  See the definition of Top-Level Domain (TLD) "Top-Level Domain" in
      [RFC8499].

3.  Problem Scope

   In the past few years, the issue of registry continuity has been
   carefully considered in the gTLD and ccTLD space. spaces.  Various
   organizations have carried out risk analyses and developed business
   continuity plans to deal with those risks, should they materialize.

   One of the solutions considered and used, especially in the gTLD
   space, is Registry Data Escrow as a way to ensure the continuity of
   registry services in the extreme case of registry failure.

   So far, almost every registry that uses Registry Data Escrow has its
   own specification.  It is anticipated that more registries will be
   implementing escrow escrow, especially with an increasing number of domain
   registries coming into service, adding complexity to this issue.

   It would seem beneficial to have a standardized specification for
   Registry Data Escrow that can be used by any registry to submit its
   deposits.

   While the domain name industry has been the main target for this
   specification, it has been designed to be as general as possible.

   Specifications covering the objects used by registration
   organizations shall identify the format and contents of the deposits
   a registry has to make, such that a different registry would be able
   to rebuild the registration services of the former, without its help,
   in a timely manner, manner and with minimum disruption to its users.

   Since the details of the registration services provided vary from
   registry to registry, specifications covering the objects used by
   registration organizations shall provide mechanisms that allow its
   extensibility to accommodate variations and extensions of the
   registration services.

   Given the requirement for confidentiality and the importance of
   accuracy of the information that is handled in order to offer
   registration services, parties using this specification shall define
   confidentiality and integrity mechanisms for handling the
   registration data.

   Specifications covering the objects used by registration
   organizations shall not include in the specification transient
   objects that can be recreated by the new registry, particularly those
   of delicate confidentiality, e.g., DNSSEC KSK/ZSK (Key Signing Key /
   Zone Signing Key) private keys.

   Details that are a matter of policy should be identified as such for
   the benefit of the implementers.

   Non-technical issues concerning data escrow, such as whether to
   escrow data and under which for what purposes the data may be used, are outside of
   the scope of this document.

   Parties using this specification shall use a signaling mechanism to
   control the transmission, reception reception, and validation of data escrow
   deposits.  The definition of such a signaling mechanism is out of outside
   the scope of this document.

4.  Conventions Used in This Document

   The XML namespace prefix "rde" is used for the namespace
   "urn:ietf:params:xml:ns:rde-1.0", but implementations MUST NOT depend
   on it; instead, they should employ a proper namespace-aware XML
   parser and serializer to interpret and output the XML documents.

   The XML namespace prefix prefixes "rdeObj1" and "rdeObj2" "rdeObj2", with the
   corresponding namespaces "urn:example:params:xml:ns:rdeObj1-1.0" and
   "urn:example:params:xml:ns:rdeObj2-1.0"
   "urn:example:params:xml:ns:rdeObj2-1.0", are used as example data
   escrow objects.

4.1.  Date and Time

   Numerous fields indicate "dates", such as the creation and expiry
   dates for objects.  These fields SHALL contain timestamps indicating
   the date and time in UTC, specified in Internet Date/Time Format (see
   [RFC3339], Section 5.6) with the time-offset parameter specified as
   "Z".

5.  Protocol Description

   The following is a format for data escrow deposits as produced by a
   registry. registry is
   defined below.  The deposits are represented in XML. XML (Section 6).
   Only the format of the objects deposited is defined.  Nothing is prescribed about  This document
   does not prescribe the method used to transfer such deposits between
   the registry and the escrow agent or vice versa.

   The protocol intends to be object agnostic agnostic, allowing the "overload"
   of abstract elements using the "substitutionGroup" attribute
   [W3C.REC-xmlschema-1-20041028] of the XML Schema element to define
   the actual elements of an object to be escrowed.

   The specification for each object to be escrowed MUST declare the
   identifier to be used to reference the object to be deleted or added/
   modified.

5.1.  Root element Element <deposit>

   The container or root element for a Registry Data Escrow deposit is
   <deposit>.

   The <deposit> element contains the following attributes:

   o

   *  A REQUIRED "type" attribute that is used to identify the kind of
      deposit:

      *

      -  FULL: Full.

      *

      -  INCR: Incremental.

      *

      -  DIFF: Differential.

   o

   *  A REQUIRED "id" attribute that is used to uniquely identify the
      escrow deposit.  Each registry is responsible for maintaining its
      own escrow deposits' identifier space to ensure uniqueness.

   o

   *  A "prevId" attribute that can be used to identify the previous
      Incremental, Differential Differential, or Full Deposit.  This attribute is
      REQUIRED in Differential Deposits ("DIFF" type), is OPTIONAL in
      Incremental Deposits ("INCR" type), and is not used in Full
      Deposits ("FULL" type).

   o

   *  An OPTIONAL "resend" attribute that is incremented each time the
      escrow deposit failed the verification procedure at the receiving
      party and a new escrow deposit needs to be generated by the
      registry for that specific date.  The first time a deposit is
      generated
      generated, the attribute is either (1) is omitted or (2) MUST be "0".
      If a deposit needs to be generated again, the attribute MUST be
      set to "1", and so on.

   The <deposit> element contains the following the child elements:

5.1.1.  Child <watermark> element Element

   A REQUIRED <watermark> element contains the date-time [RFC3339]
   corresponding to the Timeline Watermark of the deposit.

5.1.2.  Child <rdeMenu> element Element

   This element contains auxiliary information of regarding the data escrow
   deposit.

   A REQUIRED <rdeMenu> element contains the following child elements:

   o

   *  A REQUIRED <version> element that identifies the RDE protocol
      version, this
      version.  This value MUST be 1.0.

   o

   *  One or more <objURI> elements that contain namespace URIs
      representing the <contents> and <deletes> element objects.

5.1.3.  Child <deletes> element Element

   For Differential Deposits, this element contains the list of objects
   that have been deleted since the previous deposit of any type.  For
   Incremental Deposits, this element contains the list of objects that
   have been deleted since the previous Full Deposit.

   This section of the deposit MUST NOT be present in Full Deposits.

5.1.4.  Child <contents> element Element

   For Full Deposits Deposits, this element contains all objects.  For
   Differential Deposits, this element contains the list of objects that
   have been added or modified since the previous deposit of any type.
   For Incremental Deposits, this element contains the list of objects
   that have been added or modified since the previous Full Deposit.

5.2.  Rebuilding the registry Registry from data escrow deposits Data Escrow Deposits

   When applying Incremental or Differential Deposits (when rebuilding
   the registry from data escrow deposits), the relative order of the
   <deletes> and <contents> elements is important because dependencies
   may exist between the objects.  All of the <deletes> elements MUST be
   applied first, in the order that in which they appear.  All of the
   <contents> elements MUST be applied next, in the order that in which they
   appear.

   If an object is present in the <contents> or <deletes> section of
   several deposits (e.g. (e.g., Full and Differential) Differential), the registry data
   from the latest deposit (as defined by the Timeline Watermark) SHOULD
   be used when rebuilding the registry.  An object SHOULD NOT exist
   multiple times either in either the <contents> or <deletes> elements in a
   single deposit.

   When rebuilding a registry, the <deletes> section MUST be ignored if
   present in a Full Deposit.

6.  Formal Syntax

   RDE is specified in XML Schema notation.  The formal syntax presented
   here is a complete schema representation of RDE suitable for
   automated validation of RDE XML instances.

   The BEGIN <CODE BEGINS> and END <CODE ENDS> tags are not part of the schema;
   they are used to note the beginning and ending of the schema for URI
   registration purposes.

6.1.  RDE Schema

  BEGIN

   <CODE BEGINS>
   <?xml version="1.0" encoding="UTF-8"?>
   <schema targetNamespace="urn:ietf:params:xml:ns:rde-1.0"
     xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
     xmlns="http://www.w3.org/2001/XMLSchema"
     elementFormDefault="qualified">

     <annotation>
       <documentation>
         Registry Data Escrow schema
       </documentation>
     </annotation>

     <!-- Root element -->
     <element name="deposit" type="rde:escrowDepositType"/>

     <!-- RDE types -->
     <complexType name="escrowDepositType">
       <sequence>
         <element name="watermark" type="dateTime"/>
         <element name="rdeMenu" type="rde:rdeMenuType"/>
         <element name="deletes" type="rde:deletesType" minOccurs="0"/>
         <element name="contents" type="rde:contentsType"
           minOccurs="0"/>
       </sequence>
       <attribute name="type" type="rde:depositTypeType"
         use="required"/>
       <attribute name="id" type="rde:depositIdType" use="required"/>
       <attribute name="prevId" type="rde:depositIdType"/>
       <attribute name="resend" type="unsignedShort" default="0"/>
     </complexType>

     <!-- Menu type -->
     <complexType name="rdeMenuType">
       <sequence>
         <element name="version" type="rde:versionType"/>
         <element name="objURI" type="anyURI" maxOccurs="unbounded"/>
       </sequence>
     </complexType>

     <!-- Deletes Type type -->
     <complexType name="deletesType">
       <sequence minOccurs="0" maxOccurs="unbounded">
         <element ref="rde:delete"/>
       </sequence>
     </complexType>

     <element name="delete" type="rde:deleteType" abstract="true" /> abstract="true"/>
     <complexType name="deleteType">
       <complexContent>
         <restriction base="anyType"/>
       </complexContent>
     </complexType>

     <!-- Contents Type type -->
     <complexType name="contentsType">
       <sequence minOccurs="0" maxOccurs="unbounded">
         <element ref="rde:content"/>
       </sequence>
     </complexType>

     <element name="content" type="rde:contentType" abstract="true" /> abstract="true"/>
     <complexType name="contentType">
       <complexContent>
         <restriction base="anyType"/>
       </complexContent>
     </complexType>

     <!-- Type of deposit -->
     <simpleType name="depositTypeType">
       <restriction base="token">
         <enumeration value="FULL"/>
         <enumeration value="INCR"/>
         <enumeration value="DIFF"/>
       </restriction>
     </simpleType>

     <!-- Deposit identifier type -->
     <simpleType name="depositIdType">
       <restriction base="token">
         <pattern value="\w{1,13}"/>
       </restriction>
     </simpleType>

     <!-- A RDE version number is a dotted pair of decimal numbers -->
     <simpleType name="versionType">
       <restriction base="token">
         <pattern value="[1-9]+\.[0-9]+"/>
         <enumeration value="1.0"/>
       </restriction>
     </simpleType>

   </schema>
  END
   <CODE ENDS>

7.  Internationalization Considerations

   Data escrow deposits are represented in XML, which provides native
   support for encoding information using the Unicode character set and
   its more compact representations representations, including UTF-8.  Conformant XML
   processors recognize both UTF-8 and UTF-16.  Though XML includes
   provisions to identify and use other character encodings through the
   use of an "encoding" attribute in an <?xml?> declaration, the use of
   UTF-8 is RECOMMENDED.

8.  IANA Considerations

   This document uses URNs to describe XML namespaces and XML schemas
   conforming to a registry mechanism described in [RFC3688].  Two URI
   assignments have been registered by the IANA.

   Registration request for the RDE namespace:

   URI:  urn:ietf:params:xml:ns:rde-1.0
   Registrant Contact:  IESG <regext@ietf.org>

      Note to RFC Editor: Please remove the email address from the RFC
      after IANA records it.
   XML:  None.  Namespace URIs do not represent an XML specification.

   Registration request for the RDE XML schema:

   URI:  urn:ietf:params:xml:schema:rde-1.0
   Registrant Contact:  IESG <regext@ietf.org>

      Note to RFC Editor: Please remove the email address from the RFC
      after IANA records it.

   See the "Formal Syntax" section Section 6 ("Formal Syntax") of this document.

9.  Implementation Status

   Note to RFC Editor: Please remove this section and the reference to
   RFC 7942 [RFC7942] before publication.  Security Considerations

   This section records the status of known implementations of the
   protocol defined by this specification at does not define the time of posting of this
   [RFC7942].  The description of implementations in this section is
   intended security mechanisms to assist the IETF in its decision processes be used
   in progressing
   drafts to RFCs.  Please note that the listing transmission of any individual
   implementation here does not imply endorsement by the IETF.
   Furthermore, no effort has been spent to verify data escrow deposits, since it only
   specifies the information
   presented here that was supplied by IETF contributors.  This is not
   intended as, and must not be construed minimum necessary to be, a catalog of available
   implementations or their features.  Readers are advised to note that
   other implementations may exist.

   According to RFC 7942 [RFC7942], "this will allow reviewers and
   working groups to assign due consideration to documents that have the
   benefit of running code, which may serve as evidence of valuable
   experimentation and feedback that have made the implemented protocols
   more mature.  It is up to the individual working groups to use this
   information as they see fit".

9.1.  Implementation in the gTLD space

   Organization: ICANN

   Name: ICANN Registry Agreement

   Description: the ICANN Base Registry Agreement requires Registries,
   Data Escrow Agents, and ICANN to implement this specification.  ICANN
   receives daily notifications from Data Escrow Agents confirming that
   more than 1,200 gTLDs are sending deposits that comply with this
   specification.  ICANN receives on a weekly basis per gTLD, from more
   than 1,200 gTLD registries, a Bulk Registration Data Access file that
   also complies with this specification.  In addition, ICANN is aware
   of Registry Service Provider transitions using data files that
   conform to this specification.

   Level of maturity: production.

   Coverage: all aspects of this specification are implemented.

   Version compatibility: versions 03 - 08 are known to be implemented.

   Contact: gustavo.lozano@icann.org
   URL: https://www.icann.org/resources/pages/registries/registries-
   agreements-en

10.  Security Considerations

   This specification does not define the security mechanisms to be used
   in the transmission of the data escrow deposits, since it only
   specifies the minimum necessary to enable the rebuilding enable the rebuilding of a
   registry from deposits without intervention from the original
   registry.

   Depending on local policies, some elements, elements -- or, most likely, the
   whole deposit -- will be considered confidential.  As such, the
   parties SHOULD take all the necessary precautions precautions, such as encrypting the
   data at rest and in transit to avoid inadvertent disclosure of
   private data.  Regardless of the precautions taken by the parties
   regarding data at rest and in transit, authentication credentials
   MUST NOT be escrowed.

   Authentication of the parties passing data escrow deposit files is
   also of the utmost importance.  The escrow agent MUST properly
   authenticate the identity of the registry before accepting data
   escrow deposits.  In a similar manner,  Similarly, the registry MUST authenticate the
   identity of the escrow agent before submitting any data.

   Additionally, the registry and the escrow agent MUST use integrity
   checking mechanisms to ensure the data transmitted is what the source
   intended.  Validation of the contents by the escrow agent is
   RECOMMENDED to ensure not only that the file was transmitted
   correctly from the registry, but also that the contents are
   "meaningful".

   Note: if Transport Layer Security (TLS) is used when providing an
   escrow services, the recommendations in [RFC7525] MUST be
   implemented.

11.  Privacy Considerations

   This specification defines a format that may be used to escrow
   personal data.  The process of data escrow is governed by a legal
   document agreed by the parties, and such legal document must ensure
   that privacy-sensitive and/or personal data receives the required
   protection.

12.  Acknowledgments

   Special suggestions that have been incorporated into this document
   were provided by James Gould, Edward Lewis, Jaap Akkerhuis, Lawrence
   Conroy, Marc Groeneweg, Michael Young, Chris Wright, Patrick Mevzek,
   Stephen Morris, Scott Hollenbeck, Stephane Bortzmeyer, Warren Kumari,
   Paul Hoffman, Vika Mpisane, Bernie Hoeneisen, Jim Galvin, Andrew
   Sullivan, Hiro Hotta, Christopher Browne, Daniel Kalchev, David
   Conrad, James Mitchell, Francisco Obispo, Bhadresh Modi and Alexander
   Mayrhofer.

   Shoji Noguchi and Francisco Arias participated as co-authors until
   version 07 providing invaluable support for this document.

13.  Change History

   [[RFC Editor: Please remove this section.]]

13.1.  Changes from 00 to 01

   1.   Included DNSSEC elements as part of the basic <domain> element
        as defined in RFC 5910.

   2.   Included RGP elements as part of the basic <domain> element as
        defined in RFC 3915.

   3.   Added support for IDNs and IDN variants.

   4.   Eliminated the <summary> element and all its subordinate
        objects, except <watermarkDate>.

   5.   Renamed <watermarkDate> to <watermark> and included it directly
        under root element.

   6.   Renamed root element to <deposit>.

   7.   Added <authinfo> element under <registrar> element.

   8.   Added <roid> element under <registrar> element.

   9.   Reversed the order of the <deletes> and <contents> elements.

   10.  Removed <rdeDomain:status> minOccurs="0".

   11.  Added <extension> element under root element.

   12.  Added <extension> element under <contact> element.

   13.  Removed <period> element from <domain> element.

   14.  Populated the "Security Considerations" section.

   15.  Populated the "Internationalization Considerations" section.

   16.  Populated the "Extension Example" section.

   17.  Added <deDate> element under <domain> element.

   18.  Added <icannID> element under <registrar> element.

   19.  Added <eppParams> element under root element.

   20.  Fixed some typographical errors and omissions.

13.2.  Changes from 01 to 02

   1.  Added definition for "canonical" in the "IDN variants Handling"
       section.

   2.  Clarified that "blocked" and "reserved" IDN variants are
       optional.

   3.  Made <rdeRegistrar:authInfo> optional.

   4.  Introduced substitutionGroup as the mechanism for extending the
       protocol.

   5.  Moved <eppParams> element to be child of <contents>.

   6.  Text improvements in the Introduction, Terminology, and Problem
       Scope per Jay's suggestion.

   7.  Removed <trDate> from <rdeDomain> and added <trnData> instead,
       which include all the data from the last (pending/processed)
       transfer request.

   8.  Removed <trDate> from <rdeContact> and added <trnData> instead,
       which include all the data from the last (pending/processed)
       transfer request.

   9.  Fixed some typographical errors and omissions.

13.3.  Changes from 02 to 03

   1.  Separated domain name objects from protocol.

   2.  Moved <extension> elements to be child of <deletes> and
       <contents>, additionally removed <extension> element from
       <rdeDomain>,<rdeHost>, <rdeContact>,<rdeRegistrar> and <rdeIDN>
       elements.

   3.  Modified the definition of <rde:id> and <rde:prevId>.

   4.  Added <rdeMenu> element under <deposit> element.

   5.  Fixed some typographical errors and omissions.

13.4.  Changes from 03 to 04

   1.  Removed <eppParams> objects.

   2.  Populated the "Extension Guidelines" section.

   3.  Fixed some typographical errors and omissions.

13.5.  Changes from 04 to 05

   1.  Fixes to the XSD.

   2.  Extension Guidelines moved to dnrd-mappings draft.

   3.  Fixed some typographical errors and omissions.

13.6.  Changes from 05 to 06

   1.  Fix resend definition.

13.7.  Changes from 06 to 07

   1.  Editorial updates.

   2.  schemaLocation removed from RDE Schema.

13.8.  Changes from 07 to 08

   1.  Ping update.

13.9.  Changes from 08 to 09

   1.  Ping update.

13.10.  Changes from 09 to 10

   1.  Implementation Status section was added.

13.11.  Changes from 10 to 11

   1.  Ping update.

13.12.  Changes from 11 to REGEXT 00

   1.  Internet Draft (I-D) adopted by the REGEXT WG.

13.13.  Changes from version REGEXT 00 to REGEXT 01

   1.  Privacy consideration section was added.

13.14.  Changes from version REGEXT 01 to REGEXT 02

   1.  Updated the Security Considerations section to make the language
       normative.

   2.  Updated the rde XML schema to remove the dependency with the
       eppcom namespace reference.

   3.  Editorial updates.

   4.  Remove the reference to RFC 5730.

   5.  Added complete examples of deposits.

13.15.  Changes from version REGEXT 02 to REGEXT 03

   1.  The <contents> section changed from MUST to SHOULD, in order to
       accommodate an Incremental or Differential Deposit that only
       includes deletes.

   2.  Editorial updates.

13.16.  Changes from version REGEXT 03 to REGEXT 04

   1.  Moved [RFC8499] to the Normative References section.

13.17.  Changes from version REGEXT 04 to REGEXT 05

   1.  Changes based on the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/
       UNo6YxapgjyerAYv0223zEuzjFk

   2.  The examples of deposits were moved to their own sections.

   3.  <deposit> elements definition moved to section 5.1.

   4.  The DIFF example was modified to make it more representative of a
       differential deposit.

13.18.  Changes from version REGEXT 05 to REGEXT 06

   1.  Normative references for XLM, XML Schema added.

   2.  Text added to define that version MUST be 1.0.

   3.  Normative SHOULD replaced should in of the second paragraph in escrow agent before submitting any data.

   Additionally, the
       security section.

13.19.  Changes from version REGEXT 06 to REGEXT 07

   1.  Registration contact changed in section 8.

13.20.  Changes from version REGEXT 07 registry and the escrow agent MUST use integrity-
   checking mechanisms to REGEXT 08

   1.  Changes based on ensure that the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/hDLz2ym4oR-ukA4Fm-
       QJ8FzaxxE

   2.  Changes based on data transmitted is what the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/780Xw-
       z1RMRb79nmZ6ABmRTo1fU

   3.  Changes based on
   source intended.  Validation of the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/
       YnPnrSedrCcgQ2AXbjBTuQzqMds

   4.  Changes based on contents by the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/
       BiV0NHi_k7cYwTiLdLwVgqEcFuo

13.21.  Changes from version REGEXT 08 escrow agent is
   RECOMMENDED to REGEXT 09

   1.  Changes based on the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/x_8twvi-
       MS4dDDRfAZfNJH92UaQ

   2.  Changes based on ensure not only that the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/
       B3QTxUCWUE4R_QharAQlA3041j0

13.22.  Changes file was transmitted
   correctly from version REGEXT 09 the registry but also that the contents are
   "meaningful".

      |  Note: If Transport Layer Security (TLS) is used when providing
      |  an escrow service, the recommendations in [RFC7525] MUST be
      |  implemented.

10.  Privacy Considerations

   This specification defines a format that may be used to REGEXT 10

   1.  Changes based on escrow
   personal data.  The process of data escrow is governed by a legal
   document agreed upon by the feedback provided here:
       https://mailarchive.ietf.org/arch/msg/regext/
       UaMNvl1xh60ldjpqHHYc3TNsfhg

14. parties, and such a legal document must
   ensure that privacy-sensitive and/or personal data receives the
   required protection.

11.  Example of a Full Deposit

   Example of a Full Deposit with the two example objects rdeObj1 and
   rdeObj2:

   <?xml version="1.0" encoding="UTF-8"?>
   <rde:deposit
     xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
     xmlns:rdeObj1="urn:example:params:xml:ns:rdeObj1-1.0"
     xmlns:rdeObj2="urn:example:params:xml:ns:rdeObj2-1.0"
     type="FULL"
     id="20191018001">
     <rde:watermark>2019-10-17T23:59:59Z</rde:watermark>
     <rde:rdeMenu>
       <rde:version>1.0</rde:version>
       <rde:objURI>urn:example:params:xml:ns:rdeObj1-1.0</rde:objURI>
       <rde:objURI>urn:example:params:xml:ns:rdeObj2-1.0</rde:objURI>
     </rde:rdeMenu>
     <rde:contents>
       <rdeObj1:rdeObj1>
         <rdeObj1:name>EXAMPLE</rdeObj1:name>
       </rdeObj1:rdeObj1>
       <rdeObj2:rdeObj2>
         <rdeObj2:id>fsh8013-EXAMPLE</rdeObj2:id>
       </rdeObj2:rdeObj2>
     </rde:contents>
   </rde:deposit>

15.

12.  Example of a Differential Deposit

   Example of a Differential Deposit with the two example objects
   rdeObj1 and rdeObj2:

   <?xml version="1.0" encoding="UTF-8"?>
   <rde:deposit
     xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
     xmlns:rdeObj1="urn:example:params:xml:ns:rdeObj1-1.0"
     xmlns:rdeObj2="urn:example:params:xml:ns:rdeObj2-1.0"
     type="DIFF"
     id="20191019001" prevId="20191018001">
     <rde:watermark>2019-10-18T23:59:59Z</rde:watermark>
     <rde:rdeMenu>
       <rde:version>1.0</rde:version>
         <rde:objURI>urn:example:params:xml:ns:rdeObj1-1.0</rde:objURI>
         <rde:objURI>urn:example:params:xml:ns:rdeObj2-1.0</rde:objURI>
     </rde:rdeMenu>
     <rde:contents>
       <rdeObj1:rdeObj1>
         <rdeObj1:name>EXAMPLE2</rdeObj1:name>
       </rdeObj1:rdeObj1>
       <rdeObj2:rdeObj2>
         <rdeObj2:id>sh8014-EXAMPLE</rdeObj2:id>
       </rdeObj2:rdeObj2>
     </rde:contents>
   </rde:deposit>

16.

13.  Example of a an Incremental Deposit

   Example of an Incremental Deposit with the two example objects
   rdeObj1 and rdeObj2:

   <?xml version="1.0" encoding="UTF-8"?>
   <rde:deposit
     xmlns:rde="urn:ietf:params:xml:ns:rde-1.0"
     xmlns:rdeObj1="urn:example:params:xml:ns:rdeObj1-1.0"
     xmlns:rdeObj2="urn:example:params:xml:ns:rdeObj2-1.0"
     type="INCR"
     id="20200317001" prevId="20200314001">
     <rde:watermark>2020-03-16T23:59:59Z</rde:watermark>
     <rde:rdeMenu>
       <rde:version>1.0</rde:version>
       <rde:objURI>urn:example:params:xml:ns:rdeObj1-1.0</rde:objURI>
       <rde:objURI>urn:example:params:xml:ns:rdeObj2-1.0</rde:objURI>
     </rde:rdeMenu>
     <rde:deletes>
       <rdeObj1:delete>
         <rdeObj1:name>EXAMPLE1</rdeObj1:name>
       </rdeObj1:delete>
       <rdeObj2:delete>
         <rdeObj2:id>fsh8013-EXAMPLE</rdeObj2:id>
       </rdeObj2:delete>
     </rde:deletes>
     <rde:contents>
       <rdeObj1:rdeObj1>
         <rdeObj1:name>EXAMPLE2</rdeObj1:name>
       </rdeObj1:rdeObj1>
       <rdeObj2:rdeObj2>
         <rdeObj2:id>sh8014-EXAMPLE</rdeObj2:id>
       </rdeObj2:rdeObj2>
     </rde:contents>
   </rde:deposit>

17.

14.  References

17.1.

14.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
              <https://www.rfc-editor.org/info/rfc3339>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [W3C.REC-xml-20081126]
              Bray, T., Ed., Paoli, J., Ed., Sperberg-McQueen, C., C.M.,
              Ed., Maler, E., Ed., and F. Yergeau, Ed., "Extensible
              Markup Language (XML) 1.0 (Fifth
              Edition) REC-xml-20081126", Edition)", REC-xml-
              20081126, November 2008,
              <https://www.w3.org/TR/2008/REC-xml-20081126/>.

   [W3C.REC-xmlschema-1-20041028]
              Thompson, H., H.S., Ed., Beech, D., Ed., Maloney, M., Ed., and
              N. Mendelsohn, Ed., "XML Schema Part 1: Structures Second Edition REC-
              xmlschema-1-20041028",
              Edition", REC-xmlschema-1-20041028, October 2004,
              <https://www.w3.org/TR/2004/REC-xmlschema-1-20041028/>.

   [W3C.REC-xmlschema-2-20041028]
              Biron, P. V., Ed. and A. Malhotra, Ed., "XML Schema Part
              2: Datatypes Second Edition REC-xmlschema-2-20041028", Edition", REC-xmlschema-2-20041028,
              October 2004,
              <https://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>.

17.2.

14.2.  Informative References

   [ICANN-GTLD-RA-20170731]
              ICANN, "Base Registry Agreement 2017-07-31", Agreement", 31 July 2017,
              <https://newgtlds.icann.org/sites/default/files/
              agreements/agreement-approved-31jul17-en.pdf>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC7525]  Sheffer, Y., Holz, R., and P. Saint-Andre,
              "Recommendations for Secure Use of Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
              2015, <https://www.rfc-editor.org/info/rfc7525>.

   [RFC7942]  Sheffer, Y.

Acknowledgments

   Special suggestions that were incorporated into this document were
   provided by James Gould, Edward Lewis, Jaap Akkerhuis, Lawrence
   Conroy, Marc Groeneweg, Michael Young, Chris Wright, Patrick Mevzek,
   Stephen Morris, Scott Hollenbeck, Stephane Bortzmeyer, Warren Kumari,
   Paul Hoffman, Vika Mpisane, Bernie Hoeneisen, Jim Galvin, Andrew
   Sullivan, Hiro Hotta, Christopher Browne, Daniel Kalchev, David
   Conrad, James Mitchell, Francisco Obispo, Bhadresh Modi, and A. Farrel, "Improving Awareness
   Alexander Mayrhofer.

   Shoji Noguchi and Francisco Arias participated as coauthors through
   version 07 of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>. draft-arias-noguchi-registry-data-escrow (the precursor
   to this document) and provided invaluable support for this document.

Author's Address

   Gustavo Lozano
   Internet Corporation for Assigned Names and Numbers
   12025 Waterfront Drive, Suite 300
   Los Angeles Angeles, CA 90292
   United States of America

   Phone: +1.310.823.9358
   Email: gustavo.lozano@icann.org