New gTLD Application Submitted to ICANN by: Comcast IP Holdings I, LLC

String: XFINITY

Originally Posted: 13 June 2012

Application ID: 1-1170-40267


Applicant Information


1. Full legal name

Comcast IP Holdings I, LLC

2. Address of the principal place of business

c/o Comcast Capital Corporation
1201 North Market Street, Suite 100
Wilmington, DE 19801
US

3. Phone number

+1 302 594 8710

4. Fax number

+1 302 658 1600

5. If applicable, website or URL


Primary Contact


6(a). Name

Jason Dean Livingood

6(b). Title

Vice President, Internet & Communications Engineering

6(c). Address


6(d). Phone Number

+1 215 286 7813

6(e). Fax Number


6(f). Email Address

jason_livingood@cable.comcast.com

Secondary Contact


7(a). Name

Chae H Chung

7(b). Title

Senior Manager, Internet & Communications Engineering

7(c). Address


7(d). Phone Number

+1 215 286 2691

7(e). Fax Number


7(f). Email Address

chae_chung@cable.comcast.com

Proof of Legal Establishment


8(a). Legal form of the Applicant

Limited Liability Company

8(b). State the specific national or other jurisdiction that defines the type of entity identified in 8(a).

National: United States
State: Delaware

8(c). Attach evidence of the applicant's establishment.

Attachments are not displayed on this form.

9(a). If applying company is publicly traded, provide the exchange and symbol.


9(b). If the applying entity is a subsidiary, provide the parent company.

Comcast Corporation

9(c). If the applying entity is a joint venture, list all joint venture partners.


Applicant Background


11(a). Name(s) and position(s) of all directors


11(b). Name(s) and position(s) of all officers and partners

Cheryl Diane Bertuccini - Vice President, Assistant Secretary
Kristin Maney Kipp - Vice President, Assistant Secretary
Rosemarie Stacey Teta - President
Sandra Webster Crowell - Vice President, Assistant Treasurer

11(c). Name(s) and position(s) of all shareholders holding at least 15% of shares

Comcast Corporation - Not Applicable

11(d). For an applying entity that does not have directors, officers, partners, or shareholders: Name(s) and position(s) of all individuals having legal or executive responsibility


Applied-for gTLD string


13. Provide the applied-for gTLD string. If an IDN, provide the U-label.

XFINITY

14(a). If an IDN, provide the A-label (beginning with "xn--").


14(b). If an IDN, provide the meaning or restatement of the string in English, that is, a description of the literal meaning of the string in the opinion of the applicant.


14(c). If an IDN, provide the language of the label (in English).


14(c). If an IDN, provide the language of the label (as referenced by ISO-639-1).


14(d). If an IDN, provide the script of the label (in English).


14(d). If an IDN, provide the script of the label (as referenced by ISO 15924).


14(e). If an IDN, list all code points contained in the U-label according to Unicode form.


15(a). If an IDN, Attach IDN Tables for the proposed registry.

Attachments are not displayed on this form.

15(b). Describe the process used for development of the IDN tables submitted, including consultations and sources used.


15(c). List any variant strings to the applied-for gTLD string according to the relevant IDN tables.


16. Describe the applicant's efforts to ensure that there are no known operational or rendering problems concerning the applied-for gTLD string. If such issues are known, describe steps that will be taken to mitigate these issues in software and other applications.

The applied-for gTLD string will not cause any operational or rendering problems. The applied-for string is in ASCII and uses alphabetic characters only. The string, and its use in applications, will not be syntactically different from any existing Top Level Domain. The intended-use applications are agnostic to the alphabetic string, and the string is not a reserved top-level domain name (per RFC 2606).

17. (OPTIONAL) Provide a representation of the label according to the International Phonetic Alphabet (http://www.langsci.ucl.ac.uk/ipa/).


Mission/Purpose


18(a). Describe the mission/purpose of your proposed gTLD.

18.1 Mission and Purpose of .XFINITY

18.1.1 Comcast Corporation

Comcast Corporation (“Comcast”) is a leading provider of video, high-speed Internet, and phone services to residential and business customers in the United States. As of December 31, 2010, Comcast cable systems served approximately 22.8 million video customers, 17.0 million high-speed Internet customers and 8.6 million phone customers and passed over 51 million homes and businesses in 39 states and the District of Columbia.

18.1.2 XFINITY

In 2010, Comcast launched XFINITY TV, its authenticated, On Demand online service. XFINITY TV offers online access to 150,000 entertainment choices, including movies, TV shows, premium and HD content, and a compelling search and discovery platform. All of Comcast’s digital video customers have access to XFINITY TV for no extra cost, making it a tremendous value-added service.

Comcast also launched the XFINITY TV app on iPads, iPhones and Android-based devices. The app now combines the functionality of a remote, a TV guide and a mobile video player, with a Play Now streaming feature that today gives customers access to nearly 4,500 hours of movies and TV shows. The iPad app alone has been downloaded more than 1.3 million times since it launched in mid-November 2010. Comcast is in the process of expanding its capabilities to include live TV programming and other features.

18.1.3 Mission and Purpose

Through a unified corporate approach, Comcast intends to submit two gTLD applications for the strings .COMCAST and .XFINITY. Comcast IP Holdings I, LLC, (“Comcast IP”) a wholly owned subsidiary of Comcast, will be the entity to file this application and bring the .XFINITY gTLD to market.

The intended mission and purpose of the .XFINITY gTLD is to serve as a trusted and intuitive namespace for the benefit of Comcast and its qualified subsidiaries’ and affiliates’ customers and other Internet users, that will deepen and broaden these entities’ relationships with those audiences.

Although ICANN has not specifically recognized a .BRAND gTLD specification in the current gTLD application round, it is widely anticipated in the brand-owner community that this will become a specialty subset of the gTLDs. The .XFINITY gTLD is intended to be one of those .BRAND gTLDs, with the goal of protecting Comcast’s online presence and identity, expanding its marketing and promotion efforts, providing a secure channel for online products and services, and offering a platform through which to consolidate many of the intellectual property activities of Comcast.

Comcast IP intends to initially limit registration and use of domain names within the .XFINITY gTLD to Comcast and its qualified subsidiaries and affiliates. This initial limited use will allow Comcast IP to establish .XFINITY’s operations and achieve full sustainability. This limited distribution coupled with the other requirements set forth in Specification 9 of the template Registry Agreement is intended to exempt Comcast IP from its annual Code of Conduct Compliance requirements.

After the initial stages of operation, Comcast IP will evaluate whether opportunities exist to carry out the business strategy for the gTLD through expansion that continues the sustainable operations of the registry through fee-based registrations to parties other than Comcast and its qualified subsidiaries and affiliates.

Comcast IP currently plans a four-stage rollout for the .XFINITY gTLD:

Stage 1

The initial stage of implementation of the gTLD will involve Comcast registering a limited number of .XFINITY second-level domain names. This initial use will provide Comcast’s DNS Engineering personnel the time to run a number of tests to ensure seamless and secure access using the .XFINITY gTLD domain names, interoperability with various software and Web-based applications, and unbroken and secure use of all names. This initial allocation will also allow the appropriate Comcast staff to coordinate with the internal and external staff responsible for the application, delegation, and setup phases of the .XFINITY gTLD to ensure a proper transition from delegation to full operation.

Stage 2

Once all testing has been successfully completed, Comcast IP will begin allocating domain names in the .XFINITY gTLD for more widespread corporate use. During this same time period, Comcast will begin evaluating strategies to potentially migrate traffic away from its current patchwork network of second-level domain names, which are registered in a variety of TLDs, to Comcast IP’s new gTLDs, .COMCAST and .XFINITY.

It is in Stage 2 that Comcast will evaluate expanding the operations of the .XFINITY gTLD to permit registration by other registrants, such as select licensees or strategic partners. Should an assessment of its expansion strategy lead to a decision to extend registration rights to other parties, this expansion is currently planned to take place in Stage 3. However, any expansion would be conditioned upon a review of Specification 9 (Registry Code of Conduct) set forth in the template Registry Agreement to ensure compliance with Comcast IP’s business model.

Stage 3

Depending on the analysis of the evaluations undertaken in Stage 2, Comcast may implement the permanent migration of Internet traffic away from the TLDs in which Comcast’s domain names are currently registered, and toward the new Comcast IP gTLDs, .COMCAST and .XFINITY. It is in this stage that Comcast IP also may implement Comcast’s decision to extend registration rights to licensees or strategic parties, depending upon compliance with Specification 9, as noted above. The dates of such expansion are subject to change depending upon business, strategic, and industry factors at the time.

After consideration of the following factors: analysis of Comcast’s existing domain name portfolio; internal analysis of marketing initiatives; and the fact that Comcast will have full control over the number of registrations in the .XFINITY gTLD namespace, Comcast IP is confident that the number of domain name registrations will be less than 10,000 in the first five years of operation.

Stage 4

Based on their experiences with any expansion implemented in Stage 3, Comcast IP and Comcast will assess whether their business plan and expansion strategy should be augmented by extending registration rights to a broader class of licensees, including potential customers of Comcast. It is anticipated by Comcast that changes to the domain name industry, and particularly the impact of .BRAND gTLDs, will take at least five years to be realized and assessed. Any decision to expand the gTLDs beyond corporate, qualified subsidiary/affiliate, and licensee/partner use will take into account this experience as well as the technical analysis of potential expansion.

Notwithstanding this potential future expanded use of the .XFINITY name space beginning in the sixth year of operation, Comcast IP currently anticipates implementing a throttle mechanism to ensure that any proposed expansion is controlled and responsible. This proposed “time-out” mechanism is described in greater detail in the responses to Questions 45-50 of this application.

Comcast intends to use the .XFINITY gTLD in ways that are consistent with the business strategies of these or its other business segments as identified in its annual report and investor filings, see http://www.cmcsa.com/.

18(b). How do you expect that your proposed gTLD will benefit registrants, Internet users, and others?

18.2 How do you expect that your proposed gTLD will benefit registrants, Internet users, and others? 

Given that many consumers search for Comcast and its subsidiaries’ content online, Comcast believes that the proposed .XFINITY gTLD has the potential to offer the following benefits to Internet users and consumers:

- Provide a trusted online marketplace for the millions of consumers that use Comcast’s services;
- Provide Comcast and its qualified subsidiaries and affiliates with the use of short and memorable Internet addresses in order to facilitate increased ease of navigation to Comcast online content and other services;
- Minimize the need for defensive registrations because domain names within the .XFINITY gTLD will only be registered by Comcast IP to verified Comcast administrators and qualified subsidiaries and affiliates of Comcast, at least for the first three years of operation;
- Serve as a secure platform for the distribution of copyrighted material to consumers; and
- Incorporate enhanced intellectual property rights (IPR) protection mechanisms.

Also, through the adoption of new gTLDs by the wider Internet user community, consumers may benefit from lower incidents of fraud, misdirection, infringement, phishing, malware, or other scams often associated with mistypes of domain names in the .COM space that are owned by cybersquatters, since they will be navigating to domain names in the .XFINITY gTLD.

Comcast currently offers international programming to its video customers, including channels in the following languages and/or from the following regions:

Arabic
Chinese
Filipino
French
German
Greek
Israeli
Italian
Japanese
Korean
Polish
Portuguese
Russian
South Asia
Vietnamese

The above representative list of examples demonstrates the geographic nature of a particular Comcast service offering. Given these services, Comcast believes that a .XFINITY gTLD can provide an online single source-identifying location for its current and future customers.

Comcast IP would like to provide a hierarchical and intuitive framework for the .XFINITY namespace by using geographical identifiers as second-level domain names. This use of geographical identifiers to the left of the gTLD and as part of the domain name itself is believed to have a direct and material impact on search engine algorithms and their corresponding query results. Comcast would like to see if this type of hierarchical and intuitive use of second-level domain names within a gTLD provides increased consumer functionality and innovation, as premised by ICANN.

18.2.1 What is the goal of your proposed gTLD in terms of areas of specialty, service levels, or reputation?

Comcast has filed this application for a .XFINITY gTLD in order to provide a secure and trusted virtual platform to aggregate Comcast’s already well-known and prestigious content and other goods and services. As technologies for delivering content and services evolve, Comcast will pursue opportunities to distribute its content and services to consumers in the U.S. on various platforms, including the Internet, mobile devices, and video-on-demand. As noted above, Comcast intends to use the .XFINITY gTLD as an intuitive means to offer its content and to deepen and broaden its relationship with audiences and viewers.

Most importantly, the Comcast content and services will be provided in an online namespace devoid of fraud, misdirection, infringement, phishing, malware, and other scams. While Comcast fights to protect its valuable intellectual property from piracy on the Internet, it would use the .XFINITY gTLD to offer to consumers a safe and intuitive means of accessing authorized content from Comcast and its qualified subsidiaries and affiliates.

With regard to service level and reputation, Comcast will operate the .XFINITY gTLD in accordance with the Comcast Corporation Code of Conduct, see: http://www.cmcsk.com/govdocs.cfm?DocumentID=9918.

18.2.2 What do you anticipate your proposed gTLD will add to the current space, in terms of competition, differentiation, or innovation?

As a .BRAND gTLD, the primary factors driving Comcast to seek the .XFINITY gTLD are differentiation and innovation. Comcast is one of the world’s leading media, entertainment and communications companies, and it uses existing technology and leverages emerging technologies to deliver content and services to its millions of consumers. A .XFINITY gTLD has the potential to serve as a cornerstone of this online strategy.

While some of ICANN’s new gTLDs have previously been the subject of claims regarding increased spam and phishing activities, .XFINITY from its launch will be a trusted online source of Comcast information, goods, and services. Comcast will follow its own established good business practices in working with law enforcement to create a marketplace with safeguards designed to minimize fraud and other illegal activity.

Comcast IP believes that the success of the gTLD will not be measured by the number of domain names registered, but rather by the level of consumer recognition and trust that is placed in the .XFINITY gTLD. Using this benchmark, Comcast IP strives to build consumer recognition and trust that rise to the level of that found in the .EDU and .GOV gTLDs.

18.2.3 What goals does your proposed gTLD have in terms of user experience?

In addition to providing a trusted ecosystem experience for its millions of customers who use its content, goods, and services, Comcast IP will minimize potential fraud, misdirection, infringement, phishing, malware, and other scams because domains will initially only be registered to Comcast and its qualified subsidiaries and affiliates. As a leading media, communications, and entertainment company, Comcast believes that it can be a pioneer in bringing innovation in consumer choice to this new Internet medium.

18.2.4 Provide a complete description of the applicant’s intended registration policies in support of the goals listed above.

Comcast is fully committed to implementing all of ICANN’s consensus policies and other Rights Protection Mechanisms (RPMs) identified in the Applicant Guidebook. Moreover, based upon Comcast’s commitment and established track record in providing a safe ecosystem for consumers and vendors, Comcast intends to provide best-in-class safeguards that will evolve over time.

Because the domains within the .XFINITY gTLD are currently intended to be initially registered exclusively to Comcast and its qualified subsidiaries and affiliates, any registration and use requirements are more appropriately vested in the corporate-subsidiary and corporate-affiliate agreements, or corporate policies and practices, and not in a domain name registration agreement.

18.2.5 Will your proposed gTLD impose any measures for protecting the privacy or confidential information of registrants or users? If so, please describe any such measures.

As a leading media and communications company, with extensive online operations, Comcast has a vested interest in making sure that accurate and current domain name information is readily available in connection with each .XFINITY domain name. For the .XFINITY gTLD, all private and confidential information will be protected.

Comcast IP will ensure that the operation of the .XFINITY gTLD will be consistent with Comcast’s Web Services Terms of Service and Privacy Policy, available here: http://customer.XFINITY.com/help-and-support/internet/comcast-web-services-terms-of-service-and-privacy-policy.

In addition, Comcast IP intends to incorporate contractual language in its Registry-Registrar Agreement (RRA) modeled after language that has been included in the template Registry Agreement and that has been successfully utilized by existing ICANN gTLD Registry Operators.

The template Registry Agreement states, “Registry Operator shall (i) notify each ICANN-accredited registrar that is a party to the registry-registrar agreement for the TLD of the purposes for which data about any identified or identifiable natural person (“Personal Data”) submitted to Registry Operator by such registrar is collected and used under this Agreement or otherwise and the intended recipients (or categories of recipients) of such Personal Data, and (ii) require such registrar to obtain the consent of each registrant in the TLD for such collection and use of Personal Data. Registry Operator shall take reasonable steps to protect Personal Data collected from such registrar from loss, misuse, unauthorized disclosure, alteration or destruction. Registry Operator shall not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars.”

18.2.6 Describe whether and in what ways outreach and communications will help to achieve your projected benefits.

Comcast sees the potential for the .XFINITY gTLD to play a meaningful role in the company’s future online strategy. While the extent of likely benefits is currently uncertain due to questions of consumer recognition, the adoption of new gTLDs, and the response from search engines in the marketplace, all of which will influence the communication and usage strategies for the gTLD, Comcast IP anticipates a phased-in approach to using and promoting the .XFINITY gTLD.

At first, Comcast IP plans to use .XFINITY domains as redirects to existing .COM domains and other domains that Comcast currently operates. Subsequently, Comcast IP expects to initiate a targeted rollout using select gTLD domains as primary addresses and, after a careful review and analysis of this rollout, of the release of new gTLDs by others, of the response from search engines to .BRAND gTLDs, and of consumer perception, Comcast IP and Comcast may engage in a broader initiative, should the results be satisfactory and in accordance with the company’s overall strategic goals. As the marketplace evolves, the actual usage of the gTLD will dictate what outreach and communication is needed to ensure that consumers continue to interact with Comcast content in this new namespace.

18(c). What operating rules will you adopt to eliminate or minimize social costs?

18.3 What operating rules will you adopt to eliminate or minimize social costs (e.g., time or financial resource costs, as well as various types of consumer vulnerabilities)?

Comcast IP’s proposed operating rules to limit registration to Comcast and its qualified subsidiaries and affiliates will provide a trusted online environment for consumers of Comcast’s content, goods, and services. Therefore, Comcast IP will minimize social costs by eliminating the need for third-party brand owners to defensively register their trademarks in the .XFINITY gTLD, unlike other open registries. In addition, the .XFINITY gTLD will provide consumers with a trusted source for Comcast’s content, goods, and services without the risk of fraud, misdirection, infringement, phishing, malware, or malicious content.

18.3.1 What other steps will you take to minimize negative consequences/costs imposed upon consumers?

Comcast IP believes that the proposed operation of the .XFINITY gTLD as set forth in this application has no known negative consequences or cost implications to consumers. On the contrary, the proposed operation of this registry will likely lead to consumer benefits.

18.3.2 How will multiple applications for a particular domain name be resolved, for example, by auction or on a first-come/first-served basis?

Comcast IP does not envision multiple applicants for the same domain name, as domain names will initially only be registered to Comcast and its qualified subsidiaries and affiliates.

18.3.3 Explain any cost benefits for registrants you intend to implement (e.g., advantageous pricing, introductory discounts, bulk registration discounts).

Comcast IP does not envision any advantageous pricing, introductory discounts, or bulk registration discounts because it will not be marketing or creating commercial initiatives for the sale of .XFINITY domain names. Its intention is to use the gTLD as a recognizable, trusted, virtual platform offering Comcast’s and its qualified subsidiaries’ and affiliates’ content, goods, and services to customers and Internet users. Any potential registrant fees imposed upon licensees and strategic partners will be determined in the future if this class of registrants is permitted to register domain names in the .XFINITY gTLD.

18.3.4 Note that the Registry Agreement requires that registrars be offered the option to obtain initial domain name registrations for periods of one to ten years at the discretion of the registrar, but no greater than ten years. Additionally, the Registry Agreement requires advance written notice of price increases. Do you intend to make contractual commitments to registrants regarding the magnitude of price escalation? If so, please describe your plans.

Comcast IP is committed to providing the domain name registration periods set forth in the Registry Agreement. As a .BRAND gTLD, the use of any .XFINITY domain names is conditioned upon a subsidiary or affiliate relationship with Comcast. Therefore, there is a natural incentive for Comcast IP to provide domain names with minimal price escalations and the maximum flexibility in domain registration terms possible under ICANN rules. Given the ownership of .XFINITY domains as noted previously, contractual commitments in a domain name registrant agreement regarding the magnitude of price escalations are not relevant or appropriate. That said, the .XFINITY domain agreements will be in accordance with all ICANN requirements.

Comcast IP acknowledges that the current template Registry Agreement requires that the Registry Operator “shall offer registrars the option to obtain registration periods for one to ten years at the discretion of the registrar.” However, Comcast and its qualified subsidiaries and affiliates, as the sole registrants within the .XFINITY gTLD, will initially only be registering domain names on an annual basis.

It is possible that at some future date, Comcast IP may wish to explore expanding the potential universe of registrants beyond the initially proposed closed network of itself and qualified subsidiaries and affiliates. If Comcast IP were to expand this potential universe of registrants it would ensure that these domain name registrants were provided adequate notice regarding any pricing terms and conditions of use, including the fact that the use of the domain name may be conditioned upon another legal obligation that the registrant has with Comcast IP.

Community-based Designation


19. Is the application for a community-based TLD?

No

20(a). Provide the name and full description of the community that the applicant is committing to serve.


20(b). Explain the applicant's relationship to the community identified in 20(a).


20(c). Provide a description of the community-based purpose of the applied-for gTLD.


20(d). Explain the relationship between the applied-for gTLD string and the community identified in 20(a).


20(e). Provide a description of the applicant's intended registration policies in support of the community-based purpose of the applied-for gTLD.


20(f). Attach any written endorsements from institutions/groups representative of the community identified in 20(a).

Attachments are not displayed on this form.

Geographic Names


21(a). Is the application for a geographic name?

No

Protection of Geographic Names


22. Describe proposed measures for protection of geographic names at the second and other levels in the applied-for gTLD.

Protection of Geographic Names

22.1 Comcast IP Holdings I, LLC has Properly Researched this Topic

Comcast IP Holdings I, LLC (“Comcast IP”) is keenly aware of the sensitivity of national governments in connection with protecting country and territory identifiers in the domain name system (DNS). In preparation for answering this question, Comcast IP reviewed the following relevant background material regarding the protection of geographic names in the DNS:

- ICANN Board Resolution 01-92 regarding the methodology developed for the reservation and release of country names in the .INFO top-level domain, see http://www.icann.org/en/minutes/minutes-10sep01.htm;

- ICANN’s Proposed Action Plan on .INFO Country Names, see http://www.icann.org/en/meetings/montevideo/action-plan-country-names-09oct01.htm;

- Report of the Second WIPO Internet Domain Name Process: The Recognition of Rights and the Use of Names in the Internet Domain Name System, Section 6, Geographical Identifiers, see http://www.wipo.int/amc/en/processes/process2/report/html/report.html;

- ICANN’s Governmental Advisory Committee (GAC) Principles Regarding New gTLDs, see https://gacweb.icann.org/download/attachments/1540128/gTLD_principles_0.pdf?version=1&modificationDate=1312358178000; and

- ICANN’s Generic Names Supporting Organization Reserved Names Working Group – Final Report, see http://gnso.icann.org/issues/new-gtlds/final-report-rn-wg-23may07.htm.

22.2 Initial Reservation of Country and Territory Names

Comcast IP is committed to initially reserving the country and territory names contained in the internationally recognized lists described in Article 5 of Specification 5 attached to New gTLD Applicant Guidebook at the second level and at all other levels within the .XFINITY gTLD at which Comcast IP will provide registrations. Specifically, Comcast IP will reserve:

1. The short form (in English) of all country and territory names contained on the ISO 3166-1 list, as updated from time to time, including the European Union, which is exceptionally reserved on the ISO 3166-1 list, and its scope extended in August 1999 to any application needing to represent the name European Union, see http://www.iso.org/iso/support/country_codes/iso_3166_code_lists/iso-3166-1_decoding_table.htm#EU;

2. The United Nations Group of Experts on Geographical Names Technical Reference Manual for the Standardization of Geographical Names, Part III Names of Countries of the World; and

3. The list of United Nations member states in six official United Nations languages prepared by the Working Group on Country Names of the United Nations Conference on the Standardization of Geographical Names.

22.3 Fair & Non-Misleading Use of Geographical Identifiers

Comcast IP’s parent company, Comcast Corporation (“Comcast”), is a leading media, communications, and entertainment company serving approximately 22.8 million video customers, 17.0 million high-speed Internet customers, and 8.6 million phone customers in the United States. Comcast currently offers international programming to its video customers, including channels in the following languages/from the following regions:

Arabic
Chinese
Filipino
French
German
Greek
Israeli
Italian
Japanese
Korean
Polish
Portuguese
Russian
Vietnamese
South Asia

The above representative list of examples demonstrates the geographic nature of just one of Comcast’s service offerings. Given these services, Comcast believes that a .XFINITY gTLD can provide an online single source-identifying location for its current and future customers.

Comcast IP would like to provide a hierarchical and intuitive framework for the .XFINITY namespace by using geographical identifiers as second-level domain names. This use of geographical identifiers to the left of the gTLD and as part of the domain name itself is believed to have a direct and material impact on search engine algorithms and their corresponding query results. Comcast would like to see if this type of hierarchical and intuitive use of second-level domain names within a gTLD provides increased consumer functionality and innovation, as premised by ICANN.

22.4 The Legal Protection of Geographical Identifiers

One of the more authoritative resources on the current state of the law in connection with the protection of geographical identifiers was authored by the World Intellectual Property Organization (WIPO) in its 2001 “Report of the Second WIPO Internet Domain Name Process: The Recognition of Rights and the Use of Names in the Internet Domain Name System” publication. Section six of this report was devoted exclusively to the protection of geographical identifiers.

In analyzing the well-established framework against the misuse of geographical identifiers at the international, regional, and national levels, WIPO identified the following two elements for the protection of geographical identifiers: (i) a prohibition of false descriptions of the geographical source of goods; and (ii) a more extensive set of rules prohibiting the misuse of one class of geographical source indicators, known as geographical indications (see “Report of the Second WIPO Internet Domain Name Process,” Paragraphs 206 and 210). Neither false descriptions of the geographical source of goods, nor misuse of geographical indications, is present in Comcast’s current use, or Comcast IP’s proposed use, of geographical identifiers.

Notwithstanding WIPO's recommendation that the protection of geographical identifiers is "a difficult area on which views are not only divided, but also ardently held" (Paragraph 237), national governments within the ICANN Governmental Advisory Committee (GAC) and other international forums have continued to advocate for increased safeguards to protect against the misuse of geographical identifiers within the DNS.

Comcast IP's parent company, Comcast, as a responsible business, seeks to minimize any potential business practices that might mislead consumers. However, at the same time, it believes that it is important to be able to use geographical identifiers in a fair and non-misleading manner, if such use can benefit Internet users as proposed in Comcast IP's business model.

22.5 Samples of Fair & Non-Misleading Use of Geographical Identifiers

In undertaking thorough research of this subject matter prior to filing this application, Comcast IP's subject matter experts were able to uncover the following representative sampling of fair and non-misleading use of geographical identifiers in the existing gTLD domain name space:

Fair Use of National Geographical Identifiers

AUSTRALIA.COOP – Is operated by Co-operatives Australia, the national body for State Co-operative Federations, and provides a valuable resource about cooperatives within Australia.

UK.COOP – Is operated by Co-operatives UK, the national trade body that campaigns for cooperation, and works to promote, develop, and unite cooperative enterprises within the United Kingdom.

NZ.COOP – Is operated by the New Zealand Cooperatives Association, which brings together the country’s cooperative mutual business in a not-for-profit incorporated society.

USA.JOBS – Is operated by DirectEmployers Association ("DE"). While Employ Media, the Registry Operator of the .JOBS gTLD, is currently in a dispute with ICANN regarding the allocation of this and other domain names, DE has a series of partnerships and programs with the United States Department of Labor, the National Association of State Workforce Agencies, and Facebook to help unemployed workers find jobs.

MALDIVIAN.AERO – Is the dominant domestic air carrier in Maldives, and provides a range of commercial and leisure air transport services.

Fair Use of Regional/Local Geographical Identifiers

TEXAS.JOBS – Is operated by a joint effort between DE, the Texas Workforce Commission, and the National Labor Exchange to connect job seekers with approximately 96,000 job openings. An additional domain name operated by this joint effort was WORKINTEXAS-VETERANS.JOBS, a resource devoted to helping Texas veterans translate their military skills to jobs in the civil marketplace.

BROOKLYN.COOP – Is operated by Brooklyn Cooperative Federal Credit Union, which began as a modest storefront business in 2001, but is now New York City’s fastest growing credit union and a model for community development credit unions nationwide.

HYDERABAD.AERO – Is operated by the Hyderabad International Airport and provides a range of interactive services and information for both business and leisure travelers.

SACRAMENTO.AERO – Is a portal website operated by Sacramento County to provide links to each of the airports serving the Sacramento area: Sacramento International Airport (SMF), Mather Airport (MHR), Executive Airport (SAC), and Franklin Field (F72).

22.6 Protection of Regional and Local Geographic Names for Non-Misleading Use

Comcast IP has stated its intention to consider using non-reserved geographic identifiers as part of a hierarchical and intuitive framework in a fair and non-misleading manner to help consumers navigate the .XFINITY namespace. Comcast IP is committed to operating the .XFINITY namespace in a manner that minimizes potential consumer confusion, and will actively work with others in the ICANN community regarding any future policy development in this area.

22.7 Potential Future Release of Initially Reserved Names

Given that Comcast IP's parent company, Comcast, is a communications and media company currently offering content sourced internationally, Comcast IP looks forward to collaborating with other new gTLD Registry Operators (especially .BRANDs) in potentially working with ICANN's GAC to explore potential processes that could permit the release of initially reserved country names (including ISO 3166 two-character codes). Specifically, Comcast IP is interested in exploring other Registry Service Evaluation Processes (RSEP) that have been filed by existing gTLD Registry Operators in releasing previously reserved domain names.

22.8 Dispute Resolution

Comcast IP does not envision any potential disputes from governments or public authorities in connection with the registration and use of geographic names within the .XFINITY gTLD based upon its proposed use set forth in the response to Question 18 of this application.

However, Comcast IP is committed to working with any governments, public authorities, or IGOs that may have a concern regarding the registration of names with national or geographic significance at the second level within .XFINITY. Therefore, should there arise any potential disputes, Comcast IP will undertake an immediate policy development process as identified below.

22.9 Creation and Updating the Policies

If there should arise some future need for the creation or updating of the policies regarding this class of domain names, Comcast and Comcast IP will act in an open and transparent manner consistent with their prior practices to develop such a policy and/or recommendation.

Comcast IP is also committed to continually reviewing and updating these lists to prevent the misleading use of geographical identifiers. Consistent with this commitment, Comcast IP intends to remain an active participant in any ongoing ICANN policy discussion regarding the protection of geographic names within the DNS.


Registry Services


23. Provide name and full description of all the Registry Services to be provided.

Question 23 - Registry Services



Comcast Corporation plans to create and operate a new dot XFINITY Top Level Domain. This will be a standard but closed domain registry, with additions, changes and deletions being made solely by Comcast Corporation itself. The registry will operate initially through a single independent registrar who will interface with Nominet, the registry services provider, through its standard registry services outlined below.



Nominet, the registry services provider, will administer a comprehensive list of registry services all of which are developed, managed and maintained in house. The services Nominet will provide are:



- Operation of authoritative nameservers for dot XFINITY

- Dynamic updates to zone files

- Extensible Provisioning Protocol (EPP)

- Dissemination of zone files

- Whois service (port 43 and web based)

- Searchable Whois

- Domain Name System Security Extensions (DNSSEC)

- Billing

- Customer support

- Abuse prevention



All registry services will be supported and reachable over both Internet Protocol (IP) Version 4 (IPv4) and IP Version 6 (IPv6).



It should be noted that Internationalised Domain Names (IDNs) are not being implemented for dot XFINITY.





DNS operations



Nominet will operate authoritative nameservers for dot XFINITY. The DNS constellation consists of a 'hidden' master nameserver, DNSSEC signer, one primary Unicast DNS node, six slave Unicast DNS nodes and four primary Anycast nodes.





Dynamic updates to zone files



All changes to nameservers for domain names result in an update to the dot XFINITY zone file. All zone file changes are applied dynamically for the most rapid publishing to DNS. Propagation of updates through the nameserver network will be done using incremental zone transfer (IXFR).
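The dynamic update and IXFR propagation described here (and again under Interconnectivity in Question 24, where each nameserver change becomes a row in an update table) can be illustrated with a small zone change log. This is an added example, not Nominet's implementation: the zone origin, serials and records are constructed, and the history bound shows the case where a slave's serial is too old for an incremental transfer and a full transfer (AXFR) is required.

```python
from typing import Dict, List, Optional, Tuple

# A resource record as (owner, type, rdata); the values used here are constructed.
RR = Tuple[str, str, str]


class ZoneChangeLog:
    """Tracks a zone's SOA serial and the add/delete set behind each serial,
    so that a slave holding serial N can request only the changes after N
    (incremental zone transfer, RFC 1995)."""

    def __init__(self, origin: str, serial: int, history: int = 100):
        self.origin = origin
        self.serial = serial
        self.records: set = set()
        self.history = history
        # new serial -> (RRs deleted, RRs added) that produced that serial
        self.deltas: Dict[int, Tuple[List[RR], List[RR]]] = {}

    def apply(self, delete: List[RR], add: List[RR]) -> int:
        """Apply one change set (e.g. a nameserver update from the SRS),
        bump the serial and return the new serial."""
        for rr in delete:
            self.records.discard(rr)
        for rr in add:
            self.records.add(rr)
        self.serial += 1
        self.deltas[self.serial] = (list(delete), list(add))
        # Bound the retained history so the log cannot grow without limit.
        for old in sorted(self.deltas):
            if len(self.deltas) <= self.history:
                break
            del self.deltas[old]
        return self.serial

    def ixfr(self, client_serial: int) -> Optional[List[Tuple[int, List[RR], List[RR]]]]:
        """Ordered (new_serial, deleted, added) steps the client must apply;
        [] if it is already current; None if its serial is older than the
        retained history, in which case it must fall back to a full AXFR."""
        if client_serial == self.serial:
            return []
        if client_serial > self.serial or (client_serial + 1) not in self.deltas:
            return None
        return [(s, self.deltas[s][0], self.deltas[s][1])
                for s in range(client_serial + 1, self.serial + 1)]

    def axfr(self) -> List[RR]:
        """Full zone contents, as a slave would receive them from AXFR."""
        return sorted(self.records)
```

Because every delta is keyed by the serial it produced, a slave that reports its current serial receives exactly the changes it is missing, and a serial outside the retained window is answered with a full transfer rather than a guess.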





EPP



An EPP system, compliant with Request for Comments (RFC) 5730 will be provided for registrars to register and administer domain names, contacts and nameservers. The EPP server is provided over TCP and is compliant with RFC 5734. EPP connectivity is protected using the Secure Sockets Layer (SSL) protocol.



Registrars may register new domain names in dot XFINITY using the object definitions given in RFC 5731. Once a domain name is registered, the registrar of record will be able to update, renew, delete and query that domain name, using the respective operations as defined in RFC 5731. All registrars may issue domain check or domain transfer operations using the EPP system. If a domain transfer operation is requested, the correct authInfo value must be provided by the new registrar. The registrar of record is notified and has five days to prevent the transfer from occurring.



Registrars may also issue requests to create new contact and host objects, in compliance with RFC 5733 and 5732 respectively. Only the registrar of record may then issue requests to update, delete and query contact and host objects in line with those RFCs. A delete operation will only be successful if there are no domain names linked to the object. Host update operations will be successful only if all the domain names linked to the host are sponsored by that registrar.



All ICANN accredited registrars that have signed a dot XFINITY registrar agreement will be eligible to use the EPP system. The identity of registrars will be verified with SSL certificates - if a valid SSL certificate is not used, the server will close the connection and no operations will be possible.



Registrars may only transform or query domain names if they are the registrar of record. The exception is for transfer operations, which may be requested by all registrars if they have access to the authInfo field for the domain name. The registrar of record may prevent transfer operations from completing.



Nominet's EPP server is fully standards compliant and all operations described by RFC 5730, RFC 5731, RFC 5732 and RFC 5733 will be accepted by the server. All inputs to the server are checked for validity and action is taken if an input will adversely affect the service provision. All data fields are sanitised to prevent Structured Query Language (SQL) Injection attacks. Bind variables are always used for database query statements. If a connection is open but unused for more than a given time, it is closed. If a registrar opens more than a given number of connections then the oldest connection is closed.
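The three controls in this paragraph, input validation, bind variables and per-registrar connection limits, are shown below in an added example that is not Nominet's code. The registry table is a constructed in-memory SQLite table; the concatenated lookup is the defective form kept only to show why the bound form is required, and the connection policy applies the idle timeout and oldest-connection eviction rules as described, with the limits themselves assumed.

```python
import re
import sqlite3
from collections import deque
from typing import Deque, Dict, List

# Constructed sample rows; not registry data.
_SAMPLE_ROWS = [
    ("alpha.xfinity", "registrar-1"),
    ("beta.xfinity", "registrar-2"),
    ("gamma.xfinity", "registrar-1"),
]

# Letters, digits and hyphens only, label by label (LDH rule).
_HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def open_registry() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domain (name TEXT PRIMARY KEY, registrar TEXT NOT NULL)")
    conn.executemany("INSERT INTO domain VALUES (?, ?)", _SAMPLE_ROWS)
    return conn


def is_valid_name(name: str) -> bool:
    """Input validation step: reject anything that is not a hostname."""
    return bool(_HOSTNAME_RE.match(name))


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[str]:
    """Defective pattern: the input becomes part of the SQL text, so a quote
    in the input changes the statement instead of being treated as data."""
    sql = "SELECT name FROM domain WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, name: str) -> List[str]:
    """Hardened pattern: a bind variable. The value travels separately from the
    statement text, so it is compared as data and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM domain WHERE name = ?", (name,))]


class ConnectionPolicy:
    """A connection idle for longer than idle_timeout is closed; when a registrar
    exceeds max_per_registrar open connections, the oldest one is closed."""

    def __init__(self, max_per_registrar: int, idle_timeout: float):
        self.max_per_registrar = max_per_registrar
        self.idle_timeout = idle_timeout
        # registrar -> oldest-first deque of [connection id, last activity time]
        self._open: Dict[str, Deque[list]] = {}

    def open(self, registrar: str, conn_id: str, now: float) -> List[str]:
        """Admit a connection; return ids of connections closed to stay within the cap."""
        q = self._open.setdefault(registrar, deque())
        q.append([conn_id, now])
        closed = []
        while len(q) > self.max_per_registrar:
            closed.append(q.popleft()[0])
        return closed

    def activity(self, registrar: str, conn_id: str, now: float) -> None:
        """Record traffic on a connection so it is not treated as idle."""
        for entry in self._open.get(registrar, ()):
            if entry[0] == conn_id:
                entry[1] = now

    def reap_idle(self, now: float) -> List[str]:
        """Close every connection whose last activity is older than the timeout."""
        closed = []
        for registrar in list(self._open):
            keep: Deque[list] = deque()
            for conn_id, last in self._open[registrar]:
                if now - last > self.idle_timeout:
                    closed.append(conn_id)
                else:
                    keep.append([conn_id, last])
            self._open[registrar] = keep
        return closed
```

In practice the validation and the bind variable are used together: validation rejects malformed input early and gives a clean error, while the bind variable guarantees that even input which passes validation can never alter the statement.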



Nominet's EPP service is hosted at a primary data centre and fully replicated at a secondary data centre to ensure stability. Failover procedures are well practiced and comply with BS 25999.



The dot UK service Nominet currently provides accepts RFC compliant commands and meets all of the SLAs within Specification 10 comfortably. In December 2011 Nominet handled an average daily load of more than 1.3 million EPP operations with a read-write ratio of 12 to 1. EPP availability has averaged at 99.9% over the 12 months to December 2011.





Dissemination of zone file data



Nominet will provide daily zone files to ICANN's Zone File Dissemination Partner using the format specified in RFC 1034 section 3.6.1 and RFC 1035 section 5. Transportation will be via a method agreed with them.





Zone server status updates



Nominet will update registrars on changes to zone server status using a variety of methods including:



- email updates

- zone server status web page

- RSS feeds

- Twitter updates





Whois Services



Nominet will provide a real time Whois service for domain names, nameserver data and for registrar data. The Whois may be accessed by any internet user either through a web-based portal or via the Port 43 service.



The Whois Service will accept Transmission Control Protocol (TCP) connections on port 43 at whois.nic.xfinity. Queries, terminated as specified in RFC 3912 by a carriage return and line feed, will be accepted. If the domain name is registered in dot XFINITY then Whois information will be returned to the client. If it is not then an appropriate error message is returned.



The web-based Whois will be available at whois.nic.xfinity. The user may enter the domain name, nameserver or registrar into a web form and will receive a response.



For both interfaces, if the request cannot be parsed as a domain name, nameserver or registrar then an appropriate error message will be returned.



The Whois service that Nominet currently provides for dot UK handles an average of between 800,000 and 1,000,000 lookups per day. Over the year to December 2011, the average monthly availability for this service was 99.99%. The server is designed to allow the limiting of requests from a single IP address to prevent denial of service. Nominet also monitors usage and performs statistical analysis to detect distributed abuse of the Whois.
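The port 43 behaviour described in this section (CRLF-terminated queries per RFC 3912, a record for registered names, an error for unregistered or unparseable input, and per-IP request limiting) is shown in the following added example. It is not Nominet's Whois code: the domain, nameserver and registrar records are constructed, and the leading "domain", "nameserver" or "registrar" keyword that selects the object type is an assumed convention standing in for the separate fields of the web form.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Constructed sample registry data; not real records.
DOMAINS = {"alpha.xfinity": {"registrar": "Example Registrar Ltd", "status": "ok"}}
NAMESERVERS = {"ns1.alpha.xfinity": {"ipv4": "192.0.2.53", "ipv6": "2001:db8::53"}}
REGISTRARS = {"example registrar ltd": {"url": "https://registrar.example"}}

_NAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+xfinity$")
_KINDS = ("domain", "nameserver", "registrar")


def parse_query(raw: bytes) -> Tuple[str, str]:
    """RFC 3912: the query is one line terminated by CRLF. An optional leading
    keyword selects the object type (assumed convention); default is domain."""
    if not raw.endswith(b"\r\n") or b"\r" in raw[:-2] or b"\n" in raw[:-2]:
        raise ValueError("query must be a single CRLF-terminated line")
    text = raw[:-2].decode("ascii").strip().lower()
    parts = text.split(None, 1)
    if len(parts) == 2 and parts[0] in _KINDS:
        return parts[0], parts[1].strip()
    return "domain", text


def handle_query(raw: bytes) -> bytes:
    """Answer one Whois request; every outcome is a CRLF-terminated response."""
    try:
        kind, key = parse_query(raw)
    except (ValueError, UnicodeDecodeError):
        return b"Error: malformed query\r\n"
    if kind in ("domain", "nameserver"):
        if not _NAME_RE.match(key):
            return b"Error: not a valid name in .xfinity\r\n"
        table = DOMAINS if kind == "domain" else NAMESERVERS
    else:
        table = REGISTRARS
    record = table.get(key)
    if record is None:
        return f"Error: no {kind} found for {key}\r\n".encode("ascii")
    lines = [f"{kind.capitalize()}: {key}"] + [f"{k}: {v}" for k, v in record.items()]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


class RequestLimiter:
    """Sliding-window cap on requests per source IP, the per-address limit the
    text describes as a denial-of-service control."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._seen[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def serve(raw: bytes, client_ip: str, now: float, limiter: RequestLimiter) -> bytes:
    """Apply the limiter before doing any lookup work."""
    if not limiter.allow(client_ip, now):
        return b"Error: query rate limit exceeded, try again later\r\n"
    return handle_query(raw)
```

The limiter runs before parsing so that a flood of malformed queries costs the server nothing beyond the timestamp check; the same per-IP counters are also the natural input for the statistical analysis of distributed abuse mentioned above.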





Searchable Whois



Nominet will provide a searchable Whois service. This will be available on subscription to internet users. Nominet has provided this service for the dot UK domain name registry since 2006.



Nominet's searchable Whois allows for wildcard searches to be made on the domain name and registrant name. Results can then be exported as a comma separated values (CSV) file. Nominet will also offer the facility to allow users to set up to 20 search terms to be monitored automatically. Notifications will be sent by daily email if domain names are registered matching these search terms.





DNSSEC



The dot XFINITY zones will be signed using DNSSEC. Nominet's EPP server will support the DNSSEC extensions defined in RFC 5910 to allow DS records to be set in the zone.





Customer services



Nominet has a large customer support department from which it will provide support to Comcast, its chosen registrar(s), registrants and other stakeholders. Nominet has a team of 24 support advisors that manage both first and second-line support activities. This team is backed up by a third-line IT support team consisting of an additional 30+ staff. Support is provided by telephone, email, RSS feeds and social media, with first and second line support available Monday to Friday (8am to 6pm) and additional emergency support available 24x7x365.





Billing system



Nominet has developed a customised billing system for domain names. Whenever a chargeable event, such as a registration or renewal, occurs in the registry, a record is made in the billing system. This feeds through to the monthly invoicing runs.



The billing system has an automated and fully configurable credit management system. The available credit or funds are audited for all registrars with warnings sent using email if they run low. The system may be configured to set any credit limit for a registrar, including a zero limit to allow no credit.



Nominet also provides an online service for registrars to pay invoices and to put money on account.





Abuse prevention



Nominet has extensive abuse prevention policies and measures which include the following:

- Technical solutions to enforce usage policies

- Sharing information with registrars about notifications from anti-phishing companies such as Netcraft

- Registry/registrar agreement policies to enforce good practice

- Checking the quality of Whois data





Risk and business continuity planning



A comprehensive Risk Register, aligned to BS31100, is maintained by Nominet, the RSP, which anticipates and identifies the events which may produce uncertainty or negatively impact its operations and the achievement of its objectives. Risks are prioritised based on impact and likelihood, mitigating factors identified and remediation activities carried out. Risk owners and risk response owners are responsible for actively managing identified risks. The register is reviewed monthly by the Senior Management Team and bi-annually by the RSP's Audit Committee.



The RSP has achieved BS25999 Business Continuity certification recognising its best practice approach to business continuity. It operates a full business continuity management system including a routine rehearsals schedule to ensure it can continue to operate in the most challenging situations, safeguarding the registry and those that rely on it.





Stability



A registry service has an adverse effect on internet stability if it is not compliant with relevant authoritative standards or adversely affects the throughput, response time, consistency or coherence of responses to servers or end systems which are themselves operating in accordance with relevant authoritative standards.



Nominet's registry services will be fully stable as:

- They will fully comply with all RFCs listed in Specification 6 to the Registry Agreement

- All responses given will be consistent and coherent.

- Nominet's registry systems will be responsive, comfortably meeting all SLAs given in Specification 10 to the Registry Agreement.





Security



To prevent the unauthorised disclosure or access to information or to registry systems architecture and to prevent the unauthorised disclosure, alteration, insertion or destruction of registry data, Nominet secures its registry systems in a number of ways including, but not restricted to:



- Securing of networks using SSL

- Access to different network segments (both internally and externally) is controlled through firewalls and VPNs

- VPN access uses two factor authentication.

- Role-based access control for users, granting the lowest level of access required to perform their functions

- Permanently manned reception and CCTV

- Geographically diverse datacentres

- Two factor authentication for physical entry to datacentres - one of which must be biometric

- Regular penetration testing by an independent organisation

- Regular vulnerability scanning by an independent organisation





Availability and continuity



All components making up Nominet's dot XFINITY Registry Services will be provided on duplicated load balanced servers. A minimum of two virtualised servers will be provisioned on separate server racks and configured to each handle half of the traffic. In the event of a problem with one server, the load balancers will automatically direct traffic to the other server. The servers will be set up so that in the event of the loss of one server, the remaining servers will have enough capacity to handle the traffic.



The architecture making up the dot XFINITY Registry Services will be fully provisioned on Nominet's primary datacentre and replicated in full on the secondary datacentre. The database on the secondary datacentre will be replicated to within a few seconds of the primary.



This architecture allows Nominet to have standard operating procedures to enable transition within minutes if necessary and this procedure will be practiced on a monthly basis with the secondary datacentre becoming the primary and vice versa.






Demonstration of Technical & Operational Capability


24. Shared Registration System (SRS) Performance

Question 24 - SRS Performance



SRS overview



Nominet, the registry service provider, will administer a Shared Registry System (SRS) consisting of an Extensible Provisioning Protocol (EPP) interface to the registry. The interface is compliant with Specification 6 (section 1.2), complying with Request for Comments (RFCs) 5910, 5730, 5731, 5732, 5733 and 5734.



The implementation of EPP for dot XFINITY is based upon Nominet's current EPP service for dot UK and will be deployed on the same architecture as the dot UK domain.



Nominet has run the dot UK EPP for the last 8 years and the service is used by 900 registrars, representing over 6 million domains out of the total of 10 million on the register. The dot UK EPP service easily handles over 2 million transactions per day with an average availability for 2011 of 99.90%.





High Level SRS system description



The network infrastructure for Nominet's SRS consists of two firewalls, two EPP application servers, and two middleware servers. All are load balanced. This is shown in figure 24.1 of the attachment Q24_SRS_Figures.pdf. The server specifications are shown in table 24.1 of the attachment Q24_SRS_Tables.pdf.



Nominet's EPP architecture for dot XFINITY has been designed using a three-tier architecture. The two EPP application servers handle connection management and authentication along with confirming that requests are well-formed. The two middleware servers handle all business logic and manipulation of domain names and their associated objects. Finally, the registry data is stored in an Oracle database.



All EPP application and middleware servers are load balanced using a pair of F5 Networks BIG-IP load balancers.



Like Nominet's dot UK implementation, the EPP network for dot XFINITY will be fully reachable over Internet Protocol Version 6 (IPv6).





Interconnectivity with other registry systems



All registry systems connect to one clustered Oracle database, which provides a single point of truth and prevents the occurrence of conflicting registration data updates. The synchronisation scheme for the database is asynchronous replication using Oracle Data Guard.



When a domain is registered by a registrar using EPP, an entry is made in the database representing that domain name. Because the Whois reads directly from this database, the domain immediately becomes visible in the Whois with no delay.



Whenever changes are made to nameservers - when domains are registered or deleted or the nameservers are modified - a row is inserted into a database table that represents a list of updates to be made to the zone file. These updates are then pushed into the DNS using the IXFR protocol.



If a domain name is registered or renewed, then the SRS service programmatically triggers an update to the billing system. A chargeable event representing the registration or renewal is generated which feeds into the monthly invoicing system.





Availability and continuity



All components making up Nominet's Registry Services, including the EPP service, are provided on duplicated load balanced servers. A minimum of two virtualised servers will be provisioned on separate server racks and configured to each handle half of the traffic. In the event of a problem with one server, the load balancers will automatically direct traffic to the other server. The servers will be set up so that in the event of the loss of one server, the remaining servers will have enough capacity to handle the traffic.



The EPP architecture is shown in Figure 24.1 of the attachment Q24_SRS_Figures.pdf. Nominet will provision the network in full on both their primary and secondary datacentres. In particular, the database will be replicated in both datacentres. Nominet's two datacentres will be connected by two 10GB dual path and geographically diverse links. Each link will have a latency of less than one millisecond. Replication between the two datacentres will be asynchronous but the replicated data will only be a few milliseconds behind that of the live data. Should connectivity to one datacentre fail, the other will automatically assume the role of being the primary datacentre. The two datacentres will be connected to Nominet's main office by 1GB links. This allows mechanisms to be put in place to avoid possible "split brain" scenarios where connectivity between the datacentres is lost but both believe the other is lost and assume the primary datacentre role. Each datacentre will have a multi-homed 100MB transit link to the outside world. This connectivity will be handled by six Tier-1 providers in order to ensure availability and redundancy. Nominet will also maintain 100MB links to peering points with Internet Exchanges such as the London Internet Exchange (LINX https://www.linx.net/) and the London Access Point (LoNAP http://www.lonap.net/) from each datacentre.
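The paragraph above says the office links make split-brain avoidance possible without saying how. One common mechanism is to treat a third site as a witness and let a datacentre change role only when the witness agrees about the peer's state. The following is an added example of that rule, not Nominet's design; using the main office as the witness and the three roles "primary", "secondary" and "fenced" (stop serving writes until an operator intervenes) are assumptions.

```python
from typing import Optional, Tuple


def decide_role(current_role: str, peer_reachable: bool, witness_reachable: bool,
                witness_sees_peer: Optional[bool]) -> str:
    """Role this datacentre should hold given its own view of the peer and the
    witness's view of the peer (None when the witness itself is unreachable)."""
    if peer_reachable:
        return current_role                 # normal operation, keep the role
    if not witness_reachable:
        # Cut off from both peer and witness: we cannot distinguish a dead
        # peer from a broken link on our side, so never promote; a primary in
        # this state must fence itself rather than risk two primaries.
        return "fenced"
    if witness_sees_peer:
        # The peer is alive (the witness can see it); only the direct link has
        # failed, so neither side changes role and the primary keeps serving.
        return current_role
    # The witness agrees the peer is gone: the survivor takes primary.
    return "primary"


def assign_roles(link_a_b: bool, link_a_w: bool, link_b_w: bool) -> Tuple[str, str]:
    """Evaluate both sites for one link-state scenario. A is the current
    primary, B the current secondary, W the witness. Each site can only use
    the witness's view of the other site if it can reach the witness itself."""
    role_a = decide_role("primary", link_a_b, link_a_w, link_b_w if link_a_w else None)
    role_b = decide_role("secondary", link_a_b, link_b_w, link_a_w if link_b_w else None)
    return role_a, role_b


def never_split_brain(link_a_b: bool, link_a_w: bool, link_b_w: bool) -> bool:
    """Safety property: at most one site is primary in the given scenario."""
    roles = assign_roles(link_a_b, link_a_w, link_b_w)
    return roles.count("primary") <= 1
```

The interesting case is the one the text names: the inter-datacentre link fails while both sites still reach the office. Without the witness each site would see the other as lost and both would claim primary; with it, the primary keeps serving and the secondary stays put. When a whole site is isolated, it fences itself and the other site is promoted, so the service moves rather than splits.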



This architecture will allow Nominet to have standard operating procedures to enable transition within minutes if necessary and this procedure will be practiced on a monthly basis, with the secondary data centre becoming the primary and vice versa. The relational database in the secondary datacentre will be asynchronously updated from the primary using Oracle's Data Guard Maximum Performance architecture.



In the very unlikely scenario that connectivity were lost to both datacentres (such that none of the six Tier-1 providers could connect to either datacentre), Nominet will maintain a third datacentre in Geneva, Switzerland that will be able to provide essential registry services in such a catastrophe.



Nominet already has a comprehensive business continuity management system with a full set of business continuity plans in place and is certified to the British Standard for business continuity, BS25999-2:2007.





Scalability



Provisioning applications on load balanced virtual machines means that Nominet can easily provision further servers should the load increase. However, Nominet's experience with operating the dot UK top level domain with its 10 million domain names indicates that two application servers will easily meet the performance requirements in Specification 10 to the Registry Agreement.



The EPP service for dot XFINITY will be deployed on dedicated virtual servers in Nominet's datacentre. The servers making up the dot XFINITY EPP service will have their own dedicated resources as shown in Figure 24.1 of the attachment Q24_SRS_Figures.pdf.



Connectivity is shared with the other registry systems deployed at the datacentre for dot XFINITY, dot UK and up to ten other gTLDs. The total available bandwidth is 10 gigabits per second and the available connectivity for each service will be throttled to an appropriate level to both provide sufficient connectivity for the EPP traffic levels and to mitigate the impact of any traffic surges.





Performance



Nominet measures the internal processing time of all commands submitted to the EPP server to ensure that the SLAs given in Specification 10 of the Registry Agreement are met. Recent performance and availability figures for this are given in table 24.2 of the attachment Q24_SRS_Tables.pdf.



Based on all projections Nominet is more than confident that the capacity and redundancy of the SRS system for the dot XFINITY domain, with an expected maximum of 1000 domain names after 2 years, will result in equal performance figures to the dot UK domain.





Resource plan



Nominet has fully developed its SRS systems with pre-launch testing to be done in 2012. Nominet has large development, infrastructure and customer support teams experienced in running all its dot UK services. Nominet will dedicate the following resources and time from these existing teams, as well as additional resources where appropriate, to the pre-launch and post launch maintenance tasks:



Pre-launch



- Testbed deployment: 5 days by a system administrator

- Testing: 5 days by a developer

- Packaging: 2 days by a developer

- Production deployment: 5 days by a system administrator



Total pre-launch resource time: 17 days.

Post launch



- Customer support: 1 hour per week

- Technical support: 1 hour per week



Total post launch resource: 2 hours per week.


25. Extensible Provisioning Protocol (EPP)

Question 25 - EPP



Introduction



Registrars will use Extensible Provisioning Protocol (EPP) to register and administer domain names, nameservers and contact objects for dot XFINITY. Nominet, the registry service provider, will administer an EPP server which is fully compliant with Request for Comments (RFCs) 5730 to 5734. DNSSEC extensions compliant with RFC 5910 will be implemented.



Grace periods as defined in RFC 3915 will not be implemented for dot XFINITY. However, they have been included in the underlying architecture and can be added at any point.



Nominet will modify the EPP server as necessary to support and comply with any EPP extensions which may emerge from ICANN's policy making process.



The EPP interface fully supports the registration lifecycle given in the answer to question 27.





Technical Plan



Nominet is experienced in running a highly available EPP service and has provided such a service to dot UK registrars since February 2008. It is used by 900 registrars, representing over 6 million domain names out of the total of 10 million on the register. The EPP server is provided over TCP and is compliant with RFC 5734. EPP connectivity is protected using SSL. The dot UK EPP service easily handles over 2 million queries per day and the monthly percentage availability figures for the 12 months to December 2011 are shown in table 25.1 of attachment Q25_EPP_Tables.pdf.



The EPP implementation for dot XFINITY has been designed and will be built to match the scope and size of the dot UK registry implementation outlined above.



The EPP system has been designed using a three-tier interface-middleware-database architecture. The backend registry database will be Oracle 11g R2 Enterprise Edition based. Duplicate nodes will be used to ensure stability. The middleware will handle all business logic and will be implemented using Java and the Spring Framework (www.springsource.org). The interface module will handle connectivity and authentication of commands, and will be implemented using Java and Netty (http://www.jboss.org/netty).





Domain Name Mapping (RFC 5731)



The EPP server for dot XFINITY will implement the domain object mapping defined in RFC 5731 and the following commands for domain objects will be available to registrars, as specified in that RFC:



- Info command to query the attributes of a domain name, including its nameservers, contacts and status values.

- Check command to check if a domain name is registered and the likely success of a subsequent Create command.

- Transfer query to query the status of a previous transfer request.

- Create command to register a domain name.

- Delete command to cancel or "unregister" a domain name.

- Renew command to renew a domain name and extend its expiry date.

- Transfer command to move a domain name to a new registrar. This command may also be used to accept or reject transfer requests made on domain names by other registrars.

- Update command to modify the attributes of a domain name.



Registrars can use the EPP update command to set status values on domain names to prevent operations as specified in RFC 5731:

- clientDeleteProhibited. If this is set, requests to delete the domain are rejected.

- clientRenewProhibited. If this is set, requests to renew the domain are rejected. Automatic renewal on expiry still occurs.

- clientTransferProhibited. If this is set, requests to transfer the domain are rejected.

- clientUpdateProhibited. If this is set, requests to update the attributes of the domain are prohibited.

- clientHold. If this is set, the domain name is not published in the zone file.
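The rules that govern who may run which domain command, set out under EPP in Question 23 (registrar of record only, transfer by any registrar holding the authInfo, five days for the registrar of record to prevent a transfer) and in the status list above, can be expressed as one authorisation function. The code below is an added example and not Nominet's implementation; the registrar identifiers, the authInfo value and the dates are constructed, and dates are passed as ISO strings for simplicity.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set, Tuple

TRANSFER_WINDOW = timedelta(days=5)   # from the text: five days to prevent a transfer

# Which client status blocks which transform command (RFC 5731 status values).
BLOCKED_BY = {
    "delete": "clientDeleteProhibited",
    "renew": "clientRenewProhibited",
    "update": "clientUpdateProhibited",
}


@dataclass
class Domain:
    name: str
    registrar: str                        # registrar of record (sponsoring client)
    auth_info: str
    expiry: str                           # ISO date
    statuses: Set[str] = field(default_factory=set)
    pending_transfer_to: Optional[str] = None
    transfer_requested: Optional[str] = None


def authorize(domain: Domain, registrar: str, command: str,
              auth_info: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether `registrar` may run `command` against `domain`."""
    if command == "check":
        return True, "ok"                          # check is open to all registrars
    if command == "transfer":
        if registrar == domain.registrar:
            return False, "already registrar of record"
        if "clientTransferProhibited" in domain.statuses:
            return False, "blocked by clientTransferProhibited"
        if auth_info != domain.auth_info:
            return False, "authInfo mismatch"
        return True, "ok"
    if registrar != domain.registrar:                 # info, update, renew, delete
        return False, "not registrar of record"
    blocker = BLOCKED_BY.get(command)
    if blocker in domain.statuses:
        return False, f"blocked by {blocker}"
    return True, "ok"


def request_transfer(domain: Domain, new_registrar: str, auth_info: str,
                     today: str) -> Tuple[bool, str]:
    """A gaining registrar asks for the domain; succeeds only with the authInfo."""
    ok, reason = authorize(domain, new_registrar, "transfer", auth_info)
    if ok:
        domain.pending_transfer_to = new_registrar
        domain.transfer_requested = today
        domain.statuses.add("pendingTransfer")
    return ok, reason


def settle_transfer(domain: Domain, today: str, rejected_by_record: bool = False) -> str:
    """Run daily and on a reject from the registrar of record: a reject within
    five days cancels the transfer; once the window has passed it completes."""
    if domain.pending_transfer_to is None:
        return "none"
    elapsed = date.fromisoformat(today) - date.fromisoformat(domain.transfer_requested)
    if rejected_by_record and elapsed <= TRANSFER_WINDOW:
        outcome = "rejected"
    elif elapsed > TRANSFER_WINDOW:
        domain.registrar = domain.pending_transfer_to
        outcome = "approved"
    else:
        return "pending"
    domain.pending_transfer_to = domain.transfer_requested = None
    domain.statuses.discard("pendingTransfer")
    return outcome


def published_in_zone(domain: Domain) -> bool:
    """clientHold keeps the name registered but out of the zone file."""
    return "clientHold" not in domain.statuses


def auto_renew(domain: Domain, today: str, years: int = 1) -> bool:
    """Registry auto-renewal at expiry is not a registrar renew request, so
    clientRenewProhibited does not stop it; returns True if a renewal occurred."""
    expiry = date.fromisoformat(domain.expiry)
    if date.fromisoformat(today) < expiry:
        return False
    try:
        expiry = expiry.replace(year=expiry.year + years)
    except ValueError:                    # 29 February in a non-leap target year
        expiry = expiry.replace(year=expiry.year + years, day=28)
    domain.expiry = expiry.isoformat()
    return True
```

The function deliberately checks the transfer prohibition before comparing the authInfo, so a registrar that has obtained the secret still cannot move a locked name; the split between `authorize` (registrar-requested renew) and `auto_renew` (registry action) is what makes "automatic renewal on expiry still occurs" hold for clientRenewProhibited.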





Domain Name System Security Extensions (DNSSEC) Mapping (RFC 5910)



DS records may be added to domain names in dot XFINITY using the EPP extensions defined in RFC 5910.
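What a registrar actually sends under RFC 5910, here and in the DNSSEC paragraph of Question 23, is the DS data for the child zone's key. The following added example, not Nominet's or Comcast's code, derives a DS record from a DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) and wraps it in the secDNS extension element. The owner name and the key bytes are constructed and are not real key material.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict

SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"   # namespace defined by RFC 5910
ET.register_namespace("secDNS", SECDNS_NS)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest(owner name wire form || DNSKEY RDATA).
    Digest type 1 is SHA-1, type 2 is SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              public_key: bytes, digest_type: int = 2) -> Dict[str, object]:
    """The four fields the registrar must supply in secDNS:dsData."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {"keyTag": key_tag(rdata), "alg": algorithm,
            "digestType": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def secdns_create_xml(ds: Dict[str, object]) -> str:
    """The <secDNS:create> element carrying one dsData, as placed inside the
    <extension> element of an EPP domain <create> command under RFC 5910."""
    create = ET.Element(f"{{{SECDNS_NS}}}create")
    ds_el = ET.SubElement(create, f"{{{SECDNS_NS}}}dsData")
    for tag in ("keyTag", "alg", "digestType", "digest"):
        ET.SubElement(ds_el, f"{{{SECDNS_NS}}}{tag}").text = str(ds[tag])
    return ET.tostring(create, encoding="unicode")
```

A registry that accepts DS data this way never sees the child's private key; it publishes only the digest, and the registrar is responsible for supplying a digest that matches the DNSKEY actually served by the child zone, which is the check an operator should make before submitting the command.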





Host Mapping (RFC 5732)



The EPP server will implement the host object mapping defined in RFC 5732 and the following commands for host objects will be available to registrars as specified in that RFC:



- Info command to query the attributes of the host object.

- Check command to find if a host object exists in the registry and the anticipated success of a subsequent create command.

- Create command to add a host object to the registry.

- Delete command to remove a host object from the registry, provided there are no domain names linked to it.

- Update command to modify the IP addresses or status values for the host object. IP addresses are only set if the superordinate domain name for the host is in the dot XFINITY registry.



Registrars will be able to use the EPP update command to set status values on host objects to prevent operations as specified in RFC 5732:



- clientDeleteProhibited. If this is set, requests to delete the host object will be rejected.

- clientUpdateProhibited. If this is set, requests to update the attributes of the host object - to add or remove IP addresses or status values - will be rejected.





Contact Mapping (RFC 5733)



The EPP server for dot XFINITY will implement the contact object mapping defined in RFC 5733 and the following commands for contact objects will be available as specified in that RFC:



- Info command to query the attributes of a contact object

- Check command to determine if a client identifier has been provisioned in the registry and the anticipated success of a subsequent create command.

- Transfer query command to query the status of a previously requested transfer operation.

- Create command to add a new contact object to the registry.

- Delete command to remove a contact object from the registry, provided no domain names are linked to it.

- Transfer command to move the object to a new registrar.

- Update command to modify the attributes of a contact object.



Registrars will be able to use the EPP update command to set status values on contact objects to prevent operations as specified in RFC 5733:



- clientTransferProhibited. If this status is set then requests to transfer the contact will be rejected.

- clientDeleteProhibited. If this status is set then requests to delete the contact will be rejected.

- clientUpdateProhibited. If this status is set then requests to update the contact's attributes will be rejected.





Resource Plan



The EPP server for dot XFINITY has been implemented, with pre-production load testing and customisation to be completed in 2012. Nominet has large development, infrastructure and customer support teams experienced in running all its dot UK services. Nominet will dedicate the following resources and time from these existing teams, as well as additional resources where appropriate, to the post-launch maintenance tasks:



- Monitoring and involvement in EPP standards development: 1 hour per week by a research team member and development team member.



Resources for technical and customer support of EPP have been included in the answer to question 24 and are not duplicated here.

26. Whois

Question 26 - Whois



High-level System Description



Nominet, the registry service provider, will provide a real-time Whois for domain name, nameserver and registrar data. Any Internet user may access it through a web-based portal or the port 43 service. A searchable Whois will also be provided.



The Whois services interface with the rest of the registry via a shared database. This ensures that data is correct and up-to-date, and a correct response can be generated at the instant that a query is received. The searchable Whois maintains its own cache for efficiency, which is refreshed hourly, directly from the shared registry database.



The services are implemented in a virtualised architecture (see Q32) and share a common infrastructure.





Standards compliance



The dot XFINITY Whois service will be compliant with Specification 4 of the Registry Agreement and will be available at whois.nic.xfinity. The Whois services (port 43 and web-based) respond as described in Specification 4; an outline is given under "Data objects" below.



The web-based Whois will also be available at whois.nic.xfinity as required by Specification 4. The user may enter a domain name, nameserver or registrar into a web form and will receive a response. If the request cannot be parsed as any of these three categories then an appropriate error message will be returned.



The Whois service will be compliant with Request for Comments (RFC) 3912. As specified by the RFC, the Whois service will listen on Transmission Control Protocol (TCP) port 43 for requests from clients. If a valid request, terminated as specified in RFC 3912 by an ASCII carriage return and line feed, is received then a response will be returned.



Performance and availability of the Whois service exceed the requirements given in Specification 10 of the registry agreement.





Data objects



The Whois services (port 43 and searchable) respond as described in Specification 4 of the Registry Agreement; an outline for this is presented in the paragraphs below.



Data objects: Domain names



If a request for a valid and registered dot XFINITY domain name is received by either Whois interface then a response will be returned displaying information about that domain name in the key-value pair format described in Specification 4 of the Registry Agreement. The following information will be returned:



- Domain Name

- Whois server

- Dates - creation, last update, expiry

- Registrar details

- Any status values

- All contact details - Registrant, admin, tech and billing

- Nameserver information including Domain Name System Security Extensions (DNSSEC) status information.

- Time of last update of Whois database, which is the time at which the lookup was made.



If a valid request is received and parsed as a domain name, but the domain name is either not registered or out-of-registry then an appropriate error message will be returned.



Data objects: Hosts



If a request for a nameserver held within the registry is received then a response will be returned displaying information about that nameserver. Nameserver information will be displayed in the key value pair format described in Specification 4 of the Registry Agreement. The following information will be returned:



- Nameserver name

- Internet Protocol (IP) addresses, both Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6)

- Registrar information

- Time of update of the Whois database, which is the time at which the lookup was made.



If a request is parsed as a nameserver but is not in the registry then an appropriate error message will be returned.



Data objects: Registrars



If a request for a dot XFINITY registrar is received then a response will be returned displaying information about that registrar in the key-value pair format described in Specification 4 of the Registry Agreement. The following information will be returned:



- Name

- Address

- Contact name, phone numbers, fax numbers and email addresses.

- Website information



If a valid registrar Whois request is received and the requested registrar is not in the registry then an appropriate error message will be returned.



Bulk access



Nominet will provide ICANN with bulk access to Whois data as described in specification 4 of the Registry Agreement:



- Nominet will provide a weekly data file, using the Data Escrow format described in Specification 2, containing the thin Whois data described in Specification 4. The file will be made available to ICANN for download by SFTP. Other download methods will be provided to ICANN if requested in the future.



- In the case of registrar failure or another event that prompts the transfer of a registrar's domain names to another registrar, Nominet will provide ICANN with up-to-date data for the domain names affected. Nominet will provide the data to ICANN in the Data Escrow format described in Specification 2 within two business days. The file will be made available for download by SFTP or by any other method agreed with ICANN.





Data Protection



Nominet will ensure that data supplied by registrants is protected in accordance with all applicable laws (specifically the UK Data Protection Act 1998 and the European Union (EU) Data Protection Directive which informed it), including through an appropriately designed Whois implementation.



It should be noted that EU data protection laws place significant restrictions on the circumstances under which personal data can be distributed to the public. The Information Commissioner's Office (the UK data protection authority to which the registry would be subject) has indicated to Nominet that the indiscriminate publishing of the personal data of individual registrants via the Whois would not be compatible with EU data protection laws. They regard an opt-out model of the kind used by dot UK and dot TEL to be the best compromise between ensuring the integrity of the Whois and protecting the data protection rights of individuals.





It is not intended to allow third parties to register domain names in dot XFINITY as it is a closed registry and so there is no risk of publishing personal data.





Abuse



Potential forms of abuse to a Whois service include:



- Harvesting data - querying all domain names to provide a catalogue of contact details.

- Denial of service - making many connections to the Whois server, or flooding connections with data.

- Structured Query Language (SQL) injection - crafting queries to the service in an attempt to read or modify the underlying database.



The Whois server has a number of measures built into it to prevent such abuse:



- If a client's request is not terminated within a reasonable number of characters then the connection with the client is closed automatically.

- Whois lookups are checked and sanitised to prevent SQL injection attacks.

- Bind variables are always used in all our database queries to prevent SQL injection attacks.

- The Whois server is implemented in a way that allows a limit to be placed on lookups from any single location.



Statistical analysis on lookups to detect distributed abuse is also performed.
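An added example (not Nominet's Whois implementation) that puts the measures above into code: a request reader that closes the connection if no CRLF arrives within a fixed number of bytes, a per-source sliding-window limit, and a lookup that passes the query only as a bound SQL parameter, so an injection attempt such as example.xfinity' OR '1'='1 is searched for as a literal name and returns no match. The byte cap, the per-minute limit, the "nameserver" query prefix and the registry records in the in-memory SQLite database are all constructed for the example; registrar lookups are omitted for brevity.

```python
import io
import sqlite3
import time
from collections import defaultdict, deque

MAX_REQUEST_BYTES = 128   # assumed cap: no CRLF within this many bytes -> close
QUERIES_PER_MINUTE = 30   # assumed per-source limit


def read_request(stream, max_len=MAX_REQUEST_BYTES):
    """Read one RFC 3912 request (text terminated by CRLF) from a byte stream.

    Returns the query string, or None when the client sent no terminator
    within max_len bytes, in which case the caller closes the connection.
    """
    buf = bytearray()
    while len(buf) < max_len:
        byte = stream.read(1)
        if not byte:
            return None
        buf += byte
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2]).decode("ascii", errors="replace")
    return None


class SourceLimiter:
    """Sliding-window request counter keyed by source address."""

    def __init__(self, limit=QUERIES_PER_MINUTE, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, source, now=None):
        now = time.monotonic() if now is None else now
        recent = self.hits[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def open_registry():
    """Constructed sample records standing in for the shared registry database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain(name TEXT PRIMARY KEY, registrar TEXT, "
               "status TEXT, expiry TEXT)")
    db.execute("CREATE TABLE host(name TEXT PRIMARY KEY, ip TEXT, registrar TEXT)")
    db.execute("INSERT INTO domain VALUES (?, ?, ?, ?)",
               ("example.xfinity", "Example Registrar", "clientTransferProhibited",
                "2014-01-01T00:00:00Z"))
    db.execute("INSERT INTO host VALUES (?, ?, ?)",
               ("ns1.example.xfinity", "192.0.2.1", "Example Registrar"))
    return db


def lookup(db, query):
    """Classify the query and fetch the object with a bound parameter.

    The value from the wire is only ever passed as a '?' parameter, never
    concatenated into SQL, so quoting tricks are matched as a literal name.
    """
    q = query.strip()
    if q.lower().startswith("nameserver "):
        row = db.execute("SELECT name, ip, registrar FROM host WHERE name = ?",
                         (q[len("nameserver "):].strip().lower(),)).fetchone()
        if row is None:
            return None
        return {"Server Name": row[0], "IP Address": row[1], "Registrar": row[2]}
    row = db.execute("SELECT name, registrar, status, expiry FROM domain WHERE name = ?",
                     (q.lower(),)).fetchone()
    if row is None:
        return None
    return {"Domain Name": row[0], "Registrar": row[1], "Status": row[2],
            "Expiration Date": row[3]}


def handle(stream, source, db, limiter, now=None):
    """One connection: returns the bytes to send, or None to close without answering."""
    if not limiter.allow(source, now):
        return b"Query rate limit exceeded for this source; retry later.\r\n"
    query = read_request(stream)
    if query is None:
        return None
    fields = lookup(db, query)
    if fields is None:
        return b"No match\r\n"
    lines = [f"{key}: {value}" for key, value in fields.items()]
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())   # time of the lookup
    lines.append(f">>> Last update of WHOIS database: {stamp} <<<")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def serve_bytes(raw, source, db, limiter, now=None):
    """Convenience wrapper: serve one request supplied as raw bytes."""
    return handle(io.BytesIO(raw), source, db, limiter, now)
```

The limiter answers before any bytes are read, so a source over its limit costs the server a socket accept and one short write rather than a database round trip.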



Stability, availability and performance



Nominet is experienced in providing a stable Whois system and has done so for dot UK for many years. The Whois server is provided on a primary data-centre and fully duplicated on a secondary data-centre. Failover procedures are well practiced.



Percentage availability figures for the dot UK Whois are shown in table 26.1 of attachment Q26_Whois_Tables.pdf



Performance and availability will exceed the requirements given in Specification 10 of the new gTLD Agreement.





Searchable Whois



Nominet will provide a searchable Whois service to Internet Users on a subscription basis. Nominet has provided this service for the dot UK domain name registry since 2006 (known as the Public Register Search Service (PRSS)).



The Searchable Whois technology enables wildcard searches to be made on any fields, including:



- domain name

- registrant name

- postal address

- contact names

- registrar ids

- nameservers

- IP addresses



Searches on multiple fields may be combined using boolean logic.



Results can be exported as a comma separated values (CSV) file. Nominet also has the facility to allow users to set up to 20 search terms to be monitored automatically. Notifications are sent by daily email if domain names are registered matching the search terms.



The searchable Whois uses a separate database to the main Whois. This database uses the search and indexing technology provided by Apache Solr (http://lucene.apache.org/solr) to provide optimum search facility and speeds. The search database will be synchronised with the main registry database on an hourly basis.



The Searchable Whois has measures to detect and deal with abuse, similar to those for the port 43 Whois (see above).





Whois Architecture



The Whois server obtains its information directly from the main registry database so its responses are real time. The Whois server is developed in Java using the Spring Framework. Connection management is implemented using Netty (www.jboss.org/netty).



The Port 43 Whois infrastructure is shown in figure 26.1 of attachment Q26_Whois_Figures.pdf



The Port 43 Whois server specifications are shown in table 26.2 of attachment Q26_Whois_Tables.pdf



The Searchable Whois Architecture is as shown in figure 26.2 of attachment Q26_Whois_Figures.pdf



The Searchable Whois server specifications are shown in table 26.3 of attachment Q26_Whois_Tables.pdf



The Searchable Whois is implemented as part of Nominet's interactive online services using the Spring Framework. The front end handles the interface with the user, including authentication, taking details of the search required and presenting the results. The middleware handles the mechanics of the search.



The front end and middleware servers are each provisioned as a load-balanced pair, using the same load balancer topology and technology as the main Whois architecture above, namely a pair of F5 Networks BIG-IP appliances.



The Whois service for dot XFINITY will be deployed on dedicated virtual servers in Nominet's datacentres. The servers making up the dot XFINITY Whois service will have their own dedicated resources as shown in Figure 26.1 of the attachment Q26_Whois_Figures.pdf.



Connectivity is shared with the other registry systems deployed at the datacentre for dot XFINITY, dot UK and up to five other gTLDs. The total available bandwidth is 10 gigabits per second and traffic through each server will be throttled to an appropriate level, both to provide sufficient connectivity for the Whois traffic levels and to mitigate the impact of any traffic surges.



It is estimated that there will be a maximum of 1,000 Whois lookups per day. The dot XFINITY Whois service is provisioned to handle more than 1,000,000 lookups per day.





IT and infrastructure resources



Nominet's two datacentres will be connected by two 10 Gbit/s links on dual, geographically diverse paths. Each link has a latency of less than one millisecond. Replication between the two datacentres will be asynchronous but the replicated data will be only a few milliseconds behind the live data. Should connectivity to one datacentre fail, the other will automatically assume the role of primary datacentre.



The two datacentres will be connected to Nominet's main office by 1 Gbit/s links. This allows mechanisms to be put in place to avoid possible "split brain" scenarios, where connectivity between the datacentres is lost and each believes the other is down and assumes the primary datacentre role. Each datacentre will have a multi-homed 100 Mbit/s transit link to the outside world. This connectivity will be handled by six Tier-1 providers in order to ensure availability and redundancy. Nominet will also maintain 100 Mbit/s links from each datacentre to peering points at Internet exchanges such as the London Internet Exchange (LINX, https://www.linx.net/) and the London Network Access Point (LoNAP, http://www.lonap.net/).



The Whois infrastructure is described in the preceding paragraph ʺWhois Architectureʺ.





Service continuity



Nominet will provide the Whois network architectures shown in figures 26.1 and 26.2 of attachment Q26_Whois_Figures.pdf in a primary datacentre and replicated in full in a secondary datacentre. The registry database is replicated from the primary datacentre to the secondary using Oracle Data Guard in Maximum Performance mode. The Solr index for the searchable Whois is generated in both datacentres. This architecture allows Nominet to have standard operating procedures to enable transition within minutes if necessary, and this procedure will be practised on a monthly basis. The Whois servers maintain high availability via SAN and virtualisation replication technologies. Should connectivity to the primary datacentre be lost, the service will instantly be available in the secondary datacentre.



In the very unlikely scenario that connectivity was lost to both datacentres (such that none of the six Tier-1 providers could connect to either datacentre), Nominet will maintain a third datacentre in Geneva, Switzerland that will be able to provide essential registry services in such a catastrophe.



Nominet has a full set of business continuity plans and these have been accredited to the BS25999 business continuity standard.



Customisation of Whois service



Nominet will customise the dot XFINITY Whois service as required to handle any change in Whois output that may be deemed necessary by ICANN.





Resource plan



The dot XFINITY main Whois service has been implemented, with pre-production testing and customisation to be completed in 2012. Nominet has large development, infrastructure and customer support teams experienced in running all its dot UK services. Nominet will dedicate the following resources and time from these existing teams, as well as additional resources where appropriate, to the pre-launch and post-launch maintenance tasks:



Pre-launch



- Test bed deployment: 5 days by a systems administrator

- Pre-launch load testing: 5 days split between a systems administrator and a Java developer

- Packaging for production: 2 days by a Java developer

- Deployment to production: 5 days by a systems administrator



Total pre-launch resource: 17 days.



Post launch



- Customer support: 8 hours per week

- Technical support: 4 hours per week

- Monitoring of and involvement in Whois standards development: 2 hours per week by a research team member and member of development team



Total post-launch resource: 14 hours per week.

27. Registration Life Cycle

Question 27 - Registration Lifecycle



Nominet, the registry provider, has implemented a lifecycle for dot XFINITY domains which is based around Request for Comments (RFCs) 5730 and 5731. These RFCs define the Extensible Provisioning Protocol (EPP) interface for domain names including domain name registrations, updates, transfers, renewals and deletes.



Because the registry is closed, grace periods, as defined in RFC 3915, have not been implemented for dot XFINITY.



Registrars who have signed a dot XFINITY registry/registrar agreement will be able to register domain names that are not already registered for a period of one to ten years. Registrars are able to renew their domain names to extend the registration period and may also delete domain names. If a domain name reaches the end of its registration period then it is automatically renewed for one year. If a domain is cancelled then it becomes immediately available for re-registration.



The lifecycle for dot XFINITY domain names is shown in the state diagram in Figure 27.1 of attachment Q27_Registration_Lifecycle_Figures.pdf. Domain name states, which represent the stage that a domain name is at in the lifecycle, are shown in boxes. Trigger points, representing events that move a domain name onto a new stage in the lifecycle, are shown by arrows on the diagram. A domain name can also change state as the result of the passage of time. State changes defined in the Uniform Rapid Suspension System are considered exceptions to the state diagram; further details are set out in the penultimate section of this response. Domain name states are described below:





State: Available for registration



A domain name in this state is not registered and may be registered on a first come, first served basis by a registrar. The only EPP command that may be performed on the domain name is a create command to register the domain name.





State: Registered



This is the default state for a registered domain name. The registrar of record may use EPP to perform update, renew, transfer or delete commands.





State: Renewed



A domain name is in this state immediately after it has been successfully renewed, either by the registrar or automatically by the registry at expiry.



Trigger points represent the events that cause a domain name to change state, that is to move to a new stage in the lifecycle. The trigger points are described below:





Trigger point: create



This trigger point represents the registration of new domain names. Any registrar that has signed a registry-registrar agreement for dot XFINITY may use the EPP create command to register a new domain name subject to the following pre-conditions:



- The domain name is a sub-domain of dot XFINITY.

- The domain name is in the "available for registration" state and so not already registered.

- The domain name is not reserved.

- The domain name consists only of the lower-case ASCII letters a-z, the digits 0-9 and the hyphen (-).

- The domain name does not have hyphens as both its third and fourth characters.

- The domain name label does not begin or end with a hyphen.



If the above pre-conditions hold, a registration request will be successful and the domain name will be added to the registry database. The registration period and expiry date will be set according to the period specified in the create command. Following this, if the domain name has nameservers, a dynamic update will be made to add the domain name to the zone file.



All registration requests are performed immediately and there is no pending state.



Following registration, the domain name moves into the ʺregisteredʺ state.
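An added example (not the registry's code) that applies the create pre-conditions above to a name and reports every one that fails, then performs the create when none do. The reserved-name list is constructed, as is the set of already-registered names; the 63-character label limit is the RFC 1035 bound, not a rule stated on this page. The hyphen rule for the third and fourth characters is what keeps registrars from creating labels shaped like the IDNA A-label prefix xn-- (RFC 5891).

```python
import re

TLD = "xfinity"
# Constructed reserved list; the registry's actual reserved names are not on this page.
RESERVED = {"nic", "whois", "www"}
LABEL_CHARS = re.compile(r"[a-z0-9-]{1,63}")   # lower-case ASCII only; 63-octet label limit


def create_preconditions(domain, registered):
    """Return the list of failed pre-conditions for an EPP create of `domain`.

    An empty list means the registration would be performed. `registered` is the
    set of names already in the registry (constructed input for the example).
    """
    problems = []
    labels = domain.split(".")
    if len(labels) != 2 or labels[1] != TLD:
        return [f"not a second-level name directly under .{TLD}"]
    label = labels[0]
    if domain in registered:
        problems.append("already registered")
    if label in RESERVED:
        problems.append("reserved")
    if not LABEL_CHARS.fullmatch(label):
        problems.append("label must be 1-63 characters from a-z, 0-9 and hyphen")
    if label.startswith("-") or label.endswith("-"):
        problems.append("label begins or ends with a hyphen")
    if label[2:4] == "--":
        # Positions 3 and 4 are reserved for the IDNA A-label prefix (xn--), RFC 5891.
        problems.append("hyphens in the third and fourth characters")
    return problems


def register(domain, registered):
    """Perform the create immediately (no pending state) if all pre-conditions hold."""
    problems = create_preconditions(domain, registered)
    if problems:
        raise ValueError(f"{domain}: " + "; ".join(problems))
    registered.add(domain)
    return "registered"


if __name__ == "__main__":
    names = {"taken.xfinity"}
    for candidate in ("new-name1.xfinity", "xn--bcher-kva.xfinity", "-abc.xfinity"):
        print(candidate, create_preconditions(candidate, names) or "ok")
```

Reporting every failed pre-condition at once, rather than the first, gives a registrar one round trip to fix a bad create; a real EPP server would map the non-empty list onto a 2xxx result code.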



Trigger point: renew



A domain name may be renewed, at any time by the registrar of record using the EPP renew command, subject to the following pre-conditions:



- The resultant expiry date for the domain name is less than 10 years in the future.

- The domain name does not have either clientRenewProhibited or serverRenewProhibited locks set.





If these preconditions hold then the renewal will take place and the expiry date for the domain name will be extended by the period specified in the renewal request. The domain name moves into the "renewed" state.



Trigger point: auto-renew



A dot XFINITY domain name will be renewed by the registry if the following pre-conditions hold:



- The expiry date for the domain name has passed.

- The domain name does not have either clientRenewProhibited or serverRenewProhibited status values set.



The expiry date will be moved forward by one year and the domain name is placed into the "renewed" state.





Trigger point: complete-renew



This trigger point occurs immediately after a domain name is placed into the "renewed" state. The domain name is placed back into the "registered" state.





Trigger point: delete



A registrar may use the EPP delete command to cancel a domain name at any time provided the following pre-conditions hold:





- The registrar is the registrar of record for the domain name.

- The domain name does not have either serverDeleteProhibited or clientDeleteProhibited locks set.



Once a domain name has been deleted, it is placed into the "available for registration" state and is immediately available for re-registration.





Grace Periods



Grace periods are defined in RFC 3915 and add registration states and trigger points to implement time periods following registrations, renewals, transfers and cancellations where the command can be reversed without penalty. Because dot XFINITY is a closed registry, there is no penalty for undoing any of these commands at any time and grace periods are therefore not required. If, at any time, dot XFINITY is opened up then grace periods can be easily added.





Domain Transfers



Domain transfers follow the process described in ICANN policy on transfer of registrations between registrars.



When a domain name is in the ʺregisteredʺ state, any registrar may issue a transfer request to move sponsorship of the domain to them. Transfer requests take up to 5 days to complete, during which time the registrar of record may reject the transfer and prevent it from completing.



The transfer process state diagram is shown in Figure 27.2 of the attachment Q27_Registration_Lifecycle_Figures.pdf. Domain name states are shown in boxes with arrows depicting the events that trigger change of state. The states and trigger points are described below.



State: registered



Any currently registered domain name may be transferred.





State: transfer pending



A domain name in the "transfer pending" state has had a transfer request submitted within the last 5 days and the registrar of record has neither accepted nor rejected the request.





When a domain name has been in the "transfer pending" state for 5 days, the "transfer pending" state is removed and the "transfer accepted" state is added.





State: transfer accepted



A domain name in the "transfer accepted" state has had a transfer request accepted, either directly by the registrar of record positively accepting the request using EPP or indirectly by the domain spending 5 days in the "transfer pending" state.





Trigger point: transfer request



A registrar may request a transfer for a domain name at any time provided the following preconditions are true:



- The registrar has signed a dot XFINITY registry-registrar agreement

- The registrar can provide the correct authInfo value

- The domain name does not have the transfer pending status set

- The domain name does not have either the clientTransferProhibited or serverTransferProhibited locks set.





The "transfer pending" status is added to the domain name for five days and the registrar of record is notified. If, after five days, the "transfer pending" state is still set, the domain name is moved to the requesting registrar and the "transfer pending" state is removed.



Trigger point: reject transfer



The registrar of record may reject a transfer request when the domain name is in the "transfer pending" state. The "transfer pending" state is removed and the domain name returns to the "registered" state.



Trigger point: accept transfer



The registrar of record may accept a transfer request when the domain name is in the "transfer pending" state. The "transfer pending" state is removed and the domain name has the "transfer accepted" state added.



Trigger point: transfer



This trigger point happens immediately after the domain name has the "transfer accepted" state set.



The domain name is moved to the registrar that requested the transfer, the "transfer accepted" state is removed and the domain name returns to the "registered" state.



If a registration period was specified in the request, and adding that period to the current expiry date will result in the expiry date being less than 10 years in the future, then the domain is renewed for the period requested. The renew trigger point in the registration lifecycle described above is triggered.
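An added example (not Nominet's implementation) of the renew, auto-renew and transfer trigger points as described above, including the 5-day auto-approval, the lock checks, and the rule that a period carried in the transfer request renews the name only if the resulting expiry stays under ten years from today. Registrar identifiers, dates and the authInfo check are constructed. The example assumes that a renewal refused because of a renew lock leaves the completed transfer in place, which the page does not specify.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

TRANSFER_WINDOW = timedelta(days=5)
RENEW_LOCKS = {"clientRenewProhibited", "serverRenewProhibited"}
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}


class LifecycleError(Exception):
    """Raised when a trigger point's pre-conditions do not hold."""


def add_years(day, years):
    """Same calendar date `years` later; 29 February falls back to 28 February."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


@dataclass
class Domain:
    name: str
    registrar: str                      # registrar of record
    expiry: date
    statuses: set = field(default_factory=set)
    transfer_to: Optional[str] = None   # requesting registrar while pendingTransfer
    transfer_requested: Optional[date] = None
    transfer_years: int = 0             # period carried in the transfer request

    def _forbid(self, locks):
        hit = self.statuses & locks
        if hit:
            raise LifecycleError(f"{self.name}: blocked by {sorted(hit)}")

    def renew(self, by, years, today):
        """Trigger point 'renew': extend expiry, keeping it under ten years from today."""
        if by != self.registrar:
            raise LifecycleError("only the registrar of record may renew")
        self._forbid(RENEW_LOCKS)
        new_expiry = add_years(self.expiry, years)
        if new_expiry >= add_years(today, 10):
            raise LifecycleError("expiry would not be less than 10 years in the future")
        self.expiry = new_expiry        # 'renewed', then straight back to 'registered'
        return self.expiry

    def request_transfer(self, by, auth_ok, today, years=0):
        """Trigger point 'transfer request' from a registrar holding the authInfo."""
        if not auth_ok:
            raise LifecycleError("authInfo does not match")
        if "pendingTransfer" in self.statuses:
            raise LifecycleError("a transfer is already pending")
        self._forbid(TRANSFER_LOCKS)
        self.statuses.add("pendingTransfer")
        self.transfer_to, self.transfer_requested, self.transfer_years = by, today, years

    def reject_transfer(self, by):
        """Trigger point 'reject transfer': back to 'registered' with the same registrar."""
        self._require_pending(by)
        self._clear_transfer()

    def approve_transfer(self, by, today):
        """Trigger point 'accept transfer' followed immediately by 'transfer'."""
        self._require_pending(by)
        self._complete_transfer(today)

    def tick(self, today):
        """Time-driven changes: 5-day auto-approval of a pending transfer, auto-renew at expiry."""
        if ("pendingTransfer" in self.statuses
                and today - self.transfer_requested >= TRANSFER_WINDOW):
            self._complete_transfer(today)
        if today > self.expiry and not (self.statuses & RENEW_LOCKS):
            self.expiry = add_years(self.expiry, 1)   # trigger point 'auto-renew'

    def _require_pending(self, by):
        if by != self.registrar or "pendingTransfer" not in self.statuses:
            raise LifecycleError("no pending transfer for this registrar to act on")

    def _clear_transfer(self):
        self.statuses.discard("pendingTransfer")
        self.transfer_to = self.transfer_requested = None
        self.transfer_years = 0

    def _complete_transfer(self, today):
        """Trigger point 'transfer': change sponsorship, then renew if a period was requested."""
        self.registrar = self.transfer_to
        years = self.transfer_years
        self._clear_transfer()
        if years:
            try:
                self.renew(self.registrar, years, today)   # enforces the 10-year cap and renew locks
            except LifecycleError:
                pass   # assumed: a refused renewal does not undo the completed transfer
```

Keeping the requested period on the object from the moment of the request mirrors RFC 5731, where the period is part of the transfer request rather than of the later approval.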





Domain name attribute updates



A registrar may update the attributes of a dot XFINITY domain name at any time provided the following preconditions are true:



- The registrar is the registrar of record for the domain name

- The domain name does not have either clientUpdateProhibited or serverUpdateProhibited locks set



The registrar may change the nameservers, add or remove contacts, or add or remove a lock.



If the clientUpdateProhibited lock is set and the other preconditions above hold then the registrar of record may remove the clientUpdateProhibited lock only.



Nominet would make updates to dot XFINITY domain names upon direct request by Comcast. This may include a transfer or the addition of one of the registry-set domain locks listed below.





Domain name locks



The registry and registrar of record may place locks upon the domain name to prevent EPP commands from succeeding. The registrar of record may place the following locks upon a domain name:



- clientUpdateProhibited to prevent update of the domain name's attributes

- clientDeleteProhibited to prevent cancellation of the domain name

- clientTransferProhibited to prevent transfer of the domain name

- clientRenewProhibited to prevent renewal of the domain name

- clientHold to prevent publication of the domain name in the zone file.



The registry may place any of the following locks upon a domain name:



- serverUpdateProhibited to prevent update of the domain name's attributes

- serverDeleteProhibited to prevent cancellation of the domain name

- serverTransferProhibited to prevent transfer of the domain name

- serverRenewProhibited to prevent renewal of the domain name

- serverHold to prevent publication of the domain name in the zone file.





Uniform Rapid Suspension (URS)



The Registry Operator will adhere to the URS procedure (currently in draft form). Within 24 hours of receipt of notification by email from the URS Provider, the Registry Operator will lock the domain name. This lock will prevent all changes to the registration data, including transfer and deletion of the domain name. The domain name will continue to resolve.



In the event of a URS determination in favour of the Complainant, on notification of the determination the Registry Operator will suspend the domain name for the balance of the registration period. The WHOIS output will reflect the requirements set out in the URS. The Complainant will be given the option to extend the registration period for a further year at commercial rates.





Resourcing plan



Nominetʹs registry systems supporting the lifecycle in this document have been fully developed. Nominet has large development, infrastructure and customer support teams experienced in running all its dot UK services. Nominet will dedicate the following resources and time from these existing teams, as well as additional resources where appropriate, to the following post launch maintenance tasks:



Post launch:



- Technical support: 1 hour per week by a customer support adviser



Total post launch resource: 1 hour per week.



This support level is consistent with the number of registrars and domain names that will be registered in the dot XFINITY domain.












28. Abuse Prevention and Mitigation

Question 28 - Abuse Prevention and Mitigation



The dot XFINITY Top Level Domain (TLD) will be a closed registry. All domain names will be registered to and used by authorised representatives of Comcast, the registry operator. As such, domain names will be subject to direct controls by the registry operator to avoid abuse and the risk of abusive registrations will therefore be significantly mitigated.



Abuse



Abuse is defined as action in the registration or usage of a domain in the TLD that would cause actual and substantial harm, and is illegal or illegitimate. Such abuse may occur at any stage of the domain name lifecycle.



In the context of domain name registration, abuse includes infringement of a third party right where the domain is used in a way that is unfairly detrimental to that third party. Abuse also includes phishing, pharming, botnets, fraud and other abuses that are identified in the future or that are brought to the Registryʹs attention.



Abusive activity also includes activity that gives rise to the registry's reasonable belief that the dot XFINITY domain space is being brought into disrepute; activity related to a dot XFINITY domain name that risks placing the Registry in breach of any applicable laws, government rules or requirements, or of requests of law enforcement; and any activity that would be likely to give rise to civil or criminal liability on the part of the Registry Operator and Registry Services Provider, their affiliates, subsidiaries, officers, directors and employees.



Single point of contact



In advance of the launch of the dot XFINITY TLD, a single abuse point of contact responsible for addressing matters requiring expedited attention will be published. This will be clearly visible on the registryʹs existing website at comcast.com and on the new registry website.



Registration policy



Comcast will establish a Naming Committee to be responsible for the development, maintenance and enforcement of the dot XFINITY Registry Domain Management Policy (DMP). This policy defines the rules associated with eligibility and domain name allocation, sets out the license terms governing the use of a dot XFINITY domain name and describes the dispute resolution policies for the dot XFINITY TLD. This policy is intended to be updated and revised regularly to reflect Comcastʹs strategic plans and, where appropriate, ICANN consensus policies.



The policy sets out that registration must comply with the following regarding abuse prevention:

- Domains must be used solely for purposes that enhance the strategic goals of Comcast.

- dot XFINITY domains may not be used in a way which knowingly infringes any third party intellectual property rights.

- A dot XFINITY registration must be an acceptable term that will not give rise to any moral or public order questions or in any way damage the strategic interests or reputation of Comcast.

- All dot XFINITY domains will carry accurate and up to date registration records.

- dot XFINITY domain names may not be used for illegal activities.

- dot XFINITY domain names may not be used for other activities that would be considered abusive. This includes, but is not limited to: phishing, pharming, fraud and distribution of malware.



The Naming Committee reserves the right to place the domain name in 'serverHold' status, thus removing it from the zone file, or to delete a Comcast domain name at any time.



Complaints policy and procedure



Comcast treats complaints from members of the public extremely seriously and will establish a complaints procedure to enable members of the public to complain about dot XFINITY domain names, or any content accessed via those domain names. The procedure will be publicised on the Registry's existing website at comcast.com and at the new Registry website. It will provide a first stage complaints procedure to Comcast's dedicated complaints team, a second stage internal appeals procedure to the Naming Committee and a third stage procedure for further appeal, to Comcast's senior management team. Complainants will be able to submit their complaint via the website, by post or by telephone and Comcast will generally respond to complaints within 10 working days. Comcast's response may include, if appropriate, an apology and an explanation as to how Comcast intends to resolve the complaint.



Any person wishing to complain about alleged abusive registrations or other activities concerning the operation of the dot XFINITY domain would be entitled to utilise this complaints procedure in the usual manner.



In the event that resolving a complaint requires the suspension (removing the domain name from the zone file, but not from Whois records) or cancellation of a domain name, this will be handled by the Naming Committee.



Rights holders will also have the option to complain via the UDRP and URS about any registration that they regard as abusive, but the Applicant would encourage any concerned rights holders to contact it in the first instance to attempt to resolve their concerns informally. Further details regarding rights protection can be found in the answer to question 29.



Nominet, the registry services provider, has well-established relationships with law enforcement agencies. Nominet and Comcast will work together to respond to complaints from these agencies, and such complaints will be acknowledged by Nominet's abuse team within twenty-four hours.



Following review, the complaint may result in one of the following actions:



- Modification of the usage of the domain name

- Suspension of the domain name

- Cancellation of the domain name.



Proposed measures for removal of orphan glue records



The default process for dot XFINITY is to automatically detect and remove orphan glue records. However, where clear evidence in written form is presented that orphan glue records are present in the zone files of dot XFINITY, Nominet, the registry service provider, will take the following action:

- A change request will be presented to Nominet's second line support team by the person handling the complaint. The orphan glue record will be manually removed from the register and, if necessary, locks will be put in place which will prevent any further changes being made to the domain name record in question.

- The dot XFINITY zone files update dynamically and so within 5 minutes of the change being made on the register the zone files will reflect the changed name server record.

Nominet runs a daily audit of the contents of its zone files and compares these against the contents of the registry database. In the event of a mismatch, Nominet personnel are alerted and the mismatch is corrected. This audit will help to reduce the occurrence of orphan glue records.
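As an added illustration of the audit described above (example code written for this page, not Nominet's registry software), the following Python models a closed registry with EPP-style statuses, generates the delegation and glue records the zone should contain, and compares a zone snapshot against them to surface orphan glue. The domain names, host objects and addresses are constructed; serverHold, clientHold and pendingDelete are standard EPP status names, and the rule that glue is published only for in-bailiwick hosts whose own parent domain is currently delegated is an assumption of this example rather than a statement of Nominet's implementation.

```python
"""Registry-to-zone audit for a closed TLD (added example, not Nominet's code).

Models a small registry database (domains with EPP-style statuses, host
objects with glue addresses), generates the delegation records that the zone
should contain, and audits a zone snapshot for orphan glue: address records
for a host under a domain that is no longer delegated, for example because it
was deleted or placed on serverHold. All names and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TLD = "xfinity"
Record = Tuple[str, str, str]  # (owner, type, rdata)

# Statuses that keep a domain out of the zone while its Whois record remains.
HOLD_STATUSES = {"serverHold", "clientHold", "pendingDelete"}


@dataclass
class Domain:
    name: str                                   # e.g. "tv.xfinity"
    statuses: Set[str] = field(default_factory=lambda: {"ok"})
    nameservers: List[str] = field(default_factory=list)


@dataclass
class Host:
    name: str              # host object, e.g. "ns1.tv.xfinity"
    addresses: List[str]   # glue addresses (IPv4 or IPv6)


def is_delegated(domain: Domain) -> bool:
    """A domain is published only if it has nameservers and no hold status."""
    return bool(domain.nameservers) and not (domain.statuses & HOLD_STATUSES)


def parent_domain(host: str) -> Optional[str]:
    """Registered domain a host sits under, or None if not in-bailiwick."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] != TLD:
        return None
    return ".".join(labels[-2:])


def generate_zone(domains: List[Domain], hosts: List[Host]) -> Set[Record]:
    """Records the zone should contain, derived purely from the register."""
    hosts_by_name: Dict[str, Host] = {h.name: h for h in hosts}
    delegated = {d.name for d in domains if is_delegated(d)}
    records: Set[Record] = set()
    for d in domains:
        if d.name not in delegated:
            continue  # held or suspended: stays in Whois, leaves the zone
        for ns in d.nameservers:
            records.add((d.name, "NS", ns))
            host = hosts_by_name.get(ns)
            # Glue only for in-bailiwick hosts whose own parent is delegated;
            # a host under a held or deleted domain must not leave glue behind.
            if host and parent_domain(ns) in delegated:
                for ip in host.addresses:
                    records.add((ns, "AAAA" if ":" in ip else "A", ip))
    return records


def find_orphan_glue(zone: Set[Record], domains: List[Domain]) -> Set[Record]:
    """Address records whose parent domain is not delegated (or not in the TLD)."""
    delegated = {d.name for d in domains if is_delegated(d)}
    return {
        (owner, rtype, rdata)
        for owner, rtype, rdata in zone
        if rtype in ("A", "AAAA") and parent_domain(owner) not in delegated
    }


def audit(zone: Set[Record], domains: List[Domain], hosts: List[Host]) -> dict:
    """Daily-style check: register-derived records versus the published zone."""
    expected = generate_zone(domains, hosts)
    return {
        "missing": expected - zone,
        "unexpected": zone - expected,
        "orphan_glue": find_orphan_glue(zone, domains),
    }


# Constructed sample register (not real registry contents).
DOMAINS = [
    Domain("tv.xfinity", nameservers=["ns1.tv.xfinity", "ns2.tv.xfinity"]),
    Domain("old.xfinity", {"serverHold"}, ["ns1.old.xfinity"]),
    # Still points at a host under the held domain: the orphan glue trigger.
    Domain("mail.xfinity", nameservers=["ns1.old.xfinity", "ns1.tv.xfinity"]),
]
HOSTS = [
    Host("ns1.tv.xfinity", ["192.0.2.1"]),
    Host("ns2.tv.xfinity", ["192.0.2.2", "2001:db8::2"]),
    Host("ns1.old.xfinity", ["192.0.2.9"]),
]

# A zone snapshot that still carries the glue left behind by old.xfinity.
STALE_ZONE = generate_zone(DOMAINS, HOSTS) | {("ns1.old.xfinity", "A", "192.0.2.9")}

if __name__ == "__main__":
    for key, recs in audit(STALE_ZONE, DOMAINS, HOSTS).items():
        print(key, sorted(recs))
```

The case worth noticing is mail.xfinity, which still names ns1.old.xfinity as a nameserver after old.xfinity was placed on serverHold: the NS record is kept (the host object is still linked), but its glue is dropped, and a zone that still carries that A record is reported under both unexpected and orphan_glue. The same comparison also catches the reverse failure, a delegation present in the register but missing from the zone.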



Measures to promote WHOIS accuracy



Comcast is committed to transparency in relation to domain name registration records and to the provision of complete and accurate Whois records.



As a closed registry, in which only Comcast personnel will be able to register second level domain names and only for business purposes, Comcast will be able to ensure the accuracy and completeness of all Whois records.



All domain names must be registered through the Naming Committee. As part of this process, Comcast personnel requesting the registration of a new second level domain will be required to provide a statement as to their business need for the domain name as well as full contact details of their name, position and business area.



The Naming Committee will perform regular audits to ensure this data remains up to date and accurate.



Information sharing



Nominet is well established in national and international industry networks covering registry specific threats as well as threats to the broader Internet landscape. It will continue this work, ensuring dot XFINITY is as resilient and secure as it can be.



Nominet provides an aggregated feed of information highlighting domain names in the TLDs it operates that are used for phishing to the relevant registrar. This feed is collated from trusted sources and allows registrars to take prompt action against abusive domains. In the event that any dot XFINITY domain names appear in the feed, Comcast's Naming Committee will act to remove the abusive content or to place the domain name in 'serverHold' status.



Controls to ensure proper access to domain functions



The ability to register domain names and amend details on the register will be limited to members of the Naming Committee. Access to the mechanisms by which such changes can be made will be password protected as a minimum, and consideration will be given to implementing further security measures (such as multi-factor authentication). Records will be kept of all registration and amendment requests to maintain a full audit trail.



Resource plan



Comcast will establish a Naming Committee that will be responsible for all domain name registrations for Comcast. It is anticipated that this team will be responsible for the accuracy of Whois details.



In addition, Comcast has a dedicated team responsible for responding to complaints. Whether additional personnel will be required to accommodate any uplift in complaints as a result of the operation of dot XFINITY will be closely monitored and addressed as necessary.



Nominet has a large customer support team from which it operates the dot UK registry. It will provide sufficient resources to deal with orphan glue records and law enforcement complaints. It is expected that this will require less than one hour per week from this team.


29. Rights Protection Mechanisms

Q29 - Rights protection mechanisms



The purpose of the dot XFINITY registry is to provide a stable and secure platform for electronic communication that is within the direct control of Comcast; to keep Comcast at the forefront of Internet technology development and to ensure that the integrity of the Comcast brand is maintained.



Safeguards against unqualified registrations



To ensure that all registrations are made in compliance with the registry's policies and eligibility restrictions, all dot XFINITY registrations are managed through the Naming Committee. As part of this process, Comcast personnel requesting the registration of a new second level domain will be required to provide a statement as to their business need for the domain name as well as full contact details of their name, position and business area. The Comcast Naming Committee will scrutinise each statement prior to passing the application for rights protection clearance.



Rights protection



It is Comcast's policy and practice to treat the intellectual property rights of others with respect and therefore rights protection is a core objective of the Registry. In particular, Comcast already has well-developed internal processes for clearing domain names prior to their adoption by the business so as to ensure as far as possible that new models, services and other initiatives do not infringe the rights of others. These processes include conducting a search against relevant trademark databases and a fuller legal advice process in the event that problems are identified by this search.



Comcast will implement and adhere to any rights protections mechanisms that may be mandated by ICANN at any time and will adhere to the requirements listed in Specification 7 of the registry agreement.



Sunrise period



ICANN mandates that sunrise registration services must be offered for a minimum of 30 days during the pre-launch phase. A 30-day sunrise period will be offered for dot XFINITY and during this period eligible trademark owners registered in the Trademark Clearinghouse will have an early opportunity to register names in the TLD.



It should be noted that as only members of Comcastʹs corporate group will be eligible to register domain names in dot XFINITY, there will be limited registrations during the Sunrise period.



Trademark claims service



ICANN mandates that a trademark claims service is offered for at least the first 60 days that the registry is open for general registration. During this period, all potential registrants must be notified of the presence of trademark holders registered in ICANN's Trademark Clearinghouse.



A trademark claims service will be offered for dot XFINITY and attempts to register a domain name which corresponds with a mark registered in the Trademark Clearinghouse will have to be approved by Comcast's in-house Legal Team.



The checks will be carried out by Nominet UK, the Applicant's registry services provider, who will fulfil the requirements to send notices out under the claims service, in order to keep the process at arm's length.



This service will be continued past the minimum initial 60 days, and Trademark Clearinghouse checks will be made for all registrations in dot XFINITY.



Protection of third party trademark rights: implementation of the trademark Post-delegation Dispute Resolution Policy



The dot XFINITY registry will follow the PDDRP process as required under the registry agreement. We believe that the approach to the operation of the dot XFINITY registry set out in this application demonstrates that we intend to operate the dot XFINITY registry in a way which will not harm the interests of trademark holders and therefore complaints under the PDDRP are unlikely. However, the dot XFINITY registry commits to entering into good faith negotiations with parties who have a valid concern regarding their trademark rights, and to participating in good faith in the PDDRP process. In the unlikely event that a PDDRP complaint is brought against the dot XFINITY registry, the complaint will be dealt with by Comcast's Intellectual Property Legal Team.



Abusive use and takedown procedures



While registrations in the dot XFINITY registry will clearly be subject to the UDRP and URS, the Applicant's preference is for any rights holders with a concern about dot XFINITY registrations to approach it in the first instance to discuss their concerns.



In the rare event that Comcast receives such a complaint of trademark infringement, this is treated extremely seriously. Comcast has a dedicated in-house Legal team who investigate such complaints and respond accordingly.



Because dot XFINITY will be a closed registry, Comcast does not anticipate that it will be subject to a significant number of third party claims of abusive registrations or activities otherwise harmful to the legal rights of others. That said, Comcast is committed to providing appropriate mechanisms to enable third parties to complain in the event that they consider their rights to have been infringed or otherwise harmed by Comcast's conduct, and to provide a remedy in the unlikely event that such a claim is made out. Complaints will initially be addressed by Comcast's in-house Legal team and if a complaint is considered to be well-founded, Comcast will take one or more of the following actions:



- cease the harmful conduct

- suspend the domain name to remove it from the zone file

- cancel the domain name.



If at any time the complainant is dissatisfied with Comcast's response then they can utilise the UDRP or URS policies. Alternatively, Comcast will ask Nominet to mediate the dispute. The mediation will be provided by Nominet's two qualified mediators, who have substantial experience of such disputes from their role in mediating dot UK disputes under the dot UK Dispute Resolution Service.



Uniform Rapid Suspension (URS)



The URS process offers an accelerated process for trademark holders to protect their marks. The process will award in favour of the aggrieved party if they are able to show for a registered domain name the following:



- the domain name is identical or confusingly similar to their eligible trade mark

- the registrant has no legitimate right or interest to the domain name

- the domain name is being used in bad faith.



If the URS process finds in favour of an aggrieved party then the domain name in question will be suspended. The nameservers for the domain name will be redirected to an informational web page about the URS provided by the URS Provider. The Whois record will continue to display the original registrant information and will indicate that the domain name cannot be transferred, deleted or modified for the remainder of the registration period.



When a domain name that is subject to URS expires, then it will be deleted.



The dot XFINITY registry will adhere to all URS decisions. Results of URS decisions will be implemented by Nominet, the registry services provider. Nominet has significant experience in implementing the results of dispute resolution processes as it has operated the dot UK Dispute Resolution Service for more than 10 years.



Nominet's four-person second-line support team will deal with any URS notifications relating to dot XFINITY domain names as soon as is reasonably practicable, and in any event within 24 hours of receipt of the decision from the URS provider. The support team works 08:00 to 18:00 local UK time, with one member on call outside those hours to address any urgent issues. The on-call support team member will implement all URS notifications received outside core working hours.



Uniform Domain Name Dispute Resolution Policy (UDRP)



Under the UDRP, a trademark owner may submit a complaint to an approved dispute resolution service provider. In the event that the provider finds for the complainant then they may order a transfer, deletion or other action on the domain name. UDRP decisions are implemented by the relevant ICANN accredited registrar.



The dot XFINITY registry will fully comply with all UDRP decisions and it will be a requirement on dot XFINITY registrars to do so.



Resource plan



Comcast already has a dedicated in-house Legal team responsible, inter alia, for responding to complaints of IP infringement. Whether additional personnel will be required to accommodate any uplift in complaints as a result of the operation of dot XFINITY will be closely monitored and addressed as necessary. However, given the modest number of registrations expected in the TLD, it is not presently anticipated that further resource will be necessary.



Nominet's existing Dispute Management team, incorporating two qualified lawyers and two experienced mediators, will handle mediation. URS decisions will be handled by Nominet's abuse team of four staff.


30(a). Security Policy: Summary of the security policy for the proposed registry

Question 30a - Security Policy



Nominet, the Registry Services Provider has been running the dot UK TLD for the past 15 years and has an impeccable security record in protecting both the dot UK TLD and the information within the registry. Nominet works at the forefront of information security and contributes to the development of both global and national security standards to further protect the security, stability and resilience of the Internet.



The aim of Nominet's Security Programme is to secure the business, its data, its people, and the services that the organisation provides. Nominet maintains policies, standards and procedures that are designed to protect the company assets according to their sensitivity, criticality and value.



The goals of Nominet's Security Programme are:



- Allocation of responsibility by Nominet management for development, implementation, monitoring and review of information security policies and standards

- Monitoring, evaluation and management of information security threats, vulnerabilities and risks

- Awareness of, and adherence to, all published information security policies, standards and processes applicable to management or use of information assets by Nominet Personnel with access to such information assets

- Access controls and business continuity management of Nominet information processing facilities, information assets and business processes

- Implementation of an information security incident management process

- Periodic review of the Information Security Programme to ensure its effectiveness.





Processes and Solutions



Nominet employs security capabilities which are robust and appropriate for the high-profile and large TLD registry that it operates. Nominet is certified to the British Standard for Business Continuity, BS 25999-2:2007. Any gTLD that Nominet operates will benefit from this proven security approach.



Physical security at Nominet includes a permanently manned reception area with CCTV monitoring of all entrances, including recording of video. All staff wear visible corporate photo ID cards and are encouraged to challenge unaccompanied strangers. Access to server areas requires biometric identification in addition to ID cards. In addition to these physical checks, Nominet's datacentre locations employ further physical security measures including a 24x7 manned reception, a ballistic-resistant glass mantrap and air locks. Security staff ensure that access is only available to those specifically authorised. Nominet's servers are housed in a secure caged area within the datacentre with a card access controlled door.



Server security starts with a minimal install of the operating system, with extra software only being installed if required. Access is restricted to those required to administer the server and its software, with audits carried out at regular intervals to ensure that access is still required.



Patching is carried out as part of a regular and ongoing patch management programme to ensure that critical servers and services are kept secure. Nominet also maintains a very close relationship with DNS software providers and has reported bugs to them to help patch their software, following responsible disclosure guidelines.



All external connections to Nominet's systems are encrypted using TLS (Transport Layer Security), with internal connections being encrypted where possible. TLS itself protects only TCP-based connections: UDP services (including DNS itself) and BGP peering sessions fall outside its scope and rely on their own controls. All privileged access to Nominet's servers is protected with two-factor authentication. HSMs are used where appropriate to store private key information.



Networks are separated with firewalls (Juniper SRX3600) deployed between different network segments to help protect Nominet's sensitive information. All external access to Nominet's services is through firewalls to servers located in a DMZ. Wireless access points in Nominet's offices are also located in a DMZ to prevent direct access to internal systems. Wireless access is encrypted following best practice guidelines. Only authorised devices are permitted to connect to the company network.



Access to all devices (desktop devices, servers, network devices etc.) is via individual usernames and passwords controlled by a central directory service (Microsoft Active Directory). This allows all user access to be controlled from a single location, simplifying user access control. Access to Nominet's systems is forbidden unless expressly permitted, and users are granted the minimal access required to perform their job function effectively. Users are assigned unique user IDs, and these user IDs are never re-issued to other users. Accounts are disabled for any user who no longer requires access or has left the company, and user access is reviewed on a regular basis. The following roles are not carried out by the same people: systems operation, systems development, and systems/network administration.



The following controls are also applied to separate systems:



- Development and production software are run in separate environments.

- Development and test work are separated.

- Development facilities are not loaded on production systems.

- Development personnel use separate logon IDs for development and test systems to reduce the risk of error.

- Development staff do not have access to production systems.



Anti-virus software from a reputable supplier is used to scan computers and media on a routine basis. Anti-virus software is kept up to date on a centralised basis.



All access to Nominet's services and servers is logged locally and also to a central location. Nominet also collects logs from firewalls, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), network devices, security devices, applications, databases etc. Event correlation is performed across all of these logs to help identify any unusual activity. Nominet uses security information and event management software (ArcSight Express) for this event correlation.
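Below is an added example, written for this page and not Nominet's own ArcSight content, of the kind of cross-source correlation the paragraph describes: it parses constructed syslog-style lines from an sshd host log and a firewall log into one event schema, flags a source address that produces three or more authentication failures followed by a success within five minutes, and attaches the firewall sessions that admitted that address. The log formats (the firewall line in particular is a simplified stand-in, not a vendor format), host names, addresses and thresholds are all constructed for the example.

```python
"""Cross-source event correlation (added example, not Nominet's SIEM rules).

Normalises constructed syslog-style lines from two sources (sshd on a registry
host and a firewall) into one event schema, then flags a source address that
produces several authentication failures followed by a success inside a time
window, attaching the firewall sessions that admitted it. Formats, hosts,
addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines; the firewall format is a simplified stand-in.
SAMPLE_LOGS = """\
2012-03-01T10:00:01Z fw01 FLOW_SESSION_CREATE src=203.0.113.7 dst=192.0.2.20 dport=22 action=permit
2012-03-01T10:00:02Z reg-db01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2012-03-01T10:00:05Z reg-db01 sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
2012-03-01T10:00:09Z reg-db01 sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
2012-03-01T10:00:14Z reg-db01 sshd[2004]: Accepted publickey for ops from 203.0.113.7 port 51003 ssh2
2012-03-01T10:02:00Z reg-db01 sshd[2010]: Failed password for ops from 198.51.100.4 port 40000 ssh2
2012-03-01T10:30:00Z reg-db01 sshd[2011]: Accepted publickey for ops from 198.51.100.4 port 40001 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text: str) -> List[Dict]:
    """Turn heterogeneous lines into dicts sharing ts/source/host/src/outcome."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "source": "sshd", "host": m["host"],
                           "src": m["src"], "user": m["user"],
                           "outcome": m["outcome"].lower()})
            continue
        m = FW_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "source": "firewall", "host": m["host"],
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                           "outcome": m["action"]})
        # Unparsed lines are dropped here; a real pipeline would count them.
    return sorted(events, key=lambda e: e["ts"])


def correlate_failures_then_success(events: List[Dict], threshold: int = 3,
                                    window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when a src has >= threshold auth failures then a success within window."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["source"] != "sshd":
            continue
        src = e["src"]
        if e["outcome"] == "failed":
            failures[src].append(e["ts"])
        elif e["outcome"] == "accepted":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src": src, "host": e["host"], "user": e["user"],
                               "failures": len(recent), "at": e["ts"]})
            failures[src].clear()  # a success closes the sequence either way
    return alerts


def enrich_with_firewall(alerts: List[Dict], events: List[Dict],
                         window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Attach firewall sessions from the alerting src seen shortly before the alert."""
    fw = [e for e in events if e["source"] == "firewall"]
    for a in alerts:
        a["firewall"] = [e for e in fw
                         if e["src"] == a["src"] and timedelta(0) <= a["at"] - e["ts"] <= window]
    return alerts


def run(text: str = SAMPLE_LOGS) -> List[Dict]:
    events = parse_events(text)
    return enrich_with_firewall(correlate_failures_then_success(events), events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, 203.0.113.7 produces three failures and then a successful key login within 12 seconds, so it is flagged and tied back to the firewall session that permitted its connection to port 22; 198.51.100.4 has a single failure 28 minutes before its success and is not flagged. The value of the central log store the paragraph describes is exactly this: neither the sshd log nor the firewall log alone shows the whole sequence.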



In addition to the monitoring that is carried out by the devices listed above, Nominet has developed a proprietary technology platform to capture and analyse traffic at its name servers. With this technology Nominet can discover trends, identify abuse patterns and research the behaviour of botnets etc. Using this Nominet can identify security flaws and help the company understand the effect they may have on global DNS infrastructure.



Security for in-house written applications is controlled in many ways:



- All application code is peer reviewed.

- Security guidelines for software development have been written and are followed.

- All source code is held in a central repository, access to which is restricted by password.

- All changes to code are regression tested to ensure the application continues to function as expected.

- All changes to code can be attributed to the developer who made them.



Secure disposal of equipment is tightly controlled, with all storage media removed from equipment prior to disposal and all media is then wiped in accordance with best practice guidelines.



Change control is a tightly controlled process at Nominet, with identification and recording of significant changes, including all changes to security configuration. Approval must be gained at every stage, with all changes tested before being put into the live environment. System owners are always involved in these changes to ensure that no registry system is affected without the business being made aware of upcoming changes. The potential impact of any change is assessed, and there is an approval procedure for proposed changes. Nominet tries to ensure that implementation of change causes minimal disruption to normal operations, bundling changes into a formal release where applicable. All changes must have an approved rollback plan for recovering from unsuccessful changes.



Staff are encouraged to report security incidents, and all such incidents are investigated by Nominet's system administration team, who have access to the research team if required. Action is first taken to reduce the impact of the problem, and the root cause is then determined. Action is then taken to deal with the problem, making changes as required. Any affected users are notified along with any recommended action (such as changing passwords).





Independent Assessment Reports



Nominet currently undergoes specific security testing as part of an approach to maintain PCI-DSS (Payment Card Industry Data Security Standard) compliance. Using a third party (TrustKeeper), monthly scans are carried out against a section of Nominet's internet-facing systems to test for vulnerabilities. These scans are designed to detect more than 5,000 known network, operating system and application vulnerabilities, including the SANS Institute Top 20 list, and are executed without any impact on Nominet's systems. The most recent scan was carried out on 17 January 2012 and the result was a pass.



Nominet is also undergoing a three-year programme of security testing using an ISO 27001 certified third-party assessor (First Base Technologies). The scope of the testing that First Base is carrying out includes (but is not limited to):



- Public IP Address Scan

- External Infrastructure Penetration Test

- Authenticated Remote Access Test

- Web Application Penetration Test

- Internal Infrastructure Penetration Test

- Server and Network technical Audit

- Wireless network Discovery

- Wireless Client Device Discovery and Analysis

- Building Access Test

- Email Spear Phishing

- USB Spear Phishing

- Telephone Social Engineering

- Technical Workshop participation



In addition to the above, First Base has also carried out training programmes for staff on information security vulnerabilities and social engineering. Nominet is fully committed to passing the programme of work being carried out by First Base and, where applicable, to putting suitable remediation plans in place.





Other Security Measures



Nominet is fully engaged with national and international security agencies to understand the ever-changing global risk register for security vulnerabilities. Agencies include the US NTIA, UK Cabinet Office, UK GCHQ (Government Communications Headquarters), UK EC-RRG (Electronic Communications Resilience and Response Group) and many other formal and informal security groups.



Nominet works closely within the internet community to develop, support and publicise security standards and best practice across the global internet. Staff at Nominet helped develop the global DNSSEC security standard and authored a number of the key RFCs (Requests for Comments) that make up this standard. Nominet is currently at the forefront of DNS research, attempting to understand patterns of misuse and criminal behaviour within the global DNS. Nominet's Director of IT was selected as one of 12 global experts to analyse and audit ICANN's security, stability and resilience work and report back to both the ICANN board and the NTIA on areas for improvement. Nominet's Head of Research is a member of the DSSA-WG (DNS Security and Stability Analysis Working Group), looking into how best to coordinate responses to global DNS security incidents.





Commitments to registrants



We will commit to dot XFINITY registrants that:



- All data will be secured and protected in line with ISO 27001 guidelines

- We will not take any action in relation to a domain name registration unless we are satisfied that it has been received from the right person;

- We will require registrars to prove their identity, including by the use of unique identifiers and multi-factor authentication where appropriate, when they submit transactions to our systems;

- Our registrars will be contractually obliged to maintain the security of their system identifiers and passwords and prevent the unauthorised disclosure of the same; and

- The registry will be operated in accordance with the Data Protection Act 1998 which, amongst other things, requires us to implement appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.





Resourcing plan



Nominet employs a dedicated Head of Information and Technology Security to help develop best-practice security policy and to liaise with national and international security agencies, organisations and groups in order to ensure that both Nominet and the TLDs that it operates are as secure as possible.



Nominet's security policy is already implemented. Nominet has a dedicated security team and a large infrastructure team from which it will dedicate the following resources to post-launch maintenance tasks related to the security policies that will be used by the dot XFINITY registry.



- Maintenance, review and improvement of the security policy and arrangements: 5 hours a week by the Head of IT Security

- Technical support: 5 hours per week



Total post-launch resource: 10 hours per week.



© Internet Corporation For Assigned Names and Numbers.