Add validation during domain creation for locked down TLDs

During domain create/applicationcreate/allocate, domains that are on the reserved list(s) with nameserver restricted reservation type must set nameservers that are part of the allowed nameservers for that domain in the reserved list(s) applied to that TLD. Additionally a boolean is added to Registry to indicate if a TLD is restricting domain create. If it is, only domains that are nameserver restricted can be registered. For consistency with a similar feature that validates a TLD-wide nameserver whitelist, the per-domain nameserver validation is performed even when the operation is in super-user mode. Similarly, if a domain is nameserver restricted, nameservers must be supplied (i. e. the nameservers set cannot be empty) when registering the domain. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=150641269
2026-01-04 20:24:22 +00:00 · 2017-03-20 10:20:12 -07:00
parent 582469e052
commit 620d698479
15 changed files with 735 additions and 49 deletions
--- a/docs/flows.md
+++ b/docs/flows.md
@@ -274,7 +274,7 @@ the domain to convert to a normal create and be billed for accordingly.
    *   Resource status prohibits this operation.
    *   Linked resource in pending delete prohibits operation.
    *   Nameservers are not whitelisted for this TLD.
-    *   Nameservers not specified for this TLD with whitelist.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.
    *   Registrant is not whitelisted for this TLD.
 *   2306
    *   Cannot add and remove the same value.
@@ -650,11 +650,16 @@ An EPP flow that creates a new domain resource.
    *   Resource linked to this domain does not exist.
 *   2304
    *   The claims period for this TLD has ended.
+    *   Requested domain does not have nameserver-restricted reservation for a
+        TLD that requires such a reservation to create domains.
    *   Requested domain is reserved.
    *   Linked resource in pending delete prohibits operation.
    *   Requested domain requires a claims notice.
+    *   Nameservers are not whitelisted for this domain.
    *   Nameservers are not whitelisted for this TLD.
-    *   Nameservers not specified for this TLD with whitelist.
+    *   Nameservers not specified for domain with nameserver-restricted
+        reservation.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.
    *   The requested domain name is on the premium price list, and this
        registrar has blocked premium registrations.
    *   Registrant is not whitelisted for this TLD.
@@ -864,10 +869,15 @@ An EPP flow that creates a new application for a domain resource.
    *   Resource linked to this domain does not exist.
 *   2304
    *   The claims period for this TLD has ended.
+    *   Requested domain does not have nameserver-restricted reservation for a
+        TLD that requires such a reservation to create domains.
    *   Requested domain is reserved.
    *   Requested domain requires a claims notice.
+    *   Nameservers are not whitelisted for this domain.
    *   Nameservers are not whitelisted for this TLD.
-    *   Nameservers not specified for this TLD with whitelist.
+    *   Nameservers not specified for domain with nameserver-restricted
+        reservation.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.
    *   The requested domain name is on the premium price list, and this
        registrar has blocked premium registrations.
    *   Registrant is not whitelisted for this TLD.
@@ -921,6 +931,14 @@ An EPP flow that allocates a new domain resource from a domain application.
    *   Domain application with specific ROID does not exist.
 *   2304
    *   Domain application already has a final status.
+    *   Requested domain does not have nameserver-restricted reservation for a
+        TLD that requires such a reservation to create domains.
+    *   Registrant is not whitelisted for this TLD.
+    *   Nameservers are not whitelisted for this domain.
+    *   Nameservers are not whitelisted for this TLD.
+    *   Nameservers not specified for domain with nameserver-restricted
+        reservation.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.

 ## ClaimsCheckFlow

--- a/docs/operational-procedures/reserved-list-management.md
+++ b/docs/operational-procedures/reserved-list-management.md
@@ -16,7 +16,12 @@ a price, it has a reservation type. The valid values for reservation types are:
    domain with this label. If the a label in this type exists on multiple
    reserved lists that are applied to the same TLD. The set of allowed
    nameservers for that label in that TLD is the intersection of all applicable
-    nameservers.
+    nameservers. Note that this restriction is orthogonal to the TLD-wide
+    nameserver restrictions that may be otherwise imposed. The ultimate set of
+    allowed nameservers for a certain domain is the intersection of per-domain
+    and TLD-wide allowed nameservers set. Furthermore, a TLD can be set in a
+    domain create restricted mode, in which case **only** domains that are
+    reserved with this type can be registered.
 *   **`ALLOWED_IN_SUNRISE`** - The label can be registered during the sunrise
    period by a registrant with a valid claim but it is reserved thereafter.
 *   **`MISTAKEN_PREMIUM`** - The label is reserved because it was mistakenly put