Registry Lock FAQ

General

What is SGNIC RegistryLock?
‘RegistryLock’ is a security feature implemented by SGNIC to help .sg registrants mitigate the risk of ‘domain name hijacking’.
What is ‘domain name hijacking’?
When a registrant registers a ‘.sg’ domain name, the registrant needs to provide SGNIC with important information known as ‘Domain Name System (DNS) nameservers’ (e.g. ns1.example.com and ns2.example.com). The ‘DNS nameservers’ are computers that contain important technical information (also known as ‘DNS resource records’, e.g. ‘A’ for IP address or ‘MX’ for mail exchanger server) to direct users to the registrant’s website, email server, etc. The correct values of the ‘DNS nameservers’ are sent to SGNIC via the registrant’s appointed domain name registrar (as instructed by the registrant).
 
If a hacker can modify the values of the ‘DNS nameservers’ to other ‘DNS nameservers’ that he/she controls, the hacker is said to have ‘hijacked’ the domain name. He/she can redirect the registrant’s website and emails to computers of his/her choice.
How can a hacker hijack a domain name?
A ‘.sg’ domain name may be hijacked if a hacker is able to modify the ‘DNS nameserver’ information through the registrant’s appointed registrar. This can occur in a number of ways such as:
 
(i) the hacker had access to the registrant’s username/password that the registrant used to transact (i.e. update nameservers) with the appointed domain name provider (e.g. registrar or reseller of the registrar); or
(ii) the hacker managed to trick the appointed registrar into believing that he/she represents the registrant (e.g. through social engineering); or
(iii) the hacker managed to infiltrate the appointed domain name providers’ backend system to submit nameserver modifications.
What are the consequences of domain name hijacking?
The damage caused by domain name hijacking depends on the actions of the hacker and the value of the registrant’s website, emails and other services that depend on the domain name. For example, if a hacker redirects the website to a page that simply shows that he/she can successfully deface your website, the registrant may suffer only reputational damage. If the registrant depends heavily on the website for e-commerce activities, such activities may be disrupted and the registrant may suffer economic losses. The hacker may also trick users into believing that the services (e.g. website, emails, remote-login/ftp, etc.) are legitimate and when users transact with such services, sensitive information may be leaked to the hacker.
Who should consider enabling RegistryLock?
RegistryLock would be most beneficial for registrants who heavily promote their own websites for online presence and branding, especially websites that engage in e-commerce activities. Registrants should assess the risks and consequences resulting from domain name hijacking, and weigh them against the cost (if any) and extra processes involved in locking and unlocking domain names, before deciding if they wish to enable RegistryLock on their .sg domain names. On SGNIC’s part, to keep the entry barriers to a minimum, we are providing the locking/unlocking process at no cost and we have designed the processes to be as hassle-free as possible.
What are the implications if “RegistryLock” is enabled on a Registrant’s .sg domain name?
Modifications (submitted by the appointed registrar) that alter the ‘DNS nameserver’ information (specifically ‘DNS nameserver hostnames’ and ‘Child-host’ DNS IP ‘glue record’) and DNSSEC information (i.e. DS records) will be rejected by SGNIC if RegistryLock has been enabled on the domain name. The registrant needs to ask his/her administrative contact to log in to SGNIC’s portal to temporarily unlock the ‘.sg’ domain name before informing his/her domain name provider (e.g. appointed registrar or reseller of registrar) to perform such modifications.
 
This means that unless the administrative contact has explicitly unlocked the domain name, a hacker will not be successful in hijacking the domain name even if he/she has gained access to the registrant’s login credentials to modify domain name information or gained access to the registrar’s backend system.
 
On the other hand, registrants need to note that in order to successfully perform modifications, there might be extra processes involving multiple parties (i.e. administrative contact and registrar), and each party might have different operating hours. This may cause inconvenience when the registrant needs to update nameservers or DS records urgently. However, not every registrant will face such inconvenience. For example, if the administrative contact is also the authorised person to log in to the registrar’s web portal to update nameservers in real time, the administrative contact would be able to orchestrate the unlocking, update and relocking smoothly. Before deciding on enabling RegistryLock, registrants are advised to look into the current processes of how the registrar supports nameserver updates and DS record updates.
What are the requirements to enable ‘RegistryLock’?

The locking and unlocking processes need to be performed by the administrative contact that has

  • a valid SingPass ID (an ID issued by the Singapore Government to individuals); or 
  • a valid CorpPass ID (an ID issued by the Singapore Government to corporate entities); or
  • a valid SGNICID (an ID issued by SGNIC to entities which are not able to have a SingPass ID or CorpPass ID).
Therefore, the registrant needs to first ensure that he/she has appointed such an administrative contact. Most .sg domain names registered after 2 May 2013 would meet this prerequisite due to the implementation of the VerifiedID@SG scheme [https://verifiedid.sgnic.sg/faq.html].
 
To check if a domain name is under the VerifiedID@SG scheme, please check the WHOIS results for the domain name (via SGNIC’s WHOIS search at https://www.sgnic.sg). A domain name under the VerifiedID@SG scheme would display the ‘VerifiedID@SG-Mandatory’ status.
 
If a domain name does not have ‘VerifiedID@SG-Mandatory’ status, the registrant can still enable RegistryLock on the domain name if he/she appoints an administrative contact with a valid SingPass ID, CorpPass ID or SGNICID. Such appointment must be done via the registrant’s appointed domain name provider (e.g. Registrar or Reseller of the Registrar).

 

Are domain names locked by default after the implementation of RegistryLock?
No. The administrative contact will need to log in to the “VerifiedID@SG & RegistryLock” portal to enable RegistryLock on the domain name.
What is the cost to enable “RegistryLock” on a .sg domain name?
Currently SGNIC is providing this service free of charge to registrants*. As the administrative contact is the party that performs the locking and unlocking processes, registrants should find out if the administrative contact expects registrants to compensate the administrative contact for his/her efforts.
 
*While SGNIC endeavours to keep this service free of charge to registrants, it reserves the right to charge for this service in the future. Registrants will be given ample notice in advance.
What is the process to enable “RegistryLock”?
The administrative contact of a .sg domain name can enable “RegistryLock” in 3 steps:
(a) Log in to the “VerifiedID@SG & RegistryLock” portal (https://registrylock.sgnic.sg) via SingPass, CorpPass or SGNICID;
(b) Click on “Domains without RegistryLock”; and
(c) Click on the “Lock” button.

Refer to question 4 on the effects of locking a domain name.
Can the registrant use an organisation without a CorpPass ID or individual without a SingPass ID as the administrative contact?
All registrants should appoint a local administrative contact with a SingPass ID or a CorpPass ID. However, under circumstances listed below, the registrant may ask his/her administrative contact to apply for a “SGNICID”. Entities that may apply for SGNICID are:
• A local organisation that does not have a CorpPass ID, is in the business of registering and managing domain names (e.g. registrars, resellers, law firms, etc.) and is managing a sizable number of .sg domain names (to be determined by SGNIC on a case-by-case basis) at the point of application;
• A foreign organisation or foreign individual (without a SingPass ID or CorpPass ID) who is unable to appoint a local administrative contact with a SingPass ID or CorpPass ID; or
• An entity that, in SGNIC's sole discretion, would require a SGNICID.
 
Note that all the entities above must have a local presence and valid Singapore postal address in order to be appointed as an administrative contact for .sg domain names.
What is the process to unlock a domain?
There are 2 types of “unlock”: (i) “Unlock (Temporary)” and (ii) “Unlock (Permanent)”. “Unlock (Temporary)” is to temporarily disable RegistryLock in order to allow the appointed registrar to make authorised changes on the domain name. The “Unlock (Permanent)” is to permanently disable RegistryLock on your domain name (i.e. revert the domain name to its original RegistryLock disabled status).
 
To unlock the domain name, the administrative contact of the domain name shall:
(a) Log in to the “VerifiedID@SG & RegistryLock” portal (https://registrylock.sgnic.sg) via SingPass, CorpPass or SGNICID;
(b) Click on “Locked Domains”; and
(c) Click on the “Unlock” button, where he/she will be presented with the choices of ‘Unlock (Temporary)’ and ‘Unlock (Permanent)’.
 
For “Unlock (Temporary)”, the administrative contact may choose the “Unlock period” (e.g. for 15 minutes). The selection would be used to determine the “Auto-Relock Time”. When the “Auto-Relock Time” is reached, the domain name will be relocked (RegistryLock enabled).
What are the options for “Unlock period” and which one should the administrative contact choose?
The current options are “5 minutes”, “15 minutes”, “30 minutes”, “1 hour”, “2 hours”, “3 hours”, “4 hours”, “5 hours”, “6 hours”, “9 hours”, “12 hours”, “15 hours”, “18 hours”, “24 hours”, “36 hours” and “48 hours”. The registrant and administrative contact must determine the “right” period depending on factors such as the appointed registrar’s business hours and turnaround time. If the time is too short, the registrar may not be able to make the authorised changes in time. If the time is too long, there is a risk that the domain name is not protected against domain name hijacking during the unlocked period.
Can the “Auto-Relock Time” be extended?
Yes. If the change cannot be completed by the “Auto-Relock Time”, the administrative contact can log in to the “VerifiedID@SG & RegistryLock” portal to perform an extension by indicating an additional unlock period. This period will be added onto the current “Auto-Relock Time”. The steps are:
(a) Log in to the “VerifiedID@SG & RegistryLock” portal (https://registrylock.sgnic.sg) via SingPass, CorpPass or SGNICID;
(b) Click on “Temporarily Unlocked Domains”; and
(c) Click on the “Extend Auto-Relock Time” button and select the desired duration.
Can the domain name be locked before the “Auto-Relock Time”?
Yes. If changes have been completed by the registrar before the “Auto-Relock Time”, the administrative contact can log in to the “VerifiedID@SG & RegistryLock” portal to lock the domain name with immediate effect. The steps are:
(a) Log in to the “VerifiedID@SG & RegistryLock” portal (https://registrylock.sgnic.sg) via SingPass, CorpPass or SGNICID;
(b) Click on “Temporarily Unlocked Domains”; and
(c) Click on the “Lock Now” button.
Can I transfer, renew or modify (registrant/contact changes) a domain name enabled with RegistryLock?
Yes, you can. Functions other than change of nameservers (and IP addresses of ‘child hosts’) and change of DNSSEC information (i.e. DS records) are not affected by the “RegistryLock” feature.
What is the responsibility and accountability of an administrative contact for RegistryLock-enabled domain names?
The administrative contact is obligated to the registrant to perform the unlocking and locking of a RegistryLock domain name with the registrant’s consent.
Will email notifications be sent when locking and unlocking functions are performed?
Yes. The following actions will trigger an email notification to the registrant, administrative contact and registrar:
• ‘Lock’
• ‘Unlock (Temporary)’
• ‘Unlock (Permanent)’
• ‘Lock Now’
• ‘Extend Auto-Relock Time’
• ‘Auto-Relock’
Is there a way to check if a domain name is locked or unlocked?
Anyone can perform a WHOIS search via http://www.sgnic.sg on the domain name. Domain names that are locked will have a “RegistryLock” status, while a domain name without RegistryLock enabled will not show this status.
 
If a domain name is temporarily unlocked, WHOIS will also show a “Temporarily Unlocked” status.
 
The administrative contact of the domain name may also check the RegistryLock status via the ‘VerifiedID@SG & RegistryLock’ portal. A ‘Lock’ icon will reflect “RegistryLock Enabled”.
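
As an added illustration (not SGNIC code), the WHOIS check described above can be turned into a routine monitoring check that flags a domain expected to be locked when it shows no “RegistryLock” status, or shows “Temporarily Unlocked” outside a planned change. The status names come from this FAQ; the ‘Domain Status:’ line layout, the sample excerpts and the function names are assumptions.

```python
import re

# Status names come from this FAQ; the "Domain Status:" line layout is assumed.
LOCKED, TEMP_UNLOCKED = "registrylock", "temporarily unlocked"

def whois_statuses(whois_text):
    """Return the lower-cased status values found on status lines."""
    found = set()
    for line in whois_text.splitlines():
        m = re.match(r"\s*(?:Domain\s+)?Status\s*:\s*(.+)", line, re.I)
        if m:
            found.update(v.strip().lower() for v in m.group(1).split(","))
    found.discard("")
    return found

def lock_state(whois_text):
    """Classify a domain as locked, temporarily-unlocked or not-locked."""
    statuses = whois_statuses(whois_text)
    # Check the temporary state first: it may be shown alongside RegistryLock.
    if TEMP_UNLOCKED in statuses:
        return "temporarily-unlocked"
    return "locked" if LOCKED in statuses else "not-locked"

def audit(whois_text, change_window_open=False):
    """Return (state, verdict); anything but an expected state is an alert."""
    state = lock_state(whois_text)
    expected = state == "locked" or (
        state == "temporarily-unlocked" and change_window_open)
    return state, "ok" if expected else "alert"

# Constructed sample WHOIS excerpts (not real SGNIC output).
SAMPLE_LOCKED = """Domain Name: EXAMPLE.SG
Domain Status: OK
Domain Status: VerifiedID@SG-Mandatory
Domain Status: RegistryLock
Name Servers: NS1.EXAMPLE.SG
"""
SAMPLE_TEMP = SAMPLE_LOCKED + "Domain Status: Temporarily Unlocked\n"
SAMPLE_PLAIN = "Domain Name: EXAMPLE.SG\nDomain Status: OK\n"

if __name__ == "__main__":
    for name, text in [("locked", SAMPLE_LOCKED), ("temp", SAMPLE_TEMP),
                       ("plain", SAMPLE_PLAIN)]:
        print(name, audit(text))
```

Set change_window_open only while the administrative contact has an agreed nameserver or DS record change in progress, so an unexpected temporary unlock is reported instead of being treated as normal.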
What will happen to the locked domain names if there is a change of administrative contact?
The new administrative contact will take over the responsibility of unlocking and locking the domain names.
What is a ‘child host’?
A child host is a subdomain name created from the parent domain name. For example, NS1.example.sg and NS2.example.sg are child hosts of the parent domain name example.sg. Child hosts (ending with ‘.sg’ and with a valid IP address) need to be registered with SGNIC (through the registrar) before they can be used as name servers for ‘.sg’ domain names. Child hosts can only be registered by the owner of the parent domain name (through the registrar).
What can the registrant do if his/her administrative contact does not respond to or does not assist with locking or unlocking of domain name?
The registrant can consider designating another party as the administrative contact. Registrants can update the administrative contact through the registrar.
Can the registrar assist the registrant with the locking and unlocking?
Yes, if the registrant designates the registrar as the administrative contact. This is a private/commercial arrangement between the registrant and the registrar that is outside of SGNIC’s purview. Registrants are advised to check with the registrar on the details such as costs and procedures.
Can the administrative contact perform batch locking and unlocking?
No, the system only supports locking and unlocking on a per domain name basis.
How is SGNIC’s RegistryLock service different from those offered by registrars? If I’m already subscribed to a similar service from my registrar, do I still need to sign up for SGNIC’s RegistryLock service?
"Locking" and “Unlocking” of a domain name may take place at 2 'levels' - the 'registrar' level and 'registry' level. SGNIC's RegistryLock service refers to locking/unlocking at the 'registry' level. Some registrars may offer locking of .sg domain names at the 'registrar' level (using their own processes to authenticate that the change requests are genuine).
 
Before the implementation of SGNIC's RegistryLock service, if a registrant had a locking service with the registrar, the type of service would most likely be locking/unlocking at the 'registrar' level. After the implementation of SGNIC's RegistryLock service, registrants who already have a locking service from the registrar may consider adding SGNIC’s RegistryLock as another layer of protection. As a general rule of thumb, the more levels of protection a domain name has, the safer the domain name is from the risk of domain name hijacking. However, before signing up for locking services, registrants should evaluate if such protection will result in inconveniences that outweigh the benefits of locking the domain name.
 
It is also possible that some registrars may choose to integrate both 'levels' as one service. Under such a scenario, the registrar typically requires the registrant to appoint the registrar as the domain name's administrative contact. After the registrar authenticates that the registrant's change request is genuine, the registrar will proceed to lock/unlock the domain name at the registry level (via SGNIC's portal acting as the registrant's administrative contact).
 
Please note that (i) locking and unlocking services provided by the registrar at the 'registrar' level and (ii) the appointment of the registrar as an administrative contact for the registrant's domain name are private/commercial arrangements between the registrar and the registrant. Registrants are advised to check with the registrar on the detailed procedures and cost of engaging the registrar for such services.