SGNIC
Singapore Network Information
Centre (SGNIC) Pte Ltd
Go

Being a Registrar

General

What is the minimum period of accreditation for registrars?

Currently, SGNIC will accredit registrars for a period of 3 years. SGNIC will review renewal requests submitted by registrars on a case-by-case basis.

How do I become an SGNIC accredited registrar?

The process and criteria for becoming a SGNIC accredited registrar is outlined in detail under Be Our Registrar.

What is the minimum criteria to be an accredited registrar?

The minimum criteria are:

  • Applicants will need to have a minimum working capital of S$50,000. Foreign-based applicants will also need to be ICANN-accredited.
  • Technical capability such as the ability to accommodate all the archival database including the creation and maintenance of Whois-type public access database service and the provision of daily back-up and archives of them.
  • Ability to provide prompt service to registrants for their registration needs.
  • At least six months (continuous) prior experience in domain name registration business.
What are the financial considerations before I decide to apply to be an accredited registrar?

The following financial considerations apply:

  • S$1,000 non-refundable application fee, to be submitted together with application.
  • A minimum working capital of S$50,000 for all applicants for the preceding 2 years before application.
  • S$30,000 performance bond in the form of a banker’s guarantee for companies which are not able to produce two years' worth of audited statements showing a minimum working capital of S$50,000 or in SGNIC’s assessment, it is necessary for a potential registrar to provide a performance bond.
  • A S$4,500 accreditation fee for successful applicants. This accreditation fee will cover an accreditation period of three years. Thereafter, renewal of registrar accreditation is at a three yearly interval at a fee of S$4,500.
  • A S$3,000 starting balance in the Deposit Account with SGNIC.
  • Prevailing taxes will apply to fees payable.
Is there is limit to the number of registrars SGNIC will accredit?

To encourage competition and promote innovation, there will be no limit on the number of registrars accredited by SGNIC.

Technical - General

Technical - EPP

Technical - WHOIS

Technical - Domain Name

How many characters are allowed for a .sg domain name?
A .sg domain name (excluding the category suffix such as ‘.sg’ or ‘.com.sg’) must be between 1 and 63 ascii characters. This restriction also applies to the Punycode format of Chinese and Tamil Internationalized Domain Names (IDN). 
What are the characters allowed in a .sg domain name?
For ASCII/Latin domain names, only letters, digits and hyphen (LDH) are allowed. Chinese characters are allowed for all domain name categories including .新加坡.  Tamil characters are allowed for .சிங்கப்பூர். 
Does SGNIC support Internationalized Domain Names (IDN)?
Yes, SGNIC supports Chinese and Tamil domain names. 

Technical - Contact Object

Technical - Host Object

Mandatory Security Requirement for Renewal of Registrar Accreditation

What is SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation?

SGNIC requires that a SGNIC accredited registrar who seeks to extend the term of its registrar accreditation must, prior to the expiry of the term under its Registrar Accreditation Agreement (RAA), undergo a web application vulnerability assessment (“VA”) test for its .sg domain name registration web portal (“Mandatory Security Requirement for Renewal of Registrar Accreditation”). SGNIC requires that the registrar completes the web application VA and rectify any “high” and “medium” security risk findings in the final year (usually year 3) of such registrar’s accreditation, and furnishes to SGNIC a copy of the final web application VA test report showing that there are no “high” or “medium” security risk findings in the web application VA test results. The final web application VA test date must be within the final year of the registrar’s term of accreditation (usually year 3), i.e. dated no more than 12 months before the expiry of the term of accreditation, and shall be to SGNIC’s satisfaction.

Why is there a need to ensure that an accredited registrar’s .sg domain name registration web portal is secure?

 

Most SGNIC accredited registrars operate a web portal that allows registrants to modify their .sg domain name information, such as contact details and name servers. If an attacker is able to gain unauthorised access to an accredited registrar’s web portal by exploiting vulnerabilities of the web portal, the attacker may be able to perform unauthorised modifications to registrants’ .sg domain name information. Such unauthorised modifications may then allow the attacker to, for example, hijack domain names and/or redirect registrants’ websites, emails or other services, to servers controlled by the attacker.
What harm may be caused to registrants if an attacker is able to gain unauthorised access into an accredited registrar’s domain name registration web portal?
The harm will depend on the actions of the attacker after it gains control of the domain name, the issues created by the attacker, and the value and importance placed on the contents of the registrant’s website, emails and other services attached to the domain name. For example, (i) the attacker may change the visual appearance of a registrant’s web portal to demonstrate its ability to deface such website thus affecting the registrant’s reputation, (ii) interfere with activities over the registrant’s web portal thereby causing disruption and/or economic losses, or (iii) trick end users into believing that services provided over the registrant’s web portal  are nevertheless legitimate so much so that users continue to transact using such services, resulting in sensitive information being leaked to the attacker.
What is web application VA testing and how does it help to secure a SGNIC accredited registrar’s domain name registration web portal?
Web application VA testing is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities associated with a web application. Typically, a software tool is used to automate the ‘scanning’ of the web application to identify vulnerabilities that may be exploited. Each vulnerability may be validated to remove false positives and is assigned a security risk rating of “high”, “medium” or “low”. The organisation that has undergone web application VA testing may then prioritise which vulnerabilities to resolve first.
Apart from web application VA testing, are there any other mandatory security requirements imposed by SGNIC?
SGNIC requires that all SGNIC accredited registrars undergo web application VA tests for their domain name registration web portals for purposes of SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation. SGNIC considers web application VA testing to be an important minimum requirement, and would expect all accredited registrars to perform the web application VA tests to enhance their level of security protection. As accredited registrars are responsible for the security of their own systems and web portals, where any security breach may adversely impact both registrars and registrants, it is recommended that such registrars not only implement regular web application VA testing, but also carry out other security assessments such as host/network based VA tests, host/network and web application penetration tests and IT general controls reviews as well. 
Are all SGNIC accredited registrars affected by SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation?
SGNIC requires that all SGNIC accredited registrars be subject to the Mandatory Security Requirement for Renewal of Registrar Accreditation. First, an existing registrar whose term of accreditation expires on or after 1 July 2020 will be required to comply with SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation with effect from 1 January 2019. Second, where an existing registrar’s term of accreditation would expire before 1 July 2020, notwithstanding a renewal of the registrar’s term of accreditation in view of the aforementioned, such registrar would only need to comply with the Mandatory Security Requirement at its subsequent renewal. Third, where a registrar would be accredited on or after 1 January 2019, such registrar would only need to comply with SGNIC’s Mandatory Security Requirement when its accreditation renewal is subsequently due. SGNIC is also prepared to waive the application of the Mandatory Security Requirement for Renewal of Registrar Accreditation on a case-by-case basis, in the event an accredited registrar does not operate a web portal for registrants to modify .sg domain name details.
What must an accredited registrar provide to SGNIC for purposes of the Mandatory Security Requirement for Renewal of Registrar Accreditation?

The registrar shall provide SGNIC with a web application VA test report. The VA test report shall:

a) be produced by a SGNIC pre-screened security vendor in accordance with the requirements and scope of work as defined here
b) comprise of a final assessment date of not more than 12 months before the registrar’s accreditation expiry date; and
c) contain no security risk findings that are rated as “high” or “medium”.

What happens if the web application VA test report submitted by an accredited registrar does not comply with SGNIC’s requirements?

SGNIC may reject the accredited registrar’s application for an extension of the term of its accreditation under the RAA. SGNIC may, however, at its sole and absolute discretion and on a case-by-case basis, consider extending the registrar’s term of accreditation for a short period (e.g. 6 months) to provide the registrar additional time to fulfil the Mandatory Security Requirement for Renewal of Registrar Accreditation, with a view to extending such registrar’s accreditation should the registrar eventually comply with SGNIC’s requirements.

How much does it cost to conduct a web application VA test?

Based on SGNIC’s survey of the market in 2018, the fees to conduct a web application VA test may range from approximately S$2,800 to S$5,000.

Will SGNIC provide funding support to assist SGNIC accredited registrars to meet the Mandatory Security Requirement for Renewal of Registrar Accreditation?

Yes, partial sponsorship, subject to a cap, will be provided per web application VA test conducted for an initial period of 3 years from 1 January 2019 for SGNIC accredited registrars that are Small and Medium Enterprises (SMEs) and have met SGNIC’s sponsorship requirements. The funding support is described below. More details are in the FAQ on Sponsorship Programme for Web Application Vulnerability Assessment:

 

Sponsorship Application Date

 Sponsorship Details

1 Jan 2019 – 30 Sep 2019
(Within 9 months from the commencement of SGNIC’s sponsorship programme for web application VA

80% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$4,400.

1 Oct 2019 – 31 Dec 2021
(After 9 months from  commencement of SGNIC’s sponsorship programme for web application VA)

50% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$2,750.

 

 

 Who are SGNIC’s pre-screened security vendors?
Please refer to the list of pre-screened security vendors as published here.
Why is there a need to use a pre-screened security vendor?
As there are no industry certifications to identify security vendors for the conduct of web application VA tests, it would be difficult for accredited registrars and SGNIC to determine if a vendor’s VA testing and reports constitute an adequate assessment of the vulnerability situation of a registrar’s web application. As the starting point, SGNIC is of the view that a screening of the vendor’s methodology and track record would minimally help to ascertain the credibility and qualifications of a vendor before a registrar engages the vendor’s services. 
Can an accredited registrar request for its security partner to be identified as a pre-screened security vendor by SGNIC?
Yes, you can inform your security partner (which includes a local or overseas-based security partner that a registrar works with) to submit an application form to SGNIC to be identified as a pre-screened security vendor. SGNIC will assess the security vendor’s track record and methodology to determine if the security vendor can be included as one of SGNIC’s pre-screened security vendor. 

Will SGNIC guarantee the quality of work of a SGNIC pre-screened security vendor?
While SGNIC will identify certain security vendors as pre-screened security vendors based on such vendors’ track record and methodology, SGNIC makes no guarantee or assurances as to the quality of work of such pre-screened security vendors. That said, for the purposes of identifying security vendors as pre-screened security vendors, SGNIC will make every effort to review a security vendor’s credibility and qualifications. The list of pre-screened security vendors and any information pertaining to the pre-screened vendors that are provided by SGNIC, are provided ‘as is’ without any express or implied warranty of any kind. 

Will SGNIC be involved in the appointment of a pre-screened security vendor by an accredited registrar or the resolution of any dispute between them?
No, SGNIC is not involved in an accredited registrar’s appointment of a pre-screened security vendor. The registrar shall arrange for the engagement of a pre-screened security vendor, including the terms of engagement and scope of the security vendor’s services. Any dispute, including that arising from the services or products provided by the registrar’s appointed security vendor, shall be resolved directly between the registrar and the security vendor. 
What are the technical requirements and scope of the web application VA testing?
The technical requirements and scope of work are set out here.  Accredited registrars shall ensure that the relevant requirements are met when they procure VA test services from pre-screened security vendors. 
What is a typical project flow for each web application VA testing?
Where a SGNIC accredited registrar qualifies for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:
va_wf_sponsored
Where a SGNIC accredited registrar does not qualify for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:
va_wf
What is the recommended timeline for an accredited registrar to start the engagement with a pre-screened security vendor?
Accredited registrars should plan to carry out the first VA tests, from as early as 15 months and no later than 6 months, before the expiry of the terms of accreditation under such registrars’ respective RAAs. Accredited registrars should also be aware that the final VA test dates shall be not more than 12 months before the expiry of the terms of accreditation under their respective RAAs. Such registrars should plan for a lead time (e.g. 3 to 6 months) to fix any vulnerabilities before the final VA test/ re-scan (taking into consideration that there may be numerous vulnerabilities found, with some vulnerabilities requiring deeper research, and others requiring upgrades of framework/webserver, etc). As SGNIC generally engages/ reminds registrars about their renewals of accreditation approximately 6 months before the expiry of their respective terms of accreditation, SGNIC would strongly recommend that registrars produce the final VA scan/ test result by then to avoid any delay in the renewals of accreditation by SGNIC.