Go
SGNIC
Singapore Network Information
Centre (SGNIC) Pte Ltd
Go

Registry Lock FAQ

General

What is SGNIC RegistryLock?

‘RegistryLock’ is a security feature implemented by SGNIC to help .sg registrants mitigate the risk of ‘domain name hijacking’.

Domain name hijacking occurs when a hacker gains control of and modifies the DNS nameserver records associated with a domain name. The hacker can also redirect the website and emails referenced by the domain name to other sites or computers of the hacker’s choice.

Who should consider enabling RegistryLock?

Registrants who heavily promote their own websites for online presence and branding, especially websites that engage in e-commerce activities. Registrants should assess the risks and consequences resulting from domain name hijacking, weigh them against the cost (if any) and extra processes involved in locking and unlocking domain names before deciding if they wish to enable RegistryLock on their .sg domain names.

What happens if “RegistryLock” is enabled on a .sg domain name?

Modifications (submitted by the appointed registrar) that alter the ‘DNS nameserver’ information (specifically ‘DNS nameserver hostnames’ and ‘Child-host’ DNS IP ‘glue record’) and DNSSEC information (i.e. DS records) will be rejected by SGNIC, if a domain name has been enabled with RegistryLock. The registrant needs to ask his/her administrative contact to login to “VerifiedID@SG & RegistryLock” portal to temporarily unlock the ‘.sg’ domain name before informing his/her domain name provider (e.g. appointed registrar or reseller of registrar) to perform such modifications.
 
Registrants need to note that in order to successfully perform modifications, there might be extra processes involving multiple parties (i.e. administrative contact and registrar) and each party might have different operating hours). Before deciding on enabling RegistryLock, registrants are advised to look into the current processes of how the registrar supports nameserver updates and DS record updates.

What are the requirements to enable ‘RegistryLock’?

The locking and unlocking processes need to be performed by the administrative contact that has

  • A valid Singpass account (issued by the Singapore Government to individuals); or 
  • A valid Corppass account (issued by the Singapore Government to corporate entities); or
  • A valid SGNICID (issued by SGNIC to entities which are not able to have a Singpass account or Corppass account).
The registrant needs to first ensure that he/she has appointed such an administrative contact. Most .sg domain names registered after 2 May 2013 would meet this pre-requisite requirement due to the implementation of the VerifiedID@SG scheme [https://verifiedid.sgnic.sg/faq.html].
What is the cost to enable “RegistryLock” on a .sg domain name?

Currently SGNIC is providing this service free of charge to registrants.

While SGNIC endeavours to keep this service free of charge to registrants, it reserves the right to charge for this service in the future. Registrants will be given ample notice in advance.

How do you enable “RegistryLock” on a .sg name?
The administrative contact of a .sg domain name can enable “RegistryLock” in three steps:
(a) Login to VerifiedID@SG & RegistryLock portal (https://verifiedid.sgnic.sg) via Singpass as Individual/Business user or SGNICID (after resetting password and setting up OTP); (sample screenshot
(b) Click on “Domains without RegistryLock”; and (sample screenshot
(c) Click on “Lock” button. (sample screenshot)
 
Can the registrant appoint an organisation without a Corppass account or individual without a Singpass account as the administrative contact?

All registrants should appoint a local administrative contact with a Singpass account or a Corppass account. However, under circumstances listed below, the registrant may ask his/her administrative contact to apply for a “SGNICID”. Entities that may apply for SGNICID are:

• A local organisation (without a Corppass account) in the business of registering and managing domain names (e.g., registrars, resellers, law firms, etc.) and is managing a sizable number of .sg domain names (to be determined by SGNIC on a case-by-case basis) at the point of application;

• A foreign organisation or foreign individual (without a Singpass account or Corppass account) who is unable to appoint a local administrative contact with a Singpass account or Corppass account; or

• An entity that, in SGNIC's sole discretion, would require a SGNICID.
 
Note that all the entities above must have a local presence and valid Singapore postal address in order to be appointed as an administrative contact for .sg domain names.

What is the process to unlock a domain?

There are two types of “unlock”: (i) “Unlock (Temporary)” and (ii) “Unlock (Permanent)”. “Unlock (Temporary)” is to temporarily disable RegistryLock in order to allow the appointed registrar to make authorised changes on the domain name. “Unlock (Permanent)” is to permanently disable RegistryLock on the domain name.

To unlock the domain name, the administrative contact of the domain name shall:
(a) Login to VerifiedID@SG & RegistryLock portal (https://verifiedid.sgnic.sg) via Singpass as Individual/Business user or SGNICID (after resetting password and setting up OTP); (sample screenshot)
(b) Click on “Locked Domains” (sample screenshot); and
(c) Click on “Unlock” button where he/she will be presented with the choices of ‘Unlock (Temporary)’ and ‘Unlock (Permanent)’ (sample screenshot).
 
For “Unlock (Temporary)”, the administrative contact may choose the “Unlock period” (e.g. for 15 minutes). The selection would be used to determine the “Auto-Relock Time”. When the “Auto-Relock Time” is reached, the domain name will be relocked (RegistryLock enabled).
What are the options for “Unlock period” and which one should the administrative contact choose?
The current options are “5 minutes”, “15 minutes”, “30 minutes”, “1 hour”, “2 hours”, “3 hours”, “4 hours”, “5 hours”, “6 hours”, “9 hours”, 12 hours”, “15 hours”, “18 hours”, “24 hours”, “36 hours” and “48 hours”. The registrant and administrative contact must determine the “right” period depending on factors such as the appointed registrars’ business hours and turnaround time. 
Can the “Auto-Relock Time” be extended?
Yes. The administrative contact can perform an extension by indicating an additional unlock period. This period will be added onto the current “Auto-Relock Time”. The steps are:
(a) Login to VerifiedID@SG & RegistryLock portal (https://verifiedid.sgnic.sg/) via Singpass as Individual/Business user or SGNICID (after resetting password and setting up OTP); (sample screenshot
(b) Click on “Temporarily Unlocked Domains” (sample screenshot); and
(c) Click on “Extend Auto-Relock Time” button (sample screenshot) and select the desired duration.
Can the domain name be locked before the “Auto-Relock Time”?
Yes. If changes have been completed by the registrar before the “Auto-Relock Time”, the administrative contact can lock the domain name with immediate effect. The steps are:
(a) Login to VerifiedID@SG & RegistryLock portal  (https://verifiedid.sgnic.sg/) via Singpass as Individual/Business user or SGNICID (after resetting password and setting up OTP)(sample screenshot)
(b) Click on “Temporarily Unlocked Domains” (sample screenshot); and
(c) Click on “Lock Now” button (sample screenshot).
Can I transfer, renew or modify (registrant/contact changes) a domain name enabled with RegistryLock?

Yes you can. Such functions other than change of nameservers (and IP addresses of ‘child hosts’) and change of DNSSEC information (i.e. DS records) are not affected by the “RegistryLock” feature.

If the registrant is also an administrative contact with a valid Singpass account or Corppass account, can he/she proceed to enable the “RegistryLock” feature and perform the administration of locking and unlocking of his/her domain names?
Yes, he/she can do so.
Will email notifications be sent when locking and unlocking functions are performed?
Yes. The following actions will trigger an email notification to the registrant, administrative contact and registrar:
• ‘Lock’
• ‘Unlock (Temporary)’
• ‘Unlock (Permanent)’
• ‘Lock Now’
• ‘Extend Auto-Relock Time’
• ‘Auto-Relock’
How do I check if a domain name is locked or unlocked?
Anyone can perform a WHOIS search via https://www.sgnic.sg on the domain name. Domain names that are locked will have a “RegistryLock” status, while a domain name without RegistryLock enabled will not show this status. (sample screenshot)

If a domain name is temporarily unlocked, WHOIS will show a “Registry Lock: Unlocked” status.

The administrative contact of the domain name may also check the RegistryLock status via the 'VerifiedID@SG & RegistryLock’ portal. A ‘Lock’ icon will reflect “RegistryLock Enabled” (sample screenshot).
What will happen to the locked domain names if there is a change of administrative contact?
The new administrative contact will take over the responsibility of unlocking and locking the domain names.
Can names be locked or unlocked in a batch?
No, the system only supports locking and unlocking on a per domain name basis.
How is SGNIC’s RegistryLock service different from those offered by registrars? If I’m already subscribed to a similar service from my registrar, do I still need to sign up for SGNIC’s RegistryLock service?
"Locking" and “Unlocking” of a domain name may take place at 2 'levels' - the 'registrar' level and 'registry' level. SGNIC's RegistryLock service refers to locking/unlocking at the 'registry' level. Some registrars may offer locking of .sg domain names at the 'registrar' level (using their own processes to authenticate that the change requests are genuine).
 
Generally, the more levels of protection a domain name has, the safer the domain name is from risks of domain name hijacking. However, before signing up for locking services, registrants should evaluate if such protection might result in inconveniences that outweigh the benefits of locking the domain name.