-------------------------------------------------------------------
APNIC Document identity

 Title:                        Operational policies for National
                               Internet Registries in the APNIC region
 Short title:                  operational-policies-nirs
 Document ref:                 APNIC-103
 Version:                      001
 Date of original publication: 29 November 2002
 Date of this version:         29 November 2002
 Review scheduled:             n/a
 Obsoletes:                    n/a
 Status:                       Obsolete
 Comments:                     n/a
--------------------------------------------------------------------


Operational policies for National Internet Registries in the APNIC
region


Table of contents
-----------------

1.  Introduction
    1.1  General
    1.2  NIR establishment
    1.3  NIR fees

2.  Definitions
    2.1  Internet Registry (IR)
    2.2  Regional Internet Registry (RIR)
    2.3  National Internet Registry (NIR)
    2.4  Local Internet Registry (LIR)
    2.5  NIR-LIR member
    2.6  Address space
    2.7  Internet resources

3.  APNIC address allocations to NIRs
    3.1  General
    3.2  Request process
         3.2.1  Allocation request
         3.2.2  Second opinion request
    3.3  Database registration
    3.4  Delegating reverse zones in in-addr.arpa
         3.4.1  Option 1
         3.4.2  Option 2
    3.5  Address space held by NIRs
    3.6  Service levels

4.  Transfer of members between APNIC and an NIR
    4.1  Transfer of membership from APNIC to an NIR
    4.2  Transfer of membership from NIR to APNIC

Appendix: Details of flat file view of a zone


1. Introduction
_____________________________________________________________________

1.1 General
-----------

To improve allocation and registration services for the Asia Pacific
Internet community, APNIC provides for the establishment of National
Internet Registries (NIRs) within economies of the region. This
structure enables registry services to be provided in the local
language and culture, allowing better services to ISPs requiring
Internet resources.

Historically, the creation of NIRs added complexity to APNIC's
ability to carry out its delegated responsibility to ensure efficient
Internet resource utilisation in the Asia Pacific.
The added layer of administration placed demands on APNIC that were
disproportionate to the demands of other members.

Because there is a need to ensure that NIRs do not negatively impact
resource management in this region, a clearer, simpler framework for
the operations of the NIR system has been developed.

This document describes the operational procedures for resource
allocation by APNIC to NIRs and their members. This document does not
describe address management policies, which are documented elsewhere,
and which NIRs are expected to comply with.

NIRs may implement additional local policies, provided these do not
conflict with regional or global policies. Any substantial policy
change proposed within an NIR's community should be brought to the
APNIC community for approval through existing open policy-making
mechanisms.

Any questions regarding this document should be referred to the APNIC
Secretariat.

1.2 NIR establishment
---------------------

The recognition of NIRs in the APNIC region is the responsibility of
the APNIC Executive Council. The criteria for establishment and
recognition of NIRs are not discussed in this document, but are
detailed in the APNIC document "Criteria for the Recognition of NIRs
in the APNIC Region".

1.3 NIR fees
------------

APNIC charges fees for providing NIR services. These fees are set at
a level that ensures that other APNIC members do not subsidise NIR
members and that NIRs provide sufficient funding to cover the cost of
providing the services they require.

Details of the NIR fees are described in the APNIC document "APNIC
Fee Schedule: Membership Tiers, Fees, and Descriptions", within the
provisions describing the 'per address fee' for confederations.


2. Definitions
_____________________________________________________________________

2.1 Internet Registry (IR)
--------------------------

An Internet Registry (IR) is an organisation that is responsible for
distributing IP address space to its members or customers and for
registering those distributions. IRs are classified according to
their primary function and territorial scope within the hierarchical
structure.

IRs include:

 - APNIC and other Regional Internet Registries (RIRs);
 - National Internet Registries (NIRs); and
 - Local Internet Registries (LIRs).

2.2 Regional Internet Registry (RIR)
------------------------------------

Regional Internet Registries (RIRs) are established under the
authority of IANA to serve and represent large geographical regions.
Their primary role is to manage, distribute, and register public
Internet address space within their respective regions. Currently,
there are three RIRs: APNIC, RIPE NCC, and ARIN, although a small
number of additional RIRs may be established in the future.

2.3 National Internet Registry (NIR)
------------------------------------

A National Internet Registry (NIR) primarily allocates address space
to its members or constituents, which are generally LIRs organised at
a national or distinct economy level. NIRs are expected to apply
their policies and procedures fairly and equitably to all members of
their constituency.

2.4 Local Internet Registry (LIR)
---------------------------------

A Local Internet Registry (LIR) is generally an Internet Service
Provider (ISP), and may assign address space to its own network
infrastructure and to users of its network services. LIR customers
may be other "downstream" ISPs, which further assign address space to
their own customers.

2.5 NIR-LIR member
------------------

An NIR-LIR member is an LIR that is a member of an NIR.

2.6 Address space
-----------------

In this document, address space means public IPv4 and IPv6 address
ranges, excluding multicast addresses, private addresses defined by
RFC1918 and addresses designated for experimental use.

2.7 Internet resources
----------------------

Internet resources are those resources administered by the Internet
registry system including address space, autonomous system numbers,
and in-addr.arpa domains associated with the address space
administered by the registry.


3. APNIC address allocations to NIRs
_____________________________________________________________________

3.1 General
-----------

As members of APNIC and of the Asia Pacific Internet community, NIRs
are required to fully implement all applicable APNIC address
management policies. As NIRs, they also take responsibility for
ensuring policy compliance with respect to all Internet resources
which are under their management.

It should be noted that APNIC cannot delegate to an NIR sole
responsibility for managing all address space within its country or
economy. APNIC must remain able to accept direct membership from any
organisation in the Asia Pacific region, both to promote maximum
Internet routability and to meet its obligations as an open
membership organisation.

3.2 Request process
-------------------

For each NIR, APNIC will maintain an "allocation window" which
specifies the maximum allocation which the NIR may make without
seeking a "second opinion" from APNIC.

3.2.1 Allocation request

When the NIR approves an allocation which is smaller than, or equal
in size to, its allocation window, the NIR will send APNIC an
"allocation request".

When APNIC receives an allocation request, it will allocate the
amount of address space specified to the NIR. The NIR will then
allocate that address space to its NIR-LIR member.

An allocation request must include all information required to
register the allocation and create the applicable whois database
objects.
In particular, the allocation request must include a unique
identifier for the NIR-LIR member for whom the allocation is being
requested. These identifiers are used to ensure aggregation of
subsequent allocations to each NIR-LIR member.

In the allocation request, the NIR is not required to provide
information justifying the allocation; however, the NIR must maintain
such information permanently in its own records.

3.2.2 Second opinion request

For requests that are larger than the NIR's allocation window, the
NIR must send APNIC a "second opinion request".

A second opinion request includes the same information as the
allocation request, as well as information which fully justifies the
proposed allocation. The second opinion request should also include a
summary of the NIR's evaluation of the request and proposed
allocation size.

When APNIC receives a second opinion request, it will evaluate the
proposed allocation size. If APNIC agrees that the request is
properly justified, it will allocate the address space to the NIR for
re-allocation to the NIR-LIR member.

If APNIC does not agree that the request is properly justified, it
will request further information as required from the NIR, and
possibly request that more information be collected by the NIR from
the applicant.

The second opinion request procedure for allocations is very similar
to the procedure used by APNIC and NIRs with respect to assignments
by LIRs.

3.3 Database registration
-------------------------

An NIR may choose to operate a whois database to locally register the
allocations it makes. Requirements for operating such a database are
provided in the document "Criteria for the Recognition of NIRs in the
APNIC Region".

Whether or not an NIR does operate a whois database, the NIR is
responsible for maintaining all registration records for address
space under its management.
This maintenance includes adding new records when allocations are
made, updating records when details change, and transferring records
to or from APNIC.

In all cases, it is important that the APNIC database server is able
to answer queries for all address space that is in use by the NIR,
and also that the "source" of those responses should clearly reflect
the specific NIR providing the data.

3.4 Delegating reverse zones in in-addr.arpa
--------------------------------------------

Each NIR may choose one of the following options for managing the
reverse DNS zones:

3.4.1 Option 1

In this option, reverse DNS zones may be managed as follows:

 - Each NIR will generate a flat file view of the zone, and place it
   in a publicly visible area on web, ftp, or ssh/rsync servers. A
   description of the required "flat file" view is included in the
   Appendix to this document.

 - On a regular cycle, APNIC will fetch this file, parse it, and
   include its zone information in the parent /8 zonefile.

 - Where duplicates exist, any APNIC object that results in a
   zonefile entry will override any matching NIR-asserted object.
   The NIR will be notified of any such overrides.

 - Any NIR-asserted object that lies outside the ranges allocated to
   the NIR will be ignored. The NIR will be notified if this occurs.

3.4.2 Option 2

In this option, APNIC will manage reverse DNS zones by an automated
process, which uses 'domain' objects in the APNIC Whois Database.
Changes to domain objects are synchronised to the external DNS every
two hours.

APNIC will create the 'inetnum' and 'domain' objects for the NIR-LIR
member on the /16 and /24 boundaries. The 'mnt-by' attributes will
reflect the relevant NIR, ensuring that responsibility for managing
these objects remains with that NIR.
The domain objects will be inactive and will include a dummy value
for the 'nserver' (nameserver) attribute, as shown in the following
example:

    domain:   28.12.202.in-addr.arpa
    descr:    in-addr.arpa zone fro 28.12.202.in-addr.arpa
    admin-c:  DNS3-AP
    tech-c:   DNS3-AP
    zone-c:   DNS3-AP
    nserver:  remove.this.nserver.to.enable.zone.at.apnic.net
    mnt-by:   MAINT-APNIC-AP
    changed:  inaddr@apnic.net 20020810
    source:   APNIC

If an NIR chooses to use the APNIC system of managing reverse domain
objects, the NIR must update the domain object in the APNIC Whois
Database by inserting correct nameserver information in the nserver
attribute.

Alternatively, if the NIR wishes to use their own reverse DNS
management systems for their members, the NIR must delete the
relevant dummy domain object in the APNIC Whois Database. In this
case, the update cycle for synchronising changes to the external DNS
will be dependent on the mirroring cycle of the particular NIR.

Where the allocations of address space are smaller than /16, it will
be necessary to make delegations for each /24.

3.5 Address space held by NIRs
------------------------------

Under the previous 'confederation' model, NIRs were able to hold
allocations of resources for further allocation to ISPs in their
economy. This document describes a new model whereby all allocations
approved by NIRs will be made from the regional address pool managed
by the APNIC Secretariat.

Existing address pools held by NIRs should be further allocated as
appropriate, under current address management policies.

3.6 Service levels
------------------

APNIC will attempt to respond to all NIR requests within its standard
response time (currently two working days). In the case of allocation
requests (as opposed to second-opinion requests), APNIC will attempt
to respond with a specific allocation within one working day.


4. Transfer of members between APNIC and an NIR
_____________________________________________________________________

4.1 Transfer of membership from APNIC to an NIR
-----------------------------------------------

If an LIR transfers membership from APNIC to an NIR, the following
provisions apply. These provisions assume that the LIR will transfer
all resources to the NIR and cancel its existing APNIC membership;
however, as noted below, there may be exceptions.

 A. APNIC should freely allow member LIRs to join NIRs in their
    country and to receive address registry services from that NIR
    (including resource allocation and registration), wherever this
    is preferred.

 B. In these cases, management responsibility for the LIR's address
    space and registration records will be transferred from APNIC to
    the NIR. The LIR will no longer receive any service from APNIC in
    relation to the address space received from APNIC.

 C. The existing address space holdings of the LIR will be
    transferred to the management of the NIR. This address space will
    be included in the assessment of the NIR's membership category in
    the next membership renewal.

 D. APNIC will not impose a per-address fee for the transfer.
    Likewise, APNIC will not impose any further charges on the LIR in
    relation to Internet resources previously allocated to that LIR.

If the LIR chooses to maintain its membership with APNIC while
receiving new allocations from an NIR, the LIR may choose whether and
when resources are transferred (and may opt for them to be
transferred gradually over time). It should be noted that although an
LIR may be a member of both an NIR and APNIC, it may only obtain
resource services from one source.

4.2 Transfer of membership from NIR to APNIC
--------------------------------------------

If an LIR transfers membership from an NIR to APNIC, to receive
services from APNIC, the following conditions apply.

NIRs should freely allow NIR-LIR members to join APNIC and to receive
all address registry services from APNIC (including resource
allocation and registration), wherever this is preferred.

Responsibility for managing the NIR-LIR member's address space,
reverse DNS, and registration records will be transferred from the
NIR to APNIC. The NIR-LIR member will no longer receive any service
from the NIR in relation to the address space received from the NIR.

The NIR-LIR member will become an APNIC member. Their APNIC
membership tier will be assessed at the next membership renewal,
based on all of their APNIC-managed address space (including both the
transferred address space and any other address space they have
received from APNIC).

The NIR will not impose any further charges on the LIR in relation to
Internet resources previously allocated to that LIR.

As in section 4.1 above, the transition of address space management
from NIR to APNIC may take place over time, with the LIR maintaining
membership of both registries. Again it should be noted in such cases
that an LIR may be a member of both NIR and APNIC, but can only
obtain resource services from one source.


Appendix: Details of flat file view of a zone
_____________________________________________________________________

Zone file download
------------------

Each NIR should create a directory on its ftp site, from which the
files will be downloaded, such as:

 - ftp://ftp..net/pub/zones/-
 - ftp://ftp..net/pub/zones/-.md5
 - ftp://ftp..net/pub/zones/-.asc

File format
-----------

The format and content of the data to be provided by the NIR is as
follows:

 - The data format should be in the format of DNS resource records,
   that is,

       $ORIGIN. .in-addr.arpa. [TTL] NS .

 - Initially, the transferred data should only include NS resource
   records. If other RR types are provided, APNIC may ignore them.

 - The file may also include BIND-style comments.

 - The last record should be as follows:

       ..in-addr.arpa. TXT "Generated at with NS records.
       ..in-addr.arpa. TXT "Generated at with NS records.

 - The format is legal BIND9 zonefile contents, except there is no
   SOA record, and there are restrictions on the DNS RR types
   permitted.

 - The associated signature files for a given zone are called .asc
   and .md5. The MD5 file format is the BSD Unix format, which is not
   the same as the normal Linux MD5 format. This was deliberately
   chosen because it is actually a better format for showing the MD5
   information and is well defined.

Examples of data made in conformance with this specification are
available at:

    ftp://ftp.apnic.net/pub/zones/

Please note: APNIC only supports passive FTP connections.
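
The following Python example is added here and is not APNIC's code. It applies the Option 1 rules of section 3.4.1 to a flat file in the Appendix format: only NS records are kept, names outside the NIR's allocated ranges are ignored, and APNIC objects override duplicates. The function names, the use of $ORIGIN with relative names, and the sample data (documentation address ranges, invented nameservers) are assumptions.

```python
import ipaddress

def rev_name_to_net(name: str):
    """'2.0.192.in-addr.arpa.' -> 192.0.2.0/24; None if not a /8../24 name."""
    labels = name.rstrip(".").lower().split(".")
    octets = labels[:-2][::-1]
    if labels[-2:] != ["in-addr", "arpa"] or not 1 <= len(octets) <= 3:
        return None
    try:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    except ValueError:
        return None

def merge_zone(text: str, allocated, apnic_owners):
    """Return (accepted {owner: [nameservers]}, notices {owner: reason})."""
    origin, accepted, notices = "", {}, {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # drop BIND-style comments
        if len(fields) < 2:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        rest = fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                        # skip optional TTL / class
        if len(rest) != 2 or rest[0].upper() != "NS":
            continue                               # non-NS RR types are ignored
        owner = fields[0].lower()
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"            # relative name under $ORIGIN
        net = rev_name_to_net(owner)
        if net is None or not any(net.subnet_of(a) for a in allocated):
            notices[owner] = "ignored: outside ranges allocated to the NIR"
        elif owner in apnic_owners:
            notices[owner] = "overridden: APNIC object takes precedence"
        else:
            accepted.setdefault(owner, []).append(rest[1].lower())
    return accepted, notices

# Constructed sample input (documentation ranges, invented nameservers).
SAMPLE = """\
$ORIGIN 0.192.in-addr.arpa.
; constructed sample, not real NIR data
2 3600 NS ns1.nir.example.
2 3600 NS ns2.nir.example.
100.51.198.in-addr.arpa. NS ns1.nir.example.
113.0.203.in-addr.arpa. NS ns1.nir.example.
2 A 192.0.2.1
0.192.in-addr.arpa. TXT "Generated at 20021129 with 4 NS records."
"""
ALLOCATED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
APNIC_OWNERS = {"100.51.198.in-addr.arpa."}
```

The record type is read from its position after the optional TTL and class, so the trailing TXT record, whose text contains the token "NS", is not mistaken for a delegation.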