What is Registry Data Escrow? ICANN Requirements Explained
Registry data escrow is a mechanism by which a TLD registry operator regularly deposits a copy of all domain registration data — registrant information, DNS records, contact data — with an independent, ICANN-recognized third party. If the registry operator fails, this data allows another party to take over TLD operations without disrupting registrants.
Why data escrow is required by ICANN
The internet relies on TLDs being continuously available. If a registry operator goes bankrupt, ceases operations, or is otherwise unable to continue, the TLD's domain registrations — representing potentially millions of websites and email addresses — would be at risk.
ICANN's solution is mandatory data escrow. By requiring registries to deposit fresh copies of their data with an independent escrow agent, ICANN ensures that in a worst-case scenario, a successor registry operator can quickly restore TLD operations from the escrowed data.
This requirement applies to all new gTLD operators under their Registry Agreement with ICANN, and to many ccTLD operators under their respective agreements.
What data is escrowed?
ICANN's data escrow specification (RFC 8909 and related specifications) requires registries to escrow:
Personal data (registrant names, emails, addresses) must be handled in compliance with applicable privacy regulations (GDPR, etc.) by both the registry and the escrow agent.
How often and in what format?
ICANN specifies escrow deposits on two schedules:
Full deposits: A complete snapshot of all data, delivered weekly (typically Sunday). These are large files that capture the entire registry state.
Differential deposits: Incremental changes since the last full deposit, delivered daily. These are smaller files that keep the escrow agent current between full deposits.
The data format is XML-based, specified in ICANN's Data Escrow Specification (part of the Registry Agreement Specifications). Files are encrypted and signed before transmission to the escrow agent.
RSPs like ADG handle all aspects of data escrow generation, encryption, signing, and delivery — the registry operator simply needs to ensure their chosen escrow agent is IANA-recognized.
Choosing an ICANN-recognized escrow agent
ICANN maintains a list of recognized Data Escrow Agents — third parties that have passed ICANN's vetting process and are authorized to receive TLD escrow data. Using a non-recognized agent does not fulfill ICANN's requirements.
Key considerations when selecting an escrow agent:
ADG's RSP service includes coordination with IANA-recognized escrow agents, automated escrow generation, and ongoing compliance monitoring.
Frequently Asked Questions
Is data escrow the same as a DNS zone backup?
No. DNS zone backups contain only the DNS records (A records, MX records, NS records, etc.) for the TLD's zone file. Data escrow is much broader, covering all registration data stored in the Shared Registration System (SRS): registrant details, domain history, registrar relationships, and more.
Who can access the escrowed data?
Escrowed data is only released in two circumstances: (1) a planned transition where the registry operator requests data for migration to a new system, or (2) an emergency designated by ICANN where the registry operator is unable to continue operations. The escrow agent cannot release data unilaterally.
Is GDPR compliance required for escrowed data?
Yes. If registrant data includes EU personal data, both the registry operator and the escrow agent must comply with GDPR. ICANN's framework allows registries to pseudonymize or limit personal data in escrow deposits to minimize GDPR exposure, within the bounds of the escrow specification.