<!DOCTYPE html><!-- This site was created in Webflow. https://webflow.com --><!-- Last Published: Thu Mar 27 2025 17:44:48 GMT+0000 (Coordinated Universal Time) --><html data-wf-domain="www.identity.digital" data-wf-page="659ec03ae7f51422418e2722" data-wf-site="643d4b3fc3e02d37e33dd7d5" data-wf-collection="659ec03ae7f51422418e2736" data-wf-item-slug="dnssec-practice-statement"><head><meta charset="utf-8"/><title>Policies | DNSSEC Practice Statement</title><meta content="Identity Digital is committed to the stable and secure operation of its top-level domains. Read our DNSSEC Practice Statement." name="description"/><meta content="Policies | DNSSEC Practice Statement" property="og:title"/><meta content="Identity Digital is committed to the stable and secure operation of its top-level domains. Read our DNSSEC Practice Statement." property="og:description"/><meta content="Policies | DNSSEC Practice Statement" property="twitter:title"/><meta content="Identity Digital is committed to the stable and secure operation of its top-level domains. Read our DNSSEC Practice Statement." 
property="twitter:description"/><meta property="og:type" content="website"/><meta content="summary_large_image" name="twitter:card"/><meta content="width=device-width, initial-scale=1" name="viewport"/><meta content="Webflow" name="generator"/><link href="https://cdn.prod.website-files.com/643d4b3fc3e02d37e33dd7d5/css/identity-digital.webflow.bf9f2a5a9.min.css" rel="stylesheet" type="text/css"/><script type="text/javascript">!function(o,c){var n=c.documentElement,t=" w-mod-";n.className+=t+"js",("ontouchstart"in o||o.DocumentTouch&&c instanceof DocumentTouch)&&(n.className+=t+"touch")}(window,document);</script><link href="https://cdn.prod.website-files.com/643d4b3fc3e02d37e33dd7d5/64919d95567de373712c8c43_favicon-sm.png" rel="shortcut icon" type="image/x-icon"/><link href="https://cdn.prod.website-files.com/643d4b3fc3e02d37e33dd7d5/64919d9a181cdaa42e801d0a_favicon-lg.png" rel="apple-touch-icon"/><!-- Finsweet Cookie Consent --> <script async src="https://cdn.jsdelivr.net/npm/@finsweet/cookie-consent@1/fs-cc.js" fs-cc-mode="opt-in"></script> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-5VQF86T');</script> <!-- End Google Tag Manager --> <style> section { background: white; position: relative; z-index: 2; transition: z-index 300ms; } .footer__overlay { pointer-events: none; } @media only screen and (min-width: 992px) { .footer { position: fixed; bottom: 0; } } @media only screen and (min-width: 992px) { .card:hover { background: white; box-shadow: 0px 44px 54px 0px #0000001A; } .card:hover .button { background: #AFE2E3; color: #111921; border-color: #AFE2E3; } } /*Active states*/ .sector.is-active { background: black; border-color: black; color: 
white; } .testimonial__button.is-active { background: #0055B8; } form ul { list-style-type: none; margin: 0; padding: 0; } input[type=checkbox], input[type=radio] { height: 1.5rem; width: 1.5rem; flex-grow: 0; flex-shrink: 0; flex-basis: auto; border: 1px solid #939393 !important; border-radius: 0.4rem !important; margin-right: 12px; } </style></head><body class="body"><div class="gdpr-components"><div fs-cc="banner" class="fs-cc-banner2_component"><div class="fs-cc-banner2_container"><div class="fs-cc-banner2_text">By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our <a href="/policies/privacy-policy" class="fs-cc-banner2_text-link">Privacy Policy</a> for more information.</div><div class="fs-cc-banner2_buttons-wrapper"><a fs-cc="deny" href="#" class="fs-cc-banner2_button fs-cc-button-alt w-button">Deny</a><a fs-cc="allow" href="#" class="fs-cc-banner2_button w-button">Accept</a><a fs-cc="open-preferences" href="#" class="fs-cc-banner2_button fs-cc-button-alt _2 w-button">Preferences</a></div></div></div><div fs-cc-scroll="disable" fs-cc="preferences" class="fs-cc-prefs2_component"><div class="fs-cc-prefs2_form-wrapper w-form"><form id="cookie-preferences" name="wf-form-Cookie-Preferences" data-name="Cookie Preferences" method="get" class="fs-cc-prefs2_form" data-wf-page-id="659ec03ae7f51422418e2722" data-wf-element-id="b7fa4e24-3f86-e1e8-2a73-84cc40d6b4a3"><div class="fs-cc-prefs2_content"><div class="fs-cc-prefs2_space-small"><div class="fs-cc-prefs2_title">Privacy Preferences</div></div><div class="fs-cc-prefs2_option"><div class="fs-cc-prefs2_toggle-wrapper"><div class="fs-cc-prefs2_label">Essential cookies</div><div class="gdpr-p">Required</div></div></div><div class="fs-cc-prefs2_option"><div class="fs-cc-prefs2_toggle-wrapper"><div class="fs-cc-prefs2_label">Marketing cookies</div><label class="w-checkbox fs-cc-prefs2_checkbox-field"><div 
class="w-checkbox-input w-checkbox-input--inputType-custom fs-cc-prefs2_checkbox"></div><input type="checkbox" id="marketing-2" name="marketing-2" data-name="Marketing 2" fs-cc-checkbox="marketing" style="opacity:0;position:absolute;z-index:-1"/><span for="marketing-2" class="fs-cc-prefs2_checkbox-label w-form-label">Essential</span></label></div></div><div class="fs-cc-prefs2_option"><div class="fs-cc-prefs2_toggle-wrapper"><div class="fs-cc-prefs2_label">Personalization cookies</div><label class="w-checkbox fs-cc-prefs2_checkbox-field"><div class="w-checkbox-input w-checkbox-input--inputType-custom fs-cc-prefs2_checkbox"></div><input type="checkbox" id="personalization-2" name="personalization-2" data-name="Personalization 2" fs-cc-checkbox="personalization" style="opacity:0;position:absolute;z-index:-1"/><span for="personalization-2" class="fs-cc-prefs2_checkbox-label w-form-label">Essential</span></label></div></div><div class="fs-cc-prefs2_option"><div class="fs-cc-prefs2_toggle-wrapper"><div class="fs-cc-prefs2_label">Analytics cookies</div><label class="w-checkbox fs-cc-prefs2_checkbox-field"><div class="w-checkbox-input w-checkbox-input--inputType-custom fs-cc-prefs2_checkbox"></div><input type="checkbox" id="analytics-2" name="analytics-2" data-name="Analytics 2" fs-cc-checkbox="analytics" style="opacity:0;position:absolute;z-index:-1"/><span for="analytics-2" class="fs-cc-prefs2_checkbox-label w-form-label">Essential</span></label></div></div><div class="fs-cc-prefs2_buttons-wrapper"><a fs-cc="deny" href="#" class="fs-cc-prefs2_button fs-cc-button-alt w-button">Reject all cookies</a><a fs-cc="allow" href="#" class="fs-cc-prefs2_button w-button">Allow all cookies</a><a fs-cc="submit" href="#" class="fs-cc-prefs2_submit w-button">Save preferences</a></div></div></form><div class="w-form-done"></div><div class="w-form-fail"></div><div fs-cc="close" class="fs-cc-prefs2_overlay"></div></div></div></div><div data-animation="over-right" data-collapse="small" 
data-duration="400" data-easing="ease" data-easing2="ease" role="banner" class="navbar w-nav"><div class="nav-container w-container"><a href="/" class="nav__brand w-nav-brand"><div class="w-embed"><svg width="100%" height="100%" viewBox="0 0 160 53" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M132.616 5.94501H136.488V8.64168H132.616V15.4904C132.616 16.2526 132.532 17.0511 133.305 17.5411C134.275 18.1581 136.173 17.6899 136.488 17.6245V20.3938C136.009 20.597 132.355 21.4246 130.529 19.6062C129.818 18.8985 129.455 17.9221 129.455 16.6736V8.64168H126.664V5.94501H129.451V2.01434H132.619V5.94501H132.616ZM120.661 20.6116H123.829V5.94501H120.661V20.6079V20.6116ZM120.661 3.1685H123.829V0H120.661V3.1685ZM70.7485 20.6116V18.5283C69.6052 20.1107 67.845 20.9636 65.7326 20.9636C61.6858 20.9636 58.8694 17.8242 58.8694 13.2801C58.8694 8.73605 61.6568 5.59659 65.7036 5.59659C67.7579 5.59659 69.4855 6.44588 70.7485 8.06097V0H73.9461V20.6079H70.7485V20.6116ZM70.8937 13.2765C70.8937 10.46 69.1334 8.61265 66.5239 8.61265C63.9143 8.61265 62.125 10.4891 62.125 13.2765C62.125 16.0639 63.8853 17.9403 66.5239 17.9403C69.1625 17.9403 70.8937 16.0929 70.8937 13.2765ZM63.7655 25.406H66.963V46.014H63.7655V43.9307C62.6222 45.5131 60.8619 46.366 58.7496 46.366C54.7028 46.366 51.8864 43.2266 51.8864 38.6825C51.8864 34.1385 54.6738 30.999 58.7206 30.999C60.7748 30.999 62.5024 31.8483 63.7655 33.4634V25.406ZM63.9143 38.6861C63.9143 35.8697 62.154 34.0223 59.5445 34.0223C56.9349 34.0223 55.1456 35.8987 55.1456 38.6861C55.1456 41.4735 56.9059 43.35 59.5445 43.35C62.1831 43.35 63.9143 41.5026 63.9143 38.6861ZM96.2562 13.6902C96.2562 10.3475 97.5156 8.58724 99.8929 8.58724C101.976 8.58724 103.09 9.84666 103.09 12.1659V20.6116H106.317V11.6069C106.317 7.79603 104.382 5.59296 101.007 5.59296C98.9819 5.59296 97.2833 6.44225 96.1691 8.17349V5.94501H93.0913V20.6079H96.2598V13.6866L96.2562 13.6902ZM91.5996 31.3511V44.838C91.5996 49.5926 88.6235 52.2639 84.0504 52.2639C81.0743 52.2639 78.6208 
51.0988 76.8097 49.4111L78.7188 47.0484C80.1887 48.3259 81.811 49.1208 83.8689 49.1208C86.5983 49.1208 88.4928 47.4186 88.4928 45.0231V43.9633C87.4947 45.4296 85.6764 46.2499 83.5641 46.2499C79.2813 46.2499 76.5266 43.2592 76.5266 38.6535C76.5266 34.0477 79.3721 30.999 83.506 30.999C85.6183 30.999 87.4657 31.9064 88.4021 33.3763V31.3511H91.5996ZM88.5509 38.6861C88.5509 35.8407 86.8487 34.0223 84.2391 34.0223C81.6296 34.0223 79.7822 35.8987 79.7822 38.6861C79.7822 41.4735 81.5715 43.35 84.2391 43.35C86.9068 43.35 88.5509 41.5316 88.5509 38.6861ZM124.747 36.4177V46.0103H121.579V43.9851C120.581 45.4804 118.94 46.3624 116.915 46.3624C113.953 46.3624 111.957 44.4569 111.957 41.7566C111.957 39.2342 113.398 37.6082 116.65 37.209C117.797 37.0674 120.508 36.7553 120.817 36.7154C121.216 36.6646 121.666 36.5448 121.666 36.0403V35.9931C121.666 34.7627 120.425 33.7864 118.508 33.7864C116.483 33.7864 115.314 35.0313 114.799 36.033L112.447 34.5268C113.561 32.4 115.895 30.9627 118.751 30.9627C122.236 30.9627 124.744 32.8028 124.744 36.4141L124.747 36.4177ZM121.579 39.2378L117.354 39.7641C116.004 39.9093 115.195 40.617 115.151 41.6695C115.093 43.0632 116.309 43.644 117.648 43.575C119.873 43.4625 121.579 42.0216 121.579 40.0835V39.2342V39.2378ZM127.854 46.0176H131.081V25.4097H127.854V46.0176ZM70.7485 46.0176H73.917V31.3547H70.7485V46.0176ZM70.7485 28.5745H73.917V25.406H70.7485V28.5745ZM113.957 2.01434H110.788V5.94501H108.001V8.64168H110.788V16.6736C110.788 17.9221 111.151 18.8985 111.866 19.6062C113.692 21.4246 117.35 20.597 117.826 20.3938V17.6245C117.514 17.6899 115.612 18.1581 114.643 17.5411C113.87 17.0511 113.957 16.2526 113.957 15.4904V10.2604V8.64531H117.83V5.94864H113.957V2.01434ZM90.9863 14.1729H79.7023C79.7023 16.7607 81.7639 18.2089 84.1339 18.2089C85.9123 18.2089 87.3677 17.4394 88.1045 16.5139L88.1952 16.572L90.5435 18.0782C89.0699 20.0744 86.8414 21.1052 84.0758 21.1052C79.7205 21.1052 76.5266 18.198 76.5266 13.3491C76.5266 8.79412 79.7096 5.59296 84.0431 
5.59296C91.4944 5.59296 91.0552 13.6394 90.9899 14.1729H90.9863ZM87.8141 11.763C87.6327 9.17884 85.6474 8.23882 83.9597 8.23882C81.851 8.23882 80.1052 9.38572 79.7894 11.763H87.8105H87.8141ZM53.1204 20.6116H56.2889V5.94501H53.1204V20.6079V20.6116ZM53.1204 3.1685H56.2889V0H53.1204V3.1685ZM106.288 27.424H103.119V31.3547H100.332V34.0514H103.119V42.0833C103.119 43.3318 103.482 44.3081 104.197 45.0159C106.023 46.8342 109.681 46.0067 110.157 45.8035V43.0342C109.845 43.0995 107.943 43.5677 106.974 42.9507C106.201 42.4608 106.288 41.6623 106.288 40.9001V35.6701V34.055H110.161V31.3583H106.288V27.4276V27.424ZM94.6375 46.0176H97.806V31.3547H94.6375V46.0176ZM94.6375 28.5745H97.806V25.406H94.6375V28.5745ZM149.798 5.94501L145.693 14.8916L141.468 5.94501H137.81L144.02 18.5863L140.902 25.406H144.274L153.169 5.94501H149.798ZM157.459 5.08121C156.058 5.08121 154.919 3.94157 154.919 2.5406C154.919 1.13964 156.058 0 157.459 0C158.86 0 160 1.13964 160 2.5406C160 3.94157 158.86 5.08121 157.459 5.08121ZM157.459 0.286725C156.218 0.286725 155.205 1.29571 155.205 2.5406C155.205 3.7855 156.214 4.79448 157.459 4.79448C158.704 4.79448 159.713 3.7855 159.713 2.5406C159.713 1.29571 158.704 0.286725 157.459 0.286725ZM157.419 1.13601C157.801 1.13601 158.08 1.20497 158.261 1.34289C158.443 1.48081 158.534 1.69132 158.534 1.97078C158.534 2.09781 158.508 2.21033 158.461 2.30469C158.414 2.39906 158.349 2.4789 158.269 2.54786C158.189 2.61319 158.105 2.66763 158.015 2.71119L158.835 3.92342H158.178L157.514 2.85274H157.198V3.92342H156.61V1.13601H157.423H157.419ZM157.376 1.62236H157.198V2.37728H157.39C157.586 2.37728 157.724 2.34461 157.811 2.27928C157.895 2.21396 157.938 2.11959 157.938 1.98893C157.938 1.85827 157.891 1.76028 157.801 1.70583C157.71 1.65139 157.568 1.62236 157.379 1.62236H157.376Z" fill="currentColor"/> <path d="M0 0V46.0394H46.0394V0H0ZM19.9655 42.4971H3.54233V22.1867C3.54233 17.6499 7.21895 13.977 11.7521 13.977C16.2889 13.977 19.9619 17.6536 19.9619 22.1867V42.4971H19.9655ZM11.7521 
11.7666C7.21169 11.7666 3.52781 8.08275 3.52781 3.54233H19.9764C19.9764 8.08275 16.2925 11.7666 11.7521 11.7666ZM23.5187 42.5007V3.5387C34.2764 3.5387 42.9979 12.2602 42.9979 23.0179C42.9979 33.7755 34.2764 42.4971 23.5187 42.4971V42.5007Z" fill="#006271"/> </svg></div></a><nav role="navigation" class="nav-menu w-nav-menu"><div class="nav-wrapper"><a href="/registrar" class="nav__link w-nav-link">Registrar</a><a href="/registry" class="nav__link w-nav-link">Registry</a><a href="/reseller" class="nav__link w-nav-link">Reseller</a><div data-hover="false" data-delay="0" class="dropdown w-dropdown"><div class="dropdown-toggle w-dropdown-toggle"><div class="d__tetxropdown-toggle">About</div></div><nav class="dropdown-list w-dropdown-list"><a href="/company" class="dropdown-link w-dropdown-link">Company</a><a href="/careers" class="dropdown-link w-dropdown-link">Careers</a><a href="/newsroom" class="dropdown-link w-dropdown-link">Newsroom</a></nav></div><a href="/contact" class="nav__link w-nav-link">Contact</a></div></nav><div class="hamburger w-nav-button"><div class="hamburger__line"></div><div class="hamburger__line"></div><div class="hamburger__line"></div></div></div></div><section class="hero hero--auto"><div class="hero__text-content hero__text-content--auto bg-gray"><div class="content-wrapper"><h1 class="hero__title text--black mb-0">DNSSEC Practice Statement</h1></div></div></section><section class="policy"><div style="-webkit-transform:translate3d(0, 40px, 0) scale3d(1, 1, 1) rotateX(0) rotateY(0) rotateZ(0) skew(0, 0);-moz-transform:translate3d(0, 40px, 0) scale3d(1, 1, 1) rotateX(0) rotateY(0) rotateZ(0) skew(0, 0);-ms-transform:translate3d(0, 40px, 0) scale3d(1, 1, 1) rotateX(0) rotateY(0) rotateZ(0) skew(0, 0);transform:translate3d(0, 40px, 0) scale3d(1, 1, 1) rotateX(0) rotateY(0) rotateZ(0) skew(0, 0);opacity:0" class="content-wrapper contact-wrapper--grid"><div id="w-node-_346a9f61-6bb2-6299-5e08-c2e78f6aeb1f-418e2722"><div class="richtext--policies 
mt-0 w-richtext"><h4>Identity Digital DNSSEC Practice Statement (DPS) Version 2.00 2025-01-03</h4><p><strong>1. INTRODUCTION</strong></p><p>1.1. Overview</p><p>This document was created using the template provided under the current practicing documentation.<sup>1</sup> Henceforth in this document, the “Company” shall refer to Identity Digital Inc. and its subsidiaries. This document comprises the practices utilized by the Company to operate DNS zones as they relate to the DNS Security Extensions. Unless stated otherwise within this document, these statements pertain to all TLD zones under the Company’s auspices that have been signed.</p><p>1.2. Document name and identification</p><p>Identity Digital DNSSEC Practice Statement (DPS) Version 2.00</p><p>1.3. Community and Applicability</p><p>This section describes the various “stakeholders” of the functionality provided by DNSSEC and a signed TLD.</p><p>1.3.1. The TLD Registry</p><p>The Company operates in two distinct modes: (1) as a Registry Operator (RO), where the TLD has been directly delegated to the Company by ICANN, and (2) as a Registry Service Provider (RSP), where the Company operates and performs the functions of maintaining the zone on behalf of another entity (which acts as the RO). In the case where the Company is the RO for a zone, the Company is also acting as the RSP.</p><p>The Company is expected to perform the following functions:</p><ul role="list"><li>In “Online KSK” mode, where the Company is either the RO, or the Company is the RSP and the RO does not maintain the KSK: Generate the Key Signing Keys (KSK) for the zone.</li><li>In “Offline KSK” mode, where the Company is the RSP and the RO maintains the KSK: Generate Key Signing Requests (KSRs) and receive Signed Key Responses (SKRs) to and from the RO, respectively.</li><li>Generate the Zone Signing Keys (ZSK) for the zone. 
In “Offline KSK” mode, also include these ZSKs as part of KSRs.</li><li>In “Online KSK” mode: Sign the apex DNSKEY RRSet using the KSK.</li><li>In “Offline KSK” mode: Signatures received from within the SKR for the apex DNSKEY RRSet are loaded and used as appropriate.</li><li>Sign the relevant Resource Records of the zone using the ZSK.</li><li>Update the ZSK and KSK as needed.</li><li>In “Online KSK” mode: Send Delegation Signer (DS) Resource Records to ICANN for inclusion into the root zone.</li><li>Receive DS Resource Records from accredited registrars, and update the zone accordingly.</li><li>Update the WHOIS information accordingly.</li></ul><p>1.3.2. Accredited Registrars</p><p>Registrars that are accredited by a given TLD RO are required to make changes to the zone using one of two mechanisms: (1) the RFC-based Extensible Provisioning Protocol (EPP) directly, or (2) a Web Administration Tool. The Web Administration Tool is a Company-provided front end to EPP. For DNSSEC, registrars are expected to maintain Delegation Signer (DS) records with the Company on behalf of their customer, the registrant.</p><p>1.3.3. Registrants</p><p>Registrants are responsible for ensuring that their second-level zones are properly signed and maintained. They must also generate and upload DS records for their signed zones to their registrar (who, in turn, send these to the Company).</p><p>1.4. Specification Administration</p><p>1.4.1. Specification administration organization</p><p>The Company maintains this specification.</p><p>1.4.2. Contact Information</p><p>Questions or concerns regarding this DPS, or the operation of a signed TLD, should be sent to the Company Customer Support Center.</p><p>They can be reached via:</p><ul role="list"><li>Phone: +1 (425) 298-2200</li><li>Email: support@identity.digital</li></ul><p>1.4.3. 
Specification change procedures</p><p>The DPS is reviewed periodically and updated as appropriate.</p><p>All changes are reviewed by operations and security teams and submitted to executive management for approval. Once accepted, procedures are updated, and appropriate personnel are trained on any new or changed practice. Once all preparatory work has been completed, the DPS is published and becomes effective as of its publication.</p><p><strong>2. PUBLICATION AND REPOSITORIES</strong></p><p>2.1. Repositories</p><p>This DPS can be found at <a href="https://identity.digital/policies/dnssec-practice-statement/">https://identity.digital/policies/dnssec-practice-statement/</a> <br/>Only the Company Operations department has the ability to update the contents of the website. ACLs on the file are read-only.</p><p>2.2. Publication of public keys</p><p>The Company generates DS-record data for all zones run in “Online KSK” mode. Key Signing Keys (KSKs) are published with the Secure Entry Point (SEP) bit set. As soon as possible, the Company sends DS-record data pertaining to these KSKs for signed TLD zones to ICANN for publication in the root. No other trust anchors or repositories are used.</p><p><strong>3. OPERATIONAL REQUIREMENTS</strong></p><p>3.1. Meaning of domain names</p><p>Generally, domain names are defined in Section 2 of RFC 8499.<sup>2</sup></p><p>Policies regarding restrictions on domain names within a given zone are specified by the registry operator, and vary from TLD to TLD.</p><p>3.2. Identification and authentication of child zone manager</p><p>Registry Operators must first give express permission to the Company to permit DNSSEC for child zones in a given TLD. Only registrars (on behalf of their registrants) are permitted to activate DNSSEC for a child zone. To activate DNSSEC, a registrar must submit a Delegation Signer (DS) record either via the Web Administration Tool, or via EPP (according to RFC 5910). 
It is the responsibility of the child zone manager to accurately maintain the chain of trust from the DS record for the child zone downward.</p><p>For EPP, each registrar has unique credentials to access the TLD registry, which are verified before EPP transactions of any kind can be conducted. For the Web Administration Tool, certificates are used to uniquely identify each registrar.</p><p>3.3. Registration of delegation signer (DS) resource records</p><p>DS records are sent to the registry by the registrar via EPP (specifically, according to RFC 5910). Once submitted to the TLD registry, the WHOIS data is updated, and the zone changes are automatically propagated out to the DNS infrastructure.</p><p>3.4. Method to prove possession of private key</p><p>It is the responsibility of the accredited registrar to ensure the integrity of the data submitted to the Company. There is no requirement that a corresponding DNSKEY already be published in a zone before a DS record is submitted to the parent. This makes proof of possession of a private key unpredictable. The Company therefore does not perform any tests to prove possession of a private key.</p><p>3.5. Removal of DS resource records</p><p>3.5.1. Who can request removal</p><p>Only the sponsoring registrar for a domain name can add, change, or delete DS records for that domain name. Registrars must provide an Auth-Info code to verify any change for this domain name.</p><p>3.5.2. Procedure for removal request</p><p>DS records are removed using the appropriate EPP command, as specified by RFC 5910. Only the sponsoring registrar can request that a DS record be removed, and then only if they include the correct Auth-Info code.</p><p>3.5.3. Emergency removal request</p><p>Because removal is performed via EPP and the system is updated continuously, no additional procedure is required for an emergency removal request.</p><p><strong>4. FACILITY, MANAGEMENT AND OPERATIONAL CONTROLS</strong></p><p>4.1. 
Physical Controls</p><p>The Company uses four geographically separate sites located in different countries that are not part of our offices. The sites are physically protected environments that deter, prevent, and detect unauthorized use of, access to, and disclosure of sensitive information and systems. All facilities limit access to authorized personnel. Visitors are only permitted when escorted by authorized personnel, and for a specific purpose (such as hardware repair by a technician).</p><p>All facilities provide redundant and backup power, air conditioning, and fire suppression and protection services. The sites provide redundant and backup DNSSEC services for each other. Reasonable precautions have been taken to minimize the impact of water exposure to the Company’s systems.</p><p>Media with sensitive information is stored within the Company’s facilities with appropriate physical and logical access controls designed to limit access to authorized personnel.</p><p>Sensitive documents, materials, and media are shredded or rendered unreadable before disposal.</p><p>The Company performs routine backups of critical system data and maintains an off-site backup with a bonded third-party storage facility.</p><p>4.2. Procedural Controls</p><p>There are at least two operational teams with access to and responsibility for the signer systems. Each team member holds a part of the password necessary to grant access to the signer systems. Any task performed on a signer system requires an authorized representative from each team to be present.</p><p>4.3. Personnel Controls</p><p>The Company requires that all personnel taking part in a trusted role must have worked for the Company for at least one year and must have the qualifications necessary for the job role.</p><p>The Company provides training to all personnel upon hire as well as requisite training needed to perform job responsibilities. 
Refresher training and updates are provided as needed. Personnel are rotated and replaced as needed.</p><p>In limited circumstances, contractors may be permitted to occupy a trusted role. Any such contractor is required to meet the same criteria applied to a Company employee in a comparable position.</p><p>The Company provides all employees with the materials and documentation necessary to perform their job responsibilities.</p><p>4.4. Audit Logging Procedures</p><p>All key life cycle events, including but not limited to generation, activation, rollover, destruction, and use, whether successful or unsuccessful, are logged with a system that includes mechanisms to protect the log files from unauthorized viewing, modification, deletion, or other tampering.</p><p>Access to physical facilities is logged by the facility and the log is only accessible to authorized personnel.</p><p>The Company monitors all log entries for alerts based on irregularities and incidents. The Company security team reviews all audit logs at least weekly for suspicious or unusual activity.</p><p>4.5. Compromise and Disaster Recovery</p><p>In the event of a key compromise or disaster, the Company’s incident response team would be notified. The response team has documented procedures for investigation, escalation, and response. The team is responsible for assessing the situation, developing an action plan, and implementing the action plan with approval from executive management.</p><p>The Company maintains redundant facilities to ensure immediate availability of a disaster recovery site should one site become unavailable. Key data is cloned, encrypted, and sent to a hot spare in the same facility, and to two spares in the redundant facility. The ability to encrypt and decrypt the key data resides entirely within each system's High Security Module, and exists nowhere external to the signing systems.</p><p>4.6. 
Entity termination</p><p>The Company has adopted a DNSSEC termination plan in the event that the roles and responsibilities of the signing services must transition to other entities. The Company will coordinate with all required parties in order to execute the transition in a secure and transparent manner.</p><p><strong>5. TECHNICAL SECURITY CONTROLS</strong></p><p>5.1. Key Pair Generation and Installation</p><p>All key pairs are generated on the signer systems according to parameters set by the operational team. The signer systems meet the requirements of FIPS 140-3 Level 3 or higher.</p><p>5.2. Private key protection and Cryptographic Module Engineering Controls</p><p>All signing modules are FIPS 140-3 Level 3 certified or higher. No unencrypted access to the private key is permitted. Access to the signer system is specified in the Procedural and Personnel Control sections.</p><p>Multiple redundant signing systems are maintained. The systems include a mechanism to back up key pairs and other operational parameters to each other in a secure manner. Private keys are not otherwise backed up, escrowed, or archived. When a private key is deactivated, it is destroyed by the signing system.</p><p>A trusted team has the authority to create, activate, and deactivate key pairs, and executes this responsibility according to documented policies and procedures.</p><p>5.3. Other Aspects of Key Pair Management</p><p>5.3.1. Public key archival</p><p>Obsolete public keys are not archived.</p><p>5.3.2. Key Usage Periods</p><p>Zone Signing Keys (ZSKs) are used in production for approximately one month before being rolled. Key Signing Keys (KSKs) are rolled based on RO policy, but are expected to change at least every five years.</p><p>5.4. 
Activation Data</p><p>Activation data is a set of passwords corresponding to user accounts with key-generation privileges. The passwords are “split” to ensure that no single operator can perform these operations.</p><p>5.5. Computer Security Controls</p><p>The Company ensures that the systems maintaining key software and data files are trustworthy systems secure from unauthorized access. In addition, the Company limits access to production servers to those individuals with a valid business reason for such access. General application users do not have accounts on production servers.</p><p>5.6. Network Security Controls</p><p>The signing systems are placed in the Company’s production systems, which are logically separated from all other systems. Use of normal network security mechanisms such as firewalls mitigates intrusion threats; only restricted-role users are allowed access to production systems, and their work is logged.</p><p>5.7. Timestamping</p><p>The signer systems securely synchronize their system clocks with a trusted time source inside the Company’s network.</p><p>5.8. Life Cycle Technical Controls</p><p>Applications developed and implemented by the Company conform to its development and change management procedures. All software is traceable using version control systems. Software updates in production are part of a package update mechanism, controlled via restricted-role access and updated via automated recipes. All updates and patches are subject to complete verification prior to deployment. The Company also uses a third-party solution on its signer systems, where updates are tested in a secure lab environment prior to deployment.</p><p><strong>6. ZONE SIGNING</strong></p><p>6.1. Key lengths, Key Types and algorithms</p><p>6.1.1. Key Signing Key</p><p>The Company currently uses ECDSA Curve P-256 with SHA-256, as well as RSA/SHA-256 (algorithm 8<sup>3</sup>) with a key length of at least 2048 bits, as the generation algorithms. 
RSA/SHA-256 is in the process of being phased out. Ed25519 (algorithm 13) is under evaluation, and should be considered for deployment as well.</p><p>6.1.2. Zone Signing Key</p><p>The Company currently uses ECDSA Curve P-256 with SHA-256, as well as RSA/SHA-256 (algorithm 8) with a key length of at least 1024 bits, as the generation algorithms. RSA/SHA-256 is in the process of being phased out. Ed25519 (algorithm 13) is under evaluation, and should be considered for deployment as well.</p><p>6.2. Authenticated denial of existence</p><p>Authenticated denial of existence is provided through the use of NSEC3 records as specified in RFC 5155<sup>4</sup> and RFC 9276<sup>5</sup>.</p><p>6.3. Signature format</p><p>6.4. Key Rollover</p><p>6.4.1. Zone signing key roll-over</p><p>The Company rolls the ZSK with a pre-publishing scheme as described in RFC 4641<sup>6</sup>, section 4.2.1.1. ZSK roll-over is carried out once a month.</p><p>6.4.2. Key signing key roll-over</p><p>The Company rolls the KSK with a double-DS scheme, as described in RFC 4641, section 4.2.1.2. There are no planned KSK rollover frequencies defined at this time.</p><p>6.5. Signature life-time and re-signing frequency</p><p>Zones are signed once every 8 or 9 days (4 times a month), with a signature life-time of 20 days. Jitter is introduced so that signing and expiration times cannot be predicted.</p><p>6.6. Verification of resource records</p><p>DNSKEY and SOA RRSet signatures are verified prior to publication.</p><p>6.6.1. Verification of zone signing key set</p><p>Verification of the zone signing key set is performed by validating the public key data contained in the Key Signing Record.</p><p>6.7. 
Resource records time-to-live</p><ul role="list"><li>DNSKEY: 1 day (86400 s)</li><li>NSEC3: SOA minimum (1 day)</li><li>Delegation Signer (DS): 1 day</li><li>RRSIG: varies depending on the RR covered</li></ul><p><strong>7. COMPLIANCE AUDIT</strong></p><p>7.1. Frequency of entity compliance audit</p><p>Compliance audits are intended to be conducted at least biennially.</p><p>7.2. Identity/qualifications of auditor</p><p>The auditor is an entity that is proficient in the technologies it is auditing.</p><p>7.3. Auditor's relationship to audited party</p><p>Auditors are independent of the Company.</p><p>7.4. Topics covered by audit</p><p>Environmental, network and software controls; operations; and key management practices and operations.</p><p>7.5. Actions taken as a result of deficiency</p><p>Any gaps identified in the audit will result in the creation of an action map, which lists the actions necessary to resolve each gap. Management will design and implement mitigating steps to close the gaps identified.</p><p>7.6. Communication of results</p><p>The Company will communicate internally to resolve any gaps designated by the action map. Should deficiencies be found in this document, it will be augmented to mitigate the issue and posted with a new revision number.</p><p><strong>8. 
LEGAL MATTERS</strong></p><p>This DPS is to be construed in accordance with and governed by the internal laws of the United States without giving effect to any choice of law rule that would cause the application of the laws of any jurisdiction other than the internal laws of the United States.</p><p>The following material shall be considered confidential:</p><ul role="list"><li>Private keys</li><li>Information necessary to retrieve/recover private keys</li><li>Disaster recovery plans (DRPs)</li><li>Any operational details relevant to the management and administration of DNS keys, including but not limited to network, software and hardware details.</li></ul><p>The Company does not implicitly or explicitly provide any warranty, and has no legal responsibility for any procedure or function within this DPS. The Company shall not be liable for any financial damages or losses arising from the use of keys, or any other liabilities. All legal questions or concerns should be sent to legal@identity.digital.</p><p><sup>1 </sup> Many of the terms used in this document are defined in Section 2 of RFC 6841.</p><p><sup>2 </sup> <a href="https://datatracker.ietf.org/doc/html/rfc8499" target="_blank">https://datatracker.ietf.org/doc/html/rfc8499</a></p><p><sup>3 </sup> As defined in <a href="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1" target="_blank">https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1</a></p><p><sup>4</sup> <a href="https://datatracker.ietf.org/doc/html/rfc5155" target="_blank">https://datatracker.ietf.org/doc/html/rfc5155</a></p><p><sup>5</sup> <a href="https://datatracker.ietf.org/doc/html/rfc9276" target="_blank">https://datatracker.ietf.org/doc/html/rfc9276</a></p><p><sup>6</sup> <a href="https://datatracker.ietf.org/doc/html/rfc4641" target="_blank">https://datatracker.ietf.org/doc/html/rfc4641</a></p><h3><a 
href="https://cdn.prod.website-files.com/643d4b3fc3e02d37e33dd7d5/67c0b519c53a17151ed52ccb_DNSSEC-Practice-Statement.pdf" target="_blank">Download the PDF</a></h3></div></div></div></section><footer class="footer"><div class="footer__copyright__text">Copyright ©2021-2024 Identity Digital Inc., 10500 NE 8th Street Suite 750 Bellevue, WA 98004 All Rights Reserved.</div></footer></body></html>