FAQ

Currently, SGNIC will accredit registrars for a period of 3 years. SGNIC will review renewal requests submitted by registrars on a case-by-case basis.

The process and criteria for becoming a SGNIC accredited registrar is outlined in detail under Be Our Registrar.

The minimum criteria are:

• Applicants will need to have a minimum working capital of S$50,000. Foreign-based applicants will also need to be ICANN-accredited.
• Technical capability such as the ability to accommodate all the archival database including the creation and maintenance of Whois-type public access database service and the provision of daily back-up and archives of them.
• Ability to provide prompt service to registrants for their registration needs.
• At least six months (continuous) prior experience in domain name registration business.

The following financial considerations apply:

• S$1,000 non-refundable application fee, to be submitted together with application.
• A minimum working capital of S$50,000 for all applicants for the preceding 2 years before application.
• S$30,000 performance bond in the form of a banker’s guarantee for companies which are not able to produce two years' worth of audited statements showing a minimum working capital of S$50,000 or in SGNIC’s assessment, it is necessary for a potential registrar to provide a performance bond.
• A S$4,500 accreditation fee for successful applicants. This accreditation fee will cover an accreditation period of three years. Thereafter, renewal of registrar accreditation is at a three yearly interval at a fee of S$4,500.
• A S$3,000 starting balance in the Deposit Account with SGNIC.
• Prevailing taxes will apply to fees payable.

To encourage competition and promote innovation, there will be no limit on the number of registrars accredited by SGNIC.

Yes, SGNIC encourages registrars to connect to its registry system using Extensible Provisioning Protocol (EPP). Registrars will need to take note of some EPP extensions that have been customised to meet SGNIC’s registration requirements. SGNIC also provides Java/PERL API for registrars who may need it to simplify EPP-based communications. Please contact SGNIC’s Technical Support team for details.

Yes, only whitelisted IP addresses can access SGNIC’s Extensible Provisioning Protocol (EPP) service and registrar portals (for both OTE and Production).

Yes, SGNIC supports DNSSEC and encourages all registrars to support the feature for their .sg registrants.

1. Port 43 WHOIS service: whois.sgnic.sg(Public): whois.sgnic.sg (for .SG TLD), whois.zh.sgnic.sg (for .新加坡 TLD) and whois.ta.sgnic.sg (for .சிங்கப்பூர் TLD)
2. Web-based WHOIS service: https://www.sgnic.sg (public)

A .sg/.新加坡/.சிங்கப்பூர் domain name that has been registered will automatically be renewed by the system upon expiry (unless the name  has a “serverRenewProhibited” status) and move into an autoRenewPeriod of 30 days. A name can be deleted by the registrar at any point in time during the lifecycle and once this is done, the name moves into a redemptionPeriod of 30 days.  A name that cannot be auto-renewed by the system (for example, due to insufficient credit balance or name has a “serverRenewProhibited” status) will move into the redemptionPeriod of 30 days as well. If a name has dropped into the redemptionPeriod and there is intention to keep the name, the name will need to be restored with a restoration fee. Otherwise, the name will be purged from the system at the end of the 30-day redemptionPeriod. 

Registrars are given fourteen (14) days grace period for new registrations, known as the addPeriod. If a registrar withdraws the registration by deleting a domain name within this grace period, the registration fee will be refunded to the registrar automatically and the name will be immediately purged from the system.

No, SGNIC does not provide renewPeriod grace period.

If a domain name has “redemptionPeriod” status , it may be restored with a restore fee.  A restore report would need to be submitted to SGNIC within 5 days of the restore request in order for the name to be restored.

The term options are 0 year, 1 year, 2 years and 3 years, provided that the expiry date of the domain name after such renewal does not exceed 3 years from the date SGNIC receives the transfer (with renewal) instruction.

No, SGNIC does not provide transferPeriod grace period.

Yes, ‘Authorisation Code’ is required when the gaining registrar initiates/requests the domain transfer.

Email notifications will be sent to the registrars at the different transfer stages. In addition, registrars can use EPP ‘poll’ command or registrar portals to get the latest status of the domain transfer.

A registrar transfer request initiated by the gaining registrar will be automatically approved after 7 days if there is no explicit action from the losing registrar. 

Registrars must use EPP’s ‘domain check’ command for availability checks. Registrars shall not use WHOIS for domain availability checks as the WHOIS service is meant for ad-hoc domain information checks only.

The contact object is being maintained as separate object. In other words, a contact can be created without being associated with any domain name; and can be associated with more than one domain name. If a contact object is not associated with any domain name for 90 days, it will be deleted automatically by the system.

There is no limit on the number of contact objects a registrar can create. However, for each domain name, there can be only 1 registrant, 1 administrative contact, 1 billing contact and 1 technical contact associated with the domain name. Multiple contacts for each role (e.g. 2 technical contacts for 1 domain name) is not allowed.

All fields can be modified, except Contact ID and Contact Contact Category.

Postal Code is mandatory if the country indicated is Singapore.
Read https://verifiedid.sgnic.sg/faq.html#_Toc445128329 for the requirements of the Administrative Contact of a .sg domain name subject to VerifiedID@SG scheme.

Yes. However, if the host object’s hostname ends with .sg (aka ‘Child host’), the prerequisite is that parent .sg domain name must already be registered otherwise the system will not allow the creation of the host object.

Yes. Minimally 2 hosts are required; and up to maximum of 13 hosts could be associated with a domain name. In the event that zero host is associated with a domain name, the domain name will have ‘inactive’ status.

IP addresses are only required for ‘child hosts’ (i.e. host objects with hostnames ending with .sg) for glue record purposes. For such child host objects, a minimum of 1 IP address is required.. For other hosts with hostnames that do not end with .sg (a.k.a. ‘out-of-zone’ hosts), IP address is NOT required.

Yes. However, a domain name cannot be associated with multiple host objects of the same IP address.

SGNIC requires that a SGNIC accredited registrar who seeks to extend the term of its registrar accreditation must, prior to the expiry of the term under its Registrar Accreditation Agreement (RAA), undergo a web application vulnerability assessment (“VA”) test for its .sg domain name registration web portal (“Mandatory Security Requirement for Renewal of Registrar Accreditation”). SGNIC requires that the registrar completes the web application VA and rectify any “high” and “medium” security risk findings in the final year (usually year 3) of such registrar’s accreditation, and furnishes to SGNIC a copy of the final web application VA test report showing that there are no “high” or “medium” security risk findings in the web application VA test results. The final web application VA test date must be within the final year of the registrar’s term of accreditation (usually year 3), i.e. dated no more than 12 months before the expiry of the term of accreditation, and shall be to SGNIC’s satisfaction.

Most SGNIC accredited registrars operate a web portal that allows registrants to modify their .sg domain name information, such as contact details and name servers. If an attacker is able to gain unauthorised access to an accredited registrar’s web portal by exploiting vulnerabilities of the web portal, the attacker may be able to perform unauthorised modifications to registrants’ .sg domain name information. Such unauthorised modifications may then allow the attacker to, for example, hijack domain names and/or redirect registrants’ websites, emails or other services, to servers controlled by the attacker.

The harm will depend on the actions of the attacker after it gains control of the domain name, the issues created by the attacker, and the value and importance placed on the contents of the registrant’s website, emails and other services attached to the domain name. For example, (i) the attacker may change the visual appearance of a registrant’s web portal to demonstrate its ability to deface such website thus affecting the registrant’s reputation, (ii) interfere with activities over the registrant’s web portal thereby causing disruption and/or economic losses, or (iii) trick end users into believing that services provided over the registrant’s web portal  are nevertheless legitimate so much so that users continue to transact using such services, resulting in sensitive information being leaked to the attacker.

Web application VA testing is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities associated with a web application. Typically, a software tool is used to automate the ‘scanning’ of the web application to identify vulnerabilities that may be exploited. Each vulnerability may be validated to remove false positives and is assigned a security risk rating of “high”, “medium” or “low”. The organisation that has undergone web application VA testing may then prioritise which vulnerabilities to resolve first.

SGNIC requires that all SGNIC accredited registrars undergo web application VA tests for their domain name registration web portals for purposes of SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation. SGNIC considers web application VA testing to be an important minimum requirement, and would expect all accredited registrars to perform the web application VA tests to enhance their level of security protection. As accredited registrars are responsible for the security of their own systems and web portals, where any security breach may adversely impact both registrars and registrants, it is recommended that such registrars not only implement regular web application VA testing, but also carry out other security assessments such as host/network based VA tests, host/network and web application penetration tests and IT general controls reviews as well. 

SGNIC requires that all SGNIC accredited registrars be subject to the Mandatory Security Requirement for Renewal of Registrar Accreditation. First, an existing registrar whose term of accreditation expires on or after 1 July 2020 will be required to comply with SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation with effect from 1 January 2019. Second, where an existing registrar’s term of accreditation would expire before 1 July 2020, notwithstanding a renewal of the registrar’s term of accreditation in view of the aforementioned, such registrar would only need to comply with the Mandatory Security Requirement at its subsequent renewal. Third, where a registrar would be accredited on or after 1 January 2019, such registrar would only need to comply with SGNIC’s Mandatory Security Requirement when its accreditation renewal is subsequently due. SGNIC is also prepared to waive the application of the Mandatory Security Requirement for Renewal of Registrar Accreditation on a case-by-case basis, in the event an accredited registrar does not operate a web portal for registrants to modify .sg domain name details.

The registrar shall provide SGNIC with a web application VA test report. The VA test report shall:

a) be produced by a SGNIC pre-screened security vendor in accordance with the requirements and scope of work as defined here
b) comprise of a final assessment date of not more than 12 months before the registrar’s accreditation expiry date; and
c) contain no security risk findings that are rated as “high” or “medium”.

SGNIC may reject the accredited registrar’s application for an extension of the term of its accreditation under the RAA. SGNIC may, however, at its sole and absolute discretion and on a case-by-case basis, consider extending the registrar’s term of accreditation for a short period (e.g. 6 months) to provide the registrar additional time to fulfil the Mandatory Security Requirement for Renewal of Registrar Accreditation, with a view to extending such registrar’s accreditation should the registrar eventually comply with SGNIC’s requirements.

Based on SGNIC’s survey of the market in 2018, the fees to conduct a web application VA test may range from approximately S$2,800 to S$5,000.

Yes, partial sponsorship, subject to a cap, will be provided per web application VA test conducted for an initial period of 3 years from 1 January 2019 for SGNIC accredited registrars that are Small and Medium Enterprises (SMEs) and have met SGNIC’s sponsorship requirements. The funding support is described below. More details are in the FAQ on Sponsorship Programme for Web Application Vulnerability Assessment:

Sponsorship Application Date	Sponsorship Details
1 Jan 2019 – 30 Sep 2019 (Within 9 months from the commencement of SGNIC’s sponsorship programme for web application VA	80% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$4,400.
1 Oct 2019 – 31 Dec 2021 (After 9 months from  commencement of SGNIC’s sponsorship programme for web application VA)	50% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$2,750.

 

 

Please refer to the list of pre-screened security vendors as published here.

As there are no industry certifications to identify security vendors for the conduct of web application VA tests, it would be difficult for accredited registrars and SGNIC to determine if a vendor’s VA testing and reports constitute an adequate assessment of the vulnerability situation of a registrar’s web application. As the starting point, SGNIC is of the view that a screening of the vendor’s methodology and track record would minimally help to ascertain the credibility and qualifications of a vendor before a registrar engages the vendor’s services. 

Yes, you can inform your security partner (which includes a local or overseas-based security partner that a registrar works with) to submit an application form to SGNIC to be identified as a pre-screened security vendor. SGNIC will assess the security vendor’s track record and methodology to determine if the security vendor can be included as one of SGNIC’s pre-screened security vendor. 

While SGNIC will identify certain security vendors as pre-screened security vendors based on such vendors’ track record and methodology, SGNIC makes no guarantee or assurances as to the quality of work of such pre-screened security vendors. That said, for the purposes of identifying security vendors as pre-screened security vendors, SGNIC will make every effort to review a security vendor’s credibility and qualifications. The list of pre-screened security vendors and any information pertaining to the pre-screened vendors that are provided by SGNIC, are provided ‘as is’ without any express or implied warranty of any kind. 

No, SGNIC is not involved in an accredited registrar’s appointment of a pre-screened security vendor. The registrar shall arrange for the engagement of a pre-screened security vendor, including the terms of engagement and scope of the security vendor’s services. Any dispute, including that arising from the services or products provided by the registrar’s appointed security vendor, shall be resolved directly between the registrar and the security vendor. 

The technical requirements and scope of work are set out here.  Accredited registrars shall ensure that the relevant requirements are met when they procure VA test services from pre-screened security vendors. 

Where a SGNIC accredited registrar qualifies for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:

Where a SGNIC accredited registrar does not qualify for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:

Accredited registrars should plan to carry out the first VA tests, from as early as 15 months and no later than 6 months, before the expiry of the terms of accreditation under such registrars’ respective RAAs. Accredited registrars should also be aware that the final VA test dates shall be not more than 12 months before the expiry of the terms of accreditation under their respective RAAs. Such registrars should plan for a lead time (e.g. 3 to 6 months) to fix any vulnerabilities before the final VA test/ re-scan (taking into consideration that there may be numerous vulnerabilities found, with some vulnerabilities requiring deeper research, and others requiring upgrades of framework/webserver, etc). As SGNIC generally engages/ reminds registrars about their renewals of accreditation approximately 6 months before the expiry of their respective terms of accreditation, SGNIC would strongly recommend that registrars produce the final VA scan/ test result by then to avoid any delay in the renewals of accreditation by SGNIC.