Add validation during domain creation for locked down TLDs

During domain create/applicationcreate/allocate, domains that are on the reserved list(s) with nameserver restricted reservation type must set nameservers that are part of the allowed nameservers for that domain in the reserved list(s) applied to that TLD. Additionally a boolean is added to Registry to indicate if a TLD is restricting domain create. If it is, only domains that are nameserver restricted can be registered. For consistency with a similar feature that validates a TLD-wide nameserver whitelist, the per-domain nameserver validation is performed even when the operation is in super-user mode. Similarly, if a domain is nameserver restricted, nameservers must be supplied (i. e. the nameservers set cannot be empty) when registering the domain. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=150641269
2025-05-15 17:07:15 +02:00 · 2017-03-20 10:20:12 -07:00 · 2017-03-20 10:20:12 -07:00 · 620d698479
commit 620d698479
parent 582469e052
15 changed files with 735 additions and 49 deletions
--- a/docs/flows.md
+++ b/docs/flows.md
@ -274,7 +274,7 @@ the domain to convert to a normal create and be billed for accordingly.
    *   Resource status prohibits this operation.
    *   Linked resource in pending delete prohibits operation.
    *   Nameservers are not whitelisted for this TLD.
-    *   Nameservers not specified for this TLD with whitelist.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.
    *   Registrant is not whitelisted for this TLD.
 *   2306
    *   Cannot add and remove the same value.
@ -650,11 +650,16 @@ An EPP flow that creates a new domain resource.
    *   Resource linked to this domain does not exist.
 *   2304
    *   The claims period for this TLD has ended.
+    *   Requested domain does not have nameserver-restricted reservation for a
+        TLD that requires such a reservation to create domains.
    *   Requested domain is reserved.
    *   Linked resource in pending delete prohibits operation.
    *   Requested domain requires a claims notice.
+    *   Nameservers are not whitelisted for this domain.
    *   Nameservers are not whitelisted for this TLD.
-    *   Nameservers not specified for this TLD with whitelist.
+    *   Nameservers not specified for domain with nameserver-restricted
+        reservation.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.
    *   The requested domain name is on the premium price list, and this
        registrar has blocked premium registrations.
    *   Registrant is not whitelisted for this TLD.
@ -864,10 +869,15 @@ An EPP flow that creates a new application for a domain resource.
    *   Resource linked to this domain does not exist.
 *   2304
    *   The claims period for this TLD has ended.
+    *   Requested domain does not have nameserver-restricted reservation for a
+        TLD that requires such a reservation to create domains.
    *   Requested domain is reserved.
    *   Requested domain requires a claims notice.
+    *   Nameservers are not whitelisted for this domain.
    *   Nameservers are not whitelisted for this TLD.
-    *   Nameservers not specified for this TLD with whitelist.
+    *   Nameservers not specified for domain with nameserver-restricted
+        reservation.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.
    *   The requested domain name is on the premium price list, and this
        registrar has blocked premium registrations.
    *   Registrant is not whitelisted for this TLD.
@ -921,6 +931,14 @@ An EPP flow that allocates a new domain resource from a domain application.
    *   Domain application with specific ROID does not exist.
 *   2304
    *   Domain application already has a final status.
+    *   Requested domain does not have nameserver-restricted reservation for a
+        TLD that requires such a reservation to create domains.
+    *   Registrant is not whitelisted for this TLD.
+    *   Nameservers are not whitelisted for this domain.
+    *   Nameservers are not whitelisted for this TLD.
+    *   Nameservers not specified for domain with nameserver-restricted
+        reservation.
+    *   Nameservers not specified for domain on TLD with nameserver whitelist.

 ## ClaimsCheckFlow

--- a/docs/operational-procedures/reserved-list-management.md
+++ b/docs/operational-procedures/reserved-list-management.md
@ -16,7 +16,12 @@ a price, it has a reservation type. The valid values for reservation types are:
    domain with this label. If the a label in this type exists on multiple
    reserved lists that are applied to the same TLD. The set of allowed
    nameservers for that label in that TLD is the intersection of all applicable
-    nameservers.
+    nameservers. Note that this restriction is orthogonal to the TLD-wide
+    nameserver restrictions that may be otherwise imposed. The ultimate set of
+    allowed nameservers for a certain domain is the intersection of per-domain
+    and TLD-wide allowed nameservers set. Furthermore, a TLD can be set in a
+    domain create restricted mode, in which case **only** domains that are
+    reserved with this type can be registered.
 *   **`ALLOWED_IN_SUNRISE`** - The label can be registered during the sunrise
    period by a registrant with a valid claim but it is reserved thereafter.
 *   **`MISTAKEN_PREMIUM`** - The label is reserved because it was mistakenly put
--- a/java/google/registry/flows/domain/DomainAllocateFlow.java
+++ b/java/google/registry/flows/domain/DomainAllocateFlow.java
@ -53,6 +53,9 @@ import google.registry.flows.FlowModule.ClientId;
 import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
+import google.registry.flows.domain.DomainFlowUtils.DomainNotAllowedForTldWithCreateRestrictionException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForNameserverRestrictedDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingEvent.Flag;
@ -97,6 +100,12 @@ import org.joda.time.DateTime;
 * @error {@link DomainAllocateFlow.MissingApplicationException}
 * @error {@link DomainAllocateFlow.OnlySuperuserCanAllocateException}
 * @error {@link DomainFlowUtils.ExceedsMaxRegistrationYearsException}
+ * @error {@link DomainNotAllowedForTldWithCreateRestrictionException}
+ * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForDomainException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForTldException}
+ * @error {@link NameserversNotSpecifiedForNameserverRestrictedDomainException}
+ * @error {@link NameserversNotSpecifiedForTldWithNameserverWhitelistException}
 */
 public class DomainAllocateFlow implements TransactionalFlow {

@ -138,7 +147,7 @@ public class DomainAllocateFlow implements TransactionalFlow {
    Integer years = period.getValue();
    verifyUnitIsYears(period);
    validateRegistrationPeriod(years);
-    validateCreateCommandContactsAndNameservers(command, registry.getTldStr());
+    validateCreateCommandContactsAndNameservers(command, registry, domainName);
    SecDnsCreateExtension secDnsCreate =
        validateSecDnsExtension(eppInput.getSingleExtension(SecDnsCreateExtension.class));
    boolean isSunrushAddGracePeriod = isNullOrEmpty(command.getNameservers());
--- a/java/google/registry/flows/domain/DomainApplicationCreateFlow.java
+++ b/java/google/registry/flows/domain/DomainApplicationCreateFlow.java
@ -63,6 +63,9 @@ import google.registry.flows.custom.DomainApplicationCreateFlowCustomLogic.After
 import google.registry.flows.custom.DomainApplicationCreateFlowCustomLogic.BeforeResponseParameters;
 import google.registry.flows.custom.DomainApplicationCreateFlowCustomLogic.BeforeResponseReturnData;
 import google.registry.flows.custom.EntityChanges;
+import google.registry.flows.domain.DomainFlowUtils.DomainNotAllowedForTldWithCreateRestrictionException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForNameserverRestrictedDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.domain.DomainApplication;
 import google.registry.model.domain.DomainCommand.Create;
@ -103,7 +106,8 @@ import org.joda.time.DateTime;
 * @error {@link DomainApplicationCreateFlow.LandrushApplicationDisallowedDuringSunriseException}
 * @error {@link DomainApplicationCreateFlow.NoticeCannotBeUsedWithSignedMarkException}
 * @error {@link DomainApplicationCreateFlow.SunriseApplicationDisallowedDuringLandrushException}
- * @error {@link DomainApplicationCreateFlow.UncontestedSunriseApplicationBlockedInLandrushException}
+ * @error {@link
+ *     DomainApplicationCreateFlow.UncontestedSunriseApplicationBlockedInLandrushException}
 * @error {@link DomainFlowUtils.AcceptedTooLongAgoException}
 * @error {@link DomainFlowUtils.BadCommandForRegistryPhaseException}
 * @error {@link DomainFlowUtils.BadDomainNameCharacterException}
@ -115,6 +119,7 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.CurrencyValueScaleException}
 * @error {@link DomainFlowUtils.DashesInThirdAndFourthException}
 * @error {@link DomainFlowUtils.DomainLabelTooLongException}
+ * @error {@link DomainNotAllowedForTldWithCreateRestrictionException}
 * @error {@link DomainFlowUtils.DomainReservedException}
 * @error {@link DomainFlowUtils.DuplicateContactForRoleException}
 * @error {@link DomainFlowUtils.EmptyDomainNamePartException}
@ -134,8 +139,10 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.MaxSigLifeNotSupportedException}
 * @error {@link DomainFlowUtils.MissingClaimsNoticeException}
 * @error {@link DomainFlowUtils.MissingContactTypeException}
- * @error {@link DomainFlowUtils.NameserversNotAllowedException}
- * @error {@link DomainFlowUtils.NameserversNotSpecifiedException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForDomainException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForTldException}
+ * @error {@link NameserversNotSpecifiedForNameserverRestrictedDomainException}
+ * @error {@link NameserversNotSpecifiedForTldWithNameserverWhitelistException}
 * @error {@link DomainFlowTmchUtils.NoMarksFoundMatchingDomainException}
 * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
 * @error {@link DomainFlowUtils.PremiumNameBlockedException}
@ -206,7 +213,7 @@ public final class DomainApplicationCreateFlow implements TransactionalFlow {
    verifyUnitIsYears(command.getPeriod());
    int years = command.getPeriod().getValue();
    validateRegistrationPeriod(years);
-    validateCreateCommandContactsAndNameservers(command, tld);
+    validateCreateCommandContactsAndNameservers(command, registry, domainName);
    LaunchCreateExtension launchCreate = eppInput.getSingleExtension(LaunchCreateExtension.class);
    if (launchCreate != null) {
      validateLaunchCreateExtension(launchCreate, registry, domainName, now);
--- a/java/google/registry/flows/domain/DomainApplicationUpdateFlow.java
+++ b/java/google/registry/flows/domain/DomainApplicationUpdateFlow.java
@ -45,6 +45,7 @@ import static google.registry.model.ofy.ObjectifyService.ofy;
 import com.google.common.base.Optional;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
+import com.google.common.net.InternetDomainName;
 import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
@ -55,6 +56,7 @@ import google.registry.flows.FlowModule.Superuser;
 import google.registry.flows.FlowModule.TargetId;
 import google.registry.flows.TransactionalFlow;
 import google.registry.flows.domain.DomainFlowUtils.FeesRequiredForNonFreeOperationException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.domain.DomainApplication;
 import google.registry.model.domain.DomainCommand.Update;
@ -97,7 +99,7 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.MissingAdminContactException}
 * @error {@link DomainFlowUtils.MissingContactTypeException}
 * @error {@link DomainFlowUtils.MissingTechnicalContactException}
- * @error {@link DomainFlowUtils.NameserversNotAllowedException}
+ * @error {@link NameserversNotAllowedForTldException}
 * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
 * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
 * @error {@link DomainFlowUtils.SecDnsAllUsageException}
@ -240,7 +242,10 @@ public class DomainApplicationUpdateFlow implements TransactionalFlow {
    validateNoDuplicateContacts(newApplication.getContacts());
    validateRequiredContactsPresent(newApplication.getRegistrant(), newApplication.getContacts());
    validateDsData(newApplication.getDsData());
-    validateNameserversCountForTld(newApplication.getTld(), newApplication.getNameservers().size());
+    validateNameserversCountForTld(
+        newApplication.getTld(),
+        InternetDomainName.from(newApplication.getFullyQualifiedDomainName()),
+        newApplication.getNameservers().size());
  }

  /** Application status prohibits this domain update. */
--- a/java/google/registry/flows/domain/DomainCreateFlow.java
+++ b/java/google/registry/flows/domain/DomainCreateFlow.java
@ -62,6 +62,9 @@ import google.registry.flows.custom.DomainCreateFlowCustomLogic;
 import google.registry.flows.custom.DomainCreateFlowCustomLogic.BeforeResponseParameters;
 import google.registry.flows.custom.DomainCreateFlowCustomLogic.BeforeResponseReturnData;
 import google.registry.flows.custom.EntityChanges;
+import google.registry.flows.domain.DomainFlowUtils.DomainNotAllowedForTldWithCreateRestrictionException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForNameserverRestrictedDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
 import google.registry.model.ImmutableObject;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingEvent.Flag;
@ -113,6 +116,7 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.CurrencyValueScaleException}
 * @error {@link DomainFlowUtils.DashesInThirdAndFourthException}
 * @error {@link DomainFlowUtils.DomainLabelTooLongException}
+ * @error {@link DomainNotAllowedForTldWithCreateRestrictionException}
 * @error {@link DomainFlowUtils.DomainReservedException}
 * @error {@link DomainFlowUtils.DuplicateContactForRoleException}
 * @error {@link DomainFlowUtils.EmptyDomainNamePartException}
@ -135,8 +139,10 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.MissingContactTypeException}
 * @error {@link DomainFlowUtils.MissingRegistrantException}
 * @error {@link DomainFlowUtils.MissingTechnicalContactException}
- * @error {@link DomainFlowUtils.NameserversNotAllowedException}
- * @error {@link DomainFlowUtils.NameserversNotSpecifiedException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForDomainException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForTldException}
+ * @error {@link NameserversNotSpecifiedForNameserverRestrictedDomainException}
+ * @error {@link NameserversNotSpecifiedForTldWithNameserverWhitelistException}
 * @error {@link DomainFlowUtils.PremiumNameBlockedException}
 * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
 * @error {@link DomainFlowUtils.TldDoesNotExistException}
@ -149,7 +155,6 @@ import org.joda.time.DateTime;
 * @error {@link DomainCreateFlow.DomainHasOpenApplicationsException}
 * @error {@link DomainCreateFlow.NoGeneralRegistrationsInCurrentPhaseException}
 */
-
 public class DomainCreateFlow implements TransactionalFlow {

  private static final ImmutableSet<TldState> SUNRISE_STATES =
@ -191,7 +196,7 @@ public class DomainCreateFlow implements TransactionalFlow {
    InternetDomainName domainName = validateDomainName(command.getFullyQualifiedDomainName());
    String domainLabel = domainName.parts().get(0);
    Registry registry = Registry.get(domainName.parent().toString());
-    validateCreateCommandContactsAndNameservers(command, registry.getTldStr());
+    validateCreateCommandContactsAndNameservers(command, registry, domainName);
    TldState tldState = registry.getTldState(now);
    boolean isAnchorTenant = isAnchorTenant(domainName);
    LaunchCreateExtension launchCreate = eppInput.getSingleExtension(LaunchCreateExtension.class);
--- a/java/google/registry/flows/domain/DomainFlowUtils.java
+++ b/java/google/registry/flows/domain/DomainFlowUtils.java
@ -27,6 +27,8 @@ import static google.registry.model.domain.DomainResource.MAX_REGISTRATION_YEARS
 import static google.registry.model.domain.DomainResource.extendRegistrationWithCap;
 import static google.registry.model.ofy.ObjectifyService.ofy;
 import static google.registry.model.registry.Registries.findTldForName;
+import static google.registry.model.registry.label.ReservationType.NAMESERVER_RESTRICTED;
+import static google.registry.model.registry.label.ReservedList.getAllowedNameservers;
 import static google.registry.pricing.PricingEngineProxy.isDomainPremium;
 import static google.registry.tldconfig.idn.IdnLabelValidator.findValidIdnTableForTld;
 import static google.registry.util.CollectionUtils.nullToEmpty;
@ -281,11 +283,20 @@ public class DomainFlowUtils {
    }
  }

-  static void validateNameserversCountForTld(String tld, int count) throws EppException {
-    ImmutableSet<String> whitelist = Registry.get(tld).getAllowedFullyQualifiedHostNames();
+  static void validateNameserversCountForTld(String tld, InternetDomainName domainName, int count)
+      throws EppException {
    // For TLDs with a nameserver whitelist, all domains must have at least 1 nameserver.
-    if (!whitelist.isEmpty() && count == 0) {
-      throw new NameserversNotSpecifiedException();
+    ImmutableSet<String> tldNameserversWhitelist =
+        Registry.get(tld).getAllowedFullyQualifiedHostNames();
+    if (!tldNameserversWhitelist.isEmpty() && count == 0) {
+      throw new NameserversNotSpecifiedForTldWithNameserverWhitelistException(
+          domainName.toString());
+    }
+    // For domains with a nameserver restricted reservation, they must have at least 1 nameserver.
+    ImmutableSet<String> domainNameserversWhitelist = getAllowedNameservers(domainName);
+    if (!domainNameserversWhitelist.isEmpty() && count == 0) {
+      throw new NameserversNotSpecifiedForNameserverRestrictedDomainException(
+          domainName.toString());
    }
    if (count > MAX_NAMESERVERS_PER_DOMAIN) {
      throw new TooManyNameserversException(String.format(
@ -339,11 +350,38 @@ public class DomainFlowUtils {
    if (!whitelist.isEmpty()) { // Empty whitelist is ignored.
      Set<String> disallowedNameservers = difference(hostnames, whitelist);
      if (!disallowedNameservers.isEmpty()) {
-        throw new NameserversNotAllowedException(disallowedNameservers);
+        throw new NameserversNotAllowedForTldException(disallowedNameservers);
      }
    }
  }

+  /**
+   * Validates if the requested nameservers can be set on the requested domain.
+   *
+   * @param domainName the domain to be created.
+   * @param fullyQualifiedHostNames the set of nameservers to be set on the domain.
+   * @throws EppException
+   */
+  static void validateNameserversAllowedOnDomain(
+      InternetDomainName domainName, Set<String> fullyQualifiedHostNames) throws EppException {
+    ImmutableSet<ReservationType> reservationTypes = getReservationTypes(domainName);
+    if (reservationTypes.contains(NAMESERVER_RESTRICTED)) {
+      ImmutableSet<String> allowedNameservers = getAllowedNameservers(domainName);
+      Set<String> disallowedNameservers = difference(fullyQualifiedHostNames, allowedNameservers);
+      if (!disallowedNameservers.isEmpty()) {
+        throw new NameserversNotAllowedForDomainException(disallowedNameservers);
+      }
+    }
+  }
+
+  /** Validates if the requested domain can be reated on a domain create restricted TLD. */
+  static void validateDomainCreateAllowed(InternetDomainName domainName) throws EppException {
+    ImmutableSet<ReservationType> reservationTypes = getReservationTypes(domainName);
+    if (!reservationTypes.contains(NAMESERVER_RESTRICTED)) {
+      throw new DomainNotAllowedForTldWithCreateRestrictionException(domainName.toString());
+    }
+  }
+
  static void verifyNotReserved(InternetDomainName domainName, boolean isSunrise)
      throws EppException {
    if (isReserved(domainName, isSunrise)) {
@ -730,20 +768,23 @@ public class DomainFlowUtils {
  }

  /** Validate the contacts and nameservers specified in a domain or application create command. */
-  static void validateCreateCommandContactsAndNameservers(Create command, String tld)
-      throws EppException {
+  static void validateCreateCommandContactsAndNameservers(
+      Create command, Registry registry, InternetDomainName domainName) throws EppException {
    verifyNotInPendingDelete(
-        command.getContacts(),
-        command.getRegistrant(),
-        command.getNameservers());
+        command.getContacts(), command.getRegistrant(), command.getNameservers());
    validateContactsHaveTypes(command.getContacts());
+    String tld = registry.getTldStr();
    validateRegistrantAllowedOnTld(tld, command.getRegistrantContactId());
    validateNoDuplicateContacts(command.getContacts());
    validateRequiredContactsPresent(command.getRegistrant(), command.getContacts());
    Set<String> fullyQualifiedHostNames =
        nullToEmpty(command.getNameserverFullyQualifiedHostNames());
-    validateNameserversCountForTld(tld, fullyQualifiedHostNames.size());
+    validateNameserversCountForTld(tld, domainName, fullyQualifiedHostNames.size());
    validateNameserversAllowedOnTld(tld, fullyQualifiedHostNames);
+    if (registry.getDomainCreateRestricted()) {
+      validateDomainCreateAllowed(domainName);
+    }
+    validateNameserversAllowedOnDomain(domainName, fullyQualifiedHostNames);
  }

  /**
@ -1130,6 +1171,21 @@ public class DomainFlowUtils {
    }
  }

+  /**
+   * Requested domain does not have nameserver-restricted reservation for a TLD that requires such a
+   * reservation to create domains.
+   */
+  static class DomainNotAllowedForTldWithCreateRestrictionException
+      extends StatusProhibitsOperationException {
+    public DomainNotAllowedForTldWithCreateRestrictionException(String domainName) {
+      super(
+          String.format(
+              "%s is not allowed without a nameserver-restricted reservation"
+                  + " for a TLD that requires such reservation",
+              domainName));
+    }
+  }
+
  /**
   * The requested domain name is on the premium price list, and this registrar has blocked premium
   * registrations.
@ -1169,18 +1225,47 @@ public class DomainFlowUtils {
  }

  /** Nameservers are not whitelisted for this TLD. */
-  public static class NameserversNotAllowedException extends StatusProhibitsOperationException {
-    public NameserversNotAllowedException(Set<String> fullyQualifiedHostNames) {
+  public static class NameserversNotAllowedForTldException
+      extends StatusProhibitsOperationException {
+    public NameserversNotAllowedForTldException(Set<String> fullyQualifiedHostNames) {
      super(String.format(
          "Nameservers '%s' are not whitelisted for this TLD",
          Joiner.on(',').join(fullyQualifiedHostNames)));
    }
  }

-  /** Nameservers not specified for this TLD with whitelist. */
-  public static class NameserversNotSpecifiedException extends StatusProhibitsOperationException {
-    public NameserversNotSpecifiedException() {
-      super("At least one nameserver must be specified for this TLD");
+  /** Nameservers are not whitelisted for this domain. */
+  public static class NameserversNotAllowedForDomainException
+      extends StatusProhibitsOperationException {
+    public NameserversNotAllowedForDomainException(Set<String> fullyQualifiedHostNames) {
+      super(
+          String.format(
+              "Nameservers '%s' are not whitelisted for this domain",
+              Joiner.on(',').join(fullyQualifiedHostNames)));
+    }
+  }
+
+  /** Nameservers not specified for domain on TLD with nameserver whitelist. */
+  public static class NameserversNotSpecifiedForTldWithNameserverWhitelistException
+      extends StatusProhibitsOperationException {
+    public NameserversNotSpecifiedForTldWithNameserverWhitelistException(String domain) {
+      super(
+          String.format(
+              "At least one nameserver must be specified for domain %s"
+                  + " on a TLD with nameserver whitelist",
+              domain));
+    }
+  }
+
+  /** Nameservers not specified for domain with nameserver-restricted reservation. */
+  public static class NameserversNotSpecifiedForNameserverRestrictedDomainException
+      extends StatusProhibitsOperationException {
+    public NameserversNotSpecifiedForNameserverRestrictedDomainException(String domain) {
+      super(
+          String.format(
+              "At least one nameserver must be specified for domain %s"
+                  + " on a TLD with nameserver restriction",
+              domain));
    }
  }

--- a/java/google/registry/flows/domain/DomainUpdateFlow.java
+++ b/java/google/registry/flows/domain/DomainUpdateFlow.java
@ -43,6 +43,7 @@ import static google.registry.util.DateTimeUtils.earliestOf;

 import com.google.common.base.Optional;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.net.InternetDomainName;
 import com.googlecode.objectify.Key;
 import google.registry.dns.DnsQueue;
 import google.registry.flows.EppException;
@ -113,8 +114,8 @@ import org.joda.time.DateTime;
 * @error {@link DomainFlowUtils.MissingAdminContactException}
 * @error {@link DomainFlowUtils.MissingContactTypeException}
 * @error {@link DomainFlowUtils.MissingTechnicalContactException}
- * @error {@link DomainFlowUtils.NameserversNotAllowedException}
- * @error {@link DomainFlowUtils.NameserversNotSpecifiedException}
+ * @error {@link DomainFlowUtils.NameserversNotAllowedForTldException}
+ * @error {@link DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException}
 * @error {@link DomainFlowUtils.NotAuthorizedForTldException}
 * @error {@link DomainFlowUtils.RegistrantNotAllowedException}
 * @error {@link DomainFlowUtils.SecDnsAllUsageException}
@ -315,7 +316,10 @@ public final class DomainUpdateFlow implements TransactionalFlow {
    validateNoDuplicateContacts(newDomain.getContacts());
    validateRequiredContactsPresent(newDomain.getRegistrant(), newDomain.getContacts());
    validateDsData(newDomain.getDsData());
-    validateNameserversCountForTld(newDomain.getTld(), newDomain.getNameservers().size());
+    validateNameserversCountForTld(
+        newDomain.getTld(),
+        InternetDomainName.from(newDomain.getFullyQualifiedDomainName()),
+        newDomain.getNameservers().size());
  }

  /** Some status updates cost money. Bill only once no matter how many of them are changed. */
--- a/java/google/registry/model/registry/Registry.java
+++ b/java/google/registry/model/registry/Registry.java
@ -63,6 +63,7 @@ import google.registry.model.common.TimedTransitionProperty.TimedTransition;
 import google.registry.model.domain.fee.BaseFee.FeeType;
 import google.registry.model.domain.fee.Fee;
 import google.registry.model.registry.label.PremiumList;
+import google.registry.model.registry.label.ReservationType;
 import google.registry.model.registry.label.ReservedList;
 import google.registry.model.registry.label.ReservedList.ReservedListEntry;
 import google.registry.util.Idn;
@ -318,6 +319,12 @@ public class Registry extends ImmutableObject implements Buildable {
  /** Whether the price must be acknowledged to register premiun names on this TLD. */
  boolean premiumPriceAckRequired = true;

+  /**
+   * Whether only domains with {@link ReservationType#NAMESERVER_RESTRICTED} reservation type in a
+   * reserved list can be registered on this TLD.
+   */
+  boolean domainCreateRestricted;
+
  /** The length of the add grace period for this TLD. */
  Duration addGracePeriodLength = DEFAULT_ADD_GRACE_PERIOD;

@ -454,6 +461,13 @@ public class Registry extends ImmutableObject implements Buildable {
    return premiumPriceAckRequired;
  }

+  /**
+   * Returns true if only domains with nameserver restricted reservation on this TLD can be created.
+   */
+  public boolean getDomainCreateRestricted() {
+    return domainCreateRestricted;
+  }
+
  public Duration getAddGracePeriodLength() {
    return addGracePeriodLength;
  }
@ -647,6 +661,11 @@ public class Registry extends ImmutableObject implements Buildable {
      return this;
    }

+    public Builder setDomainCreateRestricted(boolean domainCreateRestricted) {
+      getInstance().domainCreateRestricted = domainCreateRestricted;
+      return this;
+    }
+
    public Builder setPremiumPricingEngine(String pricingEngineClass) {
      getInstance().pricingEngineClassName = checkArgumentNotNull(pricingEngineClass);
      return this;
--- a/javatests/google/registry/flows/domain/DomainAllocateFlowTest.java
+++ b/javatests/google/registry/flows/domain/DomainAllocateFlowTest.java
@ -45,7 +45,13 @@ import google.registry.flows.ResourceFlowTestCase;
 import google.registry.flows.domain.DomainAllocateFlow.HasFinalStatusException;
 import google.registry.flows.domain.DomainAllocateFlow.MissingApplicationException;
 import google.registry.flows.domain.DomainAllocateFlow.OnlySuperuserCanAllocateException;
+import google.registry.flows.domain.DomainFlowUtils.DomainNotAllowedForTldWithCreateRestrictionException;
 import google.registry.flows.domain.DomainFlowUtils.ExceedsMaxRegistrationYearsException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForNameserverRestrictedDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
+import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
 import google.registry.flows.exceptions.ResourceAlreadyExistsException;
 import google.registry.model.billing.BillingEvent;
 import google.registry.model.billing.BillingEvent.Flag;
@ -220,6 +226,208 @@ public class DomainAllocateFlowTest
    doSuccessfulTest(2);
  }

+  @Test
+  public void testSuccess_nameserverAndRegistrantWhitelisted() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setAllowedRegistrantContactIds(ImmutableSet.of("jd1234"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net"))
+            .build());
+    doSuccessfulTest(2);
+  }
+
+  @Test
+  public void testFailure_nameserverNotWhitelisted() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setAllowedRegistrantContactIds(ImmutableSet.of("jd1234"))
+            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns2.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForTldException.class, "ns1.example.net");
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testFailure_registrantNotWhitelisted() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setAllowedRegistrantContactIds(ImmutableSet.of("someone"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net"))
+            .build());
+    thrown.expect(RegistrantNotAllowedException.class, "jd1234");
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testFailure_emptyNameserverFailsWhitelist() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    setEppInput("domain_allocate_no_nameservers.xml");
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setAllowedRegistrantContactIds(ImmutableSet.of("jd1234"))
+            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns1.example.net, ns2.example.net"))
+            .build());
+    thrown.expect(NameserversNotSpecifiedForTldWithNameserverWhitelistException.class);
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testSuccess_domainNameserverRestricted_allNameserversAllowed() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example-one,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .build());
+    doSuccessfulTest(2);
+  }
+
+  @Test
+  public void testFailure_domainNameserverRestricted_someNameserversDisallowed() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example-one,NAMESERVER_RESTRICTED," + "ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForDomainException.class, "ns1.example.net");
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testFailure_domainNameserverRestricted_noNameservers() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    setEppInput("domain_allocate_no_nameservers.xml");
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example-one,NAMESERVER_RESTRICTED," + "ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotSpecifiedForNameserverRestrictedDomainException.class);
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testFailure_domainCreateRestricted_domainNotReserved() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "lol,NAMESERVER_RESTRICTED," + "ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(DomainNotAllowedForTldWithCreateRestrictionException.class, "example-one.tld");
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testSuccess_domainCreateNotRestricted_domainNotReserved() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "lol,NAMESERVER_RESTRICTED," + "ns2.example.net:ns3.example.net"))
+            .build());
+    doSuccessfulTest(2);
+  }
+
+  @Test
+  public void testSuccess_tldAndDomainNameserversWhitelistBothSatistfied() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example-one,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns4.example.net"))
+            .build());
+    doSuccessfulTest(2);
+  }
+
+  @Test
+  public void testFailure_domainNameserversDisallowed_tldNameserversAllowed() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example-one,NAMESERVER_RESTRICTED,"
+                        + "ns2.example.net:ns3.example.net:ns4.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForDomainException.class, "ns1.example.net");
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testFailure_domainNameserversAllowed_tldNameserversDisallowed() throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example-one,NAMESERVER_RESTRICTED,"
+                        + "ns2.example.net:ns3.example.net:ns1.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns4.example.net", "ns2.example.net", "ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForTldException.class, "ns1.example.net");
+    runFlowAsSuperuser();
+  }
+
+  @Test
+  public void testFailure_tldNameserversAllowed_domainCreateRestricted_domainNotReserved()
+      throws Exception {
+    setupDomainApplication("tld", TldState.QUIET_PERIOD);
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "lol,NAMESERVER_RESTRICTED,"
+                        + "ns2.example.net:ns3.example.net:ns1.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.example.net"))
+            .build());
+    thrown.expect(DomainNotAllowedForTldWithCreateRestrictionException.class, "example-one.tld");
+    runFlowAsSuperuser();
+  }
+
  @Test
  public void testSuccess_sunrushAddGracePeriod() throws Exception {
    setupDomainApplication("tld", TldState.QUIET_PERIOD);
--- a/javatests/google/registry/flows/domain/DomainApplicationCreateFlowTest.java
+++ b/javatests/google/registry/flows/domain/DomainApplicationCreateFlowTest.java
@ -71,6 +71,7 @@ import google.registry.flows.domain.DomainFlowUtils.CurrencyUnitMismatchExceptio
 import google.registry.flows.domain.DomainFlowUtils.CurrencyValueScaleException;
 import google.registry.flows.domain.DomainFlowUtils.DashesInThirdAndFourthException;
 import google.registry.flows.domain.DomainFlowUtils.DomainLabelTooLongException;
+import google.registry.flows.domain.DomainFlowUtils.DomainNotAllowedForTldWithCreateRestrictionException;
 import google.registry.flows.domain.DomainFlowUtils.DomainReservedException;
 import google.registry.flows.domain.DomainFlowUtils.DuplicateContactForRoleException;
 import google.registry.flows.domain.DomainFlowUtils.EmptyDomainNamePartException;
@ -90,8 +91,10 @@ import google.registry.flows.domain.DomainFlowUtils.MalformedTcnIdException;
 import google.registry.flows.domain.DomainFlowUtils.MaxSigLifeNotSupportedException;
 import google.registry.flows.domain.DomainFlowUtils.MissingClaimsNoticeException;
 import google.registry.flows.domain.DomainFlowUtils.MissingContactTypeException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForNameserverRestrictedDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
 import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
 import google.registry.flows.domain.DomainFlowUtils.PremiumNameBlockedException;
 import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
@ -1546,7 +1549,7 @@ public class DomainApplicationCreateFlowTest
    persistResource(Registry.get("tld").asBuilder()
        .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns2.example.net"))
        .build());
-    thrown.expect(NameserversNotAllowedException.class, "ns1.example.net");
+    thrown.expect(NameserversNotAllowedForTldException.class, "ns1.example.net");
    runFlow();
  }

@ -1572,7 +1575,173 @@ public class DomainApplicationCreateFlowTest
        .build());
    persistContactsAndHosts();
    clock.advanceOneMilli();
-    thrown.expect(NameserversNotSpecifiedException.class);
+    thrown.expect(NameserversNotSpecifiedForTldWithNameserverWhitelistException.class);
+    runFlow();
+  }
+
+  @Test
+  public void testSuccess_domainNameserverRestricted_allNameserversAllowed() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "test-validate,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    doSuccessfulTest("domain_create_sunrise_encoded_signed_mark_response.xml", true);
+    assertAboutApplications()
+        .that(getOnlyGlobalResource(DomainApplication.class))
+        .hasApplicationStatus(ApplicationStatus.VALIDATED);
+  }
+
+  @Test
+  public void testFailure_domainNameserverRestricted_someNameserversDisallowed() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "test-validate,NAMESERVER_RESTRICTED,ns2.example.net:ns3.example.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    thrown.expect(NameserversNotAllowedForDomainException.class, "ns1.example.net");
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_domainNameserverRestricted_noNameserversAllowed() throws Exception {
+    setEppInput("domain_create_sunrise_encoded_signed_mark_no_hosts.xml");
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "test-validate,NAMESERVER_RESTRICTED,ns2.example.net:ns3.example.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    thrown.expect(NameserversNotSpecifiedForNameserverRestrictedDomainException.class);
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_domainCreateRestricted_domainNotReserved() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "test,NAMESERVER_RESTRICTED,ns2.example.net:ns3.example.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    thrown.expect(DomainNotAllowedForTldWithCreateRestrictionException.class, "test-validate.tld");
+    runFlow();
+  }
+
+  @Test
+  public void testSuccess_domainCreateNotRestricted_domainNotReserved() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "test,NAMESERVER_RESTRICTED,ns2.example.net:ns3.example.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    doSuccessfulTest("domain_create_sunrise_encoded_signed_mark_response.xml", true);
+    assertAboutApplications()
+        .that(getOnlyGlobalResource(DomainApplication.class))
+        .hasApplicationStatus(ApplicationStatus.VALIDATED);
+  }
+
+  @Test
+  public void testSuccess_tldAndDomainNameserversWhitelistBothSatistfied() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "test-validate,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns4.examplet.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    doSuccessfulTest("domain_create_sunrise_encoded_signed_mark_response.xml", true);
+    assertAboutApplications()
+        .that(getOnlyGlobalResource(DomainApplication.class))
+        .hasApplicationStatus(ApplicationStatus.VALIDATED);
+  }
+
+  @Test
+  public void testFailure_domainNameserversDisallowed_tldNameserversAllowed() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "test-validate,NAMESERVER_RESTRICTED,"
+                        + "ns2.example.net:ns3.example.net:ns4.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.examplet.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    thrown.expect(NameserversNotAllowedForDomainException.class, "ns1.example.net");
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_domainNameserversAllowed_tldNameserversDisallowed() throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "test-validate,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns2.example.net", "ns3.example.net", "ns4.examplet.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    thrown.expect(NameserversNotAllowedForTldException.class, "ns1.example.net");
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_tldNameserversAllowed_domainCreateRestricted_domainNotReserved()
+      throws Exception {
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "lol,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.examplet.net"))
+            .build());
+    persistContactsAndHosts();
+    clock.advanceOneMilli();
+    thrown.expect(DomainNotAllowedForTldWithCreateRestrictionException.class, "test-validate.tld");
    runFlow();
  }

--- a/javatests/google/registry/flows/domain/DomainApplicationUpdateFlowTest.java
+++ b/javatests/google/registry/flows/domain/DomainApplicationUpdateFlowTest.java
@ -47,7 +47,7 @@ import google.registry.flows.domain.DomainFlowUtils.MaxSigLifeChangeNotSupported
 import google.registry.flows.domain.DomainFlowUtils.MissingAdminContactException;
 import google.registry.flows.domain.DomainFlowUtils.MissingContactTypeException;
 import google.registry.flows.domain.DomainFlowUtils.MissingTechnicalContactException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
 import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
 import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
 import google.registry.flows.domain.DomainFlowUtils.SecDnsAllUsageException;
@ -655,7 +655,7 @@ public class DomainApplicationUpdateFlowTest
            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns1.example.foo"))
            .build());
    clock.advanceOneMilli();
-    thrown.expect(NameserversNotAllowedException.class);
+    thrown.expect(NameserversNotAllowedForTldException.class);
    runFlow();
  }

--- a/javatests/google/registry/flows/domain/DomainCreateFlowTest.java
+++ b/javatests/google/registry/flows/domain/DomainCreateFlowTest.java
@ -67,6 +67,7 @@ import google.registry.flows.domain.DomainFlowUtils.CurrencyUnitMismatchExceptio
 import google.registry.flows.domain.DomainFlowUtils.CurrencyValueScaleException;
 import google.registry.flows.domain.DomainFlowUtils.DashesInThirdAndFourthException;
 import google.registry.flows.domain.DomainFlowUtils.DomainLabelTooLongException;
+import google.registry.flows.domain.DomainFlowUtils.DomainNotAllowedForTldWithCreateRestrictionException;
 import google.registry.flows.domain.DomainFlowUtils.DomainReservedException;
 import google.registry.flows.domain.DomainFlowUtils.DuplicateContactForRoleException;
 import google.registry.flows.domain.DomainFlowUtils.EmptyDomainNamePartException;
@ -89,8 +90,10 @@ import google.registry.flows.domain.DomainFlowUtils.MissingClaimsNoticeException
 import google.registry.flows.domain.DomainFlowUtils.MissingContactTypeException;
 import google.registry.flows.domain.DomainFlowUtils.MissingRegistrantException;
 import google.registry.flows.domain.DomainFlowUtils.MissingTechnicalContactException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForNameserverRestrictedDomainException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
 import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
 import google.registry.flows.domain.DomainFlowUtils.PremiumNameBlockedException;
 import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
@ -1703,7 +1706,7 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
    persistResource(Registry.get("tld").asBuilder()
        .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns2.example.net"))
        .build());
-    thrown.expect(NameserversNotAllowedException.class, "ns1.example.net");
+    thrown.expect(NameserversNotAllowedForTldException.class, "ns1.example.net");
    runFlow();
  }

@ -1714,7 +1717,7 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
        .setAllowedFullyQualifiedHostNames(ImmutableSet.of("somethingelse.example.net"))
        .build());
    persistContactsAndHosts();
-    thrown.expect(NameserversNotSpecifiedException.class);
+    thrown.expect(NameserversNotSpecifiedForTldWithNameserverWhitelistException.class);
    runFlow();
  }

@ -1728,6 +1731,154 @@ public class DomainCreateFlowTest extends ResourceFlowTestCase<DomainCreateFlow,
    doSuccessfulTest();
  }

+  @Test
+  public void testSuccess_domainNameserverRestricted_allNameserversAllowed() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .build());
+    doSuccessfulTest();
+  }
+
+  @Test
+  public void testFailure_domainNameserverRestricted_noNameservers() throws Exception {
+    setEppInput("domain_create_no_hosts_or_dsdata.xml");
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotSpecifiedForNameserverRestrictedDomainException.class);
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_domainNameserverRestricted_someNameserversDisallowed() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "example,NAMESERVER_RESTRICTED,ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForDomainException.class, "ns1.example.net");
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_domainCreateRestricted_domainNotReserved() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "lol,NAMESERVER_RESTRICTED,ns1.example.net:ns2.example.net"))
+            .build());
+    thrown.expect(DomainNotAllowedForTldWithCreateRestrictionException.class, "example.tld");
+    runFlow();
+  }
+
+  @Test
+  public void testSuccess_domainCreateNotRestricted_domainNotReserved() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setReservedLists(
+                persistReservedList(
+                    "reserved", "lol,NAMESERVER_RESTRICTED,ns1.example.net:ns2.example.net"))
+            .build());
+    doSuccessfulTest();
+  }
+
+  @Test
+  public void testSuccess_tldAndDomainNameserversWhitelistBothSatisfied() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.example.net"))
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns4.example.net"))
+            .build());
+    doSuccessfulTest();
+  }
+
+  @Test
+  public void testFailure_domainNameserversAllowed_tldNameserversDisallowed() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns2.example.net", "ns3.example.net", "ns4.example.net"))
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForTldException.class, "ns1.example.net");
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_domainNameserversDisallowed_tldNameserversAllowed() throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.example.net"))
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "example,NAMESERVER_RESTRICTED,"
+                        + "ns2.example.net:ns3.example.net:ns4.example.net"))
+            .build());
+    thrown.expect(NameserversNotAllowedForDomainException.class, "ns1.example.net");
+    runFlow();
+  }
+
+  @Test
+  public void testFailure_tldNameserversAllowed_domainCreateRestricted_domainNotReserved()
+      throws Exception {
+    persistContactsAndHosts();
+    persistResource(
+        Registry.get("tld")
+            .asBuilder()
+            .setDomainCreateRestricted(true)
+            .setAllowedFullyQualifiedHostNames(
+                ImmutableSet.of("ns1.example.net", "ns2.example.net", "ns3.example.net"))
+            .setReservedLists(
+                persistReservedList(
+                    "reserved",
+                    "lol,NAMESERVER_RESTRICTED,"
+                        + "ns1.example.net:ns2.example.net:ns3.example.net"))
+            .build());
+    thrown.expect(DomainNotAllowedForTldWithCreateRestrictionException.class, "example.tld");
+    runFlow();
+  }
+
  @Test
  public void testSuccess_eapFeeApplied_v06() throws Exception {
    setEppInput("domain_create_eap_fee.xml", ImmutableMap.of("FEE_VERSION", "0.6"));
--- a/javatests/google/registry/flows/domain/DomainUpdateFlowTest.java
+++ b/javatests/google/registry/flows/domain/DomainUpdateFlowTest.java
@ -56,8 +56,8 @@ import google.registry.flows.domain.DomainFlowUtils.MaxSigLifeChangeNotSupported
 import google.registry.flows.domain.DomainFlowUtils.MissingAdminContactException;
 import google.registry.flows.domain.DomainFlowUtils.MissingContactTypeException;
 import google.registry.flows.domain.DomainFlowUtils.MissingTechnicalContactException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedException;
-import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotAllowedForTldException;
+import google.registry.flows.domain.DomainFlowUtils.NameserversNotSpecifiedForTldWithNameserverWhitelistException;
 import google.registry.flows.domain.DomainFlowUtils.NotAuthorizedForTldException;
 import google.registry.flows.domain.DomainFlowUtils.RegistrantNotAllowedException;
 import google.registry.flows.domain.DomainFlowUtils.SecDnsAllUsageException;
@ -1093,7 +1093,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns1.example.foo"))
            .build());
    clock.advanceOneMilli();
-    thrown.expect(NameserversNotAllowedException.class);
+    thrown.expect(NameserversNotAllowedForTldException.class);
    runFlow();
  }

@ -1176,7 +1176,7 @@ public class DomainUpdateFlowTest extends ResourceFlowTestCase<DomainUpdateFlow,
        Registry.get("tld").asBuilder()
            .setAllowedFullyQualifiedHostNames(ImmutableSet.of("ns1.example.foo"))
            .build());
-    thrown.expect(NameserversNotSpecifiedException.class);
+    thrown.expect(NameserversNotSpecifiedForTldWithNameserverWhitelistException.class);
    runFlow();
  }

--- a/javatests/google/registry/model/schema.txt
+++ b/javatests/google/registry/model/schema.txt
@ -669,6 +669,7 @@ class google.registry.model.registry.Registry {
  @Id java.lang.String tldStrId;
  @Parent com.googlecode.objectify.Key<google.registry.model.common.EntityGroupRoot> parent;
  boolean dnsPaused;
+  boolean domainCreateRestricted;
  boolean escrowEnabled;
  boolean premiumPriceAckRequired;
  com.googlecode.objectify.Key<google.registry.model.registry.label.PremiumList> premiumList;