ICANN New gTLD Application

18b.1 The goals of ʺ.网络ʺ in terms of specialty, service levels and reputation are:

18b.1.1 Specialty

	(1) Inherent with CNNIC’s mission and knowledge on IDN development, the Chinese TLD ʺ.网络ʺ will enable Chinese language users to use domain names in their mother language effectively and to a certain extent, carry forward the Chinese language and culture among consumers and software vendors.
 	
	(2) The ʺ.网络ʺ will satisfy the unmet demand from the Internet service industry community by offering them with the first truly global Chinese gTLD. ʺ.网络ʺ will help those various Chinese language network applications to market their brands among Chinese language users, protect their Chinese trademarks and, above all, evolve further Internet innovation. 

18b.1.2 Service Level

	(1) CNNIC will implement much stricter Service Level Agreements (SLAs) than requirement of ICANN in order to minimize unscheduled down time due to maintenance. More importantly, CNNIC will provide for redundancy of mechanisms to prevent outages and near real time updates to critical services, such as Whois and zone file generation for registrar transactions.

	(2) CNNIC will establish a 7⁄24 customer service and complaint center for registrars, registrants and the general Internet community with overall satisfaction rate exceeding 90% with respect to the survey of registrants and registrars conducted by a third party.

18b.1.3 Reputation
　　
	(1)ʺ.网络ʺ will be the first truly global Chinese gTLD in the DNS, satisfying the demand from global Internet service industry for a Chinese string that is not constrained by limited geographic applicability;

	(2) CNNIC is expected to provide all registrars with a fair competition platform. CNNIC will also provide more transparency for registrars and the public at large, while at the same time protecting privacy interests.

	(3) CNNIC will continuously endeavor to maintain its image and reputation of being a secure and reliable domain by taking such measures as registrant information authentication, comprehensive trademark protection and information security management.

18b.2 The influence of ʺ.网络ʺ in terms competition, differentiation, and innovation are：

18b.2.1 Differentiation with Existing TLDs
 
	(1)ʺ.网络ʺ will differentiate itself with existing ASCII TLDs. Due to the long-term operation and global layout of some incumbent TLDs, most of their high value domain names which are short and easy to memorize have been registered, and users have to pay high cost to obtain domain names that exactly match the names of their organizations and brands. In contrast, as a new gTLD with a larger space for innovation, ʺ.网络ʺ, in full compliance with the naming convention of Internet service brands and application products in Chinese language, can help the registrants to expand their offerings and content, as well as their brand identity in Chinese consumers..

	(2) ʺ.网络ʺ is also different from current CDN ccTLDs such as ʺ.中国ʺ and ʺ.香港ʺ, for it is specialized in serving global Chinese language community without obvious restriction by territory. CNNIC is intended to engage 100% participation of its global licensed registrars, making “.网络” string as a globalized brand in the communities of Chinese language Internet service providers, and facilitate their promotion in the entire global Chinese user market.

18b.2.2 Enhanced Competition in Domain Name Services

 	(1) The introduction of ʺ.网络ʺ will foster competition between CNNIC and the existing TLD registry operators. Such competition will benefit consumers as it will encourage all registries including other potential registries to offer better services and prices, and boost the overall acceptance of CDN in the end-users.

	(2) In order to ensure that all contracted registrars participate in domain name competition in a fair manner, CNNIC will stay neutral and not discriminate or bias against any domain name registrars as required by ICANN, maintain equality in the provision of information, policies, technical assistance and prices for all registrars, and invite registrars and third party independent observers to conduct supervision over it.

18b.2.3 Support for Internet Innovation

	(1) The proposed gTLD will expand and diversify the global reach of the DNS, which will make it very convenient for registrants to register Chinese domain names that exactly match their idea of internet innovations with Chinese language appearance, thus avoiding the problem of confusion caused by alphabetical names; 

	(2) CNNIC attempt to establish technically feasible solutions thus assuring operational stability, while at the same time providing innovative improvement to the current system thus offering continuous enhancing registry services.

	(3) CNNIC will endeavor to promote products suitable for registrants in support of Chinese language Internet application, and actively encourage cooperation with software and mobile application vendors to drive the development of rising Chinese TLDs.

18b.3 The goals of ʺ.网络ʺ in terms of user experience are:

	(1) ʺ.网络ʺ domain names will be more applicable to users with Chinese input, reading and memory habits, make it easier to be memorized by such users, and reduce the chance of causing confusion of domain names among end-users;

	(2) ʺ.网络ʺ domain names will be made available to Chinese language Internet service community throughout the world, help them protect Chinese trademarks and brand names in a more effective manner, and promote their products in the Chinese language community efficiently;

	(3) ʺ.网络ʺ domain name will be provided in strict compliance with policies on domain name abuse prevention and right protection, and reasonable domain name monitoring will be conducted to control the percentage of abusive domain name registration under 3% and ensure that DNS services are secure and reliable;

	(4) ʺ.网络ʺ domain name will guarantee the service levels of DNS, SRS and Whois and ensure business continuity based on operation of CNNIC, by implementing active network improvement as well as effective operation monitoring measures;

	(5) ʺ.网络ʺ domain name services will be provided in a strictly neutral manner without discriminating or biasing against any domain name user, and timely customer services will be rendered and effective complaint mechanism will be put in place to increase the level of satisfaction with services.

18b.4 Complete Description of Registration Policies in Support of the Goals Listed Above

18b.4.1 Naming Conventions for ʺ.网络ʺ Domain Names

	(1) CNNIC will abide by full Internet standards regarding naming and reserved names, including RFC 1034, RFC 1123, RFC 2606, and RFC 2352, RFC3743 and RFC4713. Its URL form will be 〈registrant-defined prefix〉.〈domain name〉.〈gTLD〉.

	(2) Applicant are allowed to register second-level ʺ.网络ʺdomain names comprised of simplified or traditional Chinese characters, ASCII letters a-z (equivalence between uppercase and lowercase letters), digits 0-9 or hyphen ʺ-ʺ. A domain name may contain up to 20 Chinese characters. 
	Note: Our policy will mandate that when an IDL is registered, all variant IDLs in the IDL package are unavailable to other name holders. In addition to the registered IDL, the registry will activate Simplified whole string and Traditional whole string IDLs to the same registrant⁄applicant for free.

	(3) Single character or two character ASCII domain names will be reserved for application initially.

	(4) Hyphen ʺ-ʺ may not be placed at the beginning or end.

	(5) Hyphen ʺ-ʺ may not be placed at the third or fourth place, with exception to valid a-label.

	(6) Other names that contain contents prohibited by laws of P.R. China and ICANNʹs regulations shall not be allowed to be registered.

18b4.2. Registrants
 
	ʺ.网络ʺ registration applicants are divided into two categories: Organizational Registrant and Natural Person Registrant. Organizational registrants which represent an enterprise, shall be organizations registered under the laws of the country or region where the applicant is located and capable of undertaking civil liabilities. Natural Person registrant shall be all individual human-being registered with real identity. 

	ʺ.网络ʺ registrars shall strictly review the identity certificate submitted by registration applicants, and decline applications with incoherent information on the application form, so as to ensure the authenticity and accuracy of registration records in the Whois. 

18b4.3 Registrars

  CNNIC will offer all registrars that are accredited by ICANN pursuant to the ICANN Registrar Accreditation Agreement (ʺRAAʺ) (as it may be amended by ICANN from time to time) the opportunity to register domain names in the proposed gTLD. CNNIC will not restrict the number of qualifying registrars that may register names in the proposed gTLD and will treat all qualifying registrars equally.

18b4.3.1 Registrar License Agreement

  Any registrars seeking to register domain names in the proposed gTLD will be required to execute a Registry-Registrar Agreement (ʺRRAʺ), which will govern the relationship between the registrar and CNNIC. 

  The RRA will enable CNNIC to reject registration requests from a registrar that is not in compliance with the RRA or any ʺ.网络ʺ registration policy (refer to Question 28). CNNIC will continue to reject such requests until the registrar ceases its non-compliance.

18b 4.4 Rights Protection Mechanism of ʺ.网络ʺ Domain

  To ensure that the Chinese domain nameʺ.网络ʺ will not affect the trademark rights and other rights owned by any third party and maintain the stability ofʺ.网络ʺ operation, CNNIC will, based on the domain name management measures of China and applicable provisions of ICANN, set rights protection mechanism to the following four aspects in terms of registration:  

	(1) CNNIC will set up a Sunrise Period 30 working days only for registration by validated national recognized trademark holders before the launch of ʺ.网络ʺ to the general public.（Please see Question 29 for details）

	(2) CNNIC will, within 60 days upon making available for general public, provide Trademark Claims service for all trademarks included in the Trademark Clearing House(TMCH)（Please see Question 29 for details）.

	(3) Registrars are required to obtain true and accurate registration information from all domain name registrants based on identification authentication.

	(4) For the purpose of protecting the legitimate rights and interests of the general public and preventing domain name abuse, CNNIC will provide pre-registration pre-screening and determine whether the domain names applied and the registration information violate the provisions of ʺChina Internet Domain Name Regulationsʺ (please refer to http:⁄⁄www1.cnnic.cn⁄html⁄Dir⁄2005⁄03⁄24⁄2861.htm). 

	(5) Including a provision in the RRA that permits CNNIC to preclude a registrar from registering additional domain names in the proposed gTLD in the event that the registrar violates any of the provisions contained in this section regarding the protection of intellectual property.

	(6) CNNIC will include provisions in the RRA requiring registrars to abide by the decisions of the UDRP agents and any court of proper jurisdiction, but it shall not be responsible for making determinations regarding intellectual property rights. CNNIC will also regulate itself and respond to dispute in accordance with the Trademark Post-Delegation Dispute Resolution Procedure(PDDRP), Registry Restrictions Dispute Resolution Procedure (RRDRP) and other applicable policies on dispute resolution in case of any dispute against CNNIC.

18b.4.5 Domain name transfer, update and cancellation

   Registrars may only accept transfer requests from individuals with apparent authority to legally bind the registrant. CNNIC will streamline this process by implementing a system under which only those with the necessary user name and password and personal identification will be able to request or authorize a transfer. By implementing a user name and password system, CNNIC will ensure that the individual requesting the transfer is authorized to make the transfer.

   In terms of domain name records update and cancellation, such operation is to be confirmed upon verification of the user name and password. Domain name registrars shall, within 3 working days upon receiving applications filed by domain name registrants for the domain name records update or cancellation, submit the applications to CNNIC for further verification. Without domain name holders’ consent, domain name registrars may not conduct such operations as the update or cancellation of domain name registration.

18b.4.6 Dispute resolution

  CNNIC will follow ICANNʹs policies with respect to dispute resolution, including adoption of the Uniform Dispute Resolution Policy, and cooperation with Uniform Rapid Suspension System (URS) as the same may be amended from time. The registrars shall actively cooperate with the court, arbitration institution or ICANN designated domain name dispute resolution institution on the resolution of domain name disputes.

  All registrars shall take necessary measures during the period of domain name dispute resolution to ensure that the domain name involved is not cancelled or transferred, and shall take further steps with respect to the domain name in a timely manner upon receiving the judgment on the dispute.

18b.4.7 Billing and Collection

  In order to combat domain tasting, and in accordance with current ICANN policy including the RAA, the registrars shall charge the domain name holder for operation of the domain name. If a registrar does not receive payment for a domain name registration within forty five days after the payment becomes due, then the registrar will be obligated to cancel the registration and return the domain name to the general registry pool of available names.

18b.5 Protection for the Privacy or Confidential Information of Registrants or Users 
     
  CNNIC must maintain the trust of the registrars and the consumers. Therefore, CNNIC will not market, in any way, the registrant information obtained from registrars for purposes of running the registry, nor will it share that data with any unrelated third parties. CNNIC will only have access to such data as is necessary for operation of the registry itself and will use that data only for registry operation.

  CNNIC will provide registrars with a security mechanism for accessing and correcting personal data and will take reasonable steps to protect personal data from loss, misuse, unauthorized disclosure, alteration or destruction. To further secure registrant data, each registrant will have a secure password for the registry records. Moreover all registrars and the registry itself along with its employees will be required to abide by all applicable international, national, and local laws.
    
18b.5.1 Whois and Privacy Policy

  CNNIC will strive to maintain open access to registrant information to the extent compatible with applicable privacy laws and ʺ.网络ʺ policy of treating all registrants equitably. In addition, via the RRA, the CNNIC will require registrars to post privacy policies that provide clear and complete notice to registrants of the type of data that will be collected and maintained by CNNIC, the use of such data in operating the registry service, (including display through the Whois service), and the registrantʹs rights to access and correct data maintained by CNNIC. Clear consent to such data practices will be a prerequisite to the submission of a domain name registration request. CNNIC itself will not use the Whois service to send unsolicited e-mail to registrants, to solicit registrants by telephone, or to otherwise engage in unauthorized uses of their data. 

18b.5.2 Bulk Access Provisions

   ʺ.网络ʺ Whois system will also provide interested third parties with bulk access to the full Whois database on a subscription basis in a machine-readable format. Bulk access will provide intellectual property owners with the ability to more effectively police their marks while reducing the load on the core Whois system. 

   CNNIC, via the registrars, will require any bulk access customer to enter into an agreement prohibiting the customer from using the Whois database to send unsolicited e-mail to registrants, solicit them by telephone or use the database for other such commercial purposes.

18b.5.3 Database Security

  ʺ.网络ʺ Whois database only allows query operations and does not allow such operations as writing-in, modification and deletion. Special network segment will be set for the database to isolate the Whois information query database from the network of the registration system, and strict systematic access control and employee supervision will also be conducted. 

18b.6 Outreach and Communications 

18b.6.1 Overview

  To achieve our projected benefits described in 18.a and 18.b, CNNIC is obliged to conduct a series of publicity work to fulfill ICANNʹs mission to enhance the functionality and usability of the Internet on a global basis. These efforts are intended to create enhanced global awareness of the Internet, its growth, and its evolution from ASCII architecture to a resource with broad appeal that transcends cultural boundaries.

18b.6.2 Timing and Publicity Schedule

	(1) Warm-Up Period: Warm-Up Period will last for six months in the start-up period.  

	(2) Sunrise Period: Sunrise Period will be launched after the warm up period, 30 days before general availability. 

	(3) Land Rush Period: Land Rush Period will follow the sunrise period and is estimated to last for 60 days.

	(4) Follow-up Period: Follow-up period will be after initial launch of normal registration services.

18b.6.3 Communication Effectiveness

  CNNIC anticipate the prospective effectiveness of its communication plan as following:

18b.6.3.1 Warm-up period

  CNNIC expects that it will license over 40 ICANN accredited domestic registrars for “.网络” registration services covering major Chinese language user communities in Asia, North America, Europe, Oceania and Latin America. Followed up cooperation will be discussed in this period.

  Meanwhile strategic alliance with other corporation including MIIT, Internet Society of China, 12321 Center, TMCH Provider and other ICANN designated parties will also be made in this period for further cooperation on the operation of ʺ.网络ʺ.

18b.6.3.2 Sunrise Period

  As described in description of ʺ.网络ʺTLD Policies, CNNIC will implement a Sunrise Period to permit owners of subsisting trademark or service mark registrations having national effect to be eligible to register their trademark or service mark as a domain name, using both ASCII and Chinese characters. CNNIC will make all policy decisions and process details transparent through published articles and speaking engagements in advance and during the Sunrise period.

18b.6.3.3 Land Rush Period

  CNNIC anticipates a significant rush for domain name registrations during the Land Rush Period, which will commence immediately following the aforementioned period. CNNIC will launch an advertising campaign to secure coverage in mass media and trade media to reach both the individual Internet user and the Internet service community. Regional events will be staged to create maximum awareness and acceptance of the new gTLD.

18b.6.3.4 Followed up period

  CNNIC will, through feedback from the market, gradually consolidate the brand image of the ʺ.网络ʺ domain name in a subtle way and win trust and acknowledgment of users. Particularly, it is especially important in the follow-up period to cooperate with registrars to build long-term domain name sales and host promotion activities to pull up the applications of the ʺ.网络ʺ domain names.

18 c Operating Rules to Eliminate or Minimize Social Costs 

18.c.1 Definition and Category of Social Costs

  It is predicted that most of ʺ.网络ʺ domain names will be used within the Chinese language community, where a majority of the registrants is expected as emerging small and medium-sized  organizations in developing countries. Therefore, it would be difficult to achieve the targets of ʺ.网络ʺ if the social costs are too high. To achieve the goals of ʺ.网络ʺ, CNNIC will minimize the following time or financial resource costs of registrants, registrars and end-users via policies and operations of ʺ.网络ʺ as far as possible. As predicted by CNNIC, the operation of ʺ.网络ʺ will mainly produce the following costs:

18c.1.1 For Registrants:

	(1)costs for registration of ʺ.网络ʺ domain names 

	(2)costs for renewal of ʺ.网络ʺ domain names

	(3)costs for trademark infringement dispute and defensive registration under ʺ.网络ʺ domain

	(4)additional advertising costs incurred from the promotion of the ʺ.网络ʺ domain name

18c.1.2 For Registrars:
 
	(1) service costs to be paid to the CNNIC

	(2) costs for the promotion and marketing of ʺ.网络ʺ domain names

	(3) costs for the operation and maintenance of ʺ.网络ʺ registration services

18c.1.3 For End-users:
  
	(1) time costs for searching, inputting and memorizing the ʺ.网络ʺ domain name
 
	(2) losses incurred to the consumer as a result of ʺ.网络ʺ domain name abuse


18c.2 Rules on ʺ.网络ʺ to minimize social costs

18c.2.1 For Registrants:

18c.2.1.1 Reasonable Pricing Model of Registration
 
	(1). A unified pricing model including the price of registration and that of renewal will be formulated for ʺ.网络ʺ based on its market demand and operating costs (see Question 46 for details), and the prices will be maintained reasonable and stable to compete fairly with other IDN gTLD, so as to ensure that registrants, especially those with relatively weak economic capability are able to register the ʺ.网络ʺ domain name.
 
	(2). As the registration of”.网络” increases, the unit operating cost for every domain will keep decreasing, and CNNIC will, based on the decrease in its operating costs, adjust the prices accordingly, and provide each ICANN accredited registrar that has executed registry-registrar agreement for “.网络” advance notice of any price change according to the regulations of ICANN.
 
	(3). CNNIC will handle multiple applications for the same domain name on the basis of uniform price and first-come⁄first-serve to effectively reduce the bidding costs spent by registrants and enable more small and medium-sized enterprises to obtain high value domain names with relatively low prices.
 
	(4). CNNIC forbids registrars to register domain names with false information, occupy domain name resources in a disguised form or drive up domain name prices.

	(5)Because Chinese variants have the same pronunciation and the same meaning as its official form, Chinese users regard them as interchangeable. Thus a variant IDN, derived from an IDN by replacing some characters with their variants, should match the original IDN. It is a consensus within the Chinese language community that the Chinese internationalized domain label(IDL) and itʹs variants labels should be belong to the same registrant⁄applicant, and the Simplified and Traditional Chinese forms of the applied-for  should be resolvable simultaneously or non-resolvable at all in ʺ.网络ʺ domain. Our policy will mandate that when an IDL is registered, all variant IDLs in the IDL package are unavailable to other name holders. In addition to the registered IDL, the registry will activate Simplified whole string and Traditional whole string IDLs to the same registrant⁄applicant for free.
   
18c.2.1.2 Effectively Reduced Costs for the Renewal of Domain Names 
 
	(1). Registrants are free to choose, at their own discretion, a registration period of 1-10 years (to a maximum of 10 years) and free to renew their registration based on their own will, and CNNIC will provide in its agreement with registrars that to buy or sell under coercion, sale with treats or selling bundled services on the part of registrars are prohibited.
 
	(2). At the initial operating period of ʺ.网络ʺ, incentive measures will be taken to encourage new registrants to register ʺ.网络ʺ for a longer term of registration. Consumers of newly registered domain names will be exempted for paying certain term of registration period depending on the length of registration period, so as to expedite the popularization and lower the costs of domain names.
 
	(3). To ensure reasonable price of renewal for consumers, CNNIC will take efforts to stabilize the price and propose to undertake in the registration agreement that the registration and renewal price will be kept as stabilized during an effective term of the Registry Contract. Certain price adjustment may take place at the contract renewal point with respect to the Consumer Price Index, labor cost and tax rate change in China and the market condition change. Therefore consumers do not need to worry about low price trap.
 
	(4). CNNIC customer service group will conduct monitoring over consumers’ renewal of domain names, investigate cases where renewal fails to take place, and make improvement in services to the point in cooperation with registrars to make it more convenient for consumers to renew their domain names or change registrar and reduce costs for registrants.

18c.2.1.3 Guaranteed Trademark Rights and Reduced Costs for Domain Name Dispute
  
	(1). A Sunrise Period of 30 days will be launched in accordance with relevant policies of ICANN on Trademark Clearing House Mechanism to allow qualified right holders of validated national recognized trademarks to register ʺ.网络ʺ domain names with priority. Trademark Claim Service will also be provided in the first 60 days of general registration period, for the registration of domain names that match with corresponding trademarks included in the Trademark Clearing House, so as to allow trademark holders to protect their trademark rights through registration and reduce costs resulting from domain name disputes.
　
	(2). The UDRP, PDDRP and RRDRP provided by ICANN and relevant URS policies will be abided by in respect of ʺ.网络ʺ and accessibility of 99% information in Whois will be assured to ensure that domain name abuse. Dispute under ʺ.网络ʺ can be resolved in a timely manner and that losses incurred to domain name holders as a result of domain name abuse and trademark infringement can be reduced to the greatest extent possible.
　
	(3) Efforts will be made to introduce the Chinese domain names to the software vendors in order to expedite applications Chinese ʺ.网络ʺ domain name.  This will enable consumers to get to know the use value of Chinese domain names, increase the level of activity of domain names, reduce investments in domain name registration purely for defensive purposes, and upgrade the practical value of domain names.
  
	(4) CNNIC will undertake to treat all registrants equally, and except for domain names reserved or restricted from registration as prescribed by national laws and relevant provisions of ICANN, all holders of trademark rights will be entitled to the same registration right. CNNIC will not set any priorities in the protection of specific trademarks and guarantees to treat each registrant in a fair manner.

18c.2.1.4 Reduced Costs for the Promotion of Domain Names
  
	(1) ʺ.网络ʺ supports various combinations of Chinese characters, and a ʺ.网络ʺ domain name can be made exactly match the Chinese name of a corresponding Internet service products or brands, which makes it convenient for consumers to read and memorize, improves effectiveness in the publicity of the name of the organization, and makes it easy for itself to be accepted by most of the Chinese language end-users without too much costs for publicity.
  
	(2) CNNIC will reinforce in its publicity plans the promotion of typical cases of the application of ʺ.网络ʺ domain names and boost publicity among registrants from sideways, and concurrently increase acceptance of Chinese domain names by consumers to save publicity costs.

18c.2.2 For Registrars:

18c.2.2.1 Reasonable Registry Fee

	(1) CNNIC will provide all registrars accredited by ICANN with uniform policies on prices, preferential treatments and discounts to ensure that registrars can engage in fair competition.

	(2) The pricing of ʺ.网络ʺ domain names in registrars is relatively low as compared to other IDN gTLDs of the same category, therefore there is a room with competitive advantage for surrendering part of the profits on the part of the registrars.

18c.2.2.2 Reduced Costs for the Promotion and Marketing of ʺ.网络ʺ

	(1) CNNIC will be engaged in active cooperation with registrars in carrying out diversified marketing activities, including advertising and news release, and designate staffs to attend sales conferences organized by registrars and promote their sale.

	(2) CNNIC will institute a rebate program during each year of operation. Through this rebate program, ICANN-accredited registrars that have registered domain names in the new TLD will be eligible to receive a rebate based on the registration increase and renewal rate. This policy will be provided to each registrar equally. CNNIC will conduct annual appraisal of its licensed registrars. If an increase in new registration and renewal rate is found compared to the benchmark value of the last year’s performance, CNNIC will grant a certain amount of rebates with respect to the newly registered domain names, which shall be used as marketing funds for ʺ.网络ʺ to encourage registrars to develop markets especially in areas with a relatively low market penetration rate.
　
18c.2.2.3 Reduced Costs for the Operation of ʺ.网络ʺ

	(1). Registrars will not be charged with any certification cost, and any registrar that qualifies for the provision of ʺ.网络ʺ registration services may apply to become a ʺ.网络ʺ registrar.

	(2) The registry architecture will automate several functions. These include the ability to track, in real-time, status updates of customer registrars, custom reports for registrars, near real-time zone file updates, and over the medium term, real-time updates of the DNS zone files. By automating these processes, registrars can expect meaningful operational cost savings. As such, CNNIC, through its technological solutions, will provide indirect business opportunities to its customer registrars through lower operational costs.

	(3). There are relatively mature registrar support staffs and secure and reliable registration service platform and client which are ready to help registrars to establish ʺ.网络ʺ domain name registration services with the lowest costs.
　
18c.2.3 For End-Users:

18c.2.3.1 Reduced Costs for Searching, Inputting and Memorizing the ʺ.网络ʺ Domain Name

	(1) With the efforts of CNNIC and the Chinese language community, currently most of the browsers support the input of Chinese domain names, which has reduced costs resulting from incompatibility.

	(2) CNNIC is also actively cooperating with such Chinese language search engines and software vendors for promoting applications of Chinese domain names to make it convenient for consumers to accept Chinese domain names.

	(3)The form of the ʺ.网络ʺ domain name also fit neatly with the reading and memory habits of Chinese language users and reduces additional time costs incurred from domain name confusion.

18c.2.3.2 Reduced Losses Resulting Domain Name Abuse
 
	(1). CNNIC’s experience in domain name management will be utilized to impose punishment with respect to such acts of domain name abuse as phishing websites and virus transmission in a timely manner to reduce consumers’ costs, and CNNIC undertakes that the percentage of ʺ.网络ʺ domain name abuse will not exceed 5%.
 
	(2). Accredited registrars will be required to verify the accuracy of information in Whois, so as to ensure that law enforcement agencies can find the person who has committed act of domain name abuse and relieves can be obtained in time with respect to the rights of consumers.

	(3) Chinese variants have the same pronunciation and the same meaning as its official form, Chinese users regard them as interchangeable. The Chinese internationalized domain label(IDL) and itʹs variants labels will be mandated by CNNIC’s policy following the rules as the Simplified and Traditional Chinese forms of the applied-for should be resolvable simultaneously for the same registrant⁄applicant or non-resolvable at all in ʺ.网络ʺ domain. This will reduce the chance of string confusion caused by Chinese variant domain names.

18c.3 Specific Measures to Minimize Social Costs

18c.3.1 Domain Name String Contention Resolution

　CNNIC will, based on the right protection mechanism of ICANN, make Sunrise registration services available for holders of valid trademark rights during the 30-day Sunrise Period prior to the official launch of the general public registration of the ʺ.网络ʺ domain name. All trademark right holders will be entitled to equal priority in registration, the principle of first-come⁄first serve shall apply in case of domain name string contention, and uniform prices will be used. This measure will reduce the costs of domain name registration to the greatest extent possible comparing with the method of auction.

　After the Sunrise Period, CNNIC will continue to resolve domain name string contention on the first-come⁄first serve basis. Where any domain name dispute occurs, UDRP shall apply. Besides, either party may resort to arbitration or judicial decision, or consumers may file complaints with URS providers in view of domain name use with bad faith.

18c.3.2 Cost Benefits Measures

  To drive the stable development of ʺ.网络ʺ, CNNIC plans to adopt a two-stage promotion scheme based on the principle of providing fair and consistent preferential policies for all registrants and registries. The first stage will be consumer incentives, during which domain name registrants will be stimulated to enhance the popularity and acceptability of domain names; and the second stage will be channel incentives, during which further support will be provided for registrars to conduct marketing on the basis of consumers’ recognition in the first stage.

18c.3.2.1 First Stage

18c.3.2.1.1 Period

  The period of the first stage will be the first calendar year after the initial launch of ʺ.网络ʺ for registration.

18c.3.2.1.2 Targets

	(1) Enhance the popularity and acceptability of domain names among consumers, and increase market attention.

	(2) Increase the average term of registration of newly registered domain names and ensure the stability of domain name users.

18c.3.2.1.3 Measures

  CNNIC will take incentive measures directly targeted at consumers to encourage them to register ʺ.网络ʺ for a longer term of registration. Specifically, CNNIC will grant price concession for one-time domain name new registration with a certain length of period , so as to expedite the popularization and increase the average new registration of domain names:

	(1)An one-year exemption will be granted to the users who register one time for four to six years ;

	(2)A two-year exemption will be granted to the users who register one time for seven to nine years; 

	(3)A three-year exemption will be granted to the users who register one time for ten years.

18c.3.2.2 Second Stage

18c.3.2.2.1 Period

  The period of the second stage shall be 12 natural months since the end of the first stage, and appraisement will be conducted on a yearly basis.

18c.3.2.2.2 Targets

	(1) Encourage registrars to increase the new registration of the ʺ.网络ʺ domain name.

	(2) Encourage registrars to increase renewals of historical ʺ.网络ʺ domain names.

	(3) Encourage registrars to increase the proportion of their ʺ.网络ʺ domain name business.

18c.3.2.2.3 Measures

  If during the appraisal of the first year, a certain percentage of growth is seen in the newly registered domain names in any registrar as compared to the benchmark value and a certain rate of renewal is achieved, CNNIC will grant a certain amount of rebates with respect to the newly registered domain names as a marketing fund for the domain name promotion in the lower market penetration area, as is shown in the attached table in 48(a)_attachement_1_schedule_2.

18c.3.3 Provisions on Price Increase

18.3.3.1 Limit on price increase

  Based on the expected increasing amount of the registration of ʺ.网络ʺ, the single unit service cost for each registration is expected to be reduced. CNNIC will take efforts to stabilize the price and propose to undertake in the registration agreement that the registration and renewal price will be kept as stabilized during an effective term of the Registry Contract. Some price adjustment may take place at the contract renewal point with respect to the following conditions:
	
	(1)economic environment change with higher inflation rate in China
	
	(2)tax increase
	
	(3)labor cost increase 
	
	(4)other market variation and technical evolution that may lead to cost change
  
  Due to uncertainty of the market environment at the time of delegation, the actual contractual terms of annual price increase magnitude within the registry agreement shall be further discussed based on the above conditions at the time of delegation.

18.3.3.2 Notice of Price Increase

  With respect to initial domain name registrations, CNNIC will provide ICANN and each ICANN accredited registrar that has executed the RRA for the TLD advance written notice of any price increase (including as a result of the elimination of any refunds, rebates, discounts, product tying or other programs which had the effect of reducing the price charged to registrars, unless such refunds, rebates, discounts, product tying or other programs are of a limited duration that is clearly and conspicuously disclosed to the registrar when offered) of no less than thirty (30) calendar days. CNNIC will offer registrars the option to obtain initial domain name registrations for periods of one to ten years at the discretion of the registrar, but no greater than ten years. 

  With respect to renewal of domain name registrations, CNNIC will provide ICANN and each ICANN accredited registrar that has executed the registry-registrar agreement for the TLD advance written notice of any price increase (including as a result of the elimination of any refunds, rebates, discounts, product tying, Qualified Marketing Programs or other programs which had the effect of reducing the price charged to registrars) of no less than one hundred eighty (180) calendar days. 

  In addition, CNNIC will have uniform pricing for renewals of domain name registrations (“Renewal Pricing”).  For the purposes of determining Renewal Pricing, the price for each domain registration renewal will be identical to the price of all other domain name registration renewals in place at the time of such renewal, and such price must take into account universal application of any refunds, rebates, discounts, product tying or other programs in place at the time of renewal.

23. Registry Services

The services provided by China Internet Network Information Center (CNNIC) for ʺ.网络ʺ Top Level Domain (TLD) mainly include Shared Registration System (SRS), Domain Name Service (DNS), Whois, Internationalized Domain Name (IDN) and DNS Security Extensions (DNSSEC). With full consideration having been given to specific problems related to security and stability, all the above services are customary registry services which meet corresponding Request for Comments (RFC) standards, so there will be no security and stability problems.
CNNIC, in strict accordance with the ISO 27001 (GB⁄T 22080) (www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8618) security standard, has built the Information Security Management System (ISMS) to provide sound security strategies and security guarantees for ʺ.网络ʺ registry services in the aspects of physical equipment, network, system, application, data and audit. Please refer to the answer to Question 30 for more information.
23.1 SRS

23.1.1 Service Description

SRS performs the following functions：
(1) Receiving Registration Data Related to Domain Names and Name Servers from the Registrar
It supports the registry-registrar mode adopted by ʺ.网络ʺ and receives, by providing the registrar with data interfaces that meet the requirements of RFC 5730, RFC 5731, RFC 5732, RFC 5733 and RFC 5734, relevant registration data submitted to CNNIC by the registrar.
(2) Management Functions Related to Registration Data
To be specific, these functions include management of sessions, asynchronous messages, contacts, hosts, domain names, reserved name lists, registrars and status of the registry; performing automated⁄scheduled tasks; generating operation logs; performing financial operations and registration verifications; as well as bulk registration data access.
(3) Providing Interactive Interfaces for Other Related Services

(a) Providing with DNS interfaces service to read registration data to enable it to generate the ʺ.网络ʺ zone file.

(b) Providing interfaces for the Whois service to read registration data to enable it to respond to queries about registration information of ʺ.网络ʺ.

(c) Providing interfaces for the data escrow system to read registration data to enable it to process registration data into deposit files on a regular basis and submit them to the escrow agent.

(d) Providing interfaces for the monitoring system to enable it to monitor the SRS in a real-time manner.
(e) Providing the function of access to bulk data for ICANN in accordance with Specification 4 of the Registry Agreement.

(f) Connecting SRS to the Trade Mark Clearing House to search for information of trade mark owners and decide whether to approve the registration application for a specific domain name based on the search result.

(g) Analyzing SRS logs through monitoring system to provide data report function to generate monthly report required by ICANN.

23.1.2 Security Analysis

SRS adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registration data related to ʺ.网络ʺ.
23.1.2.1 Physical Security Policy

7*24 operation and maintenance team monitors SRS in a real-time manner through the monitoring system. Servers are placed in the lightening-proof, fire prevention, anti-theft and anti-static Internet Data Center (IDC) with the video monitoring system. Fingerprint identification and access card reading devices are adopted to control the visit.
23.1.2.2 Network Security Policy

SRS adopts redundant system design. Each server adopts the Intranet IP address defined in RFC 1918, which is deployed in the service network. SRS registration database adopts Intranet IP addresses to prevent Internet users from accessing these servers.
23.1.2.3 System Security Policy

The operation system and application system of SRS servers are periodically updated. Remote operation to SRS needs to be performed through bastion servers. CNNIC monitoring system monitors the use of host resources and service status in a real-time manner, and once an abnormity is detected, gives off an alarm.
23.1.2.4 Application Security Policy
Application Security Strategy involves the following aspects:

(1) The login password of each registrar in the SRS is limited to 6-32 digits and the password is stored in an encrypted form.

(2) SRS connection between registrar and registry shall adopt Secure Sockets Layer (SSL) encryption mode. Client certificate and user name⁄password achieve the strong authentication to registrars.

(3) SRS restricts the login IP address of the registrar and only authorized IP addresses can be allowed. Certificate of registrar will be verified the effectiveness.

(4) Connection will be automatically closed by the SRS if there is no operation within a specified period of time after the registrar successfully logs in.

(5) Bulk registration data access function is open to ICANN, with whom we consult about the security mechanism and adopt measures such as IP restriction and security data transmission.

23.1.2.5 Data Security Policy

(1) SRS related registration data is stored in registration database, read and write authority of which is strictly restricted. DNS service, Whois service and data escrow system only can read the SRS registration database.

(2) SRS registration database will be backed up in local tape library. Meanwhile data is also backed up into the local and remote secondary operation centers.

23.1.2.6 Auditing Security Policy

All operation records of SRS will be saved as logs, and then analyzed and audited.

23.1.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The implementation of SRS strictly complies with RFC 5730, RFC 5731, RFC 5732, RFC 5733, RFC 5734 and RFC 5910. In addition, the registration life cycle supported by SRS is in line with RFC 3915.

Considering the characteristics of IDN and CNNICʹs nature of business, CNNIC has made the following two extensions on the basis of Extensible Provisioning Protocol (EPP) in accordance with the guidance of RFC 3735.
(a) Completely compliant with RFC 3735, we made the extension of RFC 5731. In details, we submitted the associated draft to make extension of the variants of Chinese domain names in support of bundle registration of variants.

(b) Completely compliant with RFC 3735, we made the extension of RFC 5910. In details, we submitted the associated draft to make extension of DNSSEC in support of the Delegation Signer (DS) bulk registration for variants of Chinese domain names.

(2) Analysis of the Impact of SRS on Related Internet Servers or End Systems

(a) Impact on the Other Systems of ʺ.网络ʺ Registry Services

By adopting a redundant backup architecture (refer to the answer to Question 24), SRS guarantees its stability and reliability to meet the requirements of DNS service, Whois service, the monitoring system, bulk registration data access and the data escrow system for accessing SRS registration database.
(b) Impact on the Registrarʹs Registration System of ʺ.网络ʺ

SRS service strictly satisfies Service Level Requirements (SLR) prescribed in Specification 10 of the Registry Agreement to ensure that the registrar of ʺ.网络ʺ can normally submit registration data.
23.2 DNS Service

23.2.1 Service Description

DNS service mainly includes management of DNS zone files and resolution of DNS.
(1) DNS Zone File Management Performs the Following Functions:

(a) Generation of TLD zone files of ʺ.网络ʺ

The authoritative master servers of DNS obtain the original resource records from the SRS registration database to generate original zone files and provide them to DNS service after the files are signed through DNSSEC.
(b) Update of TLD zone files of ʺ.网络ʺ

The zone files are updated in a level-by-level manner between the authoritative master servers of DNS and the name servers at all levels, which enables these name servers to obtain the latest TLD zone files of ʺ.网络ʺ within the time limit specified in the Service Level Agreement (SLA).
(c) Access to TLD zone files of ʺ.网络ʺ

Access by authorized third-party organizations or Internet users to TLD zone files of ʺ.网络ʺ is made available.
(2) DNS Resolution Performs the Following Functions:

To provide resolution service for TLD of ʺ.网络ʺ, a service platform is established whose name servers are distributed among multiple geographic locations and which supports IPv6 and DNSSEC by adopting Anycast and Unicast.
23.2.2 Security Analysis

DNS adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of resolution data related with ʺ.网络ʺ.
23.2.2.1 Physical Security Policy

7*24 operation and maintenance team monitors DNS in a real-time manner through the monitoring system. DNS servers are placed in the lightening-proof, fire proof, anti-theft and anti-static IDC with the video monitoring system. Fingerprint identification and access card reading devices are adopted to control the visit.
23.2.2.2 Network Security Policy

DNS is deployed in a service subnet. Specialized DOS⁄DDOS defense instrument and Intrusion Detection System (IDS) are adopted. When suspicious Internet attack is detected, competent security specialists will be notified to handle the problem. Access Control List (ACL) is configured in the egress router for controlling access to DNS name servers. Only DNS service ports and relevant management ports are opened; other service ports are closed.
23.2.2.3 System Security Policy

The operation system and application system of DNS servers are periodically updated. Remote operation to the system needs to be performed through bastion servers. CNNIC monitoring system monitors the use of host resources and service status in a real-time manner, and once an abnormity is detected, gives off an alarm.
23.2.2.4 Application Security Policy

Application Security Strategy involves the following aspects:
(1) Setting up DNS primary masters which are not connected to the Internet and do not provide resolution service to the public to ensure the security of original zone files of ʺ.网络ʺ.

(2) The update of zone files between different levels of name servers is accomplished through IPsec encrypted communication, to ensure secure transmission of TLD zone files of ʺ.网络ʺ.

(3) Establishing a monitoring system to ensure the integrity and consistency of data of the generation and transmission of zone files.

(4) Authenticating the identity of Internet users who attempt to access TLD zone files of ʺ.网络ʺ and reject accessing these files who fail to pass authentication or violate the terms and conditions on data use (refer to 2.1.5 of Specification 4, Registry Agreement).

23.2.2.5 Data Security Policy

Periodically backup zonefile and check the integrity of updated zonefile through technical means. Data is backed up into the local tape library periodically as well as into the local and remote secondary data centers.

23.2.2.6 Audit Security Report

Monitoring system will collect and analyze DNS server logs, and provide auditing reports.

23.2.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

DNS adopts the stable versions of Berkeley Internet Name Domain (BIND) and Name Server Daemon (NSD), two mainstream DNS software systems, and relevant security patches are timely updated.
The design and deployment of DNS meet relevant RFC provisions (including RFC 1034, RFC 1035, RFC 1982, RFC 2181, RFC 2182, RFC 2671, RFC 3226, RFC 3596, RFC 3597, RFC 3901, RFC 4343, RFC 4472 and RFC 5966) and the technical requirements of Internet Assigned Numbers Authority (IANA).
(2) Analysis of the Impact of DNS on Related Internet Servers or End Systems

The stability and reliability of DNS service are fully ensured through the adoption a redundant backup architecture (refer to the answer to Question 35) so that relevant SLR in Specification 10 of the Registry Agreement is fully satisfied and Internet users are able to normally resolve ʺ.网络ʺ.

23.3 Whois Service

23.3.1 Service Description

Whois service performs the following functions:

(1) Providing Services in Response to Queries about Domain Registration Information

Whois service gives response to queries about the information of registrars, hosts and domain names. Through Whois system (WhoisD and Whois Web), Internet users can know whether a domain name has been registered and its detailed information.
(2) Providing an Authorized Third Party with the Function of Bulk Access

Whois service provides authorized third parties with the function of bulk access, allowing bulk access to Whois data in a specific period of time.
(3) Providing Searchable Whois Service

Using a domain name, contacts and registrantʹs name, postal address, registrar ID, name server name and name serverʹs IP address as key words, an authorized Internet user can perform searches based on a random combination of the key words through the AND⁄OR⁄NOT Boolean function.
23.3.2 Security Analysis

Whois service adopts the following security mechanisms to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registry data related with ʺ.网络ʺ.
23.3.2.1 Physical Security Policy

7*24 operation and maintenance team monitors Whois in a real-time manner through the monitoring system. Servers are placed in the lightening-proof, fire proof, anti-theft and anti-static IDC with the video monitoring system. Fingerprint identification and access card reading devices are adopted to control the visit.
23.3.2.2 Network Security Policy

Whois system is deployed in service subnet. Access to WhoisD system is open via Port 43 while access to Whois Web is open via Port 80.
23.3.2.3 System Security Policy

The operation system and application system of Whois servers are periodically updated. Remote operation to the system needs to be performed through bastion servers. CNNIC monitoring system monitors the use of host resources and service status in a real-time manner, and once an abnormity is detected, gives off an alarm.
23.3.2.4 Application Security Policy

Application Security Policy mainly involves the following points:
(1) Whois Web servers are only used to transform Whois Web requests into WhoisD query requests and transmit such requests to WhoisD servers through load balancers. Then WhoisD servers are connected to Whois database to respond to Whois queries.

(2) For searchable Whois service, abuses of Whois information are prevented by adopting user access control and other preventive measures.

(3) Whois only permits Internet usersʹ queries and no alteration is permitted.

23.3.2.5 Data Security Policy

Whois database is created by replicating SRS registration database, and therefore, any operation of the Whois database will not affect the core registration data of ʺ.网络ʺ.

23.3.2.6 Audit Security Report

Monitoring system will collect and analyze Whois server logs, and provide auditing reports.

23.3.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

Strictly conforming to the Whois protocol in the RFC 3912, the Whois system realizes the function of communication between the client and Whois servers by using Transmission Control Protocol (TCP) connection on Port 43 and, in strict accordance with RFC 3912 Protocol Model, uses ASCII CR and ASCII LF as the message separator.
(2) Analysis of Impact on Relevant Internet Servers and End Systems

By adopting a redundant architecture (refer to the answer to Question 26), Whois guarantees its stability and reliability so that relevant SLR in Specification 10 of the Registry Agreement is fully satisfied.
The following restrictive measures are taken to further guarantee the availability and quality of Whois service.
(a) To restrict the number of online users (configurable) of Whois service.

(b) If the user does not make any query within a specified time limit (configurable), the connection will be automatically terminated.

(c) To prevent a user from over-frequently making queries, thus delaying the response to the queries of others, the frequency (configurable) of a user to access Whois data is restricted.

(d) The Whois database for Whois bulk access is created by replicating the SRS registration database, so Whois bulk access will not affect the stability of routine Whois service.

(e) Whois database for searchable Whois service is created by replicating the SRS registration database, so searchable Whois service will not affect the stability of routine Whois service.

23.4 Internationalized Domain Names (IDN)

23.4.1 Service Description

IDN service includes:
(1) Developing, releasing and maintaining the Chinese IDN table corresponding to ʺ.网络ʺ.

(2) Formulating policies for registration of variants according to the characteristics of IDN variants.

(3) Extending relevant service systems of ʺ.网络ʺ registry to support IDN.

(a) SRS

SRS implements the registration extension of Chinese domain name variants based on EPP in accordance with RFC 3735 so that it supports the bundle registration of variants.
(b) DNS service

Following RFC 3743, RFC 4713 and Internationalized Domain Name Applications (IDNA) standards, the DNS service is capable of resolving domain names in the form of traditional, simplified and variant Chinese.
(c) Whois Service

Whois service provided by CNNIC adopts the UTF-8 encoding format and supports both English and Chinese display of response information.
(d) DNSSEC

SRS implements DNSSEC extension of Chinese domain name variants based on EPP in accordance with RFC 3735 to support DS bulk registration of variants.
23.4.2 Security Analysis

To address the problem of phishing due to similarity of IDNs, an IDN anti-phishing detection system is developed and deployed, through which phishing domain names related with ʺ.网络ʺ can be detected and then corresponding measures can be taken.
To address the problem of cybersquatting related with ʺ.网络ʺ variant domain names, CNNIC, in accordance with RFC 4713, has worked out policies for coping with variant domain names. When registrants register their original domain names for the first time, CNNIC gives them full simplified and full traditional Chinese domain names on a free-of-charge basis and reserve all the variant domain names for the registrant.
23.4.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The Chinese IDN tables adopted by ʺ.网络ʺ will be submitted to IANA in a standard format.
The registry services related to ʺ.网络ʺ fully satisfy RFC 3743, RFC 4713 and IDNA standards, such as RFC 5890, RFC 5891, RFC 5892, RFC 5893 and RFC 5894, and are in strict accordance with IDN guidelines by ICANN.
(2) Analysis of Impact on Relevant Internet Servers and End Systems

(a) SRS

The problem of variants of Chinese domain names may lead to occupation of more SRS resources, thus affecting the stability of SRS. To avoid such problems, CNNIC extended the registration of traditional, simplified and variant Chinese domain names based on EPP in accordance with RFC 3735, to support bundle registration of variant Chinese domain names and to enable the domains in the same bundle to have the same registration attributes. As a result, the impact of the problem of variant Chinese domain names on the stability of SRS is reduced.
(b) DNS service

In designing the capacity and performance of the DNS service, CNNIC gave full consideration to the expansion of zone files of ʺ.网络ʺ TLD due to the existence of variant Chinese domain names. Servers with sufficient memory are used to avoid the impact of such expansion on the stability of DNS service.
(c) Whois Service

Whois service provided by CNNIC adopts the UTF-8 encoding format to support IDN. Until now, supporting IDN does not affect the stability of Whois service.
(d) DNSSEC

In designing the deployment of DNSSEC, full consideration was given to the expansion of zone files of ʺ.网络ʺ TLD due to the existence of variant Chinese domain names. DNSSEC zone files are signed through Hardware Security Module (HSM) to avoid the impact of such expansion on the stability of DNSSEC.
23.5 DNSSEC

23.5.1 Service Description

The main purpose of DNSSEC service is to provide source verification for DNS data obtained by recursive servers so as to ensure that data are from the right authoritative servers and that no alteration is made to the data.
DNSSEC includes the following:
(1) SRS

(a) According to RFC 5910, the extension of SRS supports DNSSEC registration.

(b) SRS implements DNSSEC extension of Chinese domain name variants based on EPP in accordance with RFC 3735 to support DS bulk registration of variants.

(2) DNS service

(a) Management of key generation and rollover of ʺ.网络ʺ TLD.

(b) Signing zone files of ʺ.网络ʺ TLD.

(3) Whois Service

In compliance with Specification 4 of the Registry Agreement, the query results of Whois service contain information about whether zone files have been duly signed.
(4) Policies

Formulating, releasing and maintaining DNSSEC Practice Statements (DPS) for implementing DNSSEC of ʺ.网络ʺ TLD.

23.5.2 Security Analysis

The following security mechanisms are adopted for DNSSEC implementation to ensure that there will be no unauthorized disclosure, alteration, insertion or destruction of registration data related to ʺ.网络ʺ.
23.5.2.1 Physical security policy

The HSM used for Key Signing Key (KSK) signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent the interference of electro-magnetic signals from the outside. Furthermore, both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.
23.5.2.2 Network Security Policy

HSM is deployed in the sole subnet. Only specific server can access to prevent Internet users from accessing HSM.
23.5.2.3 System Security Policy

Monitoring system is adopted to monitor operation situation of HSM in a real-time manner. When equipment is put out of use or eliminated, a demagnetizer would be used to delete all information so that no important information is leaked.
23.5.2.4 Application Security Policy

As one of the important measures for overcoming the security defects in the DNS system, DNSSEC uses public-key cryptography to add digital signatures to each Resource Record set (RRset) in zone files to further improve the security level of the DNS system.
The security of DNSSEC depends on the proper management of the key. Keys of ʺ.网络ʺ TLD are divided into KSK and Zone Signing Key (ZSK). KSK is only used to sign ZSK. All signature operations are completed in the HSM. ZSK is used to sign zone files and key rollovers should be finished within ZSKʹs security life cycle.
NSEC3 is adopted to avoid traverse of zone files of ʺ.网络ʺ TLD.
23.5.2.5 Data Security Policy

All pairs of key (ZSK and KSK) are generated and directly saved in HSM. Private key is prohibited to access and read in any plain text, but is admitted to store and back up in an encryption form in external storage media.
23.5.2.6 Audit Security Report

Monitoring system will collect log files of DNSSEC related systems, and analyze and audit.
23.5.3 Stability Analysis

(1) Analysis of Compliance with Relevant Standards

The design and deployment of DNSSEC meet all relevant RFC standards including RFC 4034, RFC 4035, RFC 5901, RFC 4641, RFC 5074 and RFC 5155, and follow the best practices described in RFC 4641 and its successors.
(2) Analysis of Impact on Relevant Internet Servers and End Systems

(a) SRS

As far as SRS service is concerned, the implementation of DNSSEC only requires that SRS supports the registration of DS records; therefore, the stability of SRS will not be affected.
(b) DNS service

When deploying the DNS service system, CNNIC gave full consideration to the increase of load brought about by DNSSEC. By testing and analyzing the performance of DNSSEC, CNNIC improved the hardware configuration of DNS servers and increased the network bandwidth (refer to the answer to Question 35) to ensure that the deployment of DNSSEC will not affect the stability of DNS service.
(c) Whois Service

So far as Whois is concerned, the implementation of DNSSEC only requires that the query results of Whois service contain information about whether zone files have been duly signed. So, the implementation of DNSSEC will not affect the stability of Whois service.

24. SRS

China Internet Network Information Center (CNNIC) provides a Shared Registration System (SRS) that meet the requirements of Section 1.2, Specification 6 of the Registry Agreement. The SRS supports the registry-registrar model adopted by ʺ.网络ʺ and, by providing the registrar with an Extensible Provisioning Protocol (EPP) based data interface, enables the registrar to submit ʺ.网络ʺ-related registration data to CNNIC.
The SRS of CNNIC meets EPP1.0 data interface specifications defined by Request for Comments (RFC) 5730, and manages the database by using Oracle so that the reliability and stability of data storage and data access are guaranteed and registration operations can be accomplished properly and efficiently. By adopting real-time monitoring and redundant system design and by taking such measures as 7*24 on-site operation and maintenance, CNNIC ensures the proper and reliable operations of SRS under the precondition of meeting Service Level Requirement (SLR) of Specification 10 of the Registry Agreement.
All human resources, funds and equipment necessary for implementing and maintaining SRS have been put in place by CNNIC.
24.1 Implementation of SRS

24.1.1 An Overview of SRS

The SRS of ʺ.网络ʺ consists of two parts: the core registration system and the Business Operation Support System (BOSS). The core registration system is made up of the EPPServer and the registration database. BOSS provides supportive functions (e.g, financial and verification).
24.1.2 System Interfaces

SRS is connected to EPPClient, DNS service, the data escrow system, Whois service, the monitoring system and the Trade Mark Clearing House (TMCH). The interfaces between SRS and the above-mentioned systems are shown as follows.
Please see Figure 1 in the attachment of Q24_Attachment_Figure.
24.1.2.1 The Interface between SRS and EPPClient

Via an EPP1.0-compliant interface between EPPclient and SRS, CNNIC provides registration services for registrars. In line with RFC 5734, the above interface is performed based on Secure Sockets Layer (SSL) and TCP⁄IP. The functions of the interface include management of sessions, domain names, hosts and contacts (see the figure below).

Please see Figure 2 in the attachment of Q24_Attachment_Figure.
24.1.2.2 The Interface between SRS and DNS Service

The data needed for generating or updating zone files in DNS service comes from SRS registration database.

Please see Figure 3 in the attachment of Q24_Attachment_Figure.
DNS service consists of Authoritative Zone Transfer (AXFR) and Incremental Zone Transfer (IXFR).
The interface between AXFR and SRS is shown as follows:
Please see Figure 4 in the attachment of Q24_Attachment_Figure.
The interface between IXFR and SRS is shown as follows:
Please see Figure 5 in the attachment of Q24_Attachment_Figure.
24.1.2.3 The Interface between SRS and Data Escrow System

Data escrow system accesses the registration database via the interface to generate deposit files, in accordance with Specification 2 of the Registry Agreement, and regularly upload them to the data escrow agent.
24.1.2.4 The Interface between SRS and Whois System

Whois system replicates the SRS registration database as Whois database and provides Internet users with Whois service. Whois system mainly uses the following 4 tables in the registration database.
Please see Figure 6 in the attachment of Q24_Attachment_Figure.
24.1.2.5 The Interface between SRS and the Monitoring System

There are three interfaces between SRS and the monitoring system. The first is between EPPServer and the monitoring system; the second is between the registration database and the monitoring system; the third one is between BOSS and monitoring system.

24.1.2.6 The Interface between SRS and TMCH

BOSS is connected to TMCH, inquires about information of trade mark owners and decides whether to approve a specific domain name registration application according to the inquiry results.
24.1.3 Functions of SRS

The functions of SRS are divided into core registration function and business operation supporting function.
24.1.3.1 Core Registration Function

(1) Session Management

In accordance with RFC 5730, SRS implements commands of login, logout, hello and greeting. SRS supports the SSL-based connection with registrars over IPv6. Each registrar uses a different certificate. SRS restricts the registrarʹs login IP. Only an authorized IP can be connected.
(2) Asynchronous Message Management

After receiving the poll command, SRS processes all pending actions and information related to domain verifications.
(3) Management of Contacts

In accordance with RFC 5733, SRS implements commands of check, info, transfer, create, delete and update about contacts. Accredited registrars have the full authority to perform all the above commands about the contacts of their domain names.
(4) Management of Hosts

In accordance with RFC 5732, SRS implements commands of check, info, create, delete and update about hosts.
(a) SRS supports management of IPv6 hosts.

(b) All accredited registrars have the full authority to perform all the above commands about hosts.

(5) Management of Domain Names

According to RFC 5731, SRS implements all commands for domain management, including check, info, create, delete, renew, transfer and update.
In accordance with RFC 3735, CNNIC achieves EPP extension for traditional, simplified and variant Chinese domain names to support bundle registration of variant Chinese domain names. Moreover, EPP extension for DNSSEC is also achieved to support bulk registration of Delegation Signer (DS) records. Refer to the answer to Question 25.
According to the definitions in RFC 3915 and RFC 5731, SRS saves and maintains the status of EPP and Redemption Grace Period (RGP).
(6) Operation Logs

SRS records, in the form of operation logs, all business operations performed by the registrar without any impact on SRS performance. The rollback file size and the number of backup files are preset for each log file. Operation log will be pushed to the backup system periodically, please refer to the answer of Question 37. The monitoring system extracts the log for the use of data required by real-time business usability analyzing and monthly report.
(7) Automatic⁄Timed Tasks

SRS supports the following automatic⁄timed tasks:
(a) According to lifecycle requirements, SRS has an auto-renew function.

(b) SRS automatically permits transfer operations that exceed 5 days.

(d) When grace period is at maturity, domain name status will be deleted automatically.

24.1.3.2 Business Operation Supporting Function

(1) Financial and Verification Function

The core registration system records operations about registration fees without settling the account. The BOSS financial module performs settlement of accounts according to the price offered by the registrar and informs the core registration system of the financial status of each registrar.
The details of domain name verifications are handled by the BOSS verification module. BOSS writes the final results of verification into the registration database and then notifies the core registration system to make corresponding treatment.
(2) Management of Reserved Name Lists

BOSS provides the function of managing reserved name lists and maintains the reserved domain names and words in the registration database. Domain names and words that appear in the list are not permitted to register.
(3) Management of Registry Status

Due to specific reasons (legal arbitration for example), BOSS provides the function of creating or deleting server status for the domain names, hosts and contacts stored in the registration database. Relevant operations must be approved before they are carried out.
(4) Management of Registrars

BOSS can insert, delete and update the information of registrars stored in the registration database, as well as allocate and manage registrar connections.
(5) Automatic⁄Timed Tasks

BOSS supports the following automatic⁄timed tasks:
(a) In accordance with lifecycle requirements, BOSS has the function of automatically updating the status of domain names and contacts.

(b) BOSS calculates registrars’ expenses on a daily basis.

(6) Bulk Registration Data Access

BOSS provides the function of bulk registration data access.
(a) Periodic Access to Thin Registration Data

CNNIC submits to ICANN, on a weekly basis, the up-to-date registration data, which include data committed as of 00:00:00 UTC on the day previous to the one designated for retrieval by ICANN. In line with the data format s specified in Specification 2, CNNIC provides the data for all registered domain names. The data files will be compressed and encrypted for download via Secure File Transfer Protocol (SFTP) by adopting security measures such as restricting the connection of IP address.
(b) Exceptional Access to Thick Registration Data

BOSS is capable of submitting to ICANN domain-related data by registrars in accordance with the requirement of Specification 2 on format. In case of registrar failure, de-accreditation, court order, etc, that prompts the temporary or definitive transfer of its domain names to another registrar, CNNIC may submit to ICANN all the registered domain information of the losing registrar. The files containing the information are made available for download by SFTP.
(7) Sending a Query to TMCH

BOSS is connected to TMCH, inquiring about information of trade mark owners and decides whether to approve a specific domain name registration application according to the inquiry results. Related functions will be improved according to the regulations of the global TMCH.
(8) Monthly Report Function

BOSS generates the monthly report compliant with Specification 3. The monitoring system collects the logs of SRS system to analyze the data of the log to generate data required by Pre-Registrar Transactions Monthly Report and Registry Functions Activity Report. BOSS generates monthly report and submits periodically.
24.1.4 System Deployment

Please see Figure 7 in the attachment of Q24_Attachment_Figure.

(1) Internet Access

CNNIC broadcasts SRS service addresses via Border Gateway Protocol (BGP). A registrar may access SRS service through a number of Internet Service Providers (ISPs).
(2) Load Balancer

Registrars access the virtual IP configured in the layer 4 load balancers to perform registration operations.
(3) SRS Servers

SRS servers are responsible for achieving core registration and BOSS functions.
The core registration system and BOSS consist of 4 high-performance blade servers respectively. In addition, the core registration system and BOSS are both equipped with one specific cold standby server respectively. To improve system stability, all the above servers are respectively installed in two different blade boxes and configured in two different subnets.
(4) Registration Database

The registration database is used to store registration data and respond to the access requests of the core registration system, DNS service, data escrow and the access request for ICANN bulk registration data.
(5) BOSS Database

The BOSS database is used to store financial and verification data.

(6) Storage

The data in the registration database is stored in a storage device.
24.2 A Plan for Operating Robust and Reliable SRS

24.2.1 Redundant System Design

To improve reliability, a redundant design is adopted for designing the SRS architecture including network devices, load balancers, registration servers and registration databases, so as to ensure there is no single point. In addition, cold-standby servers are always ready to take over the work of other servers.
Furthermore, both local and remote secondary operation centers adopt the same SRS deployment, to ensure that a swift switch over can be made when the primary operation center fails. Please refer to the answer to Question 37.
24.2.2 Registration Data Synchronization

A storage device is connected to the registration database to store registration data. The storage device of the primary operation center is connected to the local secondary operation center through optic fibers and uses synchronous replication to ensure the consistency of data. The storage devices of the primary operation center and the remote secondary operation center use asynchronous replication with a synchronization frequency of once every minute. For details, please refer to the answer to the Question 37.
24.2.3 Failure Monitoring and Handling

The monitoring system monitors the operations of SRS and the database. Meanwhile, CNNIC has a special 7*24 team for system operation and maintenance, who monitor the SRS of ʺ.网络ʺ in a real-time manner. Once a problem is detected, the monitoring system will lose no time to give off an alarm and notify the 7*24 maintenance team to shoot and solve the trouble. Refer to the answers to Questions 39 and 42 for information about the classification of and response to SRS failures.
24.3 Compliance Analysis

24.3.1 Compliance with Specification 6

(1) In accordance with RFC 5910, RFC 5730-5734, provisioning and management of domain names are achieved by using the EPP

CNNIC achieves the extension of EPP for DNSSEC by extending RFC 5910. DS or DNSKEY records can be added to a designated domain name when it is updated and created, and relevant DS or DNSKEY data are contained in the response message of info command.
SRS fully meets the requirements of RFC 5730-5734. Refer to the answer to Question 25 for more details.
(2) Full compliance with the RGP specified in RFC 3915

SRS strictly complies with the RGP specified in RFC 3915. The RGP status of domain names is stored in the SRS registration database.
(3) Extension is made and the draft is submitted in accordance with RFC 3735

RFC 5731 and RFC 5910 have been extended in accordance with RFC 3735. Refer to the answer to Question 25.
24.3.2 Compliance with Specification 10

SRS SLRs are specified in Specification 10 as follows:
Please see Table 1 in the attachment of Q24_Attachment_Table.
(1) Service Availability

Based on 200,000 registration volume, the ordinary peak Transactions Per Minute (TPM) is less than 1,680 according to CNNICʹs trail and estimation, while it is less than 2,400 in the situation of cybersquatting. CNNIC has tested single SRS server of which average TPM may reach to 30,696. So one server is capable of undertaking SRS service. Considering system redundancy, 4 servers should be provided which are enough to undertake SRS service.

More back-end servers can be added to load balancers for processing the excessive workload brought about by the grown business needs.

Therefore, the SRS adopted by ʺ.网络ʺ can surely guarantee that the availabity of SRS service can exceed 98%.

(2) Session-command Round-Trip Time (RTT)

As shown in the following table for SRS testing, RTT of each type of command is in compliance with Specification 10.

Please see Table 2 in the attachment of Q24_Attachment_Table.

(3) Query-command RTT

As shown in the following table for SRS testing, RTT of EPP〈check〉 is in compliance with Specification 10.

Please see Table 3 in the attachment of Q24_Attachment_Table.

As shown in the following table for SRS testing, RTT of EPP〈info〉 is in compliance with Specification 10.

Please see Table 4 in the attachment of Q24_Attachment_Table.

As shown in the following table for SRS testing, RTT of EPP〈poll〉 is in compliance with Specification 10.

Please see Table 5 in the attachment of Q24_Attachment_Table.

As shown in the following table for SRS testing, RTT of EPP〈transfer〉 query is in compliance with Specification 10.

Please see Table 6 in the attachment of Q24_Attachment_Table.

(4) Transform-command RTT

System testing results of EPP〈create〉 command among transform commands are illustrated as below; as we can see, RTT is compliant with Specification 10.

Please see Table 7 in the attachment of Q24_Attachment_Table.

System testing results of EPP〈delete〉 command among transform commands are illustrated as below; as we can see, RTT is compliant with Specification 10.

Please see Table 8 in the attachment of Q24_Attachment_Table.

System testing results of EPP〈renew〉 command among transform commands are illustrated as below; as we can see, RTT is compliant with Specification 10.

Please see Table 9 in the attachment of Q24_Attachment_Table.

System testing results of EPP〈transfer〉 command among transform commands are illustrated as below. Every tested RTT is compliant with Specification 10.

Please see Table 10 in the attachment of Q24_Attachment_Table.

System testing results of EPP〈update〉 command among transform commands are illustrated as below; as we can see, RTT is compliant with Specification 10.

Please see Table 11 in the attachment of Q24_Attachment_Table.

24.4 Resource Allocation

24.4.1 Human Resources

The operation of SRS needs 6 software engineers who are responsible for software optimization and maintenance, and 10 system administrators who are responsible for 7*24 monitoring. Refer to the answer to Question 31.
24.4.2 Software and Hardware

Hardware in the 3 operation centers includes 30 high-performance blade servers, 12 high-performance database servers and 3 storage devices.
Software includes SRS, database, database cluster and storage management software. The number of lines of effective codes of the SRS software is 60,816 with C++ output ratio of 1.19 (thousand code lines man-months). The number of lines of effective codes of the BOSS is 107,881 (java) with java output ratio of 2.18 (thousand code lines man-months). The total workload will be 101 man-months. So far development and testing of the software have been completed and the system is now in trial operation.
In addition, customization scope of SRS software covers core registration system and BOSS which supports financial and auditing, searching the TMCH and monthly report function, as well as the interface with EPPClient, DNS service, data escrow system, Whois system, monitoring system and TMCH; meanwhile it satisfies the Service Level Agreement (SLA) requirements. Software customization development is carried out according to the initiation of R&D, program plan, outline design, specific design, construction stage, trail stage and issue and summarization procedures. Development procedure is compliant with regulations of Level 3 of Capability Maturity Model Integration (CMMI3).
Refer to the answer to Question 32 for more details about the software and hardware.
24.4.3 Funds

Funds for human resources, equipment procurement and maintenance have been put in place. Refer to the answer to Question 46 for the sources and uses of these funds.

25. Extensible Provisioning Protocol (EPP)

China Internet Network Information Center (CNNIC) provides registrars with a business interface that complies with Request for Comments (RFC) 3735, RFC 5730, RFC 5731, RFC 5732, RFC 5733 and RFC 5734 and has extended simplified, traditional and variant Chinese domain names, and DNS Security Extensions (DNSSEC) in accordance with RFC 3735. CNNIC has also submitted relevant drafts. All human resources, funds and equipment necessary for implementing Extensible Provisioning Protocol (EPP) have been put in place by CNNIC. 
　　
25.1 Business Interface between CNNIC and Registrars

Based on EPP, CNNIC provides registrars with a business interface for managing sessions, domain names, hosts, contacts and asynchronous messages. Via the above business interface, a registrar can perform not only complete business operation functions but also their own business workflow.
　　
All the EPP commands given by CNNIC for registrars are listed in the following table.
　　
Please see Table 1 and Table 2 in the attachment of Q25_Attachment_Table.
　　
All the above commands for the registration and management of domain names, hosts and contacts meet the requirements of parameters standardized by EPP. According to RFC 3735 and the business demand of ʺ.网络ʺ, CNNIC has extended the parameters of some of the above commands.
　　
25.2 Compliance with RFC

25.2.1 Compliance with RFC 5730

In accordance with the requirements of RFC 5730, CNNIC has realized session login, logout and hello commands, as well as poll command for asynchronous message reception and confirmation. Meanwhile, the formal syntax of EPP, result code, date format and international support satisfy RFC 5730.  
　　
25.2.2 Compliance with RFC 5731

In accordance with the requirements of RFC 5731, CNNIC has supported commands including check, info, create, delete, renew, transfer and update for domain names. 
　　
25.2.3 Compliance with RFC 5732

In accordance with the requirements of RFC 5732, CNNIC has supported commands including check, info, create, delete and update for hosts. The host of a particular domain name can be automatically transferred as the domain name is transferred. The IP of the host may be either IPv4 or IPv6.
　　
25.2.4 Compliance with RFC 5733

In accordance with the requirements of RFC 5733, CNNIC has implemented commands including check, info, create, delete, renew, transfer and update for contacts.  
　　
25.2.5 Compliance with RFC 5734

In accordance with RFC 5734, CNNIC has implemented EPP mapping and deployed the Secure Sockets Layer (SSL) protocol, both of which are based on TCP. The EPP message format, the TCP connection session, the communication sequence of the client and the server, as well as the monitoring port meet the requirement of RFC 5734.
　　
25.3 Proprietary EPP Extension

Due to the uniqueness of its business, CNNIC has implemented some function extensions of the standard EPP based on RFC 3735. To be specific, these extensions include the extension of traditional, simplified and variant Chinese domain names, and DNSSEC extensions. 
　　
25.3.1 Extension of Traditional, Simplified and Variant Chinese Domain Names

25.3.1.1 Overview

According to the characteristics of Chinese domain names, CNNIC has formulated relevant policies for variant registration (refer to the answer to Question 44). To facilitate the implementation of these policies, CNNIC, in accordance with RFC 3735, has extended EPP for traditional, simplified and variant Chinese domain names, making possible bundle registration of variant Chinese domain names.
　　
25.3.1.2 Explanation of Extensions

CNNIC has extended the response messages for the commands about the domain names mentioned in RFC 5731, including info, transfer, delete and renew and also extended the commands and response messages of update and create. Chinese characters in use have at least two forms, traditional and simplified Chinese characters. Therefore, when creating a domain name, CNNIC generates a full traditional and a full simplified domain name according to the one the registrar submits and store them in the database. 
　　
When executing the info command, CNNIC feed the traditional, simplified and variant Chinese domain names and the corresponding A-Label record back to the client. 
　　
After the command is extended, the fed back message is as follows:
　　
  S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:infData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   S:        〈domain:roid〉58812678-domain〈⁄domain:roid〉
   S:        〈domain:status s=ʺokʺ⁄〉
   S:        〈domain:registrant〉123〈⁄domain:registrant〉
   S:        〈domain:contact type=ʺadminʺ〉123〈⁄domain:contact〉
   S:        〈domain:contact type=ʺtechʺ〉123〈⁄domain:contact〉
   S:        〈domain:ns〉
   S:          〈domain:hostObj〉ns1.example.cn〈⁄domain:hostObj〉
   S:        〈⁄domain:ns〉
   S:        〈domain:clID〉ClientX〈⁄domain:clID〉
   S:        〈domain:crID〉ClientY〈⁄domain:crID〉
   S:        〈domain:crDate〉2011-04-03T22:00:00.0Z〈⁄domain:crDate〉
   S:        〈domain:exDate〉2012-04-03T22:00:00.0Z〈⁄domain:exDate〉
   S:        〈domain:authInfo〉
   S:          〈domain:pw〉2fooBAR〈⁄domain:pw〉
   S:        〈⁄domain:authInfo〉
   S:      〈⁄domain:infData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈idn:infData
   S:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   S:        〈idn:bundle〉
   S:          〈idn:oidn uLabel=ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq270a.xn--io0a7i〈⁄idn:oidn〉
   S:          〈idn:pidn uLabel=ʺU+5BE6ʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsqz41a.xn--io0a7i〈⁄idn:pidn〉
   S:              〈idn:vidn uLabel=ʺU+5B9FʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   S:        〈⁄idn:bundle〉
   S:      〈⁄idn:infData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

Example 〈transfer〉 Response for an authorized client:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:trnData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   S:        〈domain:trStatus〉pending〈⁄domain:trStatus〉
   S:        〈domain:reID〉ClientX〈⁄domain:reID〉
   S:        〈domain:reDate〉2010-06-06T22:00:00.0Z〈⁄domain:reDate〉
   S:        〈domain:acID〉ClientY〈⁄domain:acID〉
   S:        〈domain:acDate〉2011-06-11T22:00:00.0Z〈⁄domain:acDate〉
   S:        〈domain:exDate〉2012-09-08T22:00:00.0Z〈⁄domain:exDate〉
   S:      〈⁄domain:trnData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈idn:trnData
   S:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   S:        〈idn:bundle〉
   S:          〈idn:oidn uLabel=ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq270a.xn--io0a7i〈⁄idn:oidn〉
   S:          〈idn:pidn uLabel=ʺU+5BE6ʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsqz41a.xn--io0a7i〈⁄idn:pidn〉
   S:              〈idn:vidn uLabel=ʺU+5B9FʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   S:        〈⁄idn:bundle〉
   S:      〈⁄idn:trnData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉
 
Example 〈create〉 command:

   C:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   C:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   C:  〈command〉
   C:    〈create〉
   C:      〈domain:create
   C:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   C:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   C:        〈domain:period unit=ʺyʺ〉2〈⁄domain:period〉
   C:        〈domain:registrant〉123〈⁄domain:registrant〉
   C:        〈domain:contact type=ʺadminʺ〉123〈⁄domain:contact〉
   C:        〈domain:contact type=ʺtechʺ〉123〈⁄domain:contact〉
   C:        〈domain:authInfo〉
   C:          〈domain:pw〉2fooBAR〈⁄domain:pw〉
   C:        〈⁄domain:authInfo〉
   C:      〈⁄domain:create〉
   C:    〈⁄create〉
   C:    〈extension:
   C:      〈idn:create
   C:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   C:          〈idn:vidn uLabel=ʺU+5B9FʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〉
   C:               xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   C:      〈⁄idn:create〉
   C:    〈⁄extension〉
   C:    〈clTRID〉ABC-12345〈⁄clTRID〉
   C:  〈⁄command〉
   C:〈⁄epp〉
 
Example 〈create〉 Response for an authorized client:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:creData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   S:        〈domain:crDate〉1999-04-03T22:00:00.0Z〈⁄domain:crDate〉
   S:        〈domain:exDate〉2001-04-03T22:00:00.0Z〈⁄domain:exDate〉
   S:      〈⁄domain:creData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈idn:creData
   S:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   S:        〈idn:bundle〉
   S:          〈idn:oidn uLabel=ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq270a.xn--io0a7i〈⁄idn:oidn〉
   S:          〈idn:pidn uLabel=ʺU+5BE6ʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsqz41a.xn--io0a7i〈⁄idn:pidn〉
   S:              〈idn:vidn uLabel=ʺU+5B9FʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   S:        〈⁄idn:bundle〉
   S:      〈⁄idn:creData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

Example 〈delete〉 response:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈extension〉
   S:      〈idn:delData
   S:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   S:        〈idn:bundle〉
   S:          〈idn:oidn〉xn--fsq270a.xn--io0a7i〈⁄idn:oidn〉
   S:          〈idn:pidn〉xn--fsqz41a.xn--io0a7i〈⁄idn:pidn〉
   S:              〈idn:vidn〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   S:        〈⁄idn:bundle〉
   S:      〈⁄idn:delData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54321-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

Example 〈renew〉 response:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:renData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   S:        〈domain:exDate〉2012-04-03T22:00:00.0Z〈⁄domain:exDate〉
   S:      〈⁄domain:renData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈idn:renData
   S:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   S:        〈idn:bundle〉
   S:          〈idn:oidn〉xn--fsq270a.xn--io0a7i〈⁄idn:oidn〉
   S:          〈idn:pidn〉xn--fsqz41a.xn--io0a7i〈⁄idn:pidn〉
   S:              〈idn:vidn〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   S:        〈⁄idn:bundle〉
   S:      〈idn:renData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

Example 〈transfer〉 Response for an authorized client:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:trnData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   S:        〈domain:trStatus〉pending〈⁄domain:trStatus〉
   S:        〈domain:reID〉ClientX〈⁄domain:reID〉
   S:        〈domain:reDate〉2010-06-06T22:00:00.0Z〈⁄domain:reDate〉
   S:        〈domain:acID〉ClientY〈⁄domain:acID〉
   S:        〈domain:acDate〉2011-06-11T22:00:00.0Z〈⁄domain:acDate〉
   S:        〈domain:exDate〉2012-09-08T22:00:00.0Z〈⁄domain:exDate〉
   S:      〈⁄domain:trnData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈idn:trnData
   S:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   S:        〈idn:bundle〉
   S:          〈idn:oidn uLabel=ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq270a.xn--io0a7i〈⁄idn:oidn〉
   S:          〈idn:pidn uLabel=ʺU+5BE6ʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsqz41a.xn--io0a7i〈⁄idn:pidn〉
   S:              〈idn:vidn uLabel=ʺU+5B9FʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ
   S:           activated=ʺtrueʺ〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   S:        〈⁄idn:bundle〉
   S:      〈⁄IDN:trnData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

Registrants are permitted to add or remove a variant domain name when executing the update command. Example 〈update〉 Command:

   C:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   C:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   C:  〈command〉
   C:    〈update〉
   C:      〈domain:update
   C:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   C:        〈domain:name〉xn--fsq270a.xn--io0a7i〈⁄domain:name〉
   C:        〈domain:add〉
   C:          〈domain:ns〉
   C:            〈domain:hostObj〉ns2.example.cn〈⁄domain:hostObj〉
   C:          〈⁄domain:ns〉
   C:          〈domain:contact type=ʺtechʺ〉234〈⁄domain:contact〉
   C:          〈domain:status s=ʺclientHoldʺ
   C:           lang=ʺenʺ〉Payment overdue.〈⁄domain:status〉
   C:        〈⁄domain:add〉
   C:        〈domain:rem〉
   C:          〈domain:ns〉
   C:            〈domain:hostObj〉ns1.example.cn〈⁄domain:hostObj〉
   C:          〈⁄domain:ns〉
   C:          〈domain:contact type=ʺtechʺ〉123〈⁄domain:contact〉
   C:          〈domain:status s=ʺclientUpdateProhibitedʺ⁄〉
   C:        〈⁄domain:rem〉
   C:        〈domain:chg〉
   C:          〈domain:registrant〉234〈⁄domain:registrant〉
   C:          〈domain:authInfo〉
   C:            〈domain:pw〉2BARfoo〈⁄domain:pw〉
   C:          〈⁄domain:authInfo〉
   C:        〈⁄domain:chg〉
   C:      〈⁄domain:update〉
   C:    〈⁄update〉
   C:    〈extension〉
   C:      〈idn:update
   C:       xmlns:idn=ʺurn:ietf:params:xml:ns:idnv-1.0ʺ〉
   C:         〈idn:add〉
   C:          〈idn:vidn〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   C:         〈⁄idn:add〉
   C:         〈idn:rem〉
   C:          〈idn:vidn〉xn--fsqz41a.xn--io0a7i〈⁄idn:vidn〉
   C:         〈⁄idn:rem〉
   C:      〈idn:deactivate〉
   C:           〈idn:vidn〉xn--fsq470a.xn--io0a7i〈⁄idn:vidn〉
   C:      〈⁄idn:deactivate〉
   C:      〈⁄idn:update〉
   C:    〈⁄extension〉
   C:    〈clTRID〉ABC-12345〈⁄clTRID〉
   C:  〈⁄command〉
   C:〈⁄epp〉

For details, please refer to the link: http:⁄⁄tools.ietf.org⁄html⁄draft-kong-epp-idn-variants-mapping-00.

25.3.2 DNSSEC Extension

25.3.2.1 Overview

According to the registration polices for Chinese domain names, the registrant will obtain a full traditional, and a full simplified Chinese domain names when applying for domain name registration. To allow the registrant to apply for Delegation Signer (DS) records for multiple variant Chinese domain names, CNNIC, in accordance with RFC 3735, has implement EPP extension for DNSSEC to support bulk registration of DS records.
　　
25.3.2.2 Explanation of Extensions 

CNNIC has implemented the extension of EPP for DNSSEC by extending RFC 5910. DS records can be added to a designated domain name when it is created and updated, and relevant DS data are contained in the response message of info command. 
　　
Create message：
　　
  C:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   C:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   C:  〈command〉
   C:    〈create〉
   C:      〈domain:create
   C:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   C:        〈domain:name〉
   C:          ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:name〉
   C:        〈domain:period unit=ʺyʺ〉2〈⁄domain:period〉
   C:        〈domain:registrant〉123〈⁄domain:registrant〉
   C:        〈domain:contact type=ʺadminʺ〉123〈⁄domain:contact〉
   C:        〈domain:contact type=ʺtechʺ〉123〈⁄domain:contact〉
   C:        〈domain:authInfo〉
   C:          〈domain:pw〉2fooBAR〈⁄domain:pw〉
   C:        〈⁄domain:authInfo〉
   C:      〈⁄domain:create〉
   C:    〈⁄create〉
   C:    〈extension〉
   C:      〈secCDNS:create
   C:       xmlns:secCDNS=ʺurn:ietf:params:xml:ns:secCDNS-1.0ʺ〉
   C:           〈secCDNS:maxSigLife〉604800〈⁄secCDNS:maxSigLife〉
   C:        〈secCDNS:DS〉
   C:             〈secCDNS:CDN〉
   C:            ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄secCDNS:CDN〉
   C:          〈secCDNS:dsData〉
   C:            〈secCDNS:keyTag〉12345〈⁄secCDNS:keyTag〉
   C:            〈secCDNS:alg〉3〈⁄secCDNS:alg〉
   C:            〈secCDNS:digestType〉1〈⁄secCDNS:digestType〉
   C:            〈secCDNS:digest〉49FD46E6C4B45C55D4AC〈⁄secCDNS:digest〉
   C:          〈⁄secCDNS:dsData〉
   C:        〈⁄secCDNS:DS〉
   C:      〈⁄secCDNS:create〉
   C:    〈⁄extension〉
   C:    〈trID〉
   C:      〈clTRID〉ABC-12345〈⁄clTRID〉
   C:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   C:    〈⁄trID〉
   C:  〈⁄response〉
   C:〈⁄epp〉
   
or：
   
  C:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   C:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ〉
   C:  〈command〉
   C:    〈create〉
   C:      〈domain:create
   C:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   C:        〈domain:name〉
   C:          ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:name〉
   C:        〈domain:period unit=ʺyʺ〉2〈⁄domain:period〉
   C:        〈domain:registrant〉123〈⁄domain:registrant〉
   C:        〈domain:contact type=ʺadminʺ〉123〈⁄domain:contact〉
   C:        〈domain:contact type=ʺtechʺ〉123〈⁄domain:contact〉
   C:        〈domain:authInfo〉
   C:          〈domain:pw〉2fooBAR〈⁄domain:pw〉
   C:        〈⁄domain:authInfo〉
   C:      〈⁄domain:create〉
   C:    〈⁄create〉
   C:    〈extension〉
   C:      〈secCDNS:create
   C:       xmlns:secCDNS=ʺurn:ietf:params:xml:ns:secCDNS-1.0ʺ〉
   C:           〈secCDNS:maxSigLife〉604800〈⁄secCDNS:maxSigLife〉
   C:        〈secCDNS:KEY type=ʺallʺ〉
   C:          〈secCDNS:keyData〉
   C:            〈secCDNS:flags 〉257〈⁄secCDNS:flags〉
   C:            〈secCDNS:protocol〉3〈⁄secCDNS:protocol〉
   C:            〈secCDNS:alg〉1〈⁄secCDNS:alg〉
   C:            〈secCDNS:pubKey〉AQPJ⁄⁄⁄⁄4Q==〈⁄secCDNS:pubKey〉
   C:          〈⁄secCDNS:keyData〉
   C:        〈⁄secCDNS:KEY〉
   C:      〈⁄secCDNS:create〉
   C:    〈⁄extension〉
   C:    〈trID〉
   C:      〈clTRID〉ABC-12345〈⁄clTRID〉
   C:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   C:    〈⁄trID〉
   C:  〈⁄response〉
   C:〈⁄epp〉
   
Update message：
　　
  C:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   C:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ
   C:     xmlns:xsi=ʺhttp:⁄⁄www.w3.org⁄2001⁄XMLSchema-instanceʺ〉
   C:  〈command〉
   C:    〈update〉
   C:      〈domain:update
   C:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   C:        〈domain:name〉 ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:name〉
   C:      〈⁄domain:update〉
   C:    〈⁄update〉
   C:    〈extension〉
   C:      〈secDNS:update
   C:       xmlns:secCDNS=ʺurn:ietf:params:xml:ns:secCDNS-1.0ʺ〉
   C:        〈secDNS:rem〉
   C:         〈secCDNS:DS〉
   C:             〈secCDNS:CDN〉
   C:            ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄secCDNS:CDN〉
   C:          〈secCDNS:dsData〉
   C:            〈secCDNS:keyTag〉12345〈⁄secCDNS:keyTag〉
   C:            〈secCDNS:alg〉3〈⁄secCDNS:alg〉
   C:            〈secCDNS:digestType〉1〈⁄secCDNS:digestType〉
   C:            〈secCDNS:digest〉49FD46E6C4B45C55D4AC〈⁄secCDNS:digest〉
   C:          〈⁄secCDNS:dsData〉
   C:         〈⁄secCDNS:DS〉
   C:        〈⁄secCDNS:rem〉
   C:        〈secCDNS:add〉
   C:          〈secCDNS:DS〉
   C:             〈secCDNS:CDN〉
   C:            ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄secCDNS:CDN〉
   C:          〈secCDNS:dsData〉
   C:            〈secCDNS:keyTag〉12345〈⁄secCDNS:keyTag〉
   C:            〈secCDNS:alg〉3〈⁄secCDNS:alg〉
   C:            〈secCDNS:digestType〉1〈⁄secCDNS:digestType〉
   C:            〈secCDNS:digest〉49FD46E6C4B45C55D4AC〈⁄secCDNS:digest〉
   C:          〈⁄secCDNS:dsData〉
   C:        〈⁄secCDNS:DS〉
   C:        〈⁄secCDNS:add〉
   C:      〈⁄secCDNS:update〉
   C:    〈⁄extension〉
   C:    〈clTRID〉ABC-12345〈⁄clTRID〉
   C:  〈⁄command〉
   C:〈⁄epp〉

Example 〈info〉 Response for a Secure Delegation Using the DS Data Interface:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ
   S:     xmlns:xsi=ʺhttp:⁄⁄www.w3.org⁄2001⁄XMLSchema-instanceʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:infData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉
   S:          ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:name〉
   S:        〈domain:roid〉123456-domain〈⁄domain:roid〉
   S:        〈domain:status s=ʺokʺ⁄〉
   S:        〈domain:registrant〉123CN〈⁄domain:registrant〉
   S:        〈domain:contact type=ʺadminʺ〉helloChina〈⁄domain:contact〉
   S:        〈domain:contact type=ʺtechʺ〉 helloChina〈⁄domain:contact〉
   S:        〈domain:ns〉
   S:          〈domain:hostObj〉ns1.china 〈⁄domain:hostObj〉
   S:          〈domain:hostObj〉ns2.china 〈⁄domain:hostObj〉
   S:        〈⁄domain:ns〉
   S:        〈domain:host〉
   S:          ns1.ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:host〉
   S:        〈domain:host〉
   S:          ns2.ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:host〉
   S:        〈domain:clID〉ClientX〈⁄domain:clID〉
   S:        〈domain:crID〉ClientY〈⁄domain:crID〉
   S:        〈domain:crDate〉2010-04-03T22:00:00.0Z〈⁄domain:crDate〉
   S:        〈domain:upID〉ClientX〈⁄domain:upID〉
   S:        〈domain:upDate〉2010-12-03T09:00:00.0Z〈⁄domain:upDate〉
   S:        〈domain:exDate〉2012-04-03T22:00:00.0Z〈⁄domain:exDate〉
   S:        〈domain:trDate〉2011-02-08T09:00:00.0Z〈⁄domain:trDate〉
   S:        〈domain:authInfo〉
   S:          〈domain:pw〉abc123〈⁄domain:pw〉
   S:        〈⁄domain:authInfo〉
   S:      〈⁄domain:infData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈secCDNS:infData
   S:       xmlns:secCDNS=ʺurn:ietf:params:xml:ns:secCDNS-1.0ʺ〉
   S:           〈secCDNS:maxSigLife〉604800〈⁄secCDNS:maxSigLife〉
   S:        〈secCDNS:DS〉
   S:             〈secCDNS:CDN〉
   S:            ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄secCDNS:CDN〉
   S:          〈secCDNS:dsData〉
   S:            〈secCDNS:keyTag〉12345〈⁄secCDNS:keyTag〉
   S:            〈secCDNS:alg〉3〈⁄secCDNS:alg〉
   S:            〈secCDNS:digestType〉1〈⁄secCDNS:digestType〉
   S:            〈secCDNS:digest〉DVF46E6C4B45C55D4AC〈⁄secCDNS:digest〉
   S:          〈⁄secCDNS:dsData〉
   S:        〈⁄secCDNS:DS〉
   S:             〈secCDNS:CDN〉
   S:            ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄secCDNS:CDN〉
   S:          〈secCDNS:dsData〉
   S:            〈secCDNS:keyTag〉12345〈⁄secCDNS:keyTag〉
   S:            〈secCDNS:alg〉3〈⁄secCDNS:alg〉
   S:            〈secCDNS:digestType〉1〈⁄secCDNS:digestType〉
   S:            〈secCDNS:digest〉59FD46E6C4B45C55D4AC〈⁄secCDNS:digest〉
   S:          〈⁄secCDNS:dsData〉
   S:          〈secCDNS:dsData〉
   S:            〈secCDNS:keyTag〉12345〈⁄secCDNS:keyTag〉
   S:            〈secCDNS:alg〉3〈⁄secCDNS:alg〉
   S:            〈secCDNS:digestType〉1〈⁄secCDNS:digestType〉
   S:            〈secCDNS:digest〉80FD46E6C4B45C55D4AC〈⁄secCDNS:digest〉
   S:          〈⁄secCDNS:dsData〉
   S:        〈⁄secCDNS:DS〉
   S:      〈⁄secCDNS:infData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

Example 〈info〉 Response for a Secure Delegation Using the Key Data Interface:

   S:〈?xml version=ʺ1.0ʺ encoding=ʺUTF-8ʺ standalone=ʺnoʺ?〉
   S:〈epp xmlns=ʺurn:ietf:params:xml:ns:epp-1.0ʺ
   S:     xmlns:xsi=ʺhttp:⁄⁄www.w3.org⁄2001⁄XMLSchema-instanceʺ〉
   S:  〈response〉
   S:    〈result code=ʺ1000ʺ〉
   S:      〈msg〉Command completed successfully〈⁄msg〉
   S:    〈⁄result〉
   S:    〈resData〉
   S:      〈domain:infData
   S:       xmlns:domain=ʺurn:ietf:params:xml:ns:domain-1.0ʺ〉
   S:        〈domain:name〉
   S:          ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:name〉
   S:        〈domain:roid〉123456-domain〈⁄domain:roid〉
   S:        〈domain:status s=ʺokʺ⁄〉
   S:        〈domain:registrant〉123CN〈⁄domain:registrant〉
   S:        〈domain:contact type=ʺadminʺ〉helloChina〈⁄domain:contact〉
   S:        〈domain:contact type=ʺtechʺ〉 helloChina〈⁄domain:contact〉
   S:        〈domain:ns〉
   S:          〈domain:hostObj〉ns1.china 〈⁄domain:hostObj〉
   S:          〈domain:hostObj〉ns2.china 〈⁄domain:hostObj〉
   S:        〈⁄domain:ns〉
   S:        〈domain:host〉
   S:          ns1.ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:host〉
   S:        〈domain:host〉
   S:          ns2.ʺU+5B9EʺʺU+4F8Bʺ.ʺU+7F51ʺʺU+7EDCʺ〈⁄domain:host〉
   S:        〈domain:clID〉ClientX〈⁄domain:clID〉
   S:        〈domain:crID〉ClientY〈⁄domain:crID〉
   S:        〈domain:crDate〉2010-04-03T22:00:00.0Z〈⁄domain:crDate〉
   S:        〈domain:upID〉ClientX〈⁄domain:upID〉
   S:        〈domain:upDate〉2010-12-03T09:00:00.0Z〈⁄domain:upDate〉
   S:        〈domain:exDate〉2012-04-03T22:00:00.0Z〈⁄domain:exDate〉
   S:        〈domain:trDate〉2011-02-08T09:00:00.0Z〈⁄domain:trDate〉
   S:        〈domain:authInfo〉
   S:          〈domain:pw〉abc123〈⁄domain:pw〉
   S:        〈⁄domain:authInfo〉
   S:      〈⁄domain:infData〉
   S:    〈⁄resData〉
   S:    〈extension〉
   S:      〈secCDNS:infData
   S:       xmlns:secCDNS=ʺurn:ietf:params:xml:ns:secCDNS-1.0ʺ〉
   S:        〈secCDNS:KEY type=ʺallʺ〉
   S:          〈secCDNS:keyData〉
   S:            〈secCDNS:flags 〉257〈⁄secCDNS:flags〉
   S:            〈secCDNS:protocol〉3〈⁄secCDNS:protocol〉
   S:            〈secCDNS:alg〉1〈⁄secCDNS:alg〉
   S:            〈secCDNS:pubKey〉AQPJ⁄⁄⁄⁄4Q==〈⁄secCDNS:pubKey〉
   S:          〈⁄secCDNS:keyData〉
   S:        〈⁄secCDNS:KEY〉
   S:      〈⁄secCDNS:infData〉
   S:    〈⁄extension〉
   S:    〈trID〉
   S:      〈clTRID〉ABC-12345〈⁄clTRID〉
   S:      〈svTRID〉54322-XYZ〈⁄svTRID〉
   S:    〈⁄trID〉
   S:  〈⁄response〉
   S:〈⁄epp〉

For details, please refer to the link: http:⁄⁄tools.ietf.org⁄html⁄draft-kong-epp-cdn-dnssec-mapping-00.

25.4 The EPP Schema of Business Interface between CNNIC and Registrars

The EPP Schema used by CNNIC includes two parts; one is the EPP XML Schema defined by RFC and the other is the EPP XML Schema of customized extension.
　　
25.4.1 The EPP XML Schema Defined by RFC

	(1) urn:ietf:params:xml:ns:eppcom-1.0 (Refer to RFC 5730)

	(2) urn:ietf:params:xml:ns:epp-1.0 (Refer to RFC 5730)

	(3) urn:ietf:params:xml:ns:domain-1.0 (Refer to RFC 5731)

	(4) urn:ietf:params:xml:ns:host-1.0 (Refer to RFC 5732)

	(5) urn:ietf:params:xml:ns:contact-1.0 (Refer to RFC 5733)

	(6) urn:ietf:params:xml:ns:rgp-1.0 (Refer to RFC 3915)

25.4.2 The EPP XML Schema of Customized Extension

	(1) urn:ietf:params:xml:ns:idn-1.0 (Refer to draft-kong-epp-idn-variants-mapping-00)

	(2) urn:ietf:params:xml:ns:secCDNS-1.0 (Refer to draft-kong-epp-cdn-dnssec-mapping-00)

25.5 Resource Allocation

25.5.1 Human Resources

EPP-related posts involve 2 software engineers who are responsible for EPP consistency analysis and for extending EPP in accordance with RFC 3735. Refer to the answer to Question 31. 
　　
25.5.2 Funds

Funds and human resources have been put in place. Refer to the answer to Question 46 for the source and use of these funds.

26. Whois

China Internet Network Information Center (CNNIC), based on Request for Comments (RFC) 3912, provides data objects, bulk access, lookups and web-based searchable Whois service which are defined in Specification 4 and which meet the Service Level Requirements (SLR) of Specification 10. Appropriate precaution measures have been taken to prevent abuse of registered data information. CNNIC has made available the human resources, funds and equipment needed for implementing and maintaining Whois service.
26.1 Realization of Whois System

The Whois system is used to check the detailed information of registered domain names and whether a particular domain name has been registered. In addition, CNNIC supports searchable Whois service which has a web search function with domain names, registrant names, postal addresses, contact names, registrar IDs and Internet Protocol addresses as key words and which also has the Boolean search function.
26.1.1 System Architecture

Please refer to Figure 1 in the attachment of Q26_Attachment_Figure for the details of the architecture of the Whois system.
Data in the Whois database is created by advanced replication of the Shared Registration System (SRS) registration database. The Whois system consists of the WhoisD system which is accessible by command lines via Port 43, and the web-based Whois Web system. Whois Web requests are converted into WhoisD requests and the WhoisD system is connected to the Whois database to return query results to the user. The searchable Whois system provides searchable services by accessing Whois database index files. By advanced replication of the SRS registration database, a bulk access Whois database is generated which provides bulk access function for authorized registrars or third-party users.
26.1.2 System Functions
26.1.2.1 Queries about Domain Names

Registrars and registrants may send requests to the Whois system ʺwhois 实例.网络ʺ to query about a particular domain name. The Whois system will return the following information in accordance with Specification 4 of the Registry Agreement:
(1) Information about the domain name, including domain name (U-label, A-label and variant domain name), domain ID, updated date, creation date, registry expiry date and domain status.

(2) Whois server and referral URL.

(3) Information about the sponsoring registrar, including the sponsoring registrar and the sponsoring registrar Internet Assigned Numbers Authority (IANA) ID.

(4) Information about registrants in accordance with Specification 4.

(5) Information about administers in accordance with Specification 4.

(6) Information about the technician in accordance with Specification 4.

(7) Name Server and DNSSEC.

26.1.2.2 Queries about Registrars

Registrars and registrants may send requests to the Whois system whois ʺregistrar Example Registrar, Inc.ʺ to query about a particular registrar. The Whois system will return the following information in accordance with Specification 4 of the Registry Agreement:
(1) Information about the registrar in accordance with Specification 4.

(2) Whois server and referral URL.

(3) Information about the admin contact including phone number, fax number and Email.

(4) Information about the technical contact, including phone number, fax number and Email.

26.1.2.3 Queries on Name Servers

Registrars and registrants may send requests to the Whois system whois ʺNS1.EXAMPLE.TLDʺ or whois ʺnameserver (IP Address)ʺ to query about a particular name server. The Whois system will return the following information in accordance with Specification 4 of the Registry Agreement:

(1) Information of the server, including server name and its IP address.

(2) Registrar.

(3) Whois server and referral URL.

26.1.2.4 Internationalized Domain Name (IDN) Support

The Whois system supports two ways of domain name query, i.e., U-label and A-label, and adopts UTF-8 encoding format to enable the Whois system to display information in both English and Chinese. Furthermore, the Whois system also supports displays both of U-label and A-label of the queried domain.
26.1.2.5 IP Black List

After connection with a user has been established, if the userʹs IP is found to be in the black list, then the Whois system will immediately terminate the connection.
26.1.2.6 Connection Timeout

After a connection is established, if a user does not perform any query operation within a specified time limit (configurable), the system will automatically terminate the connection.
26.1.2.7 Restrictions on the Interval of Query Time

For a user whose IP is not in the white list, their interval of query time (configurable) should be restricted to prevent highly frequent queries from hampering the response to other usersʹ queries.
26.1.2.8 Searchable Whois Service and Prevention of Information Abuse

Searchable Whois service has the following functions:

(1) For domain names, contacts, registrantʹs name, contact and registrantʹs postal address, including all the sub-fields described in Extensible Provisioning Protocol (EPP) (e.g., street, city, state or province, etc.), partial match capabilities are available.

(2) For registrar ID, name server name and name server IP address, exact match capabilities are available.

(3) Boolean search capabilities are available which meet the search criteria of AND⁄OR⁄NOT for multiple fields.

(4) All query results contain domain name-related information, including domain name, domain ID, updated date, creation date, registry expiry date and domain name status, etc.

CNNIC adopts the following measures to prevent information abuse:

(1) A registrar or registrant may only login the searchable Whois system using their own ID and password, and may only search information related to their own domain names.

(2) If a registrar, registrant or a third-party user wants to search othersʹ information, they need to explain the reasonable purposes, commit to protect privacy and security, and sign an agreement with CNNIC at first.

26.1.2.9 Bulk Access

Whois service provides bulk access capabilities for authorized registrars and third-party users. To reduce the impact of bulk access on the load of core Whois database, the data related to the capabilities are provided by a separate Whois database for bulk access.
To guarantee the quality of bulk access service, the Whois system, by identifying the userʹs IP address, provides its service only for authorized registrars and third-party users.
26.1.3 System Deployment

Please see Figure 2 in the attachment of Q26_Attachment_Figure.

(1) Internet Access

CNNIC, via Border Gateway Protocol (BGP), broadcasts service addresses of WhoisD, Whois Web, Whois bulk access and searchable Whois etc.. Users can access Whois service through multiple Internet Service Providers (ISPs).
(2) Load Balancer

WhoisD, Whois Web, Whois bulk access and searchable Whois services are all configured in the layer 4 load balancers.
(3) Whois Web Servers

The load balancers directly allocate a Whois Web request to the 4 Whois Web servers which will transfer the request back to the load balancer. The load balancer will then transfer the request to the 4 WhoisD servers. The WhoisD server, by accessing the Whois database, feeds the WhoisD query results back to the Whois Web server, which will then transfer the results to the user through the load balancers.
(4) WhoisD Servers

The load balancers directly distribute WhoisD requests to the 4 WhoisD servers which will, by accessing the Whois database, transfer the query results to the user.
4 high-performance blade servers providing WhoisD service are configured in different blade boxes and subnets.
(5) Searchable Whois Servers

Searchable Whois service requests are distributed to 4 searchable Whois servers which are configured in different blade boxes and subnets.
(6) Bulk-access Whois Servers

Whois servers provide bulk access capabilities for authorized third parties. Four bulk-access Whois servers respond to their query requests. These servers are configured in different blade boxes and subnets.
(7) Searchable Whois Index Servers

Searchable Whois requests are distributed by searching searchable index files through searchable Whois servers. Two high-performance blade servers providing searchable Whois index files are configured in different blade boxes and subnets. Whois index file servers generate index files on a regular basis and the frequency of data update is once every 5 minutes.
(8) Whois Database

The core Whois database maintains Whois data and responds to the requests of WhoisD server only.
The Whois database is built by two high-performance database servers. Data are obtained by advanced replication of the SRS core registration database with a replication interval of 5 minutes.
(9) Bulk-access Whois Database

To reduce the impact of bulk access on the load of core Whois database, CNNIC provides 2 special bulk-access databases. Data are obtained by advanced replication of the SRS core registration database with a replication interval of 5 minutes.
26.2 A Plan for Operating Robust and Reliable Whois

26.2.1 Redundant System Design

To improve reliability, a redundant design is adopted for designing the Whois system architecture including network devices, load balancers, Whois-related servers and databases, so as to ensure there is no single point. In addition, cold-standby servers are provided which are always ready for deployment and service.
Furthermore, both local and remote secondary operation centers adopt the identical Whois system deployment, to ensure that a swift switch can be made when the primary operation center fails.
26.2.2 Whois Data Synchronization

Whois data and bulk-access Whois data are obtained by advanced replication of the SRS core registration database with a replication interval of 5 minutes. Searchable Whois index data are obtained by generating searchable Whois index files through the Whois database, with an update interval of 5 minutes.
26.2.3 Failure Monitoring and Handling

CNNIC has a monitoring system and a special 7*24 team for system operation and maintenance that monitor the Whois system in a real-time manner. Once any abnormity is detected in the Whois system, the monitoring system will promptly notify the system administrator. Once a problem is detected, the 7*24 team will immediately notify the system administrator to handle it.
26.3 Compliance Analysis

26.3.1 Compliance with RFC 3912

Strictly conforming to the Whois protocol defined in the RFC 3912, the Whois system developed by CNNIC supports the function of communication between the client and Whois servers by using TCP connection on Port 43 and, in strict accordance with RFC 3912 Protocol Model, uses ASCII CR and ASCII LF to separate one message from another.
26.3.2 Compliance with Specification 4

(1) The format of Whois command response strictly complies with the format defined in Specification 4 of the Registry Agreement, followed by a blank line and a legal disclaimer.

(2) Each data object is represented as a set of key⁄value pairs, with lines beginning with keys, followed by a colon and a space as delimiters, followed by the value.
(3) For fields where more than one value exists, multiple key⁄value pairs have the same key.

(4) The format of response to queries about domain names, registrars and name servers meets Specification 4 of the Registry Agreement. It includes at least the display fields and formats as specified therein.

(5) The format of the following data fields: domain status, individual and organizational names, address, street, city, state⁄province, postal code, country, telephone and fax numbers, Email addresses, date and time conform to the mappings specified in EPP RFC 5730, RFC 5731, RFC 5732, RFC 5733 and RFC 5734.

(6) Searchable Whois service is provided in accordance with Specification 4 of the Registry Agreement, and measures are taken to prevent abuse of registered data.

26.3.3 Compliance with Specification 10

For Whois (Registration Data Directory Services, RDDS) service level, Specification 10 of the Registry Agreement sets forth the following requirements:
Please see Table 1 in the attachment of Q26_Attachment_Table.
(1) Availability

According to CNNICʹs estimation, if the registration volume of ʺ.网络ʺ is around 200,000, WhoisD daily queries will be approximately 210,000 with 7.3 transactions per second at most and the volume of Whois Web queries will be lower than that.
CNNIC has tested its own Whois system and the test results are as follows:
For a million-level aggregate registration volume (no index), 2136 transactions are successfully submitted per second. For a 10-million-level aggregate registration volume (index established), 2010 transactions are successfully submitted per second.
Under normal conditions, one server is capable of undertaking WhoisD service. Considering system redundancy, 4 servers and 1 cold-standby server should be provided and another 4 servers are enough to undertake Whois web service.
Whois bulk access is open only to authorized registrars and third-party users and 4 Whois bulk access servers are provided for this purpose.
In case registration volume increases sharply due to attacks, more back-end servers could be added under load balancers for extension.
So, the availability of service can be kept above 98%.
(2) Query Round-Trip Time (RTT)

The average query RTT is 23.65ms. 95% of queries for WhoisD, Whois Web and Whois bulk access can be finished within 1000ms to meet Specification 10 of the Registry Agreement.
(3) Update Time

The update time of Whois database and Whois bulk access database is 5 minutes to meet Specification 10 of the Registry Agreement.
26.3.4 Laws and Policies on Privacy Protection that Searchable Service must Abide by

26.3.4.1 Registration-related Privacy

As prescribed in Article 4 of Rules on Technical Protective Measures for Internet Security (Directive 82 of the Ministry of Public Security), ʺInternet service providers and Internet application organizations shall establish relevant management systems to ensure that no registration information will be disclosed or leaked without prior consent of the registrant unless otherwise specified by laws and regulations of the state. Internet service providers and users shall use technical protective measures for Internet security in accordance with the law. They shall not use such measures to infringe upon Internet end-usersʹ communication freedom and privacy. The public information network security supervision department of public security organs performs, in accordance with the law, the duty of supervising the implementation of technical protective measures for Internet security. All technical protective measures for Internet security shall meet relevant national standards. Where there is no applicable national standard, they shall meet relevant industrial technical standards on public security.ʺ
In accordance with the above legal provisions, CNNIC requires that each registrar send a notice to holders of newly-registered or renewed domain names, informing them of the following:
(1) The intended use of the applicantʹs personal information to be collected.

(2) The receiver or type of receiver of such information (including the registry and other parties that are to receive such information from the registry).

(3) What information shall be provided and what (if there is any) can be provided on a voluntary basis.

(4) In what way the registered domain name holder can access or modify (if necessary) the stored data concerning them.

Only after the user has confirmed and agreed to the above information can the registrar start to collect registration information from the user. Collection of registration information without the registrantʹs consent will be regarded as infringing upon his⁄her privacy. Information collected will be considered invalid and will not pass the registryʹs review.
26.3.4.2 Query-related Privacy

As prescribed in Section 2, Article 18 of the Implementation Rules for the Provisional Regulations on Management of International Networking of Computer Information Networks of the Peopleʹs Republic of China, Internet users shall be subject to the management of ISPs and abide by their regulations; users shall not access any computer system without permission or alter the information of others; they shall not viciously spread information of others or spread any information in the name of another person via the network; and they shall not infringe upon other peopleʹs privacy.
In compliance with the above provisions, CNNIC will adopt the following measures to control usersʹ behavior in using Whois:
(1) CNNIC will provide searchable services for fuzzy and accurate queries about limited fields that meet the requirements of ICANN. For non-existing domain names, a negative response will be given and no suggestions on related domain names will be provided in any form.

(2) For typical searchable services, users need to pass username and password authentications before accessing the searchable Whois system and they can only make queries about their own information.

(3) Searchable services for all other types of information may be opened to some of the users who have passed authentication. Such users shall inform CNNIC of the purpose of their queries and their contact information. If there is any violation of privacy, such as massively spreading other peopleʹs private information or sending large amounts of junk mail using Whois information, CNNIC will mete out punishment on the infringer in accordance with relevant laws and regulations on privacy protection and if the case is serious enough, it will be reported to relevant judicial organs.

26.4 Resource Allocation

26.4.1 Human Resources

The operation of Whois needs 4 software engineers who are responsible for software optimization and maintenance, and 10 system administrators who are responsible for 7*24 monitoring. Refer to the answer to Question 31.
26.4.2 Software and Hardware

Hardware in the 3 operation centers includes 60 high-performance blade servers and 12 high-performance database servers.
Software includes Whois software, database software, database cluster software and storage management software. WhoisD has 5100 lines of effective codes and 1200 lines of codes related to the stored procedure of the database while 8,670 for searchable Whois and 6,690 for Whois Web. The total work load is 17 man-months. So far development and testing of the software have been completed and the system is now in trial operation.
In addition, customization scope of Whois system software covers Whois system based on Port 43 and Whois Web system, Whois bulk access function and searchable Whois function; meanwhile it satisfies the SLR. Software customization development is carried out according to the initiation of R&D, program plan, outline design, specific design, construction stage, trial stage and issue and summarization procedures. Development procedure is compliant with regulations of Level 3 of Capability Maturity Model Integration (CMMI3).
Refer to the answer to Question 32 for more details about the software and hardware.
26.4.3 Funds

Funds for human resources, equipment procurement and maintenance have been put in place. Refer to the answer to Question 46 for the sources and uses of these funds.

28 Domain Name Abuse Prevention and Mitigation

  For the purpose of minimizing abusive registration and other activities that have a negative impact on Internet users, CNNIC has thoroughly measured different types of potential acts of domain name abuse, and correspondingly formulated a series of policies on preventing domain name abuse and mitigation, including registrars enforcement procedure, registration reviewing procedure and complaints handling procedure. 

  In order to implement the above policies, CNNIC will adopt measures as constructing a comprehensive contact point for filing complaints on domain name abuse, a whole life-circle domain abuse monitoring and handling platform, and an information sharing mechanism with industry partners to prevent domain name abuse. Based on these measures, CNNIC will make sure that problems of domain name abuse are detected and resolved efficiently, while Whois accuracy and completeness is concurrently improved. To implement the above policies and measures, CNNIC has allocated resources in terms of manpower, equipment and finance, and worked out an implementation plan on startup and on-going basis.

28.1 Policies of Domain Name Abuse Prevention and Mitigation

28.1.1 The Definition of Malicious or Abusive Behavior

  Based on the standards for domain name abuse formulated by the Registration Abuse Policy Working Group (RAPWG) of SSAC (Security and Stability Advisory Committee) (February 2009, available at http:⁄⁄gnso.icann.org⁄issues⁄rap⁄rap-wg-final-report-29may10-en.pdf), CNNIC defines acts of domain name abuse as those that:

	(1) causes actual and substantial harm, or is a material predicate of such harm, and	

	(2) is illegal or illegitimate, or is otherwise considered contrary to the intention and design of a stated legitimate purpose, if such purpose is disclosed.

28.1.2 Scope of Malicious or Abusive Behavior  

  Based on the definition by RAPWG and by reference to the report by the Fast-Flux working group ( 03 September 2009, available at http:⁄⁄gnso.icann.org⁄meetings⁄minutes-03sep09.htm), CNNIC currently defines 10 types of domain name abuse, which may be mitigated on the registry level, which are categorized as registration abuse and use abuse as following:

28.1.2.1 Registration abuse includes:

	(1) Cybersquatting
	
	(2) Front running

	(3) Pornographic or offensive domain names

	(4) Fake renewal notice

	(5) Domain spinning

	(6) Domain tasting

28.1.2.2 Malicious use of domain names includes:

	(1) Conduct phishing to steal usersʹ information or commit fraud;

	(2) Take advantage of the domain name to spread viruses or install malware for botnet command-and-control;

	(3) Send out spams;

	(4) Disseminate malicious information (concerning child pornography, race discrimination, sex discrimination, and etc.) that go against international ethics and morality or interfere with public order.

28.1.3 Domain Name Abuse Prevention and Mitigation Implementation plan

  Please refer to Q28_attachment_table attached for details of the description of policies defining malicious and abusive behaviors of each category above. CNNIC provides the capture metrics and solution to deal with those abusive behaviors respectively in the stages of registrar management, active monitoring and suspension as well as complaint handling.

28.1.4 Proposed Policies and Procedures for Prevention of Domain Name Abuse 

28.1.4.1 Provisions on Registrars for Domain Name Abuse Prevention

  Any registrars seeking to register domain names in the proposed gTLD will be required to execute a Registry-Registrar Agreement (ʺRRAʺ), which will govern the relationship between the registrar and CNNIC. The agreement will specify the services (i) that CNNIC will provide for the registrars, such as domain name registration services, registry hosting and operation, and full-database Whois functionality; and (ii) for which registrars will be responsible, such as providing all customer support functions for domain name registrants. 

  CNNIC will, based on the Registrar Accreditation Agreement (RAA) requirements formulated by ICANN, establish a code of conduct for registrars of ʺ.网络ʺ domain to control domain name abuse by registrars, and cooperate with the registrars to mitigate and prevent domain name abuse. The following policies are included in the RRA of CNNIC for prevention of domain name abuse.
28.1.4.1.1 Registrar Qualification Requirement

  To prevent and mitigate domain name abuse, CNNIC requires that registrars shall:

	(1)be accredited by ICANN, i.e., having been validly accreditation by ICANN pursuant to RAA agreement;

	(2)set up domain name registration service system within China with technical and customer service staff specializing in domain name services;

	(3)have the credibility or capability of providing clients with long-term services;

	(4)develop business development plans and related technical schemes;

	(5)take effective network and information security safeguard measures;
	
	(6)establish a sound domain name registration exit mechanism;

	(7)comply with other relevant national rules and regulations.

28.1.4.1.2 Prohibited Terms

  In the process of domain name registration service provision, the domain name registration service providers are not allowed:

	(1)To provide domain name registration services in a disguised name of governments, or other enterprises, public institutions or social organizations;

	(2)To occupy domain name resources in a disguised form by registering domain names based on false information;

	(3)To provide domain name registration services by using such unfair competition means as misleading and threatening users;

	(4)To induce uses to register domain names that are confusingly similar to those that are already registered;

	(5)To force users to extend the term of domain name registration or sell bundled services;

	(6)To fail to submit registration information to CNNIC in accordance with the actual registration years of domain name users;

	(7)To reject without any justified reason applications filed by domain name holders for password of domain name transfer, or charge the same for such application;

	(8)To use of the Whois database to send unsolicited e-mail to registrants, to solicit registrants by telephone or to use the database for other commercial purposes;

	(9)To purchase of domain names for any purpose except instances where the registrar has a bona fide intent to use that domain name on its own behalf.

	(10) To conduct other behaviors which are in violation of laws and regulations or infringe upon the interests of domain name users. 

28.1.4.1.3 Cooperation between CNNIC and Registrars for Preventing of Domain Name Abuse

  The RRA lays down the registrarsʹ obligations for cooperation with CNNIC in terms of domain name abuse mitigation and prevention, specifically registrars shall: 

	(1) establish a sound network and security emergency response system and intensify the domain name registration review to ensure the authenticity of the information provided by the registrants;
	Note: CNNIC will provide regular monitoring of registration data for accuracy and completeness, employing telephone call back methods to investigate the Whois accuracy level.

	(2) set up a help desk to receive complaints filed by the users on domain name abuse and disputes, to serve as the first level complaints contacting point;
	Note: CNNIC will serve as the second level complaints contacting point to the customer.

	(3) implement based on United Domain Name Dispute Resolution Policies, the decisions, judgments or verdicts of domain name dispute resolution provider or courts to rapid take down or suspension relevant domain names and provide the registrants with corresponding notices and explanations;

	(4)establish expedited channels and contact information for law enforcement and community partners and drive towards response times of domain name take down request in the 1‐3 hours range;

	(5) provide user ID and password at the time of registration, and provide registration data update, domain name transfer and cancellation services upon password verification and identification documents authentication. The domain name may be changed and put into use only upon obtaining the approval of the registrars within three working days after the registrars receive the application form for domain name registration data update, domain name transfer and cancellation.

28.1.4.1.4. Billing and Collection Provisions

  In order to combat this free domain tasting which may cause cybersquatting, and in accordance with current ICANN policy of the RAA, CNNIC will include provisions in the RRA requiring registrars to receive a reasonable assurance of payment from any potential domain name registrant prior to submitting any registration request on behalf of that registrant.

  In accordance with current ICANN policy, CNNIC recognizes that registrars may occasionally submit registrations to CNNIC in error. In such cases, the RRA will provide that registrars may receive refunds if they notify CNNIC of the error within five business days of the submission. CNNIC believes that this five day term enhances registrar monitoring of inadvertent registrations.
 
  Finally, the RRA will specify that if a registrar does not receive payment for a domain name registration within forty five days after the payment becomes due, then the registrar will be obligated to cancel the registration and return the domain name to the general registry pool of available names. This policy will prevent registrars from being able to trade or sell domain names for their own accounts in a secondary market environment.

28.1.4.1.5 Agreement Termination

  The RRA will enable CNNIC to reject registration requests from a registrar that is not in compliance with the RAA or any ʺ.网络ʺ registration policy. CNNIC will continue to reject such requests until the registrar ceases its non-compliance. In the event that such non-compliance continues, CNNIC will have the right to terminate the RRA. When the RRA is terminated by CNNIC for any reason, ʺ.网络ʺ domain name registrations managed by that registrar will be reallocated to other registrars in accordance with any applicable ICANN policy.
 
  Any disputes between CNNIC and a registrar regarding the RRA will be submitted to binding arbitration for resolution. If a registrar materially breaches the RRA, CNNIC may, on thirty days notice and an opportunity to cure such breach, terminate the RRA and prohibit such registrar from registering domain names in the proposed gTLD. By incorporating its policies into the RRA, CNNIC will be in a position to enforce its policies against the individual registrars, without the intervention of ICANN.

28.1.4.2 Policies on Name Reservation

28.1.4.2.1 Reserved Names

  CNNIC will initially reserve the following types of names for registration to ensure that domain names will not be used for such abuse activities as fraud and phishing:
	
	(1) Names required to be reserved as stipulated in the agreement executed between CNNIC and ICANN:

	*ICANN reserved names in the Top Level Reserved List in Application Guide Book and their translation in multiple languages  

	*Single & Two Character Names including the use of symbols

	*Tagged names

	*Nic, Whois, www

	(2) Geographical names (see Question 22 for details);

	(3) Names or abbreviations of the local government authorities and international inter-governmental organizations (ASCII and Chinese Translation); Note：The list will be formulated before or during the start-up period based on the final decision made by GAC, ICANN and local government authorities;
	
	(4) Other controversial names that may conflict with public interests according to the domain name regulation in China.

28.1.4.2.2 Release of Reserved Names 

  After obtaining permit from respective local authorities, legitimate registrant will be allowed to submit the application to a registrar accredited by CNNIC for registration of the domain name. The application material shall include documentations as following:

	*Domain name registration application form with an organizational stamp;

	*Proof of establishment of the organizational registrant;

	*Proof of personal identification of the registration contact person;

	*other documentations issued by relevant parties for release of reserved domain names;

  Then the registrar forwards the above material to CNNIC. After verification process, CNNIC will release the domain name to the database of the registrar. If the registration application doesnʹt get approved, CNNIC will notify the registrar about the reason of declination. The process of verification shall be finished within 3 days since CNNIC receives the application material from the registrar.   

28.1.4.3 Policies on Domain Name Registration Review  

28.1.4.3.1 Registrant Eligibility Requirements

  ʺ.网络ʺ registrants can be divided into two categories: Organizational Registrant and Natural Person Registrant. 

  Organizational registrants which represent an enterprise, shall be organizations registered under the laws of the country or region where the applicant is located and capable of undertaking civil liabilities.

  Natural Person registrant shall be all individual human-being registered with real identity. 

28.1.4.3.2 Information Authentication 

  In order to apply for ʺ.网络ʺ domain name, registrant needs to complete an application form collecting all information required for Whois. In addition, organizational registrant shall submit authentic, complete and accurate organizational proof of establishment to the registrars. Acceptable documentation includes business ID, tax ID, VAT registration certificate or equivalent of the applicant issued by local administrative authority. Natural person registrants shall submit personal identification materials issued by a recognized authority, which can be personal ID, passport or equivalent. The registration contact person shall also submit personal identification materials, which can be personal ID, passport or equivalent.  This additional documentation is just for registration record authentication but against any release to the public. 

  Based on authentication conducted by registrars, an application for domain name registration shall be rejected or cancelled in the following circumstances:

	(1)The applicant submits incomplete application form with necessary information missing;

	(2) The applicant provides invalid or fake supporting identity authentication material;
 
	(3) The contact information is inaccessible; 

	(4)The applicant provides incoherent information in the application form with its identity proof.

28.1.4.3.3 Review of Prohibited Names

  For the purpose of protecting the legitimate rights and interests of the general public and preventing domain name abuse, in addition to name reservation and applicant information authentication, CNNIC shall review and determine whether the domain names applied and the registration information violate the provisions of ʺChina Internet Domain Name Regulationsʺ (please refer to http:⁄⁄www1.cnnic.cn⁄html⁄Dir⁄2005⁄03⁄24⁄2861.htm). CNNIC may carry out review on the domain name registration information manually. In case of any domain name violating the provisions of Article 27 of the Regulations or with false, inaccurate or incomplete registration information, CNNIC shall inform the registrars of such cases for cancellation. Specific review policies include:

	(1) instigate hostility or discrimination among different ethnic groups, or disrupt national solidarity;

	(2) spread rumors, disturb public order or disrupt social stability;

	(3) spread obscenity, pornography, violence, homicide or terror or instigate crimes;

	(4) insult or libel others and thus infringing other peopleʹs legitimate rights and interests;

	(5) contain other contents prohibited by laws and administrative regulations.
 
28.1.4.4 Policies on Active Monitoring and Handling of Domain Name Abuse

  CNNIC will conduct active monitoring of Whois accuracy, information security and monitor orphan glue records and to mitigate and prevent domain name abuse.

28.1.4.4.1 Policies on Whois Accuracy Control

  CNNIC requires maintaining Whois accuracy to ensure in-time handling of domain name abuse, specifically:

	(1) require applicants to submit domain name application forms along with identity certificates of registration contact person or proof of establishment of the registration organization, and conduct identity verification;

	(2) require registrars to decline applications for domain name registration by registrants who have provided fake registration information;

	(3) require the domain name holder to apply to the registrars for registration information change;
	Note: When applying for registration information change, the applicant shall submit relevant application documents for domain name changes in the same way as applying for the domain name registration. The domain name shall be changed and put into use only upon obtaining the approval of the registrars and the registrars shall submit the changed registration information to CNNIC. The registrars shall not make changes to any clientʹs registration information without the consent of the domain name holder.

	(4) monitor registration record of registered users by random telephone revisit. Where any information in the Whois is found to be inaccurate, CNNIC will notify the registrar and require the registration contact person for making corrections, and to suspend false domain names information that involve abuse;

	(5) conduct Whois accuracy audit of every registrar on yearly basis, where registrars with weak enforcement of registration review policy which results in higher unreachable Whois data will receive penalty of reduced registrar rebate. 
	
28.1.4.4.2 Policies on Information Security Control

  Applicants for domain name registration shall submit authentic, accurate and complete domain name registration information, so as to intensify protection of usersʹ information and avoid leakage and misuse.

  CNNIC, as a trusted neutral third-party registry, must maintain the trust of the registrars and the consumers. Therefore, CNNIC will not market, in any way, the registrant information obtained from registrars for purposes of running the registry, nor will it share that data with any unrelated third parties. The registry operator will only have access to such data as is necessary for operation of the registry itself and will use that data only for registry operation.

  CNNIC will provide registrars with a mechanism for accessing and correcting personal data and will take reasonable steps to protect personal data from loss, misuse, unauthorized disclosure, alteration or destruction. To further secure registrant data, each registrant will have a secure password for his or her registry records. Only through use of this password will data be changed, registrars transferred, domain name servers be updated, etc. Registrars will develop, in consultation with the registry, secure password verification and authentication mechanisms. Moreover all registrars will be required to abide by all applicable international, national, and local laws.

   In addition, CNNIC has formulated a plan for protecting registrantsʹ information, which include: protecting the security of the information submitted by users during the entire lifecycle of the ʺ.网络ʺ domain name registration, balancing the relationship between publicly accessible database(Whois) and registrant information protection, inspecting on a regular basis the status of information security management, and controlling over staff security.

28.1.4.4.3 Requirement for Inhouse Employees In term of Information Security Management 

     CNNIC will attach special importance to the security management with respect to staffs in charge of domain name user information, and take the following measures to avoid the occurrence of deliberate information leakage:

	(1) designate special managerial staffs to conduct centralized collection and custody of domain name user information, and domain name registries shall keep such identity information of its managerial staffs and submit the same to registries for file;

	(2) execute a special confidentiality agreement with the managerial staffs in charge of domain name user information, which shall expressly provides that any leakage of domain name user information will be subject to legal liabilities;

	(3) set standards to the operation process of managerial staffs, reinforce audit of staff operation, and conduct audit and issue audit report regularly;
 
	(4) conduct security training and education for managerial staffs on a regular basis.

28.1.4.4.4 Policies on Orphan Glue Records
  
  To prevent the orphan glue records in the root domain from causing problems of domain name abuse, CNNIC will not allow the existence of orphan glue records, namely, glue records are required to be removed before the delegation point NS record is removed.

28.1.4.5 Policies of Complaints Handling

  To handle domain name abuse in time and mitigate its negative influence on registrars and internet users, CNNIC formulate policies on handling of complaints on domain name abuse as follows:

28.1.4.5.1 Contact Points for filing complaints

   Users may file complaints on domain name registration abuse or abusive use of a domain through the following channels:

	(1) the complaint contact points (web, fax, email, SMS) published on the official website of CNNIC;

	(2) the complaint channels published on the website of the registrar;

	(3) the complaint channels provided by CNCERT, which shall in turn report the complaints to CNNIC for handling;

	(4) the complaint channels provided by the Anti-Phishing Alliance of China,;

	(5) the complaint channel of 12321 Internet Spam Information Reporting and Resolution Center, which shall forward to CNNIC for handling.

28.1.4.5.2 Complaint Acceptance

  CNNIC is responsible for making acceptance and investigation from complaints. Assessment shall be conducted by anti-abuse complaint handling personnel pursuant to relevant measurement criteria (please refer to attached Q28_attachment_table: Implementation Plan of Domain Name Abuse Prevention and Mitigation), and if necessary, a special investigation team shall be formed to conduct research, analysis and judgment. Feedback shall be provided for the complainants in time upon the completion of assessment. All the investigation shall be completed within 5 business days.

28.1.4.5.3 Response to and Handling of Complaints

	(1) Handling of complaints shall be made within 5 business days upon acceptance of complaint from each channel. Afterwards, the result of handling complaints will be forwarded, via telephone call or email, to the complainant, the person against whom the complaint is filed, and other parties involved.

	(2) where  CNNIC is found upon investigation of complaints to have committed violations of laws, or fail to effectively respond to complaint filed according to Trademark Post-Delegation Dispute Resolution Procedure (PDDRP) or Registry Restriction Dispute Resolution Procedure (RRDRP), we will take remedies according to the relevant provisions of ICANN.

	(3) Where any registrar is found upon investigation of complaints to have committed violations of laws or Registry-Registrar Agreement terms, it shall be ordered to make corrections and make relevant compensations. In the case of severe breach of RRA without any correction upon notification, CNNIC is entitled to cancel the agreement and conduct further registrar transition afterwards. 
	
	(4) Where any registrant is found upon investigation of complaints to have committed violations of relevant regulations, the registrant shall be ordered to make corrections. In the case of such domain name abuse as phishing and dissemination of illegal information, as the existence of which will continue to cause greater losses to the users，the domain name shall be suspend within 2 hours after verification of the misconduct. 
	
	(5) Where the complaint involves domain name dispute, the complainant shall be told to resort to domain name dispute resolution provider or the court based on Uniform Domain Name Dispute Resolution Policy (UDRP) or relevant judicial procedures, then the registrar will be asked to lock the domain to prevent transfer or update till the dispute being resolved. CNNIC will further notify the registrar to unlock domain name or make transfer based on the dispute resolution decision. 
	
	(6) Where any information provided by the complainant is found to be inaccurate or there is no evidence to prove domain name abuse, CNNIC will reject the complaint and give corresponding explanations, and the complainant may, if not satisfied, provide further evidence to file an appeal.

28.2 Abuse Prevention and Mitigation Measures

   Based on the abuse prevention and mitigation policies above, CNNIC has developed 3 measures, including an abuse monitoring and handling platform, a comprehensive contact point and customer support center for filing complaints on domain name abuse, and an information sharing outreach mechanism with industry partners. 

28.2.1 Abuse Monitoring and Handling Platform 

  CNNIC will build an abuse monitoring and handling platform in order to monitor policy compliance of registrars, domain name applications, and post-registration domain name abuse. 

28.2.1.1 Compliance Review of Registrars

  CNNIC will, with reference to this plan, improve its agreement with and service standards for domain name registrars, define their responsibility of protecting domain name usersʹ information and domain name abuse prevention measures they shall take.
   
  CNNIC will also reinforce management of domain name registrars, and conduct investigation over the registrars on a regular (yearly) basis pursuant to this plan. The investigation may take the form of spot check, and domain name registrars that are found to be disqualified shall be required to make rectifications. The investigation will mainly involve document review, staff interview, on-site inspection, and etc. The objects to be investigated include documents on system design⁄acceptance, relevant service and application management process and system management, records on equipment management and configuration and daily operations, systems and relevant equipment, and etc. The party to be investigated shall actively cooperate with the party conducting the investigation in providing corresponding materials, and make rectifications, if necessary, based on the result of the investigation.

  Specifically, CNNIC requires that:

	(1) The registrar shall be capable of providing normal services due to major business problem;

	(2) Registrarsʹ service records and data backups shall illustrate the registrarʹs compliance to relevant policy. 

	(3) Result from registrant satisfaction survey shall meet an average standard.

	(4) There should be no report of identified violations of RRA committed by registrars.

28.2.1.2 Review of Domain Name Applications 

 CNNIC will adopt the procedures of applicantʹs identity review, rights and interests review to mitigate and prevent abuse of domain names.

28.2.1.2.1 Data Collection
  
  The ʺ.网络ʺ registrars shall collect and store as many of the technical details of the registration as possible. This information has multiple uses, including registration scoring, validation, takedown resolution, investigation, etc. This registrantʹs data to be collected includes:

	(1) Registrant Name
	(2) E-mail Address
	(3) Registrant Personal Identification Material
	(4) Company Name
	(5) Proof of Company Establishment
	(6) Address
	(7) City
	(8) Country
	(9) State
	(10) Zip
	(11) Phone Number
	(12) Additional Phone
	(13) Fax
	(14) Alternative Contact Name
	(15) Alternative Contact E-mail
	(16) Alternative Contact Phone

  The registrar shall use this information for the account, not for the WHOIS information. In addition the registrar shall have a separate form for the WHOIS information that is pre-populated with this information. The registrars shall take the responsibility to explain that this WHOIS information will be used by external parties to contact that person in event of malicious activity or other issues with the domain.

28.2.1.2.2 Registration Information Authentication

    From CNNICʹs past experience of managing ʺ.cnʺ, registration information authentication procedure can effectively prevent fake Whois data and enhance the accessibility of the contact information. Therefore, CNNIC continue to take these proceedings in ʺ.网络ʺ :
　
	(1) ʺ.网络ʺ registrars shall strictly review the identity certificate submitted by registration applicants, and decline applications with incoherent information on the application form, so as to ensure the authenticity and accuracy of registration records in the Whois. Where any user who has been declined is not satisfied with the review of ʺ.网络ʺ registrars, he or she may file a complaint to CNNIC for reconsideration, with respect to which CNNICʹs determination shall be final and binding. 

	(2) The original documentation verified by registrars will be recorded as photocopies and forwarded to CNNIC for further review of registration record.  CNNIC will provide monitoring of registration data for accuracy and completeness of Whois data. CNNIC will also employ telephone call back methods to ensure reachable Whois contact information. Any false registration information provided by the registrants will directly result in cancellation of application. 

28.2.1.2.3 Rights and Interests Review

  In the sunrise period, all applications of registration are required to be validated by ICANNʹs Trademark Clearinghouse to examine potential infringement of known trademarks. Only validated trademark owners are allowed to register with priority in the sunrise period. In order to validate the trademark status, the registrant shall provide proof of trademark registration and trademark usage to evidence its trademark rights to the string. Detailed requirement to such proof and validation process will be established upon the implementation of Trademark Clearing House.

  During the first 60 days after launching general availability, CNNIC will continue to review applications to see if the domain names applied for matches any trademark included in the Trademark Clearing House. The applicant who intend to apply for such domain names will be advised that a third party or parties have claimed intellectual property rights over that domain name, they are directed to a notice that refers to intellectual property status of the domain name. The applicant is not prevented from completing the registration. Once the application has been completed, all parties who have their trademarks for that exact domain name included in the Trademark Clearing House are advised by email that a party has registered that domain name. Included in the email will be further information on the UDRP and an explanation of steps to take for further dispute action. 

  In the following process of general operation, in addition, CNNIC shall review and determine whether the domain names applied and the registration information violate the provisions of ʺChina Internet Domain Name Regulationsʺ. CNNIC may carry out verification on the domain name registration information manually. In case of any domain name violating the provisions of Article 27 of the Regulations or with false, inaccurate or incomplete registration information, CNNIC shall inform the registrars of such cases for cancellation.

  In order to fight against phishing websites, CNNIC will also screen⁄score all registrations for ʺunusualʺ domain name registration practices, such as registering hundreds of domains at a time, registering domains which are unusually long or complex, include an obvious series of numbers tied to a random word (baddomain01, baddomain02, baddomain03).

  CNNIC, in coorporation with APAC will also screen⁄score all registrations for patterns known to be associated with phishing (government, bank, secure etc). CNNIC will also review all domain names proposed for registration against known sites that are often the subject of phishing type attacks to ensure ʺ.网络ʺ do not inadvertently aid in the provisioning of illegitimate content in online scams.

28.2.1.3 Measures of Monitoring and Handling Domain Name Abuse 

28.2.1.3.1 Measure for Examining Whois Accuracy 
  
   CNNIC will be continuously committed to enhancing Whois accuracy to ensure enforceability of the determinations regarding domain name abuse by taking the following measures: 
	
	(1)During the reviews, the registrars will make telephone check in order to ensure accuracy and accessibility of contact information provided by registrants.  

	(2)In case of any change to the contact information on points of contact, registrars will be required to provide strong passwords for verification so as to prevent any third party from impairing the accessibility of the Whois information by making changes to such information;

	(3) To further enhance the accuracy of Whois data, CNNIC will conduct further examination on fake or inaccurate information based on the application material submitted by the registrar. CNNIC will also conduct annual reviews on registrars in terms of Whois accuracy level; 

	(4) In case of any identified inaccessible Whois information concerning a domain name registration, the registrar will be advised to get in touch with the point of contact for correction to such false information. If the domain name has involved in any abusive behavior, the domain name shall be suspended by the registrar.

28.2.1.3.2 Measures for Removing Orphan Glue Records

  CNNIC will take actions to remove orphan glue records with the following procedures:

  At the time of registration of domain name or update domain name or host, the host must have IP address in order to prevent Orphan NS records.

  Before deleting a domain name, if the domain name already has a host, the host must be deleted on the first hand. If the host is being used for other domain name as name server, the domain name shall not be deleted unless the name server or the host name is changed. This procedure also applies for the host deletion process in order to prevent orphan A record.

  In the circumstance that the domain name uses the host of other domain in this zone as name server, if the domain name do not use its own host as domain name server at the same time, the NS record cannot be generated.

  However, CNNIC recognizes that there are two circumstances which may result in the existence of orphan glue records:  

	(1) If the domain name has been spotted abusive behavior and thereafter be turned to ʺseverHoldʺ status, all the domains that use such domain nameʹs host as domain name server will be unable to resolve,  hence will generate orphan glue records.

	(2) If the domain name has been turned to clientHold status due to the registrantsʹ cause, all the domains that use such domain nameʹs host as domain name server will be unable to resolve, hence will generate orphan glue records.

  In response to the above occasions, CNNIC has already adopted DNS operation monitoring system which will spot the generated NS record in a timely manner. Once the orphan glue record has been generated, CNNIC will notify the registrar to contact registrants to change NS server and thereafter remove the orphan glue record in the zone file.  

28.2.1.3.3 Limit of Fast-Flux Domains

  In addition, CNNIC recognizes that fast‐Flux domains, as domains for which either the base IP address (A record) or nameserver address (NS record), or both (known as double‐flux), are changed numeroustimes during the day, are now increasingly being used by criminal phishing, spam, and botnet gangs to ensure the resiliency of their sites and make it increasingly difficult for takedown authorities to remove or restrict access to illegitimate sites. This problem can be addressed partially by preventing or making it much more difficult to frequently change the NS record of a domain registration. There is very little, if any, legitimate need to change the NS record for a domain more than few times a month and any such action should trigger immediate red flags and possible investigation of the domain for illegal activity. 

  CNNIC will limit the ability of registrants to repeatedly change their name servers via a programmatic interface to reduce or eliminate automated name server hopping. With domains that change name servers more than twice a week (except by agreement), scrutiny and even the suspension of the domain will be conducted until a suitable explanation is provided by the registrant.

28.2.2 Measures for Protecting the Domain Name User Information throughout Lifecycle

  In view of the lifecycle of ʺ.网络ʺ domain name user information, there are four steps to be considered in the formulation of protection measures: information submission from the user to the domain name registrar, custody and use of the information by the domain name registrar, information transmission from the domain name registrar to the domain name registry, and custody and use of the information by the registry.

28.2.2.1 Information Submission from the User to the Registrar

28.2.2.1.1 Obtaining Consent to the Personal Data Processing 

    CNNIC will notify each ICANN-accredited registrar that is a party to the registry-registrar agreement for the TLD of the purposes for which data about any identified or identifiable natural person (ʺPersonal Dataʺ) submitted to CNNIC by such registrar is collected and used, and require such registrar to obtain the consent of each registrant in the TLD for such collection and use of personal data. 

  Registrar shall agree that it will not process the Personal Data collected from the Registered Name Holder in a way incompatible with the purposes and other limitations about which it has provided notice to the registered name holder in accordance with the RRA.

  Registrars shall send a notice to each holder of newly registered domain names or that of renewed domain names stating:

	*The purposes for which any Personal Data collected from the applicant are intended;

	*The intended recipients or categories of recipients of the data (including CNNIC and others who will receive the data from Registry Operator);

	* Which data are obligatory and which data, if any, are voluntary; 

	*How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them. 

 
28.2.2.1.2 Data Access Control for Security

  Registrars shall conduct vulnerability scanning at the system on a regular basis with respect to the online system through which users submit information to detect security vulnerabilities timely and conduct reinforcement; system account⁄password shall be kept with encryption.

28.2.2.1.3 Non-online Data Processing

  As to domain name registration materials submitted by means of email, fax or post, domain name registrars shall designate special staffs to receive and handle. Electronic data shall be deleted timely after being transferred to magnetic tape⁄CD⁄portable hard drive for offline storage.

28.2.2.2 Custody and Use of Information by Domain Name Registrars

  Registrar shall agree that it will take reasonable precautions to protect Personal Data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. Specifically, domain name registrars shall take the following measures to reinforce protection of usersʹ information:

28.2.2.2.1 Secure Storage of Personal Data

	(1) Backstage business operation system and front-end service system (Whois system, online submission system, and etc.) shall not share the same server and storage system; 

	(2) Access control shall be conducted with respect to the backstage business system and front-end public service system.

	(3) User information under protection (including certificate of incorporation, personal certificates, telephones, family address, etc.) shall be encrypted before being written into the database. Sensitive information may not be read directly from the database.

	(4) Identity verification materials which are in picture format shall be encrypted before being stored online or, if stored offline, be transferred to such media as magnetic tape⁄CD⁄portable hard drive for proper storage. 
	(5)Materials may be stored in the online system for up to 90 days.

28.2.2.2.2 Control of Information Access

	(1) Encrypted domain name user information shall be made available for search and use only after being decrypted with special application systems.

	(2) Access to domain name user information by application systems shall be controlled by allowing access only by special personnel or system. A combination of such access control functions as IP restriction, username⁄password, and etc. will be used.

28.2.2.2.3 Proper Storage of Offline Data

	(1) Paper materials and electronic media shall be kept by special personnel and stored with lock in normal times, and access password shall be set in regard to data stored in electronic media.

	(2) Reviews shall be conducted with respect to the use of paper materials and electronic media, and records shall be made in respect thereof, including the object to be use, time of use, purpose，signature of the custodian and the user.

28.2.2.2.4 Data Removal

  In the absence of extenuating circumstances, any personal data must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement. Extenuating circumstances are defined as:

	(1) UDRP action

	(2) valid court order

	(3) failure of a Registrarʹs renewal process (which does not include failure of a registrant to respond)

	(4) the domain name is used by a name server that provides DNS service to third-parties (additional time may be required to migrate the records managed by the name server)

	(5) the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid)

	(6) billing dispute (where a registrant disputes the amount on a bill)

	(7) domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN.

28.2.2.3 Information Transmission from the Domain Name Registrar to the Domain Name Registry

  CNNIC is responsible for the security of the transmission of information from the registrar to itself.

28.2.2.3.1 Network Transmission Encryption

  Specific measures may include: HTTPS encryption for WEB services, SSL encryption for EPP registration services, and FTPS or SFTP encryption for FTP services.

28.2.2.3.2 System Reinforcement and Access Control

  To detect security vulnerabilities timely, CNNIC will conduct vulnerability scanning at the system level on a regular basis with respect to the online system through which registrar submit information. System account⁄password will be kept with encryption. 

28.2.2.3.3 Non-online Data Receiving and Handling
   
  As to domain name registration materials submitted by means of email, fax or post, domain name registrars shall designate special staffs to receive and handle. Electronic data shall be deleted timely after being transferred to magnetic tape⁄CD⁄portable hard drive for offline storage.

28.2.2.4 Custody and Use of Information by Domain Name Registry

  CNNIC will take reasonable steps to protect Personal Data collected from loss, misuse, unauthorized disclosure, alteration or destruction. CNNIC will not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars in the RAA. CNNIC, upon receiving domain name user information, take measures to reinforce protection of usersʹ information.

28.2.2.4.1 Secure Storage of Personal Data

	(1) Backstage business operation system and front-end service system (Whois system, online submission system, and etc.) shall not share the same server and storage system; 

	(2) User information under protection (including personal certificates, telephones, family address, etc.) shall be encrypted before being written into the database. Sensitive information may not be read directly from the database.

	(3) backstage storage system shall be separated physically from and may not share the same server with the front-end user information transmission system.

	(4) Access control shall be conducted with respect to the storage system via software or hardware firewall.

28.2.2.4.2 Control of Information Access

	(1) Encrypted domain name user information shall be made available for search and use only after being decrypted with special application systems.

	(2) Access to domain name user information by application systems shall be controlled by allowing access only by special personnel or system. A combination of such access control functions as IP restriction, username⁄password, and etc. will be used.

28.2.2.4.3 Proper Storage of Offline Personal Data

	(1) Paper materials and electronic media shall be kept by special personnel and stored with lock in normal times, and access password shall be set in regard to data stored in electronic media.

	(2) Reviews shall be conducted with respect to the use of paper materials and electronic media, and records shall be made in respect thereof, including the object to be use, time of use, purpose，signature of the custodian and the user.

28.2.2.4.4 Data Removal

  In the absence of extenuating circumstances, any personal data must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement. Extenuating circumstances are defined as:

	(1) UDRP action

	(2) valid court order

	(3) failure of a Registrarʹs renewal process (which does not include failure of a registrant to respond) 

	(4) the domain name is used by a name server that provides DNS service to third-parties (additional time may be required to migrate the records managed by the name server)

	(5) the registrant is subject to bankruptcy proceedings, payment dispute (where a registrant claims to have paid for a renewal, or a discrepancy in the amount paid)

	(6) billing dispute (where a registrant disputes the amount on a bill)

	(7) domain name subject to litigation in a court of competent jurisdiction, or other circumstance as approved specifically by ICANN.

28.2.3 Comprehensive Contact Point for Filing Complaints 

28.2.3.1 Contact Channel

  For the purpose of receiving reports on domain name abuse, CNNIC has published at the homepage of its official website (www.cnnic.cn) the following contact information for abuse complaints:

	*Complaints Hotline: +86-10-58813000

	*Email: supervise@cnnic.cn
	
	*Fax: +86-10-58812666
	
	*SMS: 12302 (applicable to complaints filed within China mainland)
	
	*Online complaint form available at: jubao.cnnic.cn

  The contact point is accessible 24 hours a day, 7 days a week, the channels listed above accept abuse complaints of all kinds and guarantee replies within five working days. Complainants should describe the domain names they are complaining about, the abusive behaviors and the consequences, and provide their contact information including phone numbers, email addresses, etc. so that the results of complaint handling by CNNIC can be received in time.

28.2.3.2 Measures for Abuse Complaints Handling

28.2.3.2.1 Identification of Abusive Behaviors

  A dedicated review team of domain name abuse will be employed by CNNIC to verify the domain name abuse complaint. CNNIC will remain updated on the policies concerning domain name abuse made by ICANNʹs Registration Abuse Policies Working Group (RAPWG), and thereby identify different kinds of abusive behaviors and inform related domain name holders of the results of such identification.

28.2.3.2.2 Approaches to Abuse Complaints Handling
  
  Approaches to abuse complaints handling include general procedures and rapid suspension procedures:

	(1) The general procedures are applicable mainly to those abusive behaviors where the persistent existence of domain names will not lead to further losses of Internet users, such as domain name registration abuse. The specific enforcement procedures are as follows:

	*Once an abuse compliant is received, CNNIC will forthwith change the EPP status of the domain name concerned to ʺserverTransferProhibitedʺ, and inform the holder of the domain name concerned. The abuse examiner will verify related abusive behaviors within 5 working days;

	*In the case of cyber-squatting complaint where the Uniform Domain-Name Dispute-Resolution Policy (UDRP) is applicable, the complainant will be advised to submit the dispute to the domain name dispute resolution provider or court for resolution. The domain name registrar is required to lock the domain name from further transfer or update once the dispute has been confirmed by dispute resolution provider. Thereafter, upon receipt of the domain name dispute resolution decision or law enforcement request, relevant registrar to proceed further domain name unlock, transfer or domain name suspension within 3 working days.

 	*In the case of complaint on registrarʹs violation of RRA or CNNICʹs misconduct, CNNIC will verify the complaint within 5 working days and notify the relevant registrar or personnel to make correction of their illicit behavior or terminate the agreement if applicable; 
	
	(2)The rapid suspension procedures are applicable to abusive behaviors regarding the use of domain names such as phishing or spreading of illegal contents, which may cause further losses to internet users. This procedure will most likely be the result of a complaint filed via APAC  or 12321 center. The specific enforcement procedures are as follows:

	*Once an abuse compliant is received, the relevant registrar will be required to directly lock the domain to prevent further transfer and update, while a dedicated group is assigned to communicate with relevant complaint to authenticate the complaint manually within 1-3 hours.

	*After verification, the relevant registrar will be required to directly suspend the domain name in the SRS system and the EPP status will be changed into ʺserverHoldʺ, so that the domain name will not be able to resolve or be transferred until it is ʺrestoredʺ. The domain name holder and theregistrar concerned will be informed at the same time to make corrections. After the registrant has stopped the abusive behavior and made adequate correction, which need to be confirmed by the registry, the registrar will restore the domain name to the status before suspension.

	*Once the complaint is determined to be tenable and no further appeal or correction confirmed by the registry within 60 days, the registry will take down the domain name and delete the registration record, which means the domain name comes to general availability.

	*CNNIC will insure that glue records using an invalid domain are removed when that domain is found to be invalid, even if those glue records are in use in conjunction with other domains.

	*The registrar concerned shall inform the domain name holder for three times as it has been locked, suspended, and canceled.

28.2.3.2.3 Support Escalation 

  CNNIC will operate with an escalation device. Normally support calls or other forms of communication shall start with the lowest level of support, and be escalated should the first level of support be insufficient. In cases where higher levels of support are immediately apparent (all levels of support staff will be trained in identifying these) the escalation chain may be jumped. Also, should the time limit expire with no notice, the support level may be escalated. The escalation levels and response requirements are as follows: 

	Level 1：Entry level support, basic complaints of operations or inquiries of registrar information, provided on an immediate 24⁄7 level. 

	Level 2:  Technical based question, usually unique to the registrar, that may require support from a registry systems operator or engineer. 

	Level 3: Systems outage involving non-critical operations to the registry affecting one or more registrars only, but not the entire system. 

	Level 4:  Catastrophic outage, or disaster recovery involving critical operations to the registry overall. 
   
  All customer service should use to the fullest customer management resource (CMR) systems, computer telephony integration (CTI) and databases to retain a reliable record of registry performance. While institution of such systems may be gradual, the goal should be to provide as much as possible automated systems in order to increase efficiencies and scale of operations.

28.2.4 Measures for Cooperation on Abuse Prevention

    CNNIC will establish information sharing mechanism jointly with the Anti-Phishing Alliance of China (APAC), the Anti-Phishing Working Group (APWG), the National Computer Network Emergency Response Technical Team ⁄ Coordination Center of China (CNCERT⁄CC) and the 12321 Internet Spam Information Reporting and Resolution Center, CNNIC will be committed to share information of domain name abuse prevention and mitigation with those industry partners. Data to consider sharing include:

	(1) IPs associated with fraudulent domain registrations with respectable blacklists;

	(2) Full fraud reports with industry and law enforcement;

	(3) Best practices regarding accepting and managing domain registrations.

28.2.4.1 Cooperation with APAC
  
  CNNIC is an initiator and key member of the APAC, and the place where the Secretariat and the Secretary General of APAC are located CNNIC has published at the homepage of its official website the complaint channels provided by APAC.
 
28.2.4.1.1 Reports on phishing websites may be submitted to APAC through the following channels:

	(1)Email: jubao@apac.cn
	
	(2)Telephone: 010-58813000

28.2.4.1.2 The coorporation between CNNIC and APAC with regard to phishing websites will be carried out under the following procedures:

	(1)Upon receiving complaints on phishing websites involving APAC members, the Secretariat of APAC will submit the complaints to third party technology authentication institutions for webpage analysis; the Secretariat should make determinations within one working day; in case of any difficulties or complicated circumstances, the Secretariat will ask for advices from the expertsʹ committee before making determinations; 

	(2)If any phishing website is identified, a notice will be sent to the registrar by mail. The registrar should suspend the domain name resolution within two hours upon receipt of the notice, and resolve the name to the information page of the phishing website.

	(3)If the registrar fails to suspend the domain name resolution within two hours, CNNIC, as a registry, will suspend the resolution directly and resolve the domain name to the information page of the phishing website.

	(4)Any opposition held by the registrant may be filed with the Secretariat of APAC;

	(5)The Secretariat of APAC will inform its members and the complainant concerned of the results of such procedures. 

28.2.4.1.3 Cross Reference of Phishing Websites URLs

  The APAC can provide a daily feed to the registry listing all of the phishing URLs identified by the APAC community for cross reference. CNNIC would check against this information at DNS set-up or modification time; and meanwhile, conduct periodic scanning for suspicious phishing websites.

28.2.4.2 Cooperation With Anti-phishing Working Group (APWG)

  The APWG can also provide a daily feed to the registry listing all of the phishing URLs identified by the APWG community for cross reference. CNNIC would check against this information at DNS set-up or modification time; and meanwhile, conduct periodic scanning for suspicious phishing websites.

  Specifically, CNNIC shall:

	(1) assist APWG in carrying out online phishing investigation and publish in a timely manner the trend of the distribution of phishing websites in our country;

	(2) regularly follow up the reports published by APWG on phishing websites and establish a contact interface for receiving phishing URLs updates submitted by APWG;

	(3) verify within one working day upon receipt of any complaint of the phishing domain in light of request by APWG, notify the registrar to handle the complaint, and after verification, resolve the domain name to the IP address which contains the notice of the phishing website.

28.2.4.3 Cooperation with National Computer Network Emergency Response Technical Team⁄Coordination Center of China (CNCERT⁄CC)

  CNNIC will cooperate with CNCERT⁄CC in dealing with network virus transmission and system attack via domain names. CNCERT⁄CC, an emergency response team responsible for coordinating security events of computer networks in China, provides the national public internet, major national network information systems and key departments with such services as security monitoring for computer networks, early warning, emergency response and precaution as well as technical support and collect, verify, gather and publish in a timely manner authoritative information on internet security. It has currently become an official member of the international authoritative organization, Forum of Incident Response and Security Teams (FIRST).

  The interaction between CNNIC and CNCERT is mainly reflected in the following aspects:
	
	(1)CNNIC will follow up on a regular basis vulnerabilities and early warnings on virus related to the DNS system published by CNCERT, and CNCERT will provide assistance in inspecting whether any ʺ.网络ʺ domain name is involved in virus transmission;
	
	(2)CNNIC will timely deal with vulnerabilities in the domain name system in view of opinions of CNCERT on handling abuse events, and establish service levels against network attacks;
	
	(3)CNNIC will assist CNCERT in carrying out research on unexpected network events and gathering statistics on and monitoring the trend of distribution of botnet and malware in our country.

28.2.4.4 Cooperation with the 12321 Internet Spam Information Reporting and Resolution Center

  12321 Internet Spam Information Reporting and Resolution Center (hereinafter referred to as the ʺ12321 Centerʺ), a complaint acceptance agency established by the Internet Society of China under the entrustment of the Ministry of Industry and Information Technology (formerly known as the Ministry of Information Industry) ,is responsible for assisting the Ministry of Industry and Information Technology in undertaking such work as complaint acceptance, investigation, analysis and imposition of punishment with regard to illicit information (including unsolicited information sent to end users) transmitted via information communication networks as the internet, mobile phone network, telephone network or other telecommunication services.
 
  CNNICʹs cooperation with the 12321 Center is mainly reflected in the following aspects:

	(1)receive complaint on domain names which contain illicit information reported by the 12321 Center,, timely search the Whois for the registration contact persons of the domain names which involve such information for further law enforcement;

	(2) notify relevant registrars in rapidly suspending illicit information spreading domain against which complaints are filed;

	(3) provide assistance for gathering statistics on and track the result of illicit information handling;


28.3 Resource Planning

28.3.1 Staffing 

  With proven capabilities for scaling its staff to meet the needs at peak level demands for complaint handling and customer service, CNNIC will benefit from its current staffʹs expertise to support the execution of domain name abuse prevention. Meanwhile, CNNIC also benefits from its unique position in close relation with the China Academy of Science in terms of talent recruiting. Many staff came directly from this top education institution in China with long term determination to contribute.

28.3.1.1 Initial Staffing

  We expect that the above measures of domain name abuse mitigation for the new gTLD will be executed sharing the same staff with existing TLDs ʺ.cnʺ and ʺ.中国ʺ and prospective new gTLD ʺ.公司ʺ which CNNIC has applied for. In order to provide higher standard services with lower rate of domain name abuse, other than its current staff, CNNIC will also recruit additional staff in the start-up period for the first 3 years operation for maintaining the functionality described above.

28.3.1.1.1 Management Positions (Please see attached document Q28_attachment_CV) of key managerial personnel for reference) 

	(1)CNNIC assigns its Director of Business Operation responsible for ensuring high-quality domain name application review, customer support and complaint handling for registrars and end-users and for refining and developing additional policy in conjunction with ICANN. CNNIC expects this role to be critical during the Sunrise and Land Rush Period, during which time domain name registrations rises significantly. 

	(2)CNNIC will also assign its experienced legal manager to handle with any registry misconduct lawsuit and Intellectual property dispute, and to serve as an ombudsman, assisting registrants and registrars in dispute resolutions related to ʺ.网络ʺ and respond to Registry Restriction Dispute according to Registry Restriction Dispute Resolution Procedure..

	(3)CNNIC will guarantee the neutrality for all the TLDʹs under CNNICʹs management. By assign different product manager for different TLD, who will keep checking the overall service performance of each TLD by means of registrar or registrants survey, a balance between different TLDsʹ services and higher resource efficiency will be achieved.

28.3.1.1.2 Customer Support Staff

 CNNIC has set up a customer support centre providing 7×24 hoursʹ service to handle inquires and complaints from registrants. Upon ICANNʹs delegation of ʺ.网络ʺ and ʺ.公司ʺ, volume of end-userʹs inquiries and complaints are expected to rise accordingly and more staff members will be hired to enhance the service capacities. Based on the original staffing basis of 31 employees, 5 additional employees will be recruited to support the new operation. The staff members are divided into the 3 subgroups:

	 *Registrant Service group providing telephone inquiries and complaints handling services;
	
	 *Registrant Caring group responsible for registrant visiting and renewal reminding;
	
	*Service Supporting group performing back-office support and performance supervision for the customer support centre. 

28.3.1.1.3 Registrar Supporting Staff

  The Registrar Supporting Group provides 7×24 hoursʹ telephone or on-site support to the registrars. This support will be dedicated primarily to operational registrars along with respond to inquiries from potential registrars. Overall, the registrar supporting group shall attempt to provide round the clock, real time professional support ranging from basic inquiries to high level operations critical technical support. Registrar contractual compliance review and performance evaluation shall be supported also by this group periodically. Registrars shall receive equal levels of support regardless of their location of operations. Based on our current staffing as 9 employees, we expect that 1 more staff members will be hired to improve our service offerings of the new gTLD.  

28.3.1.1.4 Review and Monitoring Staff

  CNNIC currently has 20 members to review of domain names applications and monitor the Whois accuracy on 5×8 hoursʹ basis.  As all required staff members are expected to be on duty starting from the start-up period, additional recruitment must meet the needs of the peak registration season. 1 more staff responsible for supervision of review work and monitoring of registration status should be hired to support the new gTLD forming a team with 21 persons.

28.3.1.1.5 Outreach Cooperation Liaison Team 

  CNNIC has already established long term cooperation mechanism to cooperate with the Anti-phishing Alliance of China, the International Anti-phishing Working Group and the 12321 Network Negative Information Complaint Center. 2 members have been assigned as regular contacts for the above functions, and they will also further take charge of liaison with Trademark Clearing House and Uniform Rapid Suspension System Provider as well as other assigned body designated by ICANN. Therefore, we see no needs for further staffing expansion.

28.3.1.1.6 Security Specialist 

  In order to monitor and handling of the domain name abuse caused by system vulnerability or human errors, CNNIC will assigned technical personnel to serve the as security specialist in order to actively monitor and prevent domain name abuse. The security specialist will operate with an escalation device supporting customer complaint. Specifically, their tasks include monitoring generated orphan glue record or phishing websites and communicate with relevant registrar for further solutions. As discussed in Question 31, CNNIC have already allocated 6 persons to serve this function, including 2 additional staff already recruited for the expanded operation of the new gTLDs.

28.3.1.2 Staffing on Ongoing Basis

   CNNIC has been structured to operate with an initial human capital investment to staff and manage the infrastructure required for sustaining the domain name abuse policies during the first 3 years of operations. The current staffing model also allows for back-up staffing, which provides a better overall understanding of our systems security. CNNIC foresees little expansion required for domain name abuse prevention and mitigation. However, CNNIC will expand its staff if necessary on ongoing basis. Staffing allocations may also need to be adjusted as demand for our services increases. Adjustments could include overall staff size or refinements to required technical skills. Cross-training will be used in all positions to promote job interest. Specific factors which could affect staffing levels include:

	(1)Increase in the number of registrars;

	(2)Higher than anticipated domain name registration or transfer request;

	(3)Higher than anticipated complaint volume;

	(4)Higher than anticipated domain name dispute;

	(5)Increase in the complexity of our services;

  Additional staff requirements will be met through a rigorous recruitment process following the requirement of employment. To meet registration demand and the cumulative growth of new registrars, CNNIC may hire an additional 5 staff personnel for the functionalities described above in the fourth and fifth years of ʺ.网络ʺ operations, as necessary.

28.3.1.3 Requirements for Employee

  CNNIC is structured to meet the needs of its customers: registrars, registrants, the Internet community at large, and ICANN. CNNIC staff will meet or exceed the stated requirements in skills, competence, and experience. The staff will be augmented during the initial 3 years and thereafter, as necessary, by subject-matter experts. Our requirements for employee are as following:

	(1) All key management and technical positions will be staffed with employees who have demonstrated their successful previous experiences.

	(2) Our customer service and complaint handling staff will embody the customer sensitivity and efficiency, which is essential to achieve positive client reception to the registry services.

	(3) Standard background investigations will be applied to all permanent and temporary positions. We will verify employment history and check references with prior employers, perform credit and criminal checks, and explore any employment gaps.

	(4) Staff members will be required to sign non-disclosure agreements to protect proprietary information for CNNIC and its clients.

28.3.2 Equipment Planning

28.3.2.1 Major Systems

  CNNIC has provided software and hardware for the domain name application review, customer self-service, customer support and abuse monitoring, including the following:

28.3.2.1.1 Electronic Registrant Review System;

  This system will collect the application information transmitted to CNNIC by registrars and display the information in a user friendly format for CNNIC staff to review the application. Once the review process has finished the system has also connect with shared registration system for further process of domain name registration status.

28.3.2.1.2 Customer Self-Service System
	
CNNIC will set up a multiple language system customer self-service system on our official website. This webpage will contain the following functions: 
	
	* Web-based searchable Whois.
	
	* Registrar information and contact;
	
	* ʺ.网络ʺ Registration Policy Tutorial;
	
	* Complaint and dispute challenge filing tutorial;
	
	* Web-based complaint channel
	
	* ʺ.网络ʺ related Frequent asked questions(FAQs)
 
28.3.2.1.3 Customer Support System

  CNNIC has provided an interface on its website that allows a user to determine the appropriate customer support contact information based on the domain name. Access to our customer support will be through telephone, email and web based interface. CNNIC has integrated Consumer Relationship Management (CRM), accounts, trouble ticketing, document tracking, into its customer support system infrastructure. Computer telephony integration (CTI) and databases is also used to retain a reliable record of registry performance.

28.3.2.1.4 System Monitoring and Database Management Systems 

  The system monitoring applications developed by CNNIC create a detailed error alert if the application encounters a situation of domain name abuse such as that orphan glue record has been generated or suspected phishing website is spotted with confusingly similar domain string to specific renowned websites, etc. These application alerts are automatically sent to the security team, which generates an alert to the Operations staff 24⁄7.

28.3.2.2 Work Space and Administrative Resources

  CNNICʹs current work site is currently equipped to accommodate all required personnel listed above. Every staff has been equipped with at least one desktop computer. All software required for working are pre-installed in their computers. The internet connection and telephone connection is also provided to every working staff by our office assistance team. 

  The current infrastructure will be sustainable for the projected 3 years of initial operation of ʺ.网络ʺ. CNNIC will undertake to update the software and hardware in time for ongoing basis, if necessary.

28.3.3 Funding

  CNNIC is planning to invest enough funding to ensure the implementation of the policies and measures on domain name abuse. The funding will support our customer service and technical security maintenance and other administrative function such as website design and equipment update. Please see question 47 for detailed amount of funding for each section.

29 Rights Protection Mechanisms

  For the purpose of protecting the rights and interests of Internet users and registrants to the greatest extent possible, CNNIC has formulated series of policies on domain name reservation, registration eligibility restriction, domain name dispute resolution, rights infringement complaints infringement handling. CNNIC has also planned rights protection mechanism including a sunrise period, trademark claim services, registration review and verification, URS complaint handling and rights infringement complaint channel to safeguard the intellectual property rights and other civil rights. CNNIC has made plans in terms of manpower, equipment and fund allocation for the implementation on both startup and ongoing basis.

29.1 Rights Protection Policies

29.1.1 Scope of Rights for Protection

  Based on the Rights Protection Mechanism (RPM) Proposed by ICANN GNSO and in view of the interests of the ʺ.网络ʺ community, policies on the ʺ.网络ʺ top level domain name are formulated mainly for the protection of two categories of rights that may be involved in domain name registration and the scope thereof, specifically:

29.1.1.1 Intellectual Property Rights

  CNNIC will comply with all international trademark and cybersquatting laws that apply to the operation of a domain name registry. To protect intellectual property rights involved domain names, CNNIC has stipulated in contractual conditions to restrict the registration and use of the second or the third domain of ʺ.网络ʺ in the following circumstance: 

	(1) The disputed domain name is identical with or confusingly similar to the name or mark in which other one has civil rights or interests, and

	(2) The disputed domain name holder has no right or legitimate interest in respect of the domain name or major part of the domain name, and

	(3) The disputed domain name holder has registered or has been using the domain name in bad faith.

	Note: 
	(1)Any of the following circumstances may be the use of a domain name in bad faith:

	*The purpose for registering or acquiring the domain name is to sell, rent or otherwise transfer the domain name registration to the party who is the owner of the name or mark or to a competitor of that trademark owner, and to obtain unjustified benefits; 

	* The disputed domain name holder, on many occasions, registers domain names in order to prevent owners of the names or marks from reflecting the names or the marks in corresponding domain names; 

	* The disputed domain name holder has registered or acquired the domain name for the purpose of damaging the Complainantʹs reputation, disrupting the trademark holderʹs normal business or creating confusion with the trademark holderʹs name or mark so as to mislead the public; 

	* Other circumstances which may prove the bad faith.

	(2)The person against whom the complaint is filed in any of the following circumstances before his⁄her receipt of the complaint delivered by the dispute resolution provider shall be deemed to enjoy legitimate rights and interests in the domain name:
	
	*has used the domain name or any name corresponding thereto during the provision of commodities or services;
	
	*has not obtained the trademark, but the domain name he⁄she holds has been in existence for over two years and obtained a certain degree of reputation;

	*has been using the domain name reasonably or legitimately and non-commercially without the intention to mislead the consumers for commercial profits.

29.1.1.2 Other Rights

  Except for the articles provided in preceding paragraphs, in order to maintain the interests of the nation and the civil society, CNNIC will take necessary measures to protect certain words in the following circumstances:	

	(1)Country geographic names shall not be registered by any parties without obtaining consent or non-objection of the local authorities which the geographical name points;
	
	(2)The names of products and services subject to relevant provisions of the State on obtaining license shall not be registered by individuals or enterprises without the license;
	
	(3)The names of well-recognized government and international organizations shall not be used by any organizations and individuals other than those to which such names point;
	
	(4)Domain names shall not disseminate contents that violate public order, such as pornography, violence and terrorism; 
   
	(5)Open access to registrant information shall be maintained to the extent compatible with applicable privacy laws and the CNNIC policy of treating all registrants equitably.

  CNNIC will also encourage the community to bring to its attention other reasonable safeguards, if any, that may be appropriate to employ in this area. Additionally, CNNIC will adopt any policies promulgated by ICANN with respect to rights protection.

29.1.2 Implementation Plan for Different Categories of Rights Infringement

  Please refer to table 1 in attachment Q29_attachment_table.

29.1.3 Detailed Description of Rights Protection Policies

29.1.3.1 Registration Requirement

  Registrar will conduct authentication of registrants identity (please refer to Question 28 for details) and registration eligibility check. If a registered domain name involves any of the following requirements, the original domain name registrar shall cancel the registration and notify the domain name holder in written form:

	(1) In case the domain name holder or his⁄her deputy applies for the cancellation of the domain name registration;
 
	(2) In case the registration information submitted by the domain name holder is unauthentic, inaccurate or incomplete;
   
	(3) In case the domain name holder fails to pay the corresponding fees in accordance with the provisions;
   
	(4) In case the domain name shall be written off in accordance with the judgment by the peopleʹs court, arbitration institution or the domain name dispute resolution institution; or
   
	(5) In case the domain name is in violation of the provisions and the relevant laws and regulations.

29.1.3.2 Policies on Prohibited Strings


  In addition, according to ʺChina Internet Domain Name Regulationsʺ (please refer to  http:⁄⁄www1.cnnic.cn⁄html⁄Dir⁄2005⁄03⁄24⁄2861.htm). CNNIC does not allow the registration and use of domain names for malicious purpose. Please refer to Question 28 for detailed description.

29.1.3.3 Reserved Name 

  CNNIC will initially reserve certain types of strings for registration by specific right holders only to protect the rights of the users. Please refer to Question 28 for detailed description.

  Except for the names provided in preceding paragraphs, CNNIC and the registrars shall not reserve domain names or do so in disguised form. During the process of domain name registration, the registry and registrars shall not represent any actual or potential domain name holder.

29.1.3.4 Domain Name Dispute Resolution Policy

   In order to ensure the fairness, convenience and promptness of a domain name dispute resolution procedure, the ʺ.网络ʺ domain name dispute policy are formulated in accordance with Uniform Domain Name Dispute Policy (UDRP), which is incorporated by reference and made a part of the registration agreement, and binding to the holders of the domain names. 
However, the decision the decisions based on of the facts related to the dispute will be carried out by dispute resolution provider approved by ICANN. CNNIC and domain name registrars shall not participate in the domain name resolution proceedings in any capacity or manner other than providing the information relevant to the registration and use of the domain name upon the request of the Dispute Resolution Service Providers.

  During the period of domain name dispute resolution and within 10 days upon the issuance of the determination, the domain name holder may not apply for transfer or registration information update of the domain name in dispute, except where the transferee agrees in writing to be bound by the determination on dispute resolution.

  CNNIC provides in its agreement with registrars that each registrar shall handle the domain name in accordance with the result of the decision on the dispute: where the complainant wins, carry out the remedies which the complainant has chosen for dispute resolution including domain name suspension or further transfer if necessary; where the person against whom the complaint is filed wins, the status of the domain name shall be unlocked.

29.1.3.5 Policies on Complaints for Rights Infringement

29.1.3.5.1 Complaint Acceptance

  CNNIC is responsible for the acceptance and investigation of complaints and make records of the complainantsʹ information. Assessment shall be conducted by anti-abuse complaint handling personnel pursuant to relevant measurement criteria(please refer to), and if necessary, a special investigation team shall be formed to conduct research, analysis and judgment. Feedback shall be provided for the complainants in time upon the completion of assessment.

29.1.3.5.2 Response to and Handling of Complaints

	(1)Handling of complaints shall be made within 5 business days upon acceptance of complaint from each channel. Afterwards， the result of handling complaints will be forwarded, via telephone call or email, to the complainant, the person against whom the complaint is filed and other parties involved.

	(2) Where  CNNIC is found upon investigation of complaints to have committed violations of laws, or fail to effectively respond to complaint filed according to Trademark Post-Delegation Dispute Resolution Procedure (PDDRP) or Registry Restriction Dispute Resolution Procedure (RRDRP), it shall be ordered to take remedies according to relevant provisions of ICANN .

	(3)Where any registrar is found upon investigation of complaints to have committed violations of laws or Registry-Registrar Agreement terms, it shall be ordered to make corrections and make relevant compensations. In the case of severe breach of RRA without any correction upon notification, CNNIC is entitled to cancel the agreement and conduct further registrar transition afterwards. 
	
	(4) Where any registrant is found upon investigation of complaints to have committed violations of relevant regulations, the registrant shall be ordered to make corrections. In the case of such domain name abuse as phishing and dissemination of illegal information, the existence of which will continue to cause greater losses to the users，the domain name shall be suspend within 2 hours after verification of the misconduct. 
	
	(5) Where the complaint involves domain name dispute, the complainant shall be told to resort to domain name dispute resolution provider or the court based on Uniform Domain Name Dispute Resolution Policy (UDRP) or relevant judicial procedures, then the registrar will be asked to lock the domain to prevent transfer or update till the dispute being resolved. CNNIC will further notify the registrar to unlock domain name or make transfer based on the dispute resolution decision. 
	
	(6) Where any information provided by the complainant is found to be inaccurate or there is no evidence to prove domain name abuse, CNNIC will reject the complaint and give corresponding explanations, and the complainant may, if not satisfied, provide further evidence to file an appeal.


29.2 Rights Protection Measures

29.2.1 Sunrise Period Registration for Trademark Holders

  CNNIC will, in the pre-launch phase of registration, provide Sunrise Period registration service to ensure full protection for the rights of the trademark holders. Prior to the top level domain general availability for registration, a 30-day pre-registration period is set only allowing trademark holders for domain name registrations. 

  Early applications for domains are recommended, as Sunrise applications will be processed and awarded by the registry on a first-come first-served basis. Registrant will be asked to provide additional information about their trademark.  The Trademark Clearinghouse provider designated by ICANN will take charge of validating and authenticating trademark information with respect to each domain names registration in the sunrise period. 

  In addition, CNNIC will provide notice for all trademark holders in the Clearinghouse if someone else is seeking a sunrise registration. CNNIC will, upon designation of the Trademark Clearinghouse Service Provider by ICANN, immediately set up a database connection to obtain information required for the provision of sunrise registration services.

29.2.1.1 Schedule for Sunrise Period

  The schedule for the Sunrise Period will be as follows:

  At least 6 months prior to the proposed gTLD being opened to the general public, CNNIC, in coordination with the intellectual property community, will make a general public announcement with the estimated date that it will open the proposed gTLD to the general Internet community. 

  Although registrars and others may begin accepting pre-registrations long before the beginning of the Sunrise Period, CNNIC will not begin to collect and process Sunrise Period requests until at least thirty days after the announcement. Once it begins processing these requests, CNNIC will continue to do so for a period of 30 days. 

29.2.1.2 Sunrise Eligibility Requirement

  CNNIC will provide Sunrise service in accordance with the Sunrise eligibility requirement and incorporate a Sunrise Dispute Resolution Policy.
  
  The detailed eligibility requirements include:

	(1) Ownership of a word mark: 
	*nationally or regionally registered and for which proof of use was submitted to and validated by Trademark Clearing house; or

	*that have been court validated; or

	*that are specifically protected by a statute or treaty currently in effect and that was in effect before 26 June 2008.

	(2)Representation that all provided information is true and correct

	(3) Provision of data sufficient to document rights in this trademark, including the registration number and the country of registration for the mark as part of a Sunrise registration request.  

	(4)Other requirement in accordance with current and future China domain name registration regulation. (Please see 29.1.3.1 for reference)

29.2.1.3 Sunrise Dispute Resolution Policy

  CNNIC allows challenges of sunrise registration based on the following four grounds:

	(1)at the time the challenged domain name was registered, the registrant did not hold a trademark registration of national effect (or original effect) or the trademark had not been court validated or protected by statute or treaty;

	(2)The domain name is not identical to the mark on which the registrant based its Sunrise registration;

	(3) The registrant did not hold a trademark registration of national effect (or original effect) or the trademark had not been court validated or protected by statute or treaty;

	(4)The trademark registration on which the registrant based its Sunrise registration did not issue on or before the effective date of the Registry Agreement and was not applied for on or before ICANN announce the application received;

  For registration contention of the same name between two legitimate trademark holders, the CNNIC will adopt a first-come-first-served method to address the contention during sunrise period.  If any challenge is raised thereby, resolve domain name disputes in accordance with the Sunrise Dispute Resolution Policy (SDRP) under such principles and resort to relative dispute resolution provider or the court. CNNIC will process further domain name transfer or unlock based on the result of resolution. 

29.2.2 Trademark Claims Service

  CNNIC plans to provide Trademark Claims service in the initial launch period as the first 60 days that registration is open for general registration. 

29.2.2.1 Trademark Claims Service Process

  Specific service process is as follows:

	(1)Upon the submission of any registration application by the registrant, CNNIC will search the database of the Clearinghouse during the domain name review stage;

	(2)If the domain name for registration is found to be incomplete accord with any trademark in the database of the Clearinghouse designated by ICANN, CNNIC will provide the prospective registrant with a clear notice of the scope of the mark holderʹs rights in order to minimize the chilling effect of the registrant. It should be a specific statement by prospective registrant warrant that: (i) the prospective registrant has received notification that the mark(s) is included in the Clearinghouse, (ii) the prospective registrants has received and understood the notice, and (iii) to the best of the prospective registrantʹs knowledge, the registration and use o the requested domain will not infringe on the rights that are the subject of the notice.

	(3)The Trademark Claims Notice should provide the prospective registrant access to the Clearinghouse Database information referenced in the Trademark Claim Notice to enable the registrants to understand more fully the trademark rights claimed by the trademark holder; specifically the trademark notice should be able to be provided in Chinese. 

	(4)If the prospective registrant asks for registration after receiving the notice, the registrar will, after the domain name registration is effectuated, notify in a timely manner the holder of the trademark. 

29.2.2.2 Trademark Claims Service Eligibility Requirement

  CNNIC will provide Trademark Claims Service in accordance with the Trademark Claims Service eligibility requirement.

	(1) The registrant shall hold a trademark registration of valid national effect (or original effect) or the trademark had been court validated or protected by statute or treaty;

	(2) The domain name shall be identical to the mark included in the trademark Clearinghouse database and for identical match the language of the word mark should be the same;


29.2.3 Domain Name Review and Verification Platform

  In order to provide accurate information for the determination of the person responsible for an infringing, CNNIC has assigned experience members to implement domain name review and verification processes to concurrently prevent infringements.

29.2.3.1 Registrant Information Verification

  CNNIC will cooperate with the registrars to verify whether the information submitted is authentic and accurate through verification of the registration application form and corresponding identity certificates, including personal photo ID, enterprise business license or other proof of identity, submitted by the applicant to the registrar, so as to ensure that relevant responsible person can be determined and handled in time once domain name infringement occurs. Domain name applications include information of the registration contact person which is unauthentic, inaccurate or incomplete will be rejected.

29.2.3.2 Name Reservation and Registration Process

  CNNIC will verify identity of the registrants of the reserved strings to ensure that domain names are owned by legal right holders and eliminate illegal cybersquatting, specifically:

	(1)CNNIC will initially reserve country and geographic names as described in question 22. Reserved country and geographical domain names shall be made available for registration to the extent that agreement is made by applicable government(s). CNNIC also proposes the release of these names which is subjected to the review of ICANNʹs Government Advisory Committee (GAC), and relevant government. The specific steps of which are as follows:

	*The relevant government authority shall permit to release the domain name on the first hand;

	*The registrant submits the application to a registrar accredited by CNNIC for registration of the domain name. The application material shall include: domain name registration application form with an organizational stamp, proof of establishment of the organizational registrant, proof of personal identification of the registration contact person and other documentations issued by relevant parties for release of reserved domain names.

	*The registrar forwards the above material to CNNIC. 

	*After verification process, CNNIC will release the domain name to the database of the registrar. If the registration application doesnʹt get approved, CNNIC will notify the registrar about the reason of declination. The process of verification shall be finished within 3 days since CNNIC receives the application material.   	

	(2)For names or abbreviations of the local government authorities or international inter-governmental organizations and other controversial names, CNNIC shall initially reserve those names upon the decision made by GAC and ICANN. After verification of the application material, CNNIC will release the domain name to the database of the registrar. If the registration application doesnʹt get approved, CNNIC will notify the registrar about the reason of declination. The process of verification shall be finished within 3 days since CNNIC receives the application material.   	

29.2.3.3 Rights and Interests Review Process

  In accordance with the ʺChina Internet Domain Name Regulationsʺ , CNNIC will create a list of strings forbidden for registration, which will be used in the review process to check whether any domain name contains strings forbidden for registration. The registry will reject those applications so as to prevent the appearance of infringing domain names.

  CNNIC will screen all registrations for ʺunusualʺ domain name registration practices, such as registering hundreds of domains at a time, registering domains which are unusually long or complex, include an obvious series of numbers tied to a random word (baddomain01, baddomain02, baddomain03).

  CNNIC will also screen all registrations for patterns known to be associated with phishing (bank, secure, etc.)

  CNNIC will reviewing all domain names proposed for registration against known sites that are often the subject of phishing type attacks, which will ensure ʺ.网络ʺ do not inadvertently aid in the provisioning of illegitimate content in online scams.

29.2.4 Domain Name Rights Infringement Handling

29.2.4.1 Cooperation with Unified Rapid Suspension System

  CNNIC will fully respect the trademark infringement complaints submitted by the providers of the Unified Rapid Suspension (URS) system services and establish a response channel on a 24⁄7 basis, specifically:

	(1)CNNIC will lock the domain name concerned upon the receipt of a notice of complaint from the URS provider, whereby the EPP status will be ʺTransfer Prohibitedʺ, and forbid all changes of the registered data, including transfer and deletion of the domain name, but the domain name shall continue to be resolved;

	(2)CNNIC will immediately inform the URS provider of the domain name lock, and provide the same with detailed WHOIS information channel, so as to provide convenience for it to contact the registrant;

	(3)Where the complainant wins, CNNIC will, upon receipt of the determination on URS, immediately suspend the domain name, whereby the domain name may not be resolved to the original website, the domain name server will be redirected to the information note page of URS, and information in the Whois on other domain names will continue to be that of the original registrants. In addition, the Whois shall reflect that the domain name will not be able to be transferred, deleted or modified for the life of the registration.

	(4)Where the determination is in favor of the registrant, domain name parsing will be restored to the original domain name server.

29.2.4.2 Domain Name Disputes Resolution Procedure

  CNNIC will mandate its registrar in RAA to provide assistance for taking measures for domain name disputes resolution as required by UDRP, specifically:

	(1)If the complainant submits written complaint material to the registrar or the registry to prove that he⁄she is the holder of the domain name concerned, the registrar or the registry will provide the complaint with information on the designated dispute resolution provider for further resolution;

	(2) the dispute resolution provider shall, upon receipt of complete complaint materials and confirmation of payment, send an acceptance notice to CNNIC and the registrar;

	(3) upon receive notification of the dispute resolution provider, the registrar will lock the domain name to prohibit the person against which the complaint is filed from modifying the registered data and the transfer of the domain name, at the time of which the domain name may still can be resolved;

	(4) the person against whom the complaint is filed shall submit within 20 calendar  days authentic and accurate written material in response upon the notification of the dispute resolution provider, otherwise the adjudication authority will issue a judgment based on the evidence submitted by the complainant alone;

	(5)the dispute resolution provider will appoint a panel to conduct hearing and ruling with respect to the disputed domain name, and the result of judgment shall be issued within 14 calendar days upon the provision of response by the party against which the complaint is filed;

	(6) Where the adjudication authority supports the complaint, the registered domain name shall be cancelled or transferred to the complainant by the registrar; otherwise, the Complaint shall be rejected.

  	(7) If the Dispute Resolution Service Provider rules in its decision to cancel the registered domain name or to transfer it to the Complainant, the domain name Registrar, before enforcing the decision, shall wait 10 calendar days calculating from the date on which the decision is published. If during such waiting period the Respondent submits valid proof attesting that a competent judicial authority or arbitration institution has accepted the relevant dispute, the registrar shall not enforce the decision of the Dispute Resolution Service Provider.

	*If any proof attests that the parties have reached a settlement by themselves, the Registrar shall enforce such settlement; 

	*If any proof attests that the party that instituted the judicial action or applied for arbitration has withdrawn the Complaint or the relevant action or Complaint has been rejected, the Registrar shall enforce the Dispute Resolution Service Providerʹs decision; 

	*If the judicial authority or arbitration institution has rendered a judgment or an award that has become legally effective, the Registrar shall enforce such judgment or award.

29.2.4.3 Rapid Suspension and Takedown Measures

  The rapid suspension procedures are applicable to abusive behaviors regarding the use of domain names such as phishing or spreading of illegal contents, which may cause further losses to internet users. This procedure will most likely be the result of a complaint filed via APAC or 12321 Center. The specific enforcement procedures are as follows:

	(1) Once an abuse compliant is received, the registrar will be requested to directly lock the domain to prevent further transfer and update, while a dedicated group is assigned to confirm the complaint manually within 1-3 working hours. After confirmation the registrar will be  requested to suspend the domain name in the SRS system and the EPP status will be changed into ʺserverHoldʺ, so that the domain name will not be able to resolve or be transferred until it is ʺrestoredʺ.  In case such registrar fails to give a reply on handling within one working day, CNNIC will take step to handle the complaint, which may include suspension of the domain name against which the complaint is filed. The domain name holder will be informed at the same time to make corrections. After the registrant has stopped the abusive behavior and made adequate correction, which need to be confirmed by CNNIC, the registrar will restore the domain name to the status before suspension. 

	(2) Once the complaint is determined to be tenable and no further appeal or correction confirmed by CNNIC within 60 calendar days, CNNIC will take down the domain name and delete the registration record, which means the domain name comes to general availability.

	(3) The domain name holder and its registrar concerned will be informed three times as it has been locked of investigation, suspended, or deleted.


29.2.5 Complaints Handling Measures

  CNNIC will handle complaints on domain name infringement by independently collecting complaints from users and supervising and handling infringing information in cooperation with communities.

29.2.5.1 CNNIC Complaint Channels

  At present, comprehensive contact information for domain name abuse complaints and reports is published on the home page of CNNIC (www.cnnic.cn).

  The complaint channels are open to receive all kinds of complaints on domain name abuse on a 24⁄7 basis, and CNNIC undertakes to give replies within 5 working days. The complainant shall describe the domain name against which the compliant is to be filed, evidence of abuse, results caused, and contact information, including telephone, email, and etc., for the purpose of receiving the result of complaint handling by and from CNNIC in time.

29.2.5.2 Community Interactive Complaint Channel
  
    CNNIC will establish a sound information sharing mechanism with the registrars, the APAC and the International APWG, 12321 Center to fight against rights infringement.

  CNNIC will, based on the information obtained through these channels for the determination of any rights infringement behavior related  ʺ.公司ʺ domain names, notify relevant registrar in time for handling. In case such registrar fails to give a reply on handling within one working day, CNNIC will take step to handle the complaint, which may include suspension of the domain name against which the complaint is filed. CNNIC will further share the phishing data with Internet Explorer and Microsoft or other industry partners.

29.3 Resource Planning

29.3.1 Staffing 

  With proven capabilities for scaling its staff to meet the needs at peak level demands for complaint handling and customer service, CNNIC will benefit from its current staffʹs expertise to support the rights protection. Meanwhile, CNNIC also benefits from its unique position in close relation with the China Academy of Science in terms of talent recruiting. Many staff came directly from this top education institution in China with long term determination to contribute.

29.3.1.1 Initial Staffing

  We expect that the above measures of rights protection for the new gTLD will be executed sharing the same staff with existing TLDs ʺ.cnʺ and ʺ.中国ʺ and prospective new gTLD ʺ.公司ʺ which CNNIC has applied for. In order to provide higher standard services of new gTLD with lower rate of rights infringement, other than its current staff, CNNIC will also recruit additional staff in the start-up period for the first 3 years operation for maintaining the functionality described above.

29.3.1.1.1 Management (Please refer to Q29_attachment_CV for the key members in this sector)

  CNNIC assigns its Director of Business Operation responsible for ensuring high-quality domain name application review, customer support and complaint handling for registrars and end-users and for refining and developing additional policy in conjunction with ICANN. CNNIC expects this role to be critical during the Sunrise and Land Rush Period, during which time domain name registrations rises significantly. 

  CNNIC will also assign its experienced legal manager with one assistant to handle with any registry misconduct lawsuit, registry restriction dispute or any other Intellectual property dispute, and to serve as an ombudsman, assisting registrants and registrars in dispute resolutions related to ʺ.网络ʺ and respond to Registry Restriction Dispute according to Registry Restriction Dispute Resolution Procedure(RRDRP).

29.3.1.1.2 Customer Support Staff

  CNNIC has set up a Customer Support Center providing 7×24 hoursʹ service to handle inquires and complaints from registrants. Upon ICANNʹs delegation of ʺ.公司ʺ and ʺ.网络ʺ, volume of end-userʹs inquiries and complaints are expected to rise accordingly and more staff members will be hired to enhance the service capacities. Based on the original staffing basis with 31 employees, 5 additional employees will be recruited to support the new operation. The staff members are divided into the 3 subgroups:

	 *Registrant Service group providing telephone inquiries and complaints handling services;

	 *Registrant Caring group responsible for registrant visiting and renewal reminding;

	*Service Supporting group performing back-office support and performance supervision for the customer support staff. 

29.3.1.1.3 Review and Monitoring Staff

  CNNIC currently has 20 members to review of domain names applications and monitor the Whois accuracy. As all required staff members are expected to be on duty starting from the start-up period, additional recruitment must meet the needs of the peak registration season. 1 more staff responsible for supervision of review work and monitoring of registration status should be hired to support the new gTLD which means a team with 21 persons will take charge of this functionality.

29.3.1.1.4 Outreach Cooperation Liaison Team 

  CNNIC has already established long term cooperation mechanism to cooperate with the Anti-phishing Alliance of China, the International Anti-phishing Working Group and the 12321 Network Negative Information Complaint Center. 2 members have been assigned as regular contacts for the above functions, and they will also further take charge of liaison with Trademark Clearing House and Uniform Rapid Suspension System Provider as well as other assigned body designated by ICANN. Therefore, we see no needs for further staffing expansion.

29.3.1.2 Staffing on Ongoing Basis

   CNNIC has been structured to operate with an initial human capital investment to staff and manage the infrastructure required for sustaining the rights protection during the first 3 years of operations. The current staffing model also allows for back-up staffing, which provides a better overall understanding of our systems security. CNNIC foresees little expansion required for domain name abuse prevention and mitigation. However, CNNIC will expand its staff if necessary on ongoing basis. Staffing allocations may also need to be adjusted as demand for our services increases. Adjustments could include overall staff size or refinements to required technical skills. Cross-training will be used in all positions to promote job interest. Specific factors which could affect staffing levels include:

	(1)Higher than anticipated domain name registration or transfer request;

	(2)Higher than anticipated complaint volume;

	(3)Higher than anticipated domain name dispute;

	(4)Increase in the complexity of our services;

  Additional staff requirements will be met through a rigorous recruitment process following the requirement of employment. To meet registration demand and the cumulative growth of new registrars, CNNIC may hire an additional 5 staff personnel for the functionalities described above in the fourth and fifth years of ʺ.网络ʺ operations, as necessary.

29.3.1.3 Requirements for Employee

  CNNIC is structured to meet the needs of its customers: ICANN registrars, registrants and the Internet community at large which will address the overall needs of ICANN. CNNIC staff will meet or exceed the stated requirements in skills, competence, and experience. The staff will be augmented during the initial 3 years and thereafter, as necessary, by subject-matter experts. For details of our requirements for employee for rights protection, please refer to Question 28.  

29.3.2 Equipment Planning

29.3.2.1 Major Systems

  CNNIC has provided software and hardware for the domain name application review, customer self-service, customer support and abuse monitoring, including the following:

29.3.2.1.1 Electronic registrant review system

  This system will collect the application information transmitted to CNNIC by registrars and display the information in a user friendly format for CNNIC staff to review the application. Once the review process has finished the system has also connect with shared registration system for further process of domain name registration status.

29.3.2.1.2 Customer Self-Service System

  CNNIC will set up a multiple language system customer self-service system on our official website. This webpage will contain the following functions: 

	*Web-based searchable Whois.

	* Registrar information and contact;

	* ʺ.网络ʺ Registration Policy Tutorial;

	* Complaint and dispute challenge filing tutorial;

	* Web-based complaint channel

	*ʺ.网络ʺ  related Frequent asked questions(FAQs)
 
29.3.2.1.3 Customer Support System

  CNNIC has provided an interface on its website that allows a user to determine the appropriate customer support contact information based on the domain name. Access to our customer support will be through telephone, email and web based interface. CNNIC has integrated Consumer Relationship Management (CRM), accounts, trouble ticketing, document tracking, into its customer support system infrastructure. Computer telephony integration (CTI) and databases is also used to retain a reliable record of registry performance.

29.3.2.1.4 Systematical Interface with Trademark Clearing House and Uniform Rapid Suspension System

  As ICANN has yet confirmed the implementation model of Trademark Clearing House and Uniform Rapid Suspension System Completely, we are currently expecting to establish interface with those provider upon ICANNʹs designation. We will integrate further extension in our current infrastructure to communicate with those service providers and establish independent database to restore the data they transit to us.   

29.3.2.2 Work Space and Administrative Resources

  CNNICʹs current work site is currently equipped to accommodate all required personnel listed above. Every staff has been equipped with at least one desktop computer. All software required for working are pre-installed in their computers. The internet connection and telephone connection is also provided to every working staff by our office assistance team. 

  The current infrastructure will be sustainable for the projected 3 years of initial operation of ʺ.网络ʺ. CNNIC will undertake to update the software and hardware in time for ongoing basis, if necessary.

29.3.3 Funding

  CNNIC is planning to invest enough funding to ensure the implementation of the policies and measures on rights protection. The funding will support our customer service and technical security maintenance and other administrative function such as website design and equipment update. Please see question 47 for detailed amount of funding for each section.

30(a). Security Policy

In accordance with the security standard ISO 27001 (GB⁄T 22080), China Internet Network Information Center (CNNIC) has established an Information Security Management System (ISMS) to provide a complete set of security policies and corresponding security measures for ʺ.网络ʺ registry services.

The CNNIC-established ISMS has been certified by China Information Security Certification Center (ISCCC) accredited by China National Accreditation Service for Conformity Assessment (CNAS), accords with ISO 27001:2005 and the Statement of Applicability (SOA) thereof, and possesses relevant ISCCC certificates.

Meanwhile, CNNIC has made the security level commitments about vital business systems to registrants according to the state classified protection standard and put the security and safeguarding measures into place compliant with the security requirements of corresponding levels. Correspondingly, CNNIC has set up a system for regular self-inspection and for third-party security assessment to ensure the security level commitments can be achieved.

30(a).1 Overview of Security Policy

The security policies and corresponding security measures provided by CNNIC for ʺ.网络ʺ registry services are divided into two categories. One is for technical security and the other is for management security. Technical security includes physical security, network security, system security, application security, data security and auditing security. Management security involves security management organizations, security management personnel and security management rules. Relevant security policies conform to the following standards:

(1) YD⁄T2091-2010 Security Specification for Public DNS Resolution System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3460-1.htm)

(2) YD⁄T2140-2010 Technical Specification of DNS Security Framework (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3523-1.htm)

(3) YD⁄T 2136-2010 Technical Specifications of DNS Delegation (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3519-1.htm)

(4) YD⁄T 2245-2011 Security Protection Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3684-1.htm)

(5) YD⁄T 2246-2011 Security Protection Testing Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3685-1.htm)

(6) YD⁄T 2052-2009 Security Protection Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3397-1.htm)

(7) YD⁄T 2053-2009 Security Protection Testing Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3398-1.htm)

(8) Information Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008) (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8623)

(9) GB⁄T 22080:2008 (ISO⁄IEC 27001:2005, IDT) Information technology-Security techniques-Information security management systems-Requirements (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8618)

(10) GB⁄T 22081:2008 (ISO⁄IEC 27002:2005, IDT) Information technology-Security techniques-Code of practice for information security management (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-gb-8619-1.htm)

Below is an introduction of the above-mentioned various security policies.

30(a).1.1 Technical Security Policy

30(a).1.1.1 Physical Security Policy

All the systems related to ʺ.网络ʺ registry services are deployed in the Internet Data Center (IDC) rooms that meet the following security requirements:

(1) 7*24 on-site security personnel.

(2) A 7*24 video monitoring system is used to monitor the IDC room.

(3) Door-access cards and fingerprint identification technology are used for access control.

(4) Two separate circuits and one standby Uninterruptible Power Supply (UPS) are available to ensure uninterrupted power supply.

(5) Lightening-proof, fire prevention and anti-static measures are taken.

(6) All windows are equipped with infrared anti-theft alarm devices.

Furthermore, only authorized technicians (e.g. system administrators) are permitted to enter the IDC room for operations such as hardware or software update.

30(a).1.1.2 Network Security Policy

A full redundancy design is adopted for all the network equipments and links related to ʺ.网络ʺ registry services. Four security zones are respectively defined as an office subnet, a monitoring subnet, a service subnet and a database subnet according to their security level. Intrusion Detection Systems (IDS) and equipment against Denial of Service (DOS)⁄Distributed Denial of Service (DDOS) have been deployed by CNNIC.

All the servers for ʺ.网络ʺ registry services are protected by load balancers. Each server adopts the intranet IP address defined in Request for Comments (RFC) 1918. Important internal servers such as databases also adopt Intranet IP addresses to prevent Internet users from accessing these servers.

30(a).1.1.3 System Security Policy

All systems related to ʺ.网络ʺ registry services conform to the following security policies:

(1) Unnecessary services and processes are prohibited.

(2) Upgrading operating systems and important application programs shall be performed at a regular basis.

(3) Dynamic RSA token security systems shall be deployed for system authorization, access control and access password protection.

(4) Remote server management within the Intranet shall be performed through bastion hosts.

In addition, the CNNIC monitoring system monitors the use of server resources and service status in a real-time manner round the clock, and once an abnormity is detected, gives off an alarm. System-level scanning devices are used to perform systematic vulnerability scanning periodically for the internal and external networks and system reinforcement is performed very soon.

30(a).1.1.4 Application Security Policy

All applications related to ʺ.网络ʺ registry services conform to the following security policies:

(1) Shared Registration System (SRS)

(a) The SRS connection between the registrar and the registry shall adopt the Secure Sockets Layer (SSL) encryption technology, and a client certificate and a username⁄password shall be used to achieve the strong authentication to each registrar.

(b) If a registrar does not perform any operation within a preset period of time after successful login, SRS will automatically terminate the connection.

(c) Each registrarʹs login password in the SRS is restricted to within 6-32 characters, which is stored in an encrypted form.

(2) DNS service

(a) Hidden DNS resolution primary masters are established which are not connected with the Internet and which do not provide resolution service, so as to ensure the security of the original zone files of ʺ.网络ʺ.

(b) Transmission of zone files between hidden primary masters and each secondary server at each nameserver data center is achieved in the way of IPsec encryption, so as to achieve safe transmission of zone files of ʺ.网络ʺ.

(c) A monitoring system is set up to ensure data integrity in the process of generating and transmitting zone files of ʺ.网络ʺ .

(d) The specified security configuration regulations are formulated for the configuration of resolution software with inspection to the configuration at regular intervals (quarterly). If the items are not accordant with the regulations, they will be modified to keep the software configuration safe.

(e) Track the vulnerabilities of the resolution software by the specialized personnel and test and upgrade in time after detecting the vulnerabilities.

(3) Whois

(a) Whois only permits Internet usersʹ queries and no alteration is permitted.

(b) Whois Web servers are only used to transform Whois Web requests into WhoisD query requests and transmit such requests to WhoisD servers through load balancers. Then WhoisD servers are connected to Whois database to response to Whois queries.

(4) DNS Security Extensions (DNSSEC)

(a) The Hardware Security Module (HSM) used for Key Signing Key (KSK) signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent key disclosure from the interference of electro-magnetic signal.

(b) Both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.

(5) Internationalized Domain Names (IDN)

(a) To address the problem of phishing due to similarity of internationalized domain names, an system of Chinese domain similarity detection is established, through which phishing domain names related to ʺ.网络ʺ can be detected and then corresponding measures can be taken.

30(a).1.1.5 Data Security Policy

Only Database Administrators (DBA) who are responsible for maintenance are permitted to manage database servers. Only through specific management PCs and specific accounts can a DBA access a database server. For any change in the data and programs of an internal database, an application must be submitted through the procedures as specified for managing changes in internal databases. The application shall be reviewed by the DBA and the competent person before operations are performed at the presence of the DBA. CNNIC DBAs inspect the data backup of the database on a daily basis to make sure that the backup data is correct.Technical measures are taken to perform real-time check of the integrity of updated DNS zone files. A system has been established to guard against illegal alteration of websites to ensure data integrity of the websites related to ʺ.网络ʺ registry services. Important data of CNNIC are regularly backed up into the local tape library. Local and remote secondary operation centers have been built to realize backup of important data in the three operation centers in Beijing and Chengdu.

30(a).1.1.6 Auditing Security Policy

CNNIC formulated the thorough auditing technical methods and management measures:

CNNIC deploys the specified database auditing system to audit with the database orders, bastion hosts system to audit the server management operation and in addition, the specified centralized log collection and auditing system (LegendSec) to collect the logs of all network devices, servers and application systems, uniformly collecting and centralizing the logs to make the records.

CNNICʹs internal auditors use the database auditing system, bastion hosts system and log collection and auditing system to audit at each level and produce corresponding reports on a regular basis.

30(a).1.2 Management Security Policy

30(a).1.2.1 Security Management Organization

CINNIC has established a security management center which is responsible for ensuring the security of ʺ.网络ʺ registry services and for emergency response.

In addition to the security management center, CNNIC, to strength its ISMS, has also established, on the basis of the existing organizational structure, a ʺvirtualʺ information security management organization which consists of three tiers: the decision-making tier, the execution tier and the auditing tier.

30(a).1.2.2 Security Management Personnel

An investigation must be conducted on the background of the personnel responsible for security management related to ʺ.网络ʺ registry services to make sure that they are reliable enough in terms of educational level, work experiences, credibility, etc. The investigation should be carried out by the Personnel Department. All to-be security management personnel must be subject to background investigation.

30(a).1.2.3 Security Management Rules

Security management rules for ʺ.网络ʺ registry services are documents of the ISMS established by CNNIC. They consist of 4 tiers of documents: information security management manual; management specifications⁄measures⁄procedures⁄standards; implementation rules⁄operation guidelines⁄work guidance; and records⁄logs. See the figure below:

Please see Figure 1 in the attachment of Q30a_Attachment_Figure.

(1) The information security management manual is the guiding document for CNNIC information security management work. The manual contains such contents as information security policy, overall objective and control measures that are mentioned in the SOA and that have been implemented. Documents of the second and third tiers, such as management specifications and implementation rules can be regarded as documents supporting the information security management manual.

(2) Management specifications, measures, procedures and standards clearly define various management systems and technical control measures. Documents of the second tier provide methods and guidance for carrying out main activities of implementing the information security management system and for allocating duties. Lower-tier documents should also be referred to in implementing ISMS.

(3) Implementation rules, operation guidelines and work guidance are documents that give a detailed description of the processes mentioned in the second-tier documents. Consisting of work guidance, tables & lists, workflow charts, service standards and system manuals, documents of this tier give a detailed description of specific work and activities.

(4) Records and logs are used to keep record of various activities, serving as evidence that these activities meet the requirements of upper-tier documents. During the implementation of ISMS, a series of record tables and reports need to be kept to serve as the evidence that relevant preventive and corrective measures have been carried out.

30(a).2 Security Capability Assessment

30(a).2.1 Security Assessment Report

The CNNIC-established ISMS was certified on March 9, 2011 by ISCCC accredited by CNAS. With relevant ISCCC certificates, ISMS conforms to ISO 27001:2005 and the SOA thereof.

Please see Figure2 in the attachment of Q30a_Attachment_Figure.

30(a).2.2 Security Capability Test and Assessment

CNNIC carries out a security risk assessment at least once a year which covers classification and categorization of information assets; identification and assessment of risks; risk treatment plan and implementation thereof; continuous improvement of risk assessment, etc. The assessment results will serve as the basis for CNNIC to make decisions on overall risk management, to clearly understand the overall information risk it faces, and to formulate risk treatment measures and plans.

Meanwhile, CNNIC invites a third-party security service organization to conduct security inspection and assessment every year, the result of which will be used as an important basis for carrying out security-related work.

30(a).3 Security Level Commitment

30(a).3.1 Introduction to Classified Protection Standard

In compliant with the state classified protection standard, CNNIC has determined the security levels of the major services and made the commitments to the public to achieve the security requirements of corresponding levels according to the classes of protection standard.

According to the classified protection standard, information system is classified into five Classes from low to high depending on the importance to the state security, economic construction, social life, and the damage extent to the state security, social order, public interests, legal rights of citizen and other organizations. ʺGB⁄T 22239-2008 Information Security Technology--Baseline for Classified Protection of Information System Securityʺ clarifies the security requirements which information systems of different classes shall achieve as below:

Class I: can prevent the system from malicious attacks from individual-level threats with very little resources, ordinary natural disaster, and vital resources damage caused by other threats with corresponding damage extent. The system can be recovered for partial functions after it is damaged.

Class II: can prevent the system from the malicious attack from small-organization-level threats with little resources, common natural disaster, and important resources damage caused by other threats with corresponding damage extent. The important security vulnerabilities and incidents can be detected. Partial functions can be recovered within a specific period of time after the system is damaged.

Class III: under the unified security strategy, can prevent the system from the malicious attack from organization-level threats with relatively abundant resources, relatively serious natural disaster, and the major resources damage caused by other threats with corresponding damage extent. The security vulnerabilities and incidents can be detected. Most functions can be recovered relatively quickly after the system is damaged.

Class IV: under the unified security strategy, can prevent the system from the malicious attack from the state-level threats with abundant resources, serious natural disaster, and the resources damage caused by other threats with corresponding damage extent. The security vulnerabilities and incidents can be detected. All functions can be recovered promptly after the system is damaged.

Class V: not defined in the standard.

ʺInformation Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ defines the security requirements for information systems with different classes. Based on this, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ further define the security requirements to domain name systems and domain name registration systems with different security classes. These security requirements are classified into the basic technical requirements and basic management requirements. Technical security requirements are related to the technology and security mechanism provided by the information system and achieved mainly through deployment of the software and hardware and the proper configuration of the security functions. Management security requirements are related to the activities various roles participate in and achieved by mainly controlling the activities of various roles from the angles of policies, regulations, procedures and records and so on.

30(a).3.2 Security Level Commitment

According to the classified protection standard of ʺInformation Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ, CNNIC undertakes the following security commitments to registrants:

(1) The DNS⁄DNSSEC service system provides global Internet users with ʺ.网络ʺ domain name resolution services. Class-4 protection is used for the primary operation centers and Class-3 protection for nameserver data centers (all nameserver data centers as one unit).

(2) With Class-3 protection, SRS service provides global users with ʺ.网络ʺ domain name registration service through registrars.

(3) With Class-3 protection, Whois service provides global users with ʺ.网络ʺ domain name query service.

CNNIC set up the corresponding security policy with the reference to the security requirements to information systems with the classes, and deploys the security assurance measures to satisfy each requirement in the standards and accept the examination of the third-party organizations.

Bing Liu	Deputy Director
Lin Qi	Deputy Director
Wei Wang	Deputy Director
Xiangyang Huang	Director

New gTLD Application Submitted to ICANN by: Computer Network Information Center of Chinese Academy of Sciences （China Internet Network Information Center）

String: 网络

Originally Posted: 13 June 2012

Application ID: 1-932-13797

Applicant Information

1. Full legal name

2. Address of the principal place of business

3. Phone number

4. Fax number

5. If applicable, website or URL

Primary Contact

6(a). Name

6(b). Title

6(c). Address

6(d). Phone Number

6(e). Fax Number

6(f). Email Address

Secondary Contact

7(a). Name

7(b). Title

7(c). Address

7(d). Phone Number

7(e). Fax Number

7(f). Email Address

Proof of Legal Establishment

8(a). Legal form of the Applicant

8(b). State the specific national or other jursidiction that defines the type of entity identified in 8(a).

8(c). Attach evidence of the applicant's establishment.

9(a). If applying company is publicly traded, provide the exchange and symbol.

9(b). If the applying entity is a subsidiary, provide the parent company.

9(c). If the applying entity is a joint venture, list all joint venture partners.

Applicant Background

11(a). Name(s) and position(s) of all directors

11(b). Name(s) and position(s) of all officers and partners

11(c). Name(s) and position(s) of all shareholders holding at least 15% of shares

11(d). For an applying entity that does not have directors, officers, partners, or shareholders: Name(s) and position(s) of all individuals having legal or executive responsibility

Applied-for gTLD string

13. Provide the applied-for gTLD string. If an IDN, provide the U-label.

14(a). If an IDN, provide the A-label (beginning with "xn--").

14(b). If an IDN, provide the meaning or restatement of the string in English, that is, a description of the literal meaning of the string in the opinion of the applicant.

14(c). If an IDN, provide the language of the label (in English).

14(c). If an IDN, provide the language of the label (as referenced by ISO-639-1).

14(d). If an IDN, provide the script of the label (in English).

14(d). If an IDN, provide the script of the label (as referenced by ISO 15924).

14(e). If an IDN, list all code points contained in the U-label according to Unicode form.

15(a). If an IDN, Attach IDN Tables for the proposed registry.

15(b). Describe the process used for development of the IDN tables submitted, including consultations and sources used.

15(c). List any variant strings to the applied-for gTLD string according to the relevant IDN tables.

16. Describe the applicant's efforts to ensure that there are no known operational or rendering problems concerning the applied-for gTLD string. If such issues are known, describe steps that will be taken to mitigate these issues in software and other applications.

17. (OPTIONAL) Provide a representation of the label according to the International Phonetic Alphabet (http://www.langsci.ucl.ac.uk/ipa/).

Mission/Purpose

18(a). Describe the mission/purpose of your proposed gTLD.

18(b). How do you expect that your proposed gTLD will benefit registrants, Internet users, and others?

18(c). What operating rules will you adopt to eliminate or minimize social costs?

Community-based Designation

19. Is the application for a community-based TLD?

20(a). Provide the name and full description of the community that the applicant is committing to serve.

20(b). Explain the applicant's relationship to the community identified in 20(a).

20(c). Provide a description of the community-based purpose of the applied-for gTLD.

20(d). Explain the relationship between the applied-for gTLD string and the community identified in 20(a).

20(e). Provide a description of the applicant's intended registration policies in support of the community-based purpose of the applied-for gTLD.

20(f). Attach any written endorsements from institutions/groups representative of the community identified in 20(a).

Geographic Names

21(a). Is the application for a geographic name?

Protection of Geographic Names

22. Describe proposed measures for protection of geographic names at the second and other levels in the applied-for gTLD.

Registry Services

23. Provide name and full description of all the Registry Services to be provided.

Demonstration of Technical & Operational Capability

24. Shared Registration System (SRS) Performance

25. Extensible Provisioning Protocol (EPP)

26. Whois

27. Registration Life Cycle

28. Abuse Prevention and Mitigation

29. Rights Protection Mechanisms

30(a). Security Policy: Summary of the security policy for the proposed registry

© Internet Corporation For Assigned Names and Numbers.