Registry Data Escrow Service FAQ
Frequently Asked Questions About Registry Data Escrow
Registry Data Escrow ensures that the data associated with registered domain names is never at risk of being lost or inaccessible.
What is Registry Data Escrow?
Registry Data Escrow is a specialized data protection service designed to meet the compliance and best practice needs of domain name registrants worldwide.
Registry Data Escrow is a specialized data protection service designed to meet the compliance and “best practice” needs of domain name registrants worldwide. The service ensures that up-to-date copies of domain name ownership and contact details are held in escrow by a trusted, neutral third party (the Escrow Agent), to be accessed and released only under pre-defined and controlled conditions. The purpose of Registry Data Escrow is to help safeguard registrar and registrant interests in the event of a registry’s business or technical failure.
Who escrows registry data, and why?
All generic top-level domain (gTLD) Registry Operators, including those for new gTLDs, are required to escrow their data. Some country code top-level domain (ccTLD) Registry Operators proactively choose to do so as well.
- gTLDs: As part of its Registry Agreement with the Internet Corporation for Assigned Names and Numbers (ICANN), each gTLD Registry Operator must comply with provisions contained within a Registry Data Escrow Agreement. That agreement requires gTLD Registry Operators to transfer registry data for their TLD on a daily basis to a reputable escrow agent to be held in escrow. ICANN must be named as a third-party beneficiary under each such escrow agreement. Escrowing registry data helps ensure continuity of service for the gTLD in the event of a natural disaster, a technical failure of a registry, or a security breach within the Domain Name System (DNS).
- ccTLDs: ccTLD Registry Operators optionally adopt the best practice of escrowing their data both to protect the interests of their registrants as well as to comply with their local governments, governing bodies, etc. who may insist on implementing safeguards to ensure the security and stability of the DNS.
Why does ICANN require Registry Data Escrow?
Data in escrow with Iron Mountain may be used to help ensure continuity of service in the event of a natural disaster, a technical failure of the registry, or a security breach within the DNS system.
Full compliance with data escrow requirements and validation is part of ICANN’s strategic plan. This plan is designed to ensure continuation of Internet-wide DNS operations in the event of a physical or business failure of a registry. If a problem ever occurs with an ICANN-approved Registry Operator, ICANN needs to know that a copy of the gTLD registration information held by that Registry Operator is protected. There are cases, such as if a registry’s ICANN-accredited status is terminated, that ICANN may have to step in and take measures to transfer those domain names to another Registry Operator. With this data in an escrow account held by a neutral third party, the domain name information is protected and secured.
What data is escrowed?
Registries must make regular deposits to their escrow account that consist of data elements residing within their then-current complete registry database. Full deposits include the contents of all domain objects, host objects, contact objects, registrar objects, and, when applicable, Domain Name System Security Extensions (DNSSEC)-related key material. All deposits must adhere to a precise set of format specifications and conventions as documented in the Registry Data Escrow Agreement.
How frequently must registry data be transferred to the escrow agent?
Registry Operators make differential escrow deposits daily and full escrow deposits weekly. The weekly full escrow deposit consists of the entire set of registry database objects as defined in the specification document accompanying the Registry Data Escrow agreement as of 00:00 UTC on each Sunday. On a daily basis during the intervening six days between full escrow deposits, the Registry Operator submits differential escrow deposits at a pre-defined time (after 00:00 UTC and before 23:59 UTC). This differential deposit includes all registry database objects that have been created, deleted, or updated since the previous full or differential deposit.
What is the escrow agent’s role?
Registry data escrow is one of the essential stakeholder protection mechanisms for gTLDs.
Escrow agents are obligated to receive, store, and protect registry escrow deposits within a secure facility accessible only to the agent’s authorized staff or other representatives. Escrow agents are also required to validate the format and completeness of the data file set of each registry escrow deposit, and notify ICANN if any nonconformities are discovered; escrow agents will retest non-conforming escrow deposits upon their remediation by the Registry Operator. Finally, escrow agents will release to the beneficiary (or its designee) all deposits within its possession pertaining to the Registry Operator:
- Whose Registry Agreement has expired without renewal or been terminated; or
- Misses one or more full deposits or five or more differential deposits within any calendar month and fails to correct the omission(s); or
- Whose deposits fail the escrow agent’s validation of one or more full deposits or five or more differential deposits within any calendar month and fails to remediate the failure(s); or
- Who has ceased business operations, filed for bankruptcy, or become insolvent
What is the file format for escrow deposits?
Data extracted from registry databases is sent in XML format, compressed, and encrypted prior to transmission to the escrow agent, preferably via authenticated, secure file transfer. Physical media may also be used with special permission from ICANN. Compressing the data helps minimize file transfer times and storage capacity requirements, whereas encryption of the data helps to ensure its privacy. The suggested compression algorithm is ZIP; OpenPGP is the required encryption message format.
Why choose Iron Mountain as your escrow agent?
Iron Mountain is the global leader in information protection, management, and storage services. In 2001, Iron Mountain was the first company ever selected to protect registry data via escrow agreements, and in 2007 ICANN selected Iron Mountain as its preferred provider of escrow services with its Registrar Data Escrow program.
Today, Iron Mountain is the definitive worldwide market leader for the delivery of registrar and registry data escrow services. Iron Mountain is currently the escrow agent of choice for 75% of the gTLD Registry Operators required by ICANN to escrow their data, comprising more than 99% of all domain names registered under all gTLDs. No other escrow agent possesses the breadth of expertise and experience comparable to Iron Mountain’s for the delivery of data escrow services to Internet registrars and Registry Operators.
Where is my data stored?
All electronic escrow deposits first go to Iron Mountain’s “Underground” in Western Pennsylvania, U.S.A. This facility has received the highest possible security rating — it is 60 meters below ground, and is a self-sufficient city featuring full backup power for up to seven days. It has its own fire department and water treatment plant, 24-hour armed security, and 24x7 service operation. In addition, a copy of every deposit is made as a failsafe, and backed up to a second secure data bunker for redundancy.
How do I know my data is safe?
Extensive electronic safeguards are used for escrow data transfers. Registry Operator deposits are received via secure FTP (SFTP) which ensures transfer integrity, allows for content encryption, and validates authenticity. Registry Operators are required to submit encrypted data so that only Iron Mountain and the escrow beneficiary can decrypt it. Once data is sent to Iron Mountain’s secure facility via SFTP, it is placed in an inbound directory specific to each Registry Operator. The files are then automatically picked up by a background process and moved electronically onto the secure Iron Mountain network.
Who pays for Registry Data Escrow?
Registry Operators make payments directly to their escrow agents for Registry Data Escrow services but Registry Service Providers may pay on their behalf.
What happens if I miss a deposit or if it has errors?
Iron Mountain will log escrow deposit activity on a registry-by-registry basis. If a deposit is not received as scheduled, or if there are problems with the deposit, an automated email will be sent to the Registry Operator notifying them of the error. If there is no response to the email, an Iron Mountain representative will contact the Registry Operator to determine the status of the deposit. All deposits, including missed and failed deposits, are reported to ICANN.
How do I get started?
For further information on the Iron Mountain Registry Data Escrow services, please contact us by email at email@example.com or call +1 770 239 9200, Option 1.