FAQ

The registrar will have agreements with the registrants and will collect registration data about the registrants. Registrars will also insert and renew domain names on behalf of the registrants in the registry database.

Currently, SGNIC will accredit registrars for a period of 3 years. SGNIC will review renewal requests submitted by registrars on a case-by-case basis.

The process and criteria for becoming a SGNIC accredited registrar is outlined in detail in the document Information to apply for accreditation.

The minimum criteria are:

• Applicants will need to have a minimum working capital of S$50,000. Foreign-based applicants will also need to be ICANN-accredited.
• Technical capability such as the ability to accommodate all the archival database including the creation and maintenance of Whois-type public access database service and the provision of daily back-up and archives of them.
• Ability to provide prompt service to registrants for their registration needs.
• At least six months (continuous) prior experience in domain name registration business.
• Ability to maintain a minimum of 100 new domain name registrations per year to remain accredited.

The following financial considerations apply:

• S$1,000 non-refundable application fee, to be submitted together with application.
• A minimum working capital of S$50,000 for all applicants for the preceding 2 years before application.
• S$30,000 performance bond in the form of a banker’s guarantee for companies which are not able to produce two years' worth of audited statements showing a minimum working capital of S$50,000 or in SGNIC’s assessment, it is necessary for a potential registrar to provide a performance bond.
• A S$4,500 accreditation fee for successful applicants. This accreditation fee will cover an accreditation period of three years. Thereafter, renewal of registrar accreditation is at a three yearly interval at a fee of S$4,500.
• A S$3,000 starting balance in the Deposit Account with SGNIC.
• Prevailing taxes will apply to fees payable.

To encourage competition and promote innovation, there will be no limit on the number of registrars accredited by SGNIC.

Yes, only whitelisted IP addresses can access SGNIC’s EPP service and registrar panel (for both OTE or/and Production). Login to the respective registrar panels (OTE or Production) to submit IPs for whitelisting.  Up to 5 x /29 IP address ranges are supported per registrar. On Mondays and Thursdays, SGNIC will process the IP whitelisting requests that are sent in before Monday and Thursday respectively.

Yes, registrars may use Extensible Provisioning Protocol (EPP) to connect to SGNIC. Registrars will need to take note of some EPP extensions that have been customised to meet SGNIC’s registration requirements. SGNIC also provides a Java API for registrars who may need it to simplify EPP-based communications. Please refer to SGNIC’s EPP documents in the registrar portal for details.

Yes, an SSL certificate is required for EPP connection. Certificates issued by major Certificate Authorities (CA) will be recognized. If you do not have any commercial CA-issued certificate, you may contact SGNIC for an SGNIC-issued certificate.

Yes, there is a limit of 10 simultaneous connections per registrar.

1. Port 43 WHOIS service: whois.sgnic.sg (public)
2. Web-based WHOIS service: https://www.sgnic.sg (public); and
3. https://registrar.sgnic.sg/whois/whois.jsp (registrars only)

Yes, SGNIC would bar an IP address (for an hour) from accessing WHOIS service if it detects WHOIS query floods. In any case, registrars must not use WHOIS for domain availability checks (EPP ‘domain check’ command should be used instead).

No.

A typical domain lifecycle is shown in the figure below:

EXPIRED Status

The SgR2R registry system runs an automated script at an hourly interval (45th minute of every hour) to update affected domains to EXPIRED status.  An ACT(Active) domain goes into EXP(Expired) status when the expiry date/time is past the execution date/time of the automated script. Specifically, the formula used to determine if the status of a domain name should be changed to "EXP" is given by: (Date/Time when script is run) > (Expiry Date/Time).  

DELETED Status

The SgR2R registry system runs an automated script at an hourly interval (45th minute of every hour) to update affected domains to DELETED status.  An EXPIRED domain goes into DELETED Status when the expiry date/time is 30 days past execution date/time of the automated script.  Specifically, the formula used to determine if the status of a domain name should be changed to "DEL" is given by: (Date/Time when script is run) - (Expiry Date/Time) > (30x24 hours).

PURGED Status

The SgR2R registry system runs an automated script at regular intervals (45th minute of every hour) to PURGE domains with DELETED status.  A DELETED domain name gets PURGED when the deleted data/time is 30 days past execution date/time of the automated script. Specifically, the formula used to determine if a domain name should be PURGED is given by: (Date/Time when script is run) - (DELETED Date/Time) > (30 x 24 hours).

Although the specific DELETED Date/Time is not available in public WHOIS and thus the specific date/time of the purging cannot be derived accurately by the public, the general advice to the public would be that under normal circumstances, a domain name will be purged on the next 45th minute after 60 x 24 hours have passed since the domain name expiry date/time. 

For example: Domain name expiry date/time: 03-Dec-2011 07:23:52. Domain name purge date/time: 01-Feb-2012 07:45:23.

However, SGNIC does not guarantee all domain names will be purged as per described above as there may be other reasons that prevent the purging (e.g. the domain name is being held for pending court cases or if there were system maintenance activities during the execution of the automated script).

The 14-days grace period for new registration is defined as 14 days from the date and time of the registration.

Specifically, the formula used to determine whether a deletion is within the 14 days period is given by:
(Deletion Date/Time) - (Registration Date/Time) < (14 x 24 Hours)

Here are some examples:

1. the domain name has been transferred to another registrar (even if the renewal transaction is still within Renewal Grace Period); or
2. the domain name is 'renewed' as part of a domain transfer command (A transfer command can be tied with either 0, 1 or 2-year renewal); or
3. the domain name is 'renewed' via a domain reinstatement command (where a mandatory 1-year renewal is imposed).

(Cancellation Date/Time) - (Renewal Date/Time) < (14 x 24 Hours)

Here are some examples:

No.

Specifically, a transfer request will be approved if:
(Date/Time when script is run) - (Date/Time of transfer request) > (7 x 24hours)

 

The following table provides information on the various statuses of a domain name:

Read https://verifiedid.sgnic.sg/faq.html#_Toc445128329 for the requirements of the Administrative Contact of a .sg domain name subject to [email protected] scheme.

Yes. However, if the host object’s hostname ends with .sg (aka ‘Child host’), the prerequisite is that parent .sg domain name must already be registered otherwise the system will not allow the creation of the host object.

SGNIC requires that a SGNIC accredited registrar who seeks to extend the term of its registrar accreditation must, prior to the expiry of the term under its Registrar Accreditation Agreement (RAA), undergo a web application vulnerability assessment (“VA”) test for its .sg domain name registration web portal (“Mandatory Security Requirement for Renewal of Registrar Accreditation”). SGNIC requires that the registrar completes the web application VA and rectify any “high” and “medium” security risk findings in the final year (usually year 3) of such registrar’s accreditation, and furnishes to SGNIC a copy of the final web application VA test report showing that there are no “high” or “medium” security risk findings in the web application VA test results. The final web application VA test date must be within the final year of the registrar’s term of accreditation (usually year 3), i.e. dated no more than 12 months before the expiry of the term of accreditation, and shall be to SGNIC’s satisfaction.

Most SGNIC accredited registrars operate a web portal that allows registrants to modify their .sg domain name information, such as contact details and name servers. If an attacker is able to gain unauthorised access to an accredited registrar’s web portal by exploiting vulnerabilities of the web portal, the attacker may be able to perform unauthorised modifications to registrants’ .sg domain name information. Such unauthorised modifications may then allow the attacker to, for example, hijack domain names and/or redirect registrants’ websites, emails or other services, to servers controlled by the attacker.

The harm will depend on the actions of the attacker after it gains control of the domain name, the issues created by the attacker, and the value and importance placed on the contents of the registrant’s website, emails and other services attached to the domain name. For example, (i) the attacker may change the visual appearance of a registrant’s web portal to demonstrate its ability to deface such website thus affecting the registrant’s reputation, (ii) interfere with activities over the registrant’s web portal thereby causing disruption and/or economic losses, or (iii) trick end users into believing that services provided over the registrant’s web portal  are nevertheless legitimate so much so that users continue to transact using such services, resulting in sensitive information being leaked to the attacker.

Web application VA testing is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities associated with a web application. Typically, a software tool is used to automate the ‘scanning’ of the web application to identify vulnerabilities that may be exploited. Each vulnerability may be validated to remove false positives and is assigned a security risk rating of “high”, “medium” or “low”. The organisation that has undergone web application VA testing may then prioritise which vulnerabilities to resolve first.

SGNIC requires that all SGNIC accredited registrars undergo web application VA tests for their domain name registration web portals for purposes of SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation. SGNIC considers web application VA testing to be an important minimum requirement, and would expect all accredited registrars to perform the web application VA tests to enhance their level of security protection. As accredited registrars are responsible for the security of their own systems and web portals, where any security breach may adversely impact both registrars and registrants, it is recommended that such registrars not only implement regular web application VA testing, but also carry out other security assessments such as host/network based VA tests, host/network and web application penetration tests and IT general controls reviews as well. 

SGNIC requires that all SGNIC accredited registrars be subject to the Mandatory Security Requirement for Renewal of Registrar Accreditation. First, an existing registrar whose term of accreditation expires on or after 1 July 2020 will be required to comply with SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation with effect from 1 January 2019. Second, where an existing registrar’s term of accreditation would expire before 1 July 2020, notwithstanding a renewal of the registrar’s term of accreditation in view of the aforementioned, such registrar would only need to comply with the Mandatory Security Requirement at its subsequent renewal. Third, where a registrar would be accredited on or after 1 January 2019, such registrar would only need to comply with SGNIC’s Mandatory Security Requirement when its accreditation renewal is subsequently due. SGNIC is also prepared to waive the application of the Mandatory Security Requirement for Renewal of Registrar Accreditation on a case-by-case basis, in the event an accredited registrar does not operate a web portal for registrants to modify .sg domain name details.

The registrar shall provide SGNIC with a web application VA test report. The VA test report shall:

a) be produced by a SGNIC pre-screened security vendor in accordance with the requirements and scope of work as defined here
b) comprise of a final assessment date of not more than 12 months before the registrar’s accreditation expiry date; and
c) contain no security risk findings that are rated as “high” or “medium”.

SGNIC may reject the accredited registrar’s application for an extension of the term of its accreditation under the RAA. SGNIC may, however, at its sole and absolute discretion and on a case-by-case basis, consider extending the registrar’s term of accreditation for a short period (e.g. 6 months) to provide the registrar additional time to fulfil the Mandatory Security Requirement for Renewal of Registrar Accreditation, with a view to extending such registrar’s accreditation should the registrar eventually comply with SGNIC’s requirements.

Based on SGNIC’s survey of the market in 2018, the fees to conduct a web application VA test may range from approximately S$2,800 to S$5,000.

Yes, partial sponsorship, subject to a cap, will be provided per web application VA test conducted for an initial period of 3 years from 1 January 2019 for SGNIC accredited registrars that are Small and Medium Enterprises (SMEs) and have met SGNIC’s sponsorship requirements. The funding support is described below. More details are in the FAQ on Sponsorship Programme for Web Application Vulnerability Assessment:

Sponsorship Application Date	Sponsorship Details
1 Jan 2019 – 30 Sep 2019 (Within 9 months from the commencement of SGNIC’s sponsorship programme for web application VA	80% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$4,400.
1 Oct 2019 – 31 Dec 2021 (After 9 months from  commencement of SGNIC’s sponsorship programme for web application VA)	50% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$2,750.

 

 

Please refer to the list of pre-screened security vendors as published here.

As there are no industry certifications to identify security vendors for the conduct of web application VA tests, it would be difficult for accredited registrars and SGNIC to determine if a vendor’s VA testing and reports constitute an adequate assessment of the vulnerability situation of a registrar’s web application. As the starting point, SGNIC is of the view that a screening of the vendor’s methodology and track record would minimally help to ascertain the credibility and qualifications of a vendor before a registrar engages the vendor’s services. 

Yes, you can inform your security partner (which includes a local or overseas-based security partner that a registrar works with) to submit an application form to SGNIC to be identified as a pre-screened security vendor. SGNIC will assess the security vendor’s track record and methodology to determine if the security vendor can be included as one of SGNIC’s pre-screened security vendor. 

While SGNIC will identify certain security vendors as pre-screened security vendors based on such vendors’ track record and methodology, SGNIC makes no guarantee or assurances as to the quality of work of such pre-screened security vendors. That said, for the purposes of identifying security vendors as pre-screened security vendors, SGNIC will make every effort to review a security vendor’s credibility and qualifications. The list of pre-screened security vendors and any information pertaining to the pre-screened vendors that are provided by SGNIC, are provided ‘as is’ without any express or implied warranty of any kind. 

No, SGNIC is not involved in an accredited registrar’s appointment of a pre-screened security vendor. The registrar shall arrange for the engagement of a pre-screened security vendor, including the terms of engagement and scope of the security vendor’s services. Any dispute, including that arising from the services or products provided by the registrar’s appointed security vendor, shall be resolved directly between the registrar and the security vendor. 

The technical requirements and scope of work are set out here.  Accredited registrars shall ensure that the relevant requirements are met when they procure VA test services from pre-screened security vendors. 

Where a SGNIC accredited registrar qualifies for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:

Where a SGNIC accredited registrar does not qualify for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:

Accredited registrars should plan to carry out the first VA tests, from as early as 15 months and no later than 6 months, before the expiry of the terms of accreditation under such registrars’ respective RAAs. Accredited registrars should also be aware that the final VA test dates shall be not more than 12 months before the expiry of the terms of accreditation under their respective RAAs. Such registrars should plan for a lead time (e.g. 3 to 6 months) to fix any vulnerabilities before the final VA test/ re-scan (taking into consideration that there may be numerous vulnerabilities found, with some vulnerabilities requiring deeper research, and others requiring upgrades of framework/webserver, etc). As SGNIC generally engages/ reminds registrars about their renewals of accreditation approximately 6 months before the expiry of their respective terms of accreditation, SGNIC would strongly recommend that registrars produce the final VA scan/ test result by then to avoid any delay in the renewals of accreditation by SGNIC.