How to Apply: RFP Guide

How to Find the Best Partner

City top-level domains are different from other TLDs. They have responsibilities to their residents and businesses, and need a registry services partner that can adapt to the way a city works. If you have enough time, the best way to select a registry services vendor for your city top-level domain may be to issue a formal Request For Proposal, or RFP.

This Guide provides potential city TLDs with some of the questions we believe should be asked in an RFP.

We have provided a downloadable PDF of this RFP Guide.

1. What is the vendor’s experience operating top-level domains?

Running a top-level domain (TLD) is a complicated endeavor, requiring a proficient knowledge of relevant technology, policy development expertise, capital reserves, and an ability to succeed in the marketplace.

The city must be sure that the vendor has the necessary registry services infrastructure in place, that it has been shown to be reliable in actual use, and that it will comply with all of the required ICANN specifications for new gTLD registry operations. ICANN will require the TLD operator to enter into a contract that requires compliance with industry standards. Non-compliance will mean that your application will be rejected, or that your right to administer the TLD will be compromised.

Registry operators that have years of experience will have to spend less time and resources on starting-up and refining their registry systems. Experienced operators will also have established relationships with the registrar and reseller companies that could help ensure a broader sales channel for the new .city TLD.

2. Who are the key staff?

Key staff should submit resumes detailing their experience. Key staff should have extensive industry experience and involvement with industry organizations such as ICANN, the Anti-Phishing Working Group, the Internet Society, and similar organizations. The experience of key personnel will also demonstrate the vendor’s level of understanding of what components make up a successful TLD. The key staff should include a project manager, a technical manager, a security manager, and a sales and marketing manager. You will want the vendor to allocate their most experienced and knowledgeable people to your project.

3. Does the vendor have the financial capability to operate your TLD?

You will want to be sure that the vendor is able to operate on a self-financed basis for the length of the proposed contract. Request proof of the vendor’s ability to fund the .city TLD operations for the determined length of the contract. The vendor should identify funding sources and projected operational costs. This information allows the City to determine if the proposer has the financial ability to operate the .city TLD and if the vendor has realistic expectations about the expected costs of setting up and operating your .city TLD. Furthermore, because of ICANN rules concerning registry continuity, the vendor should show that in the event of their business failure, sufficient funds are set aside to continue servicing existing customers until a replacement registry can be found.

Look for the vendor to answer the following questions:

  • How will the operation be financed?
  • How will the funds be allocated?
  • Are the projected costs for hardware, marketing, personnel, and other costs realistic for your city?
  • Is the amount of funding more than sufficient to cover operating costs prior to achieving breakeven?
  • At what point does the vendor anticipate achieving breakeven?
  • Are funds set aside for continued operation in case of business failure?

Potential funding sources could consist of investments, loans, cash on hand, and revenue from ongoing operations, including:

  • Sunrise domain sales, including contested auction sales and standard uncontested sales.
  • Landrush domain sales. During the landrush period, interested parties may pre-register desirable domain names. In the case of multiple registrations for the same domain, auctions are used to settle the contention sets.
  • Premium generic auctions occurring after the sunrise and landrush periods. A certain number of premium generic domain names are reserved by the registry for auction, and are auctioned off over time.
  • Standard wholesale domain name sales through the registrar channel. Registrars will sell domain names to end users at a retail price, while paying the registry operator the wholesale price of the domain.

The expected costs of setting up and operating a TLD should include:

  • Marketing costs, which include general marketing (including online, offline, and social media marketing), website design, and search engine optimization.
  • Selling, General and Administrative Expenses, which include setting up a datacenter, sunrise and landrush period management, legal and auditing fees, equipment procurement, salaries and hiring, rent, communications, travel, supplies, utilities and maintenance.
  • Registry Services Costs, including any outsourcing costs.

4. What is the vendor’s technical ability?

Make certain that the vendor has a robust system that adheres to relevant standards and minimum requirements, has a proven track record operating one or more TLDs, and is willing to adapt its system to the objectives and approach that you want taken for your project – as opposed to you adapting your TLD to their system.

There are four major areas of TLD registry technology. Your vendor, either alone or with specialty partners – a common arrangement – should be proficient in all of them.

Registration Services. This is the provisioning system, where registrants and registrars connect to create and manage their domain names. It is a central database that has a number of methods of secure connection for record management, most typically using a web interface for direct user interaction or a secure encrypted connection that communicates via an XML dialog (EPP).

Resolution Services. This is Domain Name System (DNS) management, essentially the ‘broadcast’ of the top-level domain. It includes generation of zone files, a zone signing process, operating servers that answer authoritatively, and anything else related to DNS.

Public Data Services. Making registrant, domain, and name server information publicly available is part of the operation of a registry. Providing public access to services like Whois or making zone file access available are mandated responsibilities that come as part of the privilege of being delegated a TLD.

Private Data Services. There are data services that are part of the operation of a TLD which are also important. ICANN mandates that some form of data escrow be performed in a timely manner, so that operations can continue by restoring from the information held in escrow. Additionally, there will be reports or other data that will be important for the day-to-day business and operations of the registry.

Some good gauges of a registry service provider’s technical ability are:

  • What TLDs are currently supported and how many?
  • Is the registry on their system or outsourced?
  • Is the registry software open source, in whole or in part? (Open-source software is preferable.)
  • Clear description of pricing model (e.g., per-unit, flat-fee pricing).
  • Can the registry system accommodate complicated business rules?
  • Are DNS resolution services included in the bundle?
  • Are Whois services included?
  • Is Data Escrow service included or an additional cost?
  • Is the vendor compliant with all of ICANN’s standards and requirements?
  • How many registrars are currently using the vendor’s registry services platform? (If registrars are pre-integrated, they are more likely to carry your TLD on their site.)

Is the vendor willing to make technical investments in your TLD?

  • Will they handle the Registry Services Technical Evaluation Program (RSTEP) component of the application process?
  • Will the provider pay for an extended evaluation ($50,000 USD) in part or in full, if such a review is required by ICANN?
  • Will they collaborate with you on policy to help achieve balance between business rules and their technical implementation, without forcing you into solutions that minimize their programming or engineering time (i.e., use their canned, ‘black box’ solution)?

The vendor’s registry platform needs to adhere to best-practice standards and ICANN requirements:

  • Adheres to RFCs for registration, resolution, and whois information
  • Platform has data escrow capabilities
  • Platform has reporting capabilities
  • Platform is fully ICANN-compliant
  • Platform Supports IDNs
  • Ensure that there is support for IPv6 in record storage, access to systems, and DNS queries
  • Support for other record types in DNS like NAPTR, TXT, LOC
  • Supports DNSSEC and/or Anycast for DNS resolution and has these available without hidden charges
  • Hosted or locally-installed configurations – perhaps there are requirements that the city IT staff administrate the registry system
  • Works with all major currencies so that local currency can be supported
  • User interface can be configured for different languages – make sure there is an approach that can be configured to work with the local language(s)

Finally, the vendor should establish its level of familiarity and experience with, and its ability to technically implement, any of the following:

  • Customer service to registrars
  • Technical support to registrars
  • Support Escalation processes
  • System monitoring and event response
  • Billing systems
  • Internationalized Domain Names (IDNs)
  • All aspects of the domain name lifecycle
  • Technical implementation of policy
  • Reporting requirements
  • Legal requirements
  • Dispute mechanisms
  • Rights protection mechanisms
  • Support for community standards

5. What is the vendor’s marketing ability?

The history of top-level domains shows that targeted marketing, along with TLD registration policies, is the biggest factor in determining success. Your city will need a partner that is able to promote and market the .city TLD to create the pervasive positive awareness that gets citizens to use your .city name and make the TLD a success.

The new TLD round will mark a distinct break from the past, moving from a world in which .com is king to a world in which there are hundreds of viable alternatives to .com. The TLD “noise level” will be orders of magnitude higher than ever before. In this new world, “hotels.city” will be competing with “city.hotels.” Furthermore, registrars will have limited shelf space on their sites, and your .city will be competing with other TLDs for prominent placement on registrar web pages and registrar promotional materials.

Therefore, the .city brand needs to be developed quickly, and developed well, to avoid the marketing mistakes that have cost previous TLDs years of lost opportunity. In particular, it would be a mistake to rely exclusively on the registrar channel to stimulate demand.

To stand out from the crowd, you will need to market to end users directly. One of the advantages of a .city name is that the majority of the eventual registrants are physically located in the area. Your provider can take advantage of that by making use of some powerful marketing assets:

  • Local famous spokesperson with enthusiastic support.
  • Engage other city celebrities to talk about how they use .city and to tell citizens what their .city domain name is. This will create a climate of acceptance and provide people with different examples of how they can use a .city domain name.
  • A city based Internet marketing partner able to target by geographic location and by demographic ensuring city Internet users will be highly aware of the .city domain.
  • Because of the defined geography, make use of “event marketing.”

This multi-faceted, direct-to-consumer approach, combined with a guaranteed registrar channel, will mean that your potential customers will know about the option to register .city domains and will be charged up by the idea of owning this valuable real estate.

6. What is the vendor’s reporting capability?

Operating a top-level domain registry is a business with special requirements. ICANN calls for monthly reporting on registry activity, and your city departments will need to know the financials. The RFP could include requirements for the vendor to supply samples of standard reports including maintenance events, revenue received, and SLDs registered.

The RFP is an opportunity for the vendor to display its reporting capabilities. The level of reporting that a vendor provides is a good indication of their ability to understand and adapt their technical and business processes.

At a minimum, the vendor should provide reports on:

  • Financial reports
  • Reports on object creation, modification, and deletions
  • Reports on domain transfers
  • Reports on database maintenance
  • Reports on Whois queries
  • EPP logs
  • Reports on IP login locations

ICANN-required reports

Some reports are required by ICANN and must be submitted according to its specifications:

  • Service Level Performance Report, ICANN’s required Service Level Agreement Performance Report.
  • Sample Maintenance Report, showing the registry’s level of service as required by Specification 6 of the Registry operator agreement.
  • Per Registrar Activity Report, showing activity as detailed in Specification 3 of the Registry operator agreement.
  • Whois Service Activity, showing the number of Whois queries during a one month period.
  • ICANN Operator Monthly Report, including registrar status, zone file activity, software releases, transactions and a per-registrar activity report on a monthly basis.

Reports to the city

These are examples of reports you may wish to see on a periodic basis. Your vendor should be able to provide you with these and many other reports.

  • Financial Transaction Report showing financial transactions occurring during a one-month period.
  • Revenue Received Report showing incoming funds at the registry for a one-month period.
  • SLDs Registered Report showing second-level domains registered during a one-month period.

Management reports

You may wish to require reports on the internal management of the registry, for instance:

  • Service Level Agreement (SLA) Ticket System, showing ticket status levels, priority and service levels.
  • Ticket Response Time, displaying support staff response time for closing out trouble tickets.
  • Support Department Summary, showing trouble ticket summaries across departments.
  • Systems and Network Operations Monthly Report, a monthly summary of systems and network operations for the registry.
  • Maintenance Ticket Response Time, showing response time for maintenance events.
  • Operations Department Summary, a summary of incidents and status for the past month.

7. What is the vendor’s proposed approach?

Ask the vendor how they are going to accomplish your goals. What registration policies do they propose? What is the community feedback mechanism? What are their ideas for making your TLD gain acceptance in the community? The vendor’s proposed approach should be one that shows they are aware of the market and operational challenges and have a plan to succeed.

Your registry partner should be able to guide you through the entire process. They should also be able to navigate the domain name ecosystem, making connections with the important sales channels and helping you with auctions and policy. Having a partner who is familiar with the domain name industry will be deeply beneficial. Choose a partner that is as transparent as possible and provides information about the process on their website or in discussions.

The vendor’s plan for introducing you to the world will tell you a great deal about whether they have the imagination to make your city TLD a success.

8. How will the vendor guarantee security and stability?

Security and stability of the registry system and the DNS is a multi-layered process. Your vendor should be assuring security through these and other steps:

  • The Registry should be operated in a secured facility and the servers operated behind a perimeter firewall. Registrars communicate upstream to the registry through a pre-approved firewall rule that allows their IP address to communicate with the registry system. The communication is performed via an encrypted connection which requires a username and password. The domain name being managed must be within those under the registrar’s account. The registrar has defined functions and rights to perform certain actions only on domains under their management.
  • The registry generates a zone file for the TLD in a firewall-protected private network. The zone file is generated in a protected environment, stored as a read-only document with protected user permissions, validated against the database, and tested to ensure it is functional and will create no disruption. The file is ‘pushed’ via an encrypted connection using pre-defined one-direction access to a predefined server for DNSSEC signing within the secure network.
  • The zone file is signed and then re-validated within the secure network, and transmitted using encryption and one-way communication using a security tunnel between firewalled networks to staging servers on the anycast systems, where they are tested and anti-tamper confirmed.
  • The updated, signed zone files are then pushed out from that staging server using an encrypted communication, and updates propagate outward into the anycast DNS clouds.
  • Internet users typing the domain names have their computers perform one-way lookups of domain names and receive rapid responses to their DNS requests.
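
The "validated against the database" and "anti-tamper confirmed" steps in the list above, sketched as an added example (not code from this guide or from any registry vendor): a generated zone is compared with the registry database before it is released for signing, and a digest recorded at one stage is rechecked at the next. The TLD name, the record data, the one-record-per-line zone format and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: delegations the registry database holds for a
# hypothetical TLD "city" (names and name servers are illustrative).
REGISTRY_DB = {
    "hotels.city.": {"ns1.example.net.", "ns2.example.net."},
    "parks.city.": {"ns1.example.org."},
}

# Constructed sample of the generated zone, one record per line (assumed format).
ZONE_TEXT = """\
; zone for city. generated from the registry database
hotels.city. 3600 IN NS ns1.example.net.
hotels.city. 3600 IN NS ns2.example.net.
parks.city.  3600 IN NS ns1.example.org.
"""

def parse_delegations(zone_text):
    """Collect the NS set per owner name; reject lines that cannot be parsed."""
    delegations = {}
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"line {lineno}: unsupported record {raw!r}")
        owner, _ttl, _cls, rtype, rdata = fields
        if rtype.upper() == "NS":
            delegations.setdefault(owner.lower(), set()).add(rdata.lower())
    return delegations

def validate_zone(zone_text, registry_db):
    """Return discrepancies between zone and database; empty list means match."""
    zone = parse_delegations(zone_text)
    problems = []
    for name in sorted(set(zone) | set(registry_db)):
        if name not in zone:
            problems.append(f"missing from zone: {name}")
        elif name not in registry_db:
            problems.append(f"not in database: {name}")
        elif zone[name] != registry_db[name]:
            problems.append(f"NS mismatch: {name}")
    return problems

def zone_digest(zone_text):
    return hashlib.sha256(zone_text.encode("utf-8")).hexdigest()

def release_for_signing(zone_text, registry_db):
    """Fail closed: a zone that disagrees with the database is never released."""
    problems = validate_zone(zone_text, registry_db)
    if problems:
        raise RuntimeError("zone rejected: " + "; ".join(problems))
    return zone_digest(zone_text)   # digest travels separately from the file

def confirm_at_receiver(received_text, expected_digest):
    """Anti-tamper check at the next stage: recompute and compare the digest."""
    return hmac.compare_digest(zone_digest(received_text), expected_digest)
```

An unkeyed digest only detects tampering when it reaches the receiving stage over a channel the file itself does not use; a vendor's answer should say how that is arranged.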

9. What is the vendor’s risk management strategy?

Helpful risk management resources for evaluating a vendor’s risk management strategy include the following:

  • The Certified Information Systems Security Professional (CISSP) is an independent information security certification governed by the not-for-profit International Information Systems Security Certification Consortium, commonly known as (ISC)². The CISSP recommends specific risk assessment and management procedures and strategies.
  • The National Institute of Standards and Technology (NIST). The NIST Computer Security Division has a Special Publication series, SP 800, with recommendations and suggested practices to ensure stable, secure systems. Of particular interest are NIST SP 800-39, Managing Risk from Information Systems: An Organizational Perspective, and NIST SP 800-30, Risk Management Guide for Information Technology Systems.
  • CERT’s Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) provides a streamlined information asset risk evaluation method, called OCTAVE Allegro.

10. What will be the policy for reserved names?

Defining a list of reserved names in advance of general availability to the public will save a lot of trouble later. Though it may be possible to recover official names, the public reaction is likely to be vociferously negative. Your vendor should help you put together a reserved list that might include names from some of the following categories:

  • City departments
  • Mayor’s office
  • Chamber of Commerce
  • Education
  • Police / Law enforcement
  • Municipal services
  • Social services
  • Parks and recreation
  • District or neighborhood names
  • Abbreviations / acronyms of the above

Terms such as mayor, police, parks are common to most cities, but each city will have particular initiatives, landmarks, and historical names that should be defined in collaboration with the vendor. The city should ultimately provide a preliminary list of reserved names.

Summary

These are just some of the questions that should be asked of a registry services provider. A more complete guide is available by sending an email to minds@mindsandmachines.com.