A) JSON-LD Context (adds “policy pack” as data)
{
  "@context": {
    "ucls": "https://ucls.org/terms#",
    "PolicyPack": "ucls:PolicyPack",
    "appliesTo": {"@id": "ucls:appliesTo", "@type": "@id"},
    "requires": {"@id": "ucls:requires", "@type": "@id"},
    "enforces": {"@id": "ucls:enforces"},
    "controls": {"@id": "ucls:controls"},
    "metrics": {"@id": "ucls:metrics"},
    "overrides": {"@id": "ucls:overrides", "@type": "@id"},
    "governedBy": {"@id": "ucls:governedBy", "@type": "@id"},
    "policyVersion": "ucls:policyVersion",
    "packId": "ucls:packId",
    "targetKind": "ucls:targetKind",
    "DomainName": "ucls:DomainName",
    "TLD": "ucls:TLD",
    "Label": "ucls:Label",
    "DNSAnchor": "ucls:DNSAnchor",
    "EmailSecurity": "ucls:EmailSecurity",
    "HTTPSPolicy": "ucls:HTTPSPolicy"
  }
}
B) SHACL Shapes (validation gates, abridged)
B1. DomainNameShape
@prefix sh:   <http://www.w3.org/ns/shacl#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .   # needed by sh:datatype xsd:string below
@prefix ucls: <https://ucls.org/terms#> .

ucls:DomainNameShape a sh:NodeShape ;
    sh:targetClass ucls:DomainName ;
    sh:property [
        sh:path ucls:components ;
        sh:minCount 1
    ] ;
    sh:property [
        sh:path ucls:components ;
        sh:node [
            sh:property [ sh:path ucls:punycode ; sh:datatype xsd:string ; sh:minCount 1 ] ;
            sh:property [ sh:path ucls:unicode ; sh:datatype xsd:string ; sh:minCount 1 ] ;
            sh:property [ sh:path ucls:tld ; sh:class ucls:TLD ; sh:minCount 1 ]
        ]
    ] ;
    sh:property [
        sh:path ucls:anchor ;
        sh:minCount 1 ;
        sh:node ucls:DNSSECAnchorShape
    ] .
B2. DNSSECAnchorShape
ucls:DNSSECAnchorShape a sh:NodeShape ;
    sh:targetClass ucls:DNSAnchor ;
    sh:property [ sh:path ucls:dsRecord ; sh:minCount 1 ] ;
    sh:property [ sh:path ucls:dnskey ; sh:minCount 1 ] ;
    sh:property [ sh:path ucls:rrsig ; sh:minCount 1 ] .
B3. EmailSecurityShape
ucls:EmailSecurityShape a sh:NodeShape ;
    sh:targetClass ucls:EmailSecurity ;
    sh:property [ sh:path ucls:spf ; sh:pattern "^v=spf1\\s" ] ;
    sh:property [ sh:path ucls:dkim ; sh:minCount 1 ] ;
    sh:property [ sh:path ucls:dmarc ; sh:pattern "v=DMARC1;" ] ;
    # sh:sparql requires a sh:select; full IRIs in the query avoid a sh:prefixes declaration.
    sh:sparql [
        sh:message "If DMARC policy is reject/quarantine, SPF and DKIM must exist." ;
        sh:select """SELECT $this WHERE {
            $this <https://ucls.org/terms#dmarc> ?dmarc .
            FILTER(REGEX(STR(?dmarc), "p=(reject|quarantine)"))
            FILTER NOT EXISTS { $this <https://ucls.org/terms#spf> ?spf .
                                $this <https://ucls.org/terms#dkim> ?dkim . }
        }"""
    ] .
B4. HTTPSPolicyShape
ucls:HTTPSPolicyShape a sh:NodeShape ;
    sh:targetClass ucls:HTTPSPolicy ;
    sh:property [ sh:path ucls:hsts ; sh:pattern "max-age=" ] ;
    sh:property [ sh:path ucls:caa ; sh:minCount 1 ] .
C) Packs (specs you can version under VaaS)
Each pack is a signed JSON (or YAML) object that PRaaS/GaaS can apply, override, or roll back. Dependencies let you compose policy like code.
C0. Manifest (what’s included right now)
- ICANN-Core@1.0.0 ✅
- TLD-Health@1.0.0 (.health) ✅
- TLD-Gov@1.0.0 (.gov) ✅
- TLD-Edu@1.0.0 (.edu) ✅
- TLD-Mil@1.0.0 (.mil) ✅
- TLD-Brand-Starter@1.0.0 (for .brand spaces) ✅
- TLD-ccTLD-Template@1.0.0 (parameterized) ✅
- IDN-Confusables@1.0.0 ✅
- Security-Baseline@1.0.0 (DNSSEC/TLS/CT/CAA) ✅
- Email-Auth-Baseline@1.0.0 (SPF/DKIM/DMARC/MTA-STS/TLS-RPT/BIMI) ✅
- Phishing-Defense@1.0.0 (homoglyphs/typosquats/brand variants) ✅
All packs are machine-actionable (ProvAaaS-signed), with SLOs and controls that flow into ValaaS gates.
C1. ICANN-Core@1.0.0
packId: ICANN-Core
policyVersion: 1.0.0
appliesTo:
  - targetKind: DomainName
  - targetKind: TLD
requires: []
enforces:
  governance:
    - source: ICANN-Bylaws
    - source: RAA (Registrar Accreditation)
    - source: Base-Registry-Agreement
    - source: UDRP
    - source: URS
  operational:
    - RDAP availability ≥ 99.9%
    - Data escrow daily for registries
    - Zone file access logging & hashing
controls:
  - name: SunriseClaims
    rule: "Enforce TMCH sunrise/claims prior to GA"
  - name: NameCollisionBlock
    rule: "Block collision strings; PRaaS exception only"
  - name: DNSSECRootChain
    rule: "DS/DNSKEY continuity required to pass release"
  - name: RegistrarLock
    rule: "Require registry lock for high-risk labels"
metrics:
  - key: udrp_turnaround_days
    target: 20
  - key: rdap_uptime
    target: ">=99.9%"
overrides: []
C2. TLD-Health@1.0.0 (.health)
packId: TLD-Health
policyVersion: 1.0.0
requires: [ICANN-Core, Security-Baseline, Email-Auth-Baseline, IDN-Confusables]
appliesTo: [{targetKind: DomainName, tld: ".health"}]
enforces:
  eligibility: ["Healthcare org VC", "Regulator VC or accreditation"]
  security:
    - HSTS: preload-required
    - DMARC: "p=reject within 30 days of delegation"
    - DNSSEC: mandatory
  content:
    - Prohibit misleading medical claims (PRaaS exception queue)
controls:
  - name: MedicalTermReserve
    rule: "Reserve critical terms; PRaaS approval to release"
  - name: SafeEmail
    rule: "MTA-STS enforce + TLS-RPT monitored"
metrics:
  - key: dmarc_pass_rate
    target: ">=98%"
  - key: dnssec_validation_rate
    target: ">=99.9%"
C3. TLD-Gov@1.0.0 (.gov)
packId: TLD-Gov
policyVersion: 1.0.0
requires: [ICANN-Core, Security-Baseline, Email-Auth-Baseline]
appliesTo: [{targetKind: DomainName, tld: ".gov"}]
enforces:
  delegation: ["Government VC with jurisdiction scope"]
  security:
    - HSTS: preload-required
    - CAA: locked to approved CAs
    - DNSSEC: mandatory
  provenance:
    - ACaaS: VC-based subdomain delegation
controls:
  - name: SubdomainDelegationRegister
    rule: "All subdelegations recorded with VC proof"
metrics:
  - key: unauthorized_cert_issuance
    target: "0"
C4. TLD-Edu@1.0.0 (.edu)
packId: TLD-Edu
policyVersion: 1.0.0
requires: [ICANN-Core, Security-Baseline, Email-Auth-Baseline, IDN-Confusables]
appliesTo: [{targetKind: DomainName, tld: ".edu"}]
enforces:
  eligibility: ["Accredited institution VC"]
  email:
    - DMARC: "p=reject, or a documented phased plan to reject"
  research:
    - DOI/ORCID linkage recommended for scholarly subdomains
metrics:
  - key: student_phish_rate
    target: "<=0.1%"
C5. TLD-Mil@1.0.0 (.mil)
packId: TLD-Mil
policyVersion: 1.0.0
requires: [ICANN-Core, Security-Baseline, Email-Auth-Baseline]
appliesTo: [{targetKind: DomainName, tld: ".mil"}]
enforces:
  crypto:
    - DNSSEC: mandatory + key rollover SOPs
    - DANE/TLSA: required for MX/SMTP
  mail:
    - DMARC: "p=reject; ARC alignment"
  ops:
    - Registry lock + out-of-band revocation protocol
metrics:
  - key: time_to_revoke_compromise
    target: "<=1h (P95)"
C6. TLD-Brand-Starter@1.0.0 (.brand)
packId: TLD-Brand-Starter
policyVersion: 1.0.0
requires: [ICANN-Core, Security-Baseline, Email-Auth-Baseline, Phishing-Defense]
appliesTo: [{targetKind: DomainName, tld: ".brand"}]
enforces:
  brand:
    - IDN variant bundles: reserved by default
    - CAA: restrict to brand-approved CAs
  posture:
    - DMARC: "p=reject"
    - BIMI: allowed if trademark VC present
metrics:
  - key: typosquat_surface
    target: "decreasing week-over-week"
C7. TLD-ccTLD-Template@1.0.0 (parameterized)
packId: TLD-ccTLD-Template
policyVersion: 1.0.0
parameters: [cc, registry, idnTableURI, reservedListURI]
requires: [ICANN-Core, Security-Baseline, Email-Auth-Baseline, IDN-Confusables]
appliesTo: [{targetKind: DomainName, tld: ".{cc}"}]
enforces:
  idn:
    - Use idnTableURI; variant mapping required
  reserved:
    - reservedListURI enforced; public-interest override via PRaaS
C8. IDN-Confusables@1.0.0
packId: IDN-Confusables
policyVersion: 1.0.0
appliesTo: [{targetKind: Label}]
enforces:
  - "Detect confusables across scripts; block unless in same-entity bundle"
  - "Script-mixing disallowed except approved locales"
controls:
  - name: ConfusableBundle
    rule: "Bundle variants to a single controller with VC"
metrics:
  - key: confusable_block_rate
    target: ">=99%"
C9. Security-Baseline@1.0.0
packId: Security-Baseline
policyVersion: 1.0.0
appliesTo: [{targetKind: DomainName}]
enforces:
  dnssec: required-for-critical-sectors
  tls:
    - CT-logged certificates 100%
    - HSTS recommended; preload for high-risk sectors
  caa: "0 issue one-of [letsencrypt.org, digicert.com, entrust.net]"
metrics:
  - key: ct_gap_seconds
    target: "<=300"
C10. Email-Auth-Baseline@1.0.0
packId: Email-Auth-Baseline
policyVersion: 1.0.0
appliesTo: [{targetKind: DomainName}]
enforces:
  spf: "v=spf1 ... -all"
  dkim: "≥1 selector, 2048-bit"
  dmarc: "p=reject (or staged plan to reject ≤30 days)"
  mta-sts: "mode=enforce"
  tls-rpt: required
  bimi: "optional; requires trademark VC"
metrics:
  - key: dmarc_pass_rate
    target: ">=98%"
C11. Phishing-Defense@1.0.0
packId: Phishing-Defense
policyVersion: 1.0.0
requires: [IDN-Confusables, Email-Auth-Baseline]
appliesTo: [{targetKind: DomainName}]
enforces:
  - "Monitor homograph registrations across TLDs"
  - "Auto-open PRaaS case on high-risk near-match"
  - "Quarantine MX until DMARC reject in place"
metrics:
  - key: near_match_takedown_ttd
    target: "<=24h"
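Added example, not part of the UCLS spec: a small Python resolver for the `requires` dependencies the packs above declare. PACKS is a constructed copy of the section C manifest reduced to pack ids and their requires; the resolver computes the apply order for a .health domain that also opts into Phishing-Defense, fails closed on an unknown pack, and reports a dependency cycle instead of applying a partial set.

```python
# Added example (not from the UCLS spec): resolve a pack's `requires` closure
# and order it so every dependency is applied before the pack that needs it.
# PACKS is a constructed copy of the section C manifest reduced to
# packId -> requires; packs without a requires line depend on nothing.
PACKS = {
    "ICANN-Core": [],
    "Security-Baseline": [],
    "Email-Auth-Baseline": [],
    "IDN-Confusables": [],
    "Phishing-Defense": ["IDN-Confusables", "Email-Auth-Baseline"],
    "TLD-Health": ["ICANN-Core", "Security-Baseline", "Email-Auth-Baseline", "IDN-Confusables"],
    "TLD-Brand-Starter": ["ICANN-Core", "Security-Baseline", "Email-Auth-Baseline", "Phishing-Defense"],
}


def resolve(requested, packs=PACKS):
    """Return the apply order for `requested` plus all transitive requires.

    Raises KeyError for an unknown pack and ValueError on a dependency cycle,
    so a malformed pack set fails closed instead of being partially applied.
    """
    order, done, on_path = [], set(), []

    def visit(pack_id):
        if pack_id in done:
            return
        if pack_id in on_path:  # back edge: a pack (transitively) requires itself
            cycle = " -> ".join(on_path[on_path.index(pack_id):] + [pack_id])
            raise ValueError(f"dependency cycle: {cycle}")
        if pack_id not in packs:
            raise KeyError(f"unknown pack: {pack_id}")
        on_path.append(pack_id)
        for dep in packs[pack_id]:  # post-order: dependencies land first
            visit(dep)
        on_path.pop()
        done.add(pack_id)
        order.append(pack_id)

    for pack_id in requested:
        visit(pack_id)
    return order


def governed_by(requested, packs=PACKS):
    """The closure as the sorted set that section G's governedBy field carries."""
    return sorted(resolve(requested, packs))


if __name__ == "__main__":
    # A .health domain that also opts into Phishing-Defense (as in section G).
    print(resolve(["TLD-Health", "Phishing-Defense"]))
```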
D) How packs bind into UCLS flows
- NaaS: normalizes domain tokens (IDNA, punycode, confusables).
- AaaS: binds RDAP/WHOIS/EPP events, DNSSEC chain, CT proofs.
- ValaaS: enforces SHACL + pack controls (e.g., HSTS preload required).
- RegaaS: records registry/registrar facts; captures escrow/zone hashes.
- PRaaS/GaaS: sunrise, UDRP/URS, policy exceptions; ballots & opinions.
- VaaS: versioned zone snapshots, policy pack versions, and rollbacks.
- ProvAaaS: signed lineage for every change (NS, DS, MX, CAA, SRV, etc.).
- DaaS/AnaaS/VizaaS: posture search, risk analytics, propagation maps.
E) KPIs/SLOs (roll up per pack and per domain/TLD)
- dnssec_validation_rate ≥ 99.9%
- dmarc_pass_rate ≥ 98% (with p=reject by deadline)
- ct_gap_seconds ≤ 300
- change_propagation_p95 ≤ 15m (NS/DS)
- confusable_block_rate ≥ 99%
- udrp_turnaround_days ≤ 20
F) Governance Actions (machine-actionable examples)
- opinion.udrpDecision.allow-transfer → registrar transfer + registry lock + zone freeze for 24h.
- opinion.sunriseClaim.valid → permit create op; log TMCH proof.
- exception.policy.hstsPreload.defer → time-boxed waiver with remediation plan.
- security.forceCAA → push CAA record set; block issuance outside allow-list.
Every action emits ProvAaaS trails and a VaaS snapshot; search via GET /ucls/versions/{id}.
G) Example: one real domain across packs (composed posture)
{
  "token": {
    "value": "solveforce.health",
    "kind": "domainName",
    "components": {"unicode": "solveforce.health", "punycode": "solveforce.health", "tld": ".health"}
  },
  "governedBy": ["ICANN-Core", "TLD-Health", "Security-Baseline", "Email-Auth-Baseline", "IDN-Confusables", "Phishing-Defense"],
  "emailSecurity": {
    "spf": "v=spf1 include:_spf.solveforce.net -all",
    "dkim": ["s1._domainkey.solveforce.health"],
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@solveforce.health",
    "mtaSts": "mode=enforce; mx=mx.solveforce.net",
    "tlsRpt": "mailto:tlsrpt@solveforce.health"
  },
  "httpsPolicy": {
    "hsts": "max-age=31536000; includeSubDomains; preload",
    "caa": ["0 issue \"letsencrypt.org\"", "0 issuewild \";\""]
  },
  "anchor": {
    "kind": "dnssecChain",
    "dsRecord": "…",
    "dnskey": "…",
    "rrsig": "…",
    "ctProofs": ["ct:argon/entry/…"],
    "rdap": "https://rdap.registry.health/domain/solveforce.health"
  }
}
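Added example, not from the spec: a pure-Python stand-in for the ValaaS gates of section B, run over the composed posture above. It applies the checks the B2/B3/B4 shapes express (SPF/DMARC/HSTS patterns, CAA and DNSSEC anchor minCounts) plus the B3 conditional rule that a reject/quarantine DMARC policy requires SPF and DKIM; the DNSSEC anchor values are labelled placeholders because the page elides them.

```python
import re


def dmarc_tags(record):
    """Parse 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def validate_posture(posture):
    """Return violation messages; an empty list means the gate passes."""
    # Missing values count as violations here (stricter than a bare sh:pattern).
    errs = []
    email = posture.get("emailSecurity", {})
    spf, dkim, dmarc = email.get("spf", ""), email.get("dkim", []), email.get("dmarc", "")
    # EmailSecurityShape (B3)
    if not re.search(r"^v=spf1\s", spf):
        errs.append("spf: value must start with 'v=spf1 '")
    if not dkim:
        errs.append("dkim: at least one selector required")
    if "v=DMARC1;" not in dmarc:
        errs.append("dmarc: value must contain 'v=DMARC1;'")
    if dmarc_tags(dmarc).get("p") in ("reject", "quarantine") and not (spf and dkim):
        errs.append("If DMARC policy is reject/quarantine, SPF and DKIM must exist.")
    # HTTPSPolicyShape (B4)
    https = posture.get("httpsPolicy", {})
    if "max-age=" not in https.get("hsts", ""):
        errs.append("hsts: value must contain 'max-age='")
    if not https.get("caa"):
        errs.append("caa: at least one record required")
    # DNSSECAnchorShape (B2): DS, DNSKEY and RRSIG must all be present
    anchor = posture.get("anchor", {})
    for field in ("dsRecord", "dnskey", "rrsig"):
        if not anchor.get(field):
            errs.append(f"anchor.{field}: required")
    return errs


# Constructed sample: the section G posture, reduced to the fields the gates read.
POSTURE = {
    "emailSecurity": {"spf": "v=spf1 include:_spf.solveforce.net -all",
                      "dkim": ["s1._domainkey.solveforce.health"],
                      "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@solveforce.health"},
    "httpsPolicy": {"hsts": "max-age=31536000; includeSubDomains; preload",
                    "caa": ['0 issue "letsencrypt.org"', '0 issuewild ";"']},
    "anchor": {"dsRecord": "<placeholder>", "dnskey": "<placeholder>", "rrsig": "<placeholder>"},
}
```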