[Note that this file is a concatenation of more than one RFC.]
Internet Engineering Task Force (IETF) A. Newton
Request for Comments: 7480 ARIN
Category: Standards Track B. Ellacott
ISSN: 2070-1721 APNIC
N. Kong
CNNIC
March 2015
HTTP Usage in the Registration Data Access Protocol (RDAP)
Abstract
This document is one of a collection that together describes the
Registration Data Access Protocol (RDAP). It describes how RDAP is
transported using the Hypertext Transfer Protocol (HTTP). RDAP is a
successor protocol to the very old WHOIS protocol. The purpose of
this document is to clarify the use of standard HTTP mechanisms for
this application.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7480.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document describes the usage of the Hypertext Transfer Protocol
(HTTP) [RFC7230] for the Registration Data Access Protocol (RDAP).
The goal of this document is to tie together usage patterns of HTTP
into a common profile applicable to the various types of directory
services serving registration data using practices informed by the
Representational State Transfer (REST) [REST] architectural style.
By giving the various directory services common behavior, a single
client is better able to retrieve data from directory services
adhering to this behavior.
Registration data expected to be presented by this service is
Internet resource registration data -- registration of domain names
and Internet number resources. This data is typically provided by
WHOIS [RFC3912] services, but the WHOIS protocol is insufficient to
modern registration data service requirements. A replacement
protocol is expected to retain the simple transactional nature of
WHOIS, while providing a specification for queries and responses,
redirection to authoritative sources, support for Internationalized
Domain Names (IDNs) [RFC5890], and support for localized registration
data such as addresses and organization or person names.
In designing these common usage patterns, this document introduces
considerations for a simple use of HTTP. Where complexity may
reside, it is the goal of this document to place it upon the server
and to keep the client as simple as possible. A client
implementation should be possible using common operating system
scripting tools (e.g., bash and wget).
This is the basic usage pattern for this protocol:
1. A client determines an appropriate server to query along with the
appropriate base Uniform Resource Locator (URL) to use in such
queries. [RFC7484] describes one method to determine the server
and the base URL. See Appendix C for more information.
2. A client issues an HTTP (or HTTPS) query using GET [RFC7231]. As
an example, a query URL for the network registration 192.0.2.0
might be
[RFC7482] details the various queries used in RDAP.
Newton, et al. Standards Track [Page 3]
RFC 7480 RDAP over HTTP March 2015
3. If the receiving server has the information for the query, it
examines the Accept header field of the query and returns a 200
response with a response entity appropriate for the requested
format. [RFC7483] details a response in JavaScript Object
Notation (JSON).
4. If the receiving server does not have the information for the
query but does have knowledge of where the information can be
found, it will return a redirection response (3xx) with the
Location header field containing an HTTP(S) URL pointing to the
information or another server known to have knowledge of the
location of the information. The client is expected to requery
using that HTTP URL.
5. If the receiving server does not have the information being
requested and does not have knowledge of where the information
can be found, it returns a 404 response.
6. If the receiving server will not answer a request for policy
reasons, it will return an error response (4xx) indicating the
reason for giving no answer.
It is not the intent of this document to redefine the meaning and
semantics of HTTP. The purpose of this document is to clarify the
use of standard HTTP mechanisms for this application.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
As is noted in "Security and Stability Advisory Committee (SSAC)
Report on WHOIS Terminology and Structure" [SAC-051], the term
"WHOIS" is overloaded, often referring to a protocol, a service, and
data. In accordance with [SAC-051], this document describes the base
behavior for an RDAP. [SAC-051] describes a protocol profile of RDAP
for Domain Name Registries (DNRs), the Domain Name Registration Data
Access Protocol (DNRD-AP).
In this document, an RDAP client is an HTTP user agent performing an
RDAP query, and an RDAP server is an HTTP server providing an RDAP
response. RDAP query and response formats are described in [RFC7482]
and [RFC7483], while this document describes how RDAP clients and
servers use HTTP to exchange queries and responses. [RFC7481]
describes security considerations for RDAP.
Newton, et al. Standards Track [Page 4]
RFC 7480 RDAP over HTTP March 2015
3. Design Intents
There are a few design criteria this document attempts to meet.
First, each query is meant to require only one path of execution to
obtain an answer. A response may contain an answer, no answer, or a
redirect, and clients are not expected to fork multiple paths of
execution to make a query.
Second, the semantics of the request/response allow for future and/or
non-standard response formats. In this document, only a JSON
[RFC7159] response media type is noted, with the response contents to
be described separately (see [RFC7483]). This document only
describes how RDAP is transported using HTTP with this format.
Third, this protocol is intended to be able to make use of the range
of mechanisms available for use with HTTP. HTTP offers a number of
mechanisms not described further in this document. Operators are
able to make use of these mechanisms according to their local policy,
including cache control, authorization, compression, and redirection.
HTTP also benefits from widespread investment in scalability,
reliability, and performance, as well as widespread programmer
understanding of client behaviors for web services styled after REST
[REST], reducing the cost to deploy Registration Data Directory
Services and clients. This protocol is forward compatible with HTTP
2.0.
4. Queries
4.1. HTTP Methods
Clients use the GET method to retrieve a response body and use the
HEAD method to determine existence of data on the server. Clients
SHOULD use either the HTTP GET or HEAD methods (see [RFC7231]).
Servers are under no obligation to support other HTTP methods;
therefore, clients using other methods will likely not interoperate
properly.
Clients and servers MUST support HTTPS to support security services.
4.2. Accept Header
To indicate to servers that an RDAP response is desired, clients
include an Accept header field with an RDAP-specific JSON media type,
the generic JSON media type, or both. Servers receiving an RDAP
request return an entity with a Content-Type header containing the
RDAP-specific JSON media type.
Newton, et al. Standards Track [Page 5]
RFC 7480 RDAP over HTTP March 2015
This specification does not define the responses a server returns to
a request with any other media types in the Accept header field, or
with no Accept header field. One possibility would be to return a
response in a media type suitable for rendering in a web browser.
4.3. Query Parameters
Servers MUST ignore unknown query parameters. Use of unknown query
parameters for cache busting is described in Appendix B.
5. Types of HTTP Response
This section describes the various types of responses a server may
send to a client. While no standard HTTP response code is forbidden
in usage, this section defines the minimal set of response codes in
common use by servers that a client will need to understand. While
some clients may be constructed with simple tooling that does not
account for all of these response codes, a more robust client
accounting for these codes will likely provide a better user
experience. It is expected that usage of response codes and types
for this application not defined here will be described in subsequent
documents.
5.1. Positive Answers
If a server has the information requested by the client and wishes to
respond to the client with the information according to its policies,
it returns that answer in the body of a 200 (OK) response (see
[RFC7231]).
5.2. Redirects
If a server wishes to inform a client that the answer to a given
query can be found elsewhere, it returns either a 301 (Moved
Permanently) response code to indicate a permanent move or a 302
(Found), 303 (See Other), or 307 (Temporary Redirect) response code
to indicate a non-permanent redirection, and it includes an HTTP(S)
URL in the Location header field (see [RFC7231]). The client is
expected to issue a subsequent request to satisfy the original query
using the given URL without any processing of the URL. In other
words, the server is to hand back a complete URL, and the client
should not have to transform the URL to follow it. Servers are under
no obligation to return a URL conformant to [RFC7482].
For this application, such an example of a permanent move might be a
Top-Level Domain (TLD) operator informing a client the information
Newton, et al. Standards Track [Page 6]
RFC 7480 RDAP over HTTP March 2015
being sought can be found with another TLD operator (i.e., a query
for the domain bar in foo.example is found at
http://foo.example/domain/bar).
If a server wishes to respond that it has an empty result set (that
is, no data appropriately satisfying the query), it returns a 404
(Not Found) response code. Optionally, it MAY include additional
information regarding the negative answer in the HTTP entity body.
If a server wishes to inform the client that information about the
query is available, but cannot include the information in the
response to the client for policy reasons, the server MUST respond
with an appropriate response code out of HTTP's 4xx range. A client
MAY retry the query if that is appropriate for the respective
response code.
5.4. Malformed Queries
If a server receives a query that it cannot interpret as an RDAP
query, it returns a 400 (Bad Request) response code. Optionally, it
MAY include additional information regarding this negative answer in
the HTTP entity body.
5.5. Rate Limits
Some servers apply rate limits to deter address scraping and other
abuses. When a server declines to answer a query due to rate limits,
it returns a 429 (Too Many Requests) response code as described in
[RFC6585]. A client that receives a 429 response SHOULD decrease its
query rate and honor the Retry-After header field if one is present.
Servers may place stricter limits upon clients that do not honor the
Retry-After header. Optionally, the server MAY include additional
information regarding the rate limiting in the HTTP entity body.
Newton, et al. Standards Track [Page 7]
RFC 7480 RDAP over HTTP March 2015
Note that this is not a defense against denial-of-service (DoS)
attacks, since a malicious client could ignore the code and continue
to send queries at a high rate. A server might use another response
code if it did not wish to reveal to a client that rate limiting is
the reason for the denial of a reply.
5.6. Cross-Origin Resource Sharing (CORS)
When responding to queries, it is RECOMMENDED that servers use the
Access-Control-Allow-Origin header field, as specified by
[W3C.REC-cors-20140116]. A value of "*" is suitable when RDAP is
used for public resources.
This header (often called the CORS header) helps in-browser web
applications by lifting the "same-origin" restriction (i.e., a
browser may load RDAP client code from one web server but query
others for RDAP data).
By default, browsers do not send cookies when cross origin requests
are allowed. Setting the Access-Control-Allow-Credentials header
field to "true" will send cookies. Use of the
Access-Control-Allow-Credentials header field is NOT RECOMMENDED.
6. Extensibility
For extensibility purposes, this document defines an IANA registry
for prefixes used in JSON [RFC7159] data serialization and URI path
segments (see Section 8).
Prefixes and identifiers SHOULD only consist of the alphabetic US-
ASCII characters A through Z in both uppercase and lowercase, the
numerical digits 0 through 9, and the underscore character, and they
SHOULD NOT begin with an underscore character, numerical digit, or
the characters "xml". The following describes the production of JSON
names in ABNF [RFC5234].
name = ALPHA *( ALPHA / DIGIT / "_" )
Figure 1: ABNF for JSON Names
This restriction is a union of the Ruby programming language
identifier syntax and the XML element name syntax and has two
purposes. First, client implementers using modern programming
languages such as Ruby or Java can use libraries that automatically
promote JSON names to first-order object attributes or members.
Second, a clean mapping between JSON and XML is easy to accomplish
using these rules.
Newton, et al. Standards Track [Page 8]
RFC 7480 RDAP over HTTP March 2015
7. Security Considerations
This document does not pose strong security requirements to the RDAP
protocol. However, it does not restrict against the use of security
mechanisms offered by the HTTP protocol. It does require that RDAP
clients and servers MUST support HTTPS.
This document makes recommendations for server implementations
against DoS (Section 5.5) and interoperability with existing security
mechanisms in HTTP clients (Section 5.6).
Additional security considerations to the RDAP protocol are covered
in [RFC7481].
8. IANA Considerations
8.1. RDAP Extensions Registry
IANA has created a new category in the protocol registries labeled
"Registration Data Access Protocol (RDAP)", and within that category,
has established a URL-referenceable, stand-alone registry labeled
"RDAP Extensions". The purpose of this registry is to ensure
uniqueness of extension identifiers. The extension identifier is
used as a prefix in JSON names and as a prefix of path segments in
RDAP URLs.
The production rule for these identifiers is specified in Section 6.
In accordance with [RFC5226], the IANA policy for assigning new
values, shall be Specification Required: values and their meanings
must be documented in an RFC or in some other permanent and readily
available reference, in sufficient detail that interoperability
between independent implementations is possible.
The following is a template for an RDAP extension registration:
Extension identifier: the identifier of the extension
Registry operator: the name of the registry operator
Published specification: RFC number, bibliographical reference, or
URL to a permanent and readily available specification
Person & email address to contact for further information: The
names and email addresses of individuals to contact regarding this
registry entry
Newton, et al. Standards Track [Page 9]
RFC 7480 RDAP over HTTP March 2015
Intended usage: brief reasons for this registry entry (as defined
by [RFC5226]).
The following is an example of a registration in the RDAP extension
registry:
Person & email address to contact for further information:
Professor Bernardo de la Paz <[email protected]>
Intended usage: COMMON
9. Internationalization Considerations
9.1. URIs and IRIs
Clients can use Internationalized Resource Identifiers (IRIs)
[RFC3987] for internal use as they see fit but MUST transform them to
URIs [RFC3986] for interaction with RDAP servers. RDAP servers MUST
use URIs in all responses, and again clients can transform these URIs
to IRIs for internal use as they see fit.
9.2. Language Identifiers in Queries and Responses
Under most scenarios, clients requesting data will not signal that
the data be returned in a particular language or script. On the
other hand, when servers return data and have knowledge that the data
is in a language or script, the data SHOULD be annotated with
language identifiers whenever they are available, thus allowing
clients to process and display the data accordingly.
[RFC7483] provides such a mechanism.
9.3. Language Identifiers in HTTP Headers
Given the description of the use of language identifiers in
Section 9.2, unless otherwise specified, servers SHOULD ignore the
HTTP [RFC7231] Accept-Language header field when formulating HTTP
entity responses, so that clients do not conflate the Accept-Language
header with the 'lang' values in the entity body.
Newton, et al. Standards Track [Page 10]
RFC 7480 RDAP over HTTP March 2015
However, servers MAY return language identifiers in the Content-
Language header field so as to inform clients of the intended
language of HTTP layer messages.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
Identifiers (IRIs)", RFC 3987, January 2005,
<http://www.rfc-editor.org/info/rfc3987>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008, <http://www.rfc-editor.org/info/rfc5226>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", RFC
7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
June 2014, <http://www.rfc-editor.org/info/rfc7231>.
[RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
Registration Data Access Protocol (RDAP)", RFC 7481,
February 2015, <http://www.rfc-editor.org/info/rfc7481>.
[RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access
Protocol (RDAP) Query Format", RFC 7482, February 2015,
<http://www.rfc-editor.org/info/rfc7482>.
[RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the
Registration Data Access Protocol (RDAP)", RFC 7483,
February 2015, <http://www.rfc-editor.org/info/rfc7483>.
Newton, et al. Standards Track [Page 11]
RFC 7480 RDAP over HTTP March 2015
[RFC7484] Blanchet, M., "Finding the Authoritative Registration Data
(RDAP) Service", RFC 7484, February 2015,
<http://www.rfc-editor.org/info/rfc7484>.
[REST] Fielding, R. and R. Taylor, "Principled Design of the
Modern Web Architecture", ACM Transactions on Internet
Technology, Vol. 2, No. 2, May 2002.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, August 2010,
<http://www.rfc-editor.org/info/rfc5890>.
[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, March 2014,
<http://www.rfc-editor.org/info/rfc7159>.
[SAC-051] Piscitello, D., Ed., "SSAC Report on Domain Name WHOIS
Terminology and Structure", A report from the ICANN
Security and Stability Advisory Committee (SSAC),
September 2011.
[lacnic-joint-whois]
LACNIC, "Joint Whois", December 2005,
<ftp://anonymous@ftp.registro.br/pub/gter/
gter20/02-jwhois-lacnic.pdf>.
Newton, et al. Standards Track [Page 12]
RFC 7480 RDAP over HTTP March 2015
Appendix A. Protocol Example
To demonstrate typical behavior of an RDAP client and server, the
following is an example of an exchange, including a redirect. The
data in the response has been elided for brevity, as the data format
is not described in this document. The media type used here is
described in [RFC7483].
An example of an RDAP client and server exchange:
Client:
<TCP connect to rdap.example.com port 80>
GET /rdap/ip/203.0.113.0/24 HTTP/1.1
Host: rdap.example.com
Accept: application/rdap+json
Client:
<TCP connect to rdap-ip.example.com port 80>
GET /rdap/ip/203.0.113.0/24 HTTP/1.1
Host: rdap-ip.example.com
Accept: application/rdap+json
rdap-ip.example.com:
HTTP/1.1 200 OK
Content-Type: application/rdap+json
Content-Length: 9001
{ ... }
<TCP disconnect>
Appendix B. Cache Busting
Some HTTP [RFC7230] cache infrastructures do not adhere to caching
standards adequately and could cache responses longer than is
intended by the server. To overcome these issues, clients can use an
ad hoc and improbably used query parameter with a random value of
their choosing. As Section 4.3 instructs servers to ignore unknown
parameters, this is compatible with the RDAP definition.
Newton, et al. Standards Track [Page 13]
RFC 7480 RDAP over HTTP March 2015
An example of using an unknown query parameter to bust caches:
Use of an unknown parameter to overcome misbehaving caches is not
part of any specification and is offered here for informational
purposes.
Appendix C. Bootstrapping and Redirection
The traditional deployment model of WHOIS [RFC3912] does not provide
a mechanism for determining the authoritative source for information.
Some approaches have been implemented in the past, most notably the
Joint WHOIS [lacnic-joint-whois] initiative. However, among other
shortcomings, Joint WHOIS is implemented using proxies and server-
side referrals.
These issues are solved in RDAP using HTTP redirects and
bootstrapping. Bootstrapping is discussed in [RFC7484]. In
constrained environments, the processes outlined in [RFC7484] may not
be viable, and there may be the need for servers acting as a
"redirector".
Redirector servers issue HTTP redirects to clients using a
redirection table informed by [RFC7484]. Figure 2 diagrams a client
using a redirector for bootstrapping.
In some cases, particularly sub-delegations made between Regional
Internet Registries (RIRs) known as "ERX space" and transfers of
networks, multiple HTTP redirects will be issued. Figure 3 shows
such a scenario.
Figure 3: Querying RDAP Data for Data That Has Been Transferred
Acknowledgements
John Levine provided text to tighten up the Accept header field usage
and the text for the section on 429 responses.
Marc Blanchet provided some clarifying text regarding the use of URLs
with redirects, as well as very useful feedback during Working Group
Last Call (WGLC).
Normative language reviews were provided by Murray S. Kucherawy,
Andrew Sullivan, Tom Harrison, Ed Lewis, and Alexander Mayrhofer.
Jean-Phillipe Dionne provided text for the Security Considerations
section.
The concept of the redirector server informatively discussed in
Appendix C was documented by Carlos M. Martinez and Gerardo Rada of
Newton, et al. Standards Track [Page 15]
RFC 7480 RDAP over HTTP March 2015
LACNIC and Linlin Zhou of CNNIC and subsequently incorporated into
this document.
This document is the work product of the IETF's WEIRDS working group,
of which Olaf Kolkman and Murray Kucherawy were chairs.
Authors' Addresses
Andrew Lee Newton
American Registry for Internet Numbers
3635 Concorde Parkway
Chantilly, VA 20151
United States
Internet Engineering Task Force (IETF) S. Hollenbeck
Request for Comments: 7481 Verisign Labs
Category: Standards Track N. Kong
ISSN: 2070-1721 CNNIC
March 2015
Security Services for the Registration Data Access Protocol (RDAP)
Abstract
The Registration Data Access Protocol (RDAP) provides "RESTful" web
services to retrieve registration metadata from Domain Name and
Regional Internet Registries. This document describes information
security services, including access control, authentication,
authorization, availability, data confidentiality, and data integrity
for RDAP.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7481.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
The Registration Data Access Protocol (RDAP) is specified in multiple
documents, including "Registration Data Access Protocol (RDAP) Query
Format" [RFC7482], "JSON Responses for the Registration Data Access
Protocol (RDAP)" [RFC7483], and "HTTP Usage in the Registration Data
Access Protocol (RDAP)" [RFC7480].
One goal of RDAP is to provide security services that do not exist in
the WHOIS [RFC3912] protocol, including access control,
authentication, authorization, availability, data confidentiality,
and data integrity. This document describes how each of these
services is achieved by RDAP using features that are available in
other protocol layers. Additional or alternative mechanisms can be
added in the future. Where applicable, informative references to
requirements for a WHOIS replacement service [RFC3707] are noted.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Hollenbeck & Kong Standards Track [Page 2]
RFC 7481 RDAP Security Services March 2015
2.1. Acronyms and Abbreviations
DNR: Domain Name Registry
HTTP: Hypertext Transfer Protocol
JSON: JavaScript Object Notation
RDAP: Registration Data Access Protocol
RIR: Regional Internet Registry
TLS: Transport Layer Security
3. Information Security Services and RDAP
RDAP itself does not include native security services. Instead, RDAP
relies on features that are available in other protocol layers to
provide needed security services, including access control,
authentication, authorization, availability, data confidentiality,
and data integrity. A description of each of these security services
can be found in "Internet Security Glossary, Version 2" [RFC4949].
No requirements have been identified for other security services.
3.1. Access Control
WHOIS does not include specific features to control access to
registration information. As described in the following sections,
RDAP includes features to identify, authenticate, and authorize
clients, allowing server operators to control access to information
based on a client's identity and associated authorizations.
Information returned to a client can be clearly marked with a status
value (see Section 10.2.2 of [RFC7483]) that identifies the access
granted to the client.
3.2. Authentication
This section describes security authentication mechanisms and the
need for authorization policies to include them. It describes
requirements for the implementations of clients and servers but does
not dictate the policies of server operators. For example, a server
operator with no policy regarding differentiated or tiered access to
data will have no authorization mechanisms and will have no need for
any type of authentication. A server operator with policies on
differentiated access will have to construct an authorization scheme
and will need to follow the specified authentication requirements.
Hollenbeck & Kong Standards Track [Page 3]
RFC 7481 RDAP Security Services March 2015
WHOIS does not provide features to identify and authenticate clients.
As noted in Section 3.1.4.2 of "Cross Registry Internet Service
Protocol (CRISP) Requirements" [RFC3707], there is utility in
allowing server operators to offer "varying degrees of access
depending on policy and need." Clients have to be identified and
authenticated to provide that utility.
RDAP's authentication framework needs to accommodate anonymous access
as well as verification of identities using a range of authentication
methods and credential services. To that end, RDAP clients and
servers MUST implement the authentication framework specified in
"Hypertext Transfer Protocol (HTTP/1.1): Authentication" [RFC7235].
The "basic" scheme can be used to send a client's user name and
password to a server in plaintext, base64-encoded form. The "digest"
scheme can be used to authenticate a client without exposing the
client's plaintext password. If the "basic" scheme is used, HTTP
over TLS [RFC2818] MUST be used to protect the client's credentials
from disclosure while in transit (see Section 3.5).
Servers MUST support either Basic or Digest authentication; they are
not required to support both. Clients MUST support both to
interoperate with servers that support one or the other. Servers may
provide a login page that triggers HTTP authentication. Clients
should continue sending the HTTP authentication header once they
receive an initial 401 (Unauthorized) response from the HTTP server
as long as the scheme portion of the URL doesn't change.
The Transport Layer Security protocol [RFC5246] includes an optional
feature to identify and authenticate clients who possess and present
a valid X.509 digital certificate [RFC5280]. Support for this
feature is OPTIONAL.
RDAP does not impose any unique server authentication requirements.
The server authentication provided by TLS fully addresses the needs
of RDAP. In general, transports for RDAP must either provide a
TLS-protected transport (e.g., HTTPS) or a mechanism that provides an
equivalent level of server authentication.
Work on HTTP authentication methods continues. RDAP is designed to
be agile enough to support additional methods as they are defined.
3.2.1. Federated Authentication
The traditional client-server authentication model requires clients
to maintain distinct credentials for every RDAP server. This
situation can become unwieldy as the number of RDAP servers
increases. Federated authentication mechanisms allow clients to use
one credential to access multiple RDAP servers and reduce client
Hollenbeck & Kong Standards Track [Page 4]
RFC 7481 RDAP Security Services March 2015
credential management complexity. RDAP MAY include a federated
authentication mechanism that permits a client to access multiple
RDAP servers in the same federation with one credential.
Federated authentication mechanisms used by RDAP MUST be fully
supported by HTTP. OAuth, OpenID, Security Assertion Markup Language
(SAML), and mechanisms based on Certification Authority (CA) are all
possible approaches to provide federated authentication. At the time
of this document's publication, negotiation or advertisement of
federated authentication services is still an undefined mechanism by
the noted federated authentication protocols. Developing this
mechanism is beyond the scope of this document.
The OAuth authorization framework [RFC6749] describes a method for
users to access protected web resources without having to hand out
their credentials. Instead, clients are issued access tokens by
authorization servers with the permission of the resource owners.
Using OAuth, multiple RDAP servers can form a federation, and the
clients can access any server in the same federation by providing one
credential registered in any server in that federation. The OAuth
authorization framework is designed for use with HTTP and thus can be
used with RDAP.
OpenID [OpenID] is a decentralized single sign-on authentication
system that allows users to log in at multiple web sites with one ID
instead of having to create multiple unique accounts. An end user
can freely choose which OpenID provider to use and can preserve their
Identifier if they switch OpenID providers.
Note that OAuth and OpenID do not consistently require data
confidentiality services to protect interactions between providers
and consumers. HTTP over TLS [RFC2818] can be used as needed to
provide protection against man-in-the-middle attacks.
SAML 2.0 [SAML] is an XML-based protocol that can be used to
implement web-based authentication and authorization services,
including single sign on. It uses security tokens containing
assertions to exchange information about an end user between an
identity provider and a service provider.
The Transport Layer Security protocol describes the specification of
a client certificate in Section 7.4.6 of [RFC5246]. Clients who
possess and present a valid X.509 digital certificate, issued by a
CA, could be identified and authenticated by a server who trusts the
corresponding CA. A certificate authentication method can be used to
achieve federated authentication in which multiple RDAP servers all
trust the same CAs, and then any client with a certificate issued by
a trusted CA can access any RDAP server in the federation. This
Hollenbeck & Kong Standards Track [Page 5]
RFC 7481 RDAP Security Services March 2015
certificate-based mechanism is supported by HTTPS and can be used
with RDAP.
3.3. Authorization
WHOIS does not provide services to grant different levels of access
to clients based on a client's authenticated identity. As noted in
Section 3.1.4.2 of "Cross Registry Internet Service Protocol (CRISP)
Requirements" [RFC3707], there is utility in allowing server
operators to offer "varying degrees of access depending on policy and
need." Access control decisions can be made once a client's identity
has been established and authenticated (see Section 3.2).
Server operators MAY offer varying degrees of access depending on
policy and need in conjunction with the authentication methods
described in Section 3.2. If such varying degrees of access are
supported, an RDAP server MUST provide granular access controls (that
is, per registration data object) in order to implement authorization
policies. Some examples:
- Clients will be allowed access only to data for which they have a
relationship.
- Unauthenticated or anonymous access status may not yield any
contact information.
- Full access may be granted to a special group of authenticated
clients.
The type of access allowed by a server will most likely vary from one
operator to the next. A description of the response privacy
considerations associated with different levels of authorization can
be found in Section 13 of [RFC7483].
3.4. Availability
An RDAP service has to be available to be useful. There are no RDAP-
unique requirements to provide availability, but as a general
security consideration, a service operator needs to be aware of the
issues associated with denial of service. A thorough reading of
"Internet Denial-of-Service Considerations" [RFC4732] is advised.
An RDAP service MAY use an HTTP throttling mechanism to limit the
number of queries that a single client can send in a given period of
time. If used, the server SHOULD return an HTTP 429 (Too Many
Requests) response code as described in "Additional HTTP Status
Codes" [RFC6585]. A client that receives a 429 response SHOULD
decrease its query rate and honor the Retry-After header field if one
Hollenbeck & Kong Standards Track [Page 6]
RFC 7481 RDAP Security Services March 2015
is present. Note that this is not a defense against
denial-of-service attacks, since a malicious client could ignore the
code and continue to send queries at a high rate. A server might use
another response code if it did not wish to reveal to a client that
rate limiting is the reason for the denial of a reply.
3.5. Data Confidentiality
WHOIS does not provide the ability to protect data from inadvertent
disclosure while in transit. RDAP uses HTTP over TLS [RFC2818] to
provide that protection by encrypting all traffic sent on the
connection between client and server. HTTP over TLS MUST be used to
protect all client-server exchanges unless operational constraints
make it impossible to meet this requirement. It is also possible to
encrypt discrete objects (such as command path segments and JSON-
encoded response objects) at one endpoint, send them to the other
endpoint via an unprotected transport protocol, and decrypt the
object on receipt. Encryption algorithms as described in "Internet
Security Glossary, Version 2" [RFC4949] are commonly used to provide
data confidentiality at the object level.
There are no current requirements for object-level data
confidentiality using encryption. Support for this feature could be
added to RDAP in the future.
As noted in Section 3.2, the HTTP "basic" authentication scheme can
be used to authenticate a client. When this scheme is used, HTTP
over TLS MUST be used to protect the client's credentials from
disclosure while in transit. If the policy of the server operator
requires encryption to protect client-server data exchanges (such as
to protect non-public data that cannot be accessed without client
identification and authentication), HTTP over TLS MUST be used to
protect those exchanges.
A description of privacy threats that can be addressed with
confidentiality services can be found in Section 4. Section 10.2.2
of [RFC7483] describes status values that can be used to describe
operator actions used to protect response data from disclosure to
unauthorized clients.
3.6. Data Integrity
WHOIS does not provide the ability to protect data from modification
while in transit. Web services such as RDAP commonly use HTTP over
TLS [RFC2818] to provide that protection by using a keyed Message
Authentication Code (MAC) to detect modifications. It is also
possible to sign discrete objects (such as command path segments and
JSON-encoded response objects) at one endpoint, send them to the
Hollenbeck & Kong Standards Track [Page 7]
RFC 7481 RDAP Security Services March 2015
other endpoint via a transport protocol, and validate the signature
of the object on receipt. Digital signature algorithms as described
in "Internet Security Glossary, Version 2" [RFC4949] are commonly
used to provide data integrity at the object level.
There are no current requirements for object-level data integrity
using digital signatures. Support for this feature could be added to
RDAP in the future.
The most specific need for this service is to provide assurance that
HTTP 30x redirection hints [RFC7231] and response elements returned
from the server are not modified while in transit. If the policy of
the server operator requires message integrity for client-server data
exchanges, HTTP over TLS MUST be used to protect those exchanges.
4. Privacy Threats Associated with Registration Data
Registration data has historically included personal data about
registrants. WHOIS services have historically made this information
available to the public, creating a privacy risk by revealing the
personal details of registrants. WHOIS services have not had the
benefit of authentication or access control mechanisms to gate access
to registration data. As a result of this, proxy and privacy
services have arisen to shield the identities of registrants.
The standardization of RDAP does not change or impact the data that
operators may require to be collected from registrants, but it
provides support for a number of mechanisms that may be used to
mitigate privacy threats to registrants should operators choose to
use them.
RDAP includes mechanisms that can be used to authenticate clients,
allowing servers to support tiered access based on local policy.
This means that all registration data need no longer be public, and
personal data or data that may be considered more sensitive can have
its access restricted to specifically privileged clients.
RDAP data structures allow servers to indicate via status values when
data returned to clients has been made private, redacted, obscured,
or registered by a proxy. "Private" means that the data is not
designated for public consumption. "Redacted" means that some
registration data fields are not being made available. "Obscured"
means that data has been altered for the purposes of not readily
revealing the actual registration information. One option that
operators have available to them to reduce privacy risks to
registrants is to adopt policies that make use of these status values
to restrict the registrant data shared with any or all clients
Hollenbeck & Kong Standards Track [Page 8]
RFC 7481 RDAP Security Services March 2015
according to the sensitivity of the data, the privileges of the
clients, or some other heuristics.
RDAP uses the jCard [RFC7095] standard format for entity
representation. Operators may find that many of the jCard fields are
irrelevant for registry operation purposes or that they have no
reason to collect information from registrants that would correspond
to certain fields. Operators wishing to reduce privacy risks for
registrants may restrict which information they collect and/or which
fields they populate in responses.
In addition to privacy risks to registrants, there are also potential
privacy risks for those who query registration data. For example,
the fact that a registry employee performs a particular query may
reveal information about the employee's activities that he or she
would have preferred to keep private. RDAP supports the use of HTTP
over TLS to provide privacy protection for those querying registrant
data as well as registrants, unless operational constraints make it
impossible to meet this requirement.
5. Security Considerations
One of the goals of RDAP is to provide security services that do not
exist in the WHOIS protocol. This document describes the security
services provided by RDAP and associated protocol layers, including
authentication, authorization, availability, data confidentiality,
and data integrity. Non-repudiation services were also considered
and ultimately rejected due to a lack of requirements. There are,
however, currently deployed WHOIS servers that can return signed
responses that provide non-repudiation with proof of origin. RDAP
might need to be extended to provide this service in the future.
As an HTTP-based protocol, RDAP is susceptible to code injection
attacks. Code injection refers to adding code into a computer system
or program to alter the course of execution. There are many types of
code injection, including SQL injection, dynamic variable or function
injection, include-file injection, shell injection, and HTML-script
injection, among others. Data confidentiality and integrity services
provide a measure of defense against man-in-the-middle injection
attacks, but vulnerabilities in both client- and server-side software
make it possible for injection attacks to succeed. Consistently
checking and validating server credentials can help detect
man-in-the-middle attacks.
As noted in Section 3.2.1, digital certificates can be used to
implement federated authentication. There is a risk of too
promiscuous, or even rogue, CAs being included in the list of
acceptable CAs that the TLS server sends the client as part of the
Hollenbeck & Kong Standards Track [Page 9]
RFC 7481 RDAP Security Services March 2015
TLS client-authentication handshake and lending the appearance of
trust to certificates signed by those CAs. Periodic monitoring of
the list of CAs that RDAP servers trust for client authentication can
help reduce this risk.
The Transport Layer Security protocol [RFC5246] includes a null
cipher suite that does not encrypt data and thus does not provide
data confidentiality. This option MUST NOT be used when data
confidentiality services are needed. Additional considerations for
secure use of TLS are described in [SECURE-TLS-DTLS].
Data integrity services are sometimes mistakenly associated with
directory service operational policy requirements focused on data
accuracy. "Accuracy" refers to the truthful association of data
elements (such as names, addresses, and telephone numbers) in the
context of a particular directory object (such as a domain name).
Accuracy requirements are out of scope for this protocol.
Additional security considerations are described in the
specifications for HTTP [RFC7231], HTTP Basic and Digest access
authentication [RFC7235], HTTP over TLS [RFC2818], and additional
HTTP status codes [RFC6585]. Security considerations for federated
authentication systems can be found in the OAuth [RFC6749] and OpenID
[OpenID] specifications.
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
June 2014, <http://www.rfc-editor.org/info/rfc7231>.
[RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Authentication", RFC 7235, June 2014,
<http://www.rfc-editor.org/info/rfc7235>.
Hollenbeck & Kong Standards Track [Page 10]
RFC 7481 RDAP Security Services March 2015
[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
Registration Data Access Protocol (RDAP)", RFC 7480, March
2015, <http://www.rfc-editor.org/info/rfc7480>.
[RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access
Protocol (RDAP) Query Format", RFC 7482, March 2015,
<http://www.rfc-editor.org/info/rfc7482>.
[RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the
Registration Data Access Protocol (RDAP)", RFC 7483, March
2015, <http://www.rfc-editor.org/info/rfc7483>.
[RFC3707] Newton, A., "Cross Registry Internet Service Protocol
(CRISP) Requirements", RFC 3707, February 2004,
<http://www.rfc-editor.org/info/rfc3707>.
[RFC4732] Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet
Denial-of-Service Considerations", RFC 4732, December
2006, <http://www.rfc-editor.org/info/rfc4732>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008,
<http://www.rfc-editor.org/info/rfc5246>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[SAML] OASIS, "Security Assertion Markup Language (SAML) v2.0",
March 2005, <https://www.oasis-open.org/
standards#samlv2.0>.
[SECURE-TLS-DTLS]
Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of TLS and DTLS", Work in
Progress, draft-ietf-uta-tls-bcp-09, February 2015.
Hollenbeck & Kong Standards Track [Page 12]
RFC 7481 RDAP Security Services March 2015
Acknowledgements
The authors would like to acknowledge the following individuals for
their contributions to this document: Richard Barnes, Marc Blanchet,
Alissa Cooper, Ernie Dainow, Spencer Dawkins, Jean-Philippe Dionne,
Byron Ellacott, Stephen Farrell, Tony Hansen, Peter Koch, Murray
Kucherawy, Barry Leiba, Andrew Newton, and Linlin Zhou.
Authors' Addresses
Scott Hollenbeck
Verisign Labs
12061 Bluemont Way
Reston, VA 20190
United States
Internet Engineering Task Force (IETF) S. Hollenbeck
Request for Comments: 9082 Verisign Labs
STD: 95 A. Newton
Obsoletes: 7482 AWS
Category: Standards Track June 2021
ISSN: 2070-1721
Registration Data Access Protocol (RDAP) Query Format
Abstract
This document describes uniform patterns to construct HTTP URLs that
may be used to retrieve registration information from registries
(including both Regional Internet Registries (RIRs) and Domain Name
Registries (DNRs)) using "RESTful" web access patterns. These
uniform patterns define the query syntax for the Registration Data
Access Protocol (RDAP). This document obsoletes RFC 7482.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9082.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Conventions Used in This Document
2.1. Acronyms and Abbreviations
3. Path Segment Specification
3.1. Lookup Path Segment Specification
3.1.1. IP Network Path Segment Specification
3.1.2. Autonomous System Path Segment Specification
3.1.3. Domain Path Segment Specification
3.1.4. Nameserver Path Segment Specification
3.1.5. Entity Path Segment Specification
3.1.6. Help Path Segment Specification
3.2. Search Path Segment Specification
3.2.1. Domain Search
3.2.2. Nameserver Search
3.2.3. Entity Search
4. Query Processing
4.1. Partial String Searching
4.2. Associated Records
5. Extensibility
6. Internationalization Considerations
6.1. Character Encoding Considerations
7. IANA Considerations
8. Security Considerations
9. References
9.1. Normative References
9.2. Informative References
Appendix A. Changes from RFC 7482
Acknowledgments
Authors' Addresses
1. Introduction
This document describes a specification for querying registration
data using a RESTful web service and uniform query patterns. The
service is implemented using the Hypertext Transfer Protocol (HTTP)
[RFC7230] and the conventions described in [RFC7480]. These uniform
patterns define the query syntax for the Registration Data Access
Protocol (RDAP). This document obsoletes RFC 7482.
The protocol described in this specification is intended to address
deficiencies with the WHOIS protocol [RFC3912] that have been
identified over time, including:
* lack of standardized command structures;
* lack of standardized output and error structures;
* lack of support for internationalization and localization; and
* lack of support for user identification, authentication, and
access control.
The patterns described in this document purposefully do not encompass
all of the methods employed in the WHOIS and other RESTful web
services used by the RIRs and DNRs. The intent of the patterns
described here is to enable queries of:
* networks by IP address;
* Autonomous System (AS) numbers by number;
* reverse DNS metadata by domain;
* nameservers by name; and
* entities (such as registrars and contacts) by identifier.
Server implementations are free to support only a subset of these
features depending on local requirements. Servers MUST return an
HTTP 501 (Not Implemented) [RFC7231] response to inform clients of
unsupported query types. It is also envisioned that each registry
will continue to maintain WHOIS and/or other RESTful web services
specific to their needs and those of their constituencies, and the
information retrieved through the patterns described here may
reference such services.
Likewise, future IETF specifications may add additional patterns for
additional query types. A simple pattern namespacing scheme is
described in Section 5 to accommodate custom extensions that will not
interfere with the patterns defined in this document or patterns
defined in future IETF specifications.
WHOIS services, in general, are read-only services. Accordingly, URL
[RFC3986] patterns specified in this document are only applicable to
the HTTP [RFC7231] GET and HEAD methods.
This document does not describe the results or entities returned from
issuing the described URLs with an HTTP GET. The specification of
these entities is described in [RFC9083].
Additionally, resource management, provisioning, and update functions
are out of scope for this document. Registries have various and
divergent methods covering these functions, and it is unlikely a
uniform approach is needed for interoperability.
HTTP contains mechanisms for servers to authenticate clients and for
clients to authenticate servers (from which authorization schemes may
be built), so such mechanisms are not described in this document.
Policy, provisioning, and processing of authentication and
authorization are out of scope for this document as deployments will
have to make choices based on local criteria. Supported
authentication mechanisms are described in [RFC7481].
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2.1. Acronyms and Abbreviations
IDN: Internationalized Domain Name, a fully-qualified domain name
containing one or more labels that are intended to include one or
more Unicode code points outside the ASCII range (cf. "domain
name", "fully-qualified domain name", and "internationalized
domain name" in RFC 8499 [RFC8499]).
IDNA: Internationalized Domain Names in Applications, a protocol for
the handling of IDNs. In this document, "IDNA" refers
specifically to the version of those specifications known as
"IDNA2008" [RFC5890].
DNR: Domain Name Registry or Domain Name Registrar
NFC: Unicode Normalization Form C [Unicode-UAX15]
NFKC: Unicode Normalization Form KC [Unicode-UAX15]
RDAP: Registration Data Access Protocol
REST: Representational State Transfer. The term was first described
in a doctoral dissertation [REST].
RESTful: An adjective that describes a service using HTTP and the
principles of REST.
RIR: Regional Internet Registry
3. Path Segment Specification
The base URLs used to construct RDAP queries are maintained in an
IANA registry (the "bootstrap registry") described in [RFC7484].
Queries are formed by retrieving an appropriate base URL from the
registry and appending a path segment specified in either Sections
3.1 or 3.2. Generally, a registry or other service provider will
provide a base URL that identifies the protocol, host, and port, and
this will be used as a base URL that the complete URL is resolved
against, as per Section 5 of RFC 3986 [RFC3986]. For example, if the
base URL is "https://example.com/rdap/", all RDAP query URLs will
begin with "https://example.com/rdap/".
The bootstrap registry does not contain information for query objects
that are not part of a global namespace, including entities and help.
A base URL for an associated object is required to construct a
complete query. This limitation can be overcome for entities by
using the practice described in RFC 8521 [RFC8521].
For entities, a base URL is retrieved for the service (domain,
address, etc.) associated with a given entity. The query URL is
constructed by concatenating the base URL with the entity path
segment specified in either Sections 3.1.5 or 3.2.3.
For help, a base URL is retrieved for any service (domain, address,
etc.) for which additional information is required. The query URL is
constructed by concatenating the base URL with the help path segment
specified in Section 3.1.6.
3.1. Lookup Path Segment Specification
A simple lookup to determine if an object exists (or not) without
returning RDAP-encoded results can be performed using the HTTP HEAD
method as described in Section 4.1 of [RFC7480].
The resource type path segments for exact match lookup are:
'ip': Used to identify IP networks and associated data referenced
using either an IPv4 or IPv6 address.
'autnum': Used to identify Autonomous System number registrations
and associated data referenced using an asplain Autonomous System
number.
'domain': Used to identify reverse DNS (RIR) or domain name (DNR)
information and associated data referenced using a fully qualified
domain name.
'nameserver': Used to identify a nameserver information query using
a host name.
'entity': Used to identify an entity information query using a
string identifier.
3.1.1. IP Network Path Segment Specification
Syntax: ip/<IP address> or ip/<CIDR prefix>/<CIDR length>
Queries for information about IP networks are of the form /ip/XXX or
/ip/XXX/YY where the path segment following 'ip' is either an IPv4
dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or
IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address
block (i.e., XXX/YY). Semantically, the simpler form using the
address can be thought of as a CIDR block with a prefix length of 32
for IPv4 and a prefix length of 128 for IPv6. A given specific
address or CIDR may fall within multiple IP networks in a hierarchy
of networks; therefore, this query targets the "most-specific" or
smallest IP network that completely encompasses it in a hierarchy of
IP networks.
The IPv4 and IPv6 address formats supported in this query are
described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and
IPv6address ABNF definitions. Any valid IPv6 text address format
[RFC4291] can be used. This includes IPv6 addresses written using
with or without compressed zeros and IPv6 addresses containing
embedded IPv4 addresses. The rules to write a text representation of
an IPv6 address [RFC5952] are RECOMMENDED. However, the zone_id
[RFC4007] is not appropriate in this context; therefore, the
corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be
used, and servers SHOULD ignore it.
For example, the following URL would be used to find information for
the most specific network containing 192.0.2.0:
3.1.2. Autonomous System Path Segment Specification
Syntax: autnum/<autonomous system number>
Queries for information regarding Autonomous System number
registrations are of the form /autnum/XXX where XXX is an asplain
Autonomous System number [RFC5396]. In some registries, registration
of Autonomous System numbers is done on an individual number basis,
while other registries may register blocks of Autonomous System
numbers. The semantics of this query are such that if a number falls
within a range of registered blocks, the target of the query is the
block registration and that individual number registrations are
considered a block of numbers with a size of 1.
For example, the following URL would be used to find information
describing Autonomous System number 12 (a number within a range of
registered blocks):
Queries for domain information are of the form /domain/XXXX, where
XXXX is a fully qualified (relative to the root) domain name (as
specified in [RFC0952] and [RFC1123]) in either the in-addr.arpa or
ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone
administered by the server operator (for DNRs). Internationalized
Domain Names (IDNs) represented in either A-label or U-label format
[RFC5890] are also valid domain names. See Section 6.1 for
information on character encoding for the U-label format.
IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels;
that is, internationalized labels in an IDN SHOULD be either all
A-labels or all U-labels. It is possible for an RDAP client to
assemble a query string from multiple independent data sources. Such
a client might not be able to perform conversions between A-labels
and U-labels. An RDAP server that receives a query string with a
mixture of A-labels and U-labels MAY convert all the U-labels to
A-labels, perform IDNA processing, and proceed with exact-match
lookup. In such cases, the response to be returned to the query
source may not match the input from the query source. Alternatively,
the server MAY refuse to process the query.
The server MAY perform the match using either the A-label or U-label
form. Using one consistent form for matching every label is likely
to be more reliable.
The following URL would be used to find information describing the
zone serving the network 192.0.2/24:
The <nameserver name> parameter represents a fully qualified host
name as specified in [RFC0952] and [RFC1123]. Internationalized
names represented in either A-label or U-label format [RFC5890] are
also valid nameserver names. IDN processing for nameserver names
uses the domain name processing instructions specified in
Section 3.1.3. See Section 6.1 for information on character encoding
for the U-label format.
The following URL would be used to find information for the
ns1.example.com nameserver:
The <handle> parameter represents an entity (such as a contact,
registrant, or registrar) identifier whose syntax is specific to the
registration provider. For example, for some DNRs, contact
identifiers are specified in [RFC5730] and [RFC5733].
The following URL would be used to find information for the entity
associated with handle XXXX:
The help path segment can be used to request helpful information
(command syntax, terms of service, privacy policy, rate-limiting
policy, supported authentication methods, supported extensions,
technical support contact, etc.) from an RDAP server. The response
to "help" should provide basic information that a client needs to
successfully use the service. The following URL would be used to
return "help" information:
Pattern matching semantics are described in Section 4.1. The
resource type path segments for search are:
'domains': Used to identify a domain name information search using a
pattern to match a fully qualified domain name.
'nameservers': Used to identify a nameserver information search
using a pattern to match a host name.
'entities': Used to identify an entity information search using a
pattern to match a string identifier.
RDAP search path segments are formed using a concatenation of the
plural form of the object being searched for and an HTTP query
string. The HTTP query string is formed using a concatenation of the
question mark character ('?', US-ASCII value 0x003F), a noun
representing the JSON object property associated with the object
being searched for, the equal sign character ('=', US-ASCII value
0x003D), and the search pattern (this is in contrast to the more
generic HTTP query string that allows multiple simultaneous
parameters). Search pattern query processing is described more fully
in Section 4. For the domain, nameserver, and entity objects
described in this document, the plural object forms are "domains",
"nameservers", and "entities".
Detailed results can be retrieved using the HTTP GET method and the
path segments specified here.
Searches for domain information by name are specified using this
form:
domains?name=XXXX
XXXX is a search pattern representing a domain name in "letters,
digits, hyphen" (LDH) format [RFC5890]. The following URL would be
used to find DNR information for domain names matching the
"example*.com" pattern:
IDNs in U-label format [RFC5890] can also be used as search patterns
(see Section 4). Searches for these names are of the form
/domains?name=XXXX, where XXXX is a search pattern representing a
domain name in U-label format [RFC5890]. See Section 6.1 for
information on character encoding for the U-label format.
Searches for domain information by nameserver name are specified
using this form:
domains?nsLdhName=YYYY
YYYY is a search pattern representing a host name in "letters,
digits, hyphen" format [RFC5890]. The following URL would be used to
search for domains delegated to nameservers matching the
"ns1.example*.com" pattern:
Searches for domain information by nameserver IP address are
specified using this form:
domains?nsIp=ZZZZ
ZZZZ is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following
URL would be used to search for domains that have been delegated to
nameservers that resolve to the "192.0.2.0" address:
Searches for nameserver information by nameserver name are specified
using this form:
nameservers?name=XXXX
XXXX is a search pattern representing a host name in "letters,
digits, hyphen" format [RFC5890]. The following URL would be used to
find information for nameserver names matching the "ns1.example*.com"
pattern:
Internationalized nameserver names in U-label format [RFC5890] can
also be used as search patterns (see Section 4). Searches for these
names are of the form /nameservers?name=XXXX, where XXXX is a search
pattern representing a nameserver name in U-label format [RFC5890].
See Section 6.1 for information on character encoding for the U-label
format.
Searches for nameserver information by nameserver IP address are
specified using this form:
nameservers?ip=YYYY
YYYY is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following
URL would be used to search for nameserver names that resolve to the
"192.0.2.0" address:
Searches for entity information by name are specified using this
form:
entities?fn=XXXX
XXXX is a search pattern representing the "fn" property of an entity
(such as a contact, registrant, or registrar) name as described in
Section 5.1 of [RFC9083]. The following URL would be used to find
information for entity names matching the "Bobby Joe*" pattern:
Searches for entity information by handle are specified using this
form:
entities?handle=XXXX
XXXX is a search pattern representing an entity (such as a contact,
registrant, or registrar) identifier whose syntax is specific to the
registration provider. The following URL would be used to find
information for entity handles matching the "CID-40*" pattern:
URLs MUST be properly encoded according to the rules of [RFC3986].
In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*".
4. Query Processing
Servers indicate the success or failure of query processing by
returning an appropriate HTTP response code to the client. Response
codes not specifically identified in this document are described in
[RFC7480].
4.1. Partial String Searching
Partial string searching uses the asterisk ('*', US-ASCII value 0x2A)
character to match zero or more trailing characters. A character
string representing a domain label suffix MAY be concatenated to the
end of the search pattern to limit the scope of the search. For
example, the search pattern "exam*" will match "example.com" and
"example.net". The search pattern "exam*.com" will match
"example.com". If an asterisk appears in a search string, any label
that contains the non-asterisk characters in sequence plus zero or
more characters in sequence in place of the asterisk would match. A
partial string search MUST NOT include more than one asterisk.
Additional pattern matching processing is beyond the scope of this
specification.
If a server receives a search request but cannot process the request
because it does not support a particular style of partial match
searching, it SHOULD return an HTTP 422 (Unprocessable Entity)
[RFC4918] response (unless another response code is more appropriate
based on a server's policy settings) to note that search
functionality is supported, but this particular query cannot be
processed. When returning a 422 error, the server MAY also return an
error response body as specified in Section 6 of [RFC9083] if the
requested media type is one that is specified in [RFC7480].
Partial matching is not feasible across combinations of Unicode
characters because Unicode characters can be combined with each
other. Servers SHOULD NOT partially match combinations of Unicode
characters where a legal combination is possible. It should be
noted, though, that it may not always be possible to detect cases
where a character could have been combined with another character,
but was not, because characters can be combined in many different
ways.
Clients SHOULD NOT submit a partial match search of Unicode
characters where a Unicode character may be legally combined with
another Unicode character or characters. Partial match searches with
incomplete combinations of characters where a character must be
combined with another character or characters are invalid. Partial
match searches with characters that may be combined with another
character or characters are to be considered non-combined characters
(that is, if character x may be combined with character y but
character y is not submitted in the search string, then character x
is a complete character and no combinations of character x are to be
searched).
4.2. Associated Records
Conceptually, any query-matching record in a server's database might
be a member of a set of related records, related in some fashion as
defined by the server -- for example, variants of an IDN. The entire
set ought to be considered as candidates for inclusion when
constructing the response. However, the construction of the final
response needs to be mindful of privacy and other data-releasing
policies when assembling the RDAP response set.
Note too that due to the nature of searching, there may be a list of
query-matching records. Each one of those is subject to being a
member of a set as described in the previous paragraph. What is
ultimately returned in a response will be the union of all the sets
that has been filtered by whatever policies are in place.
Note that this model includes arrangements for associated names,
including those that are linked by policy mechanisms and names bound
together for some other purposes. Note also that returning
information that was not explicitly selected by an exact-match
lookup, including additional names that match a relatively fuzzy
search as well as lists of names that are linked together, may cause
privacy issues.
Note that there might not be a single, static information return
policy that applies to all clients equally. Client identity and
associated authorizations can be a relevant factor in determining how
broad the response set will be for any particular query.
5. Extensibility
This document describes path segment specifications for a limited
number of objects commonly registered in both RIRs and DNRs. It does
not attempt to describe path segments for all of the objects
registered in all registries. Custom path segments can be created
for objects not specified here using the process described in
Section 6 of "HTTP Usage in the Registration Data Access Protocol
(RDAP)" [RFC7480].
Custom path segments can be created by prefixing the segment with a
unique identifier followed by an underscore character (0x5F). For
example, a custom entity path segment could be created by prefixing
"entity" with "custom_", producing "custom_entity". Servers MUST
return an appropriate failure status code for a request with an
unrecognized path segment.
6. Internationalization Considerations
There is value in supporting the ability to submit either a U-label
(Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN
label) as a query argument to an RDAP service. Clients capable of
processing non-US-ASCII characters may prefer a U-label since this is
more visually recognizable and familiar than A-label strings, but
clients using programmatic interfaces might find it easier to submit
and display A-labels if they are unable to input U-labels with their
keyboard configuration. Both query forms are acceptable.
Internationalized domain and nameserver names can contain character
variants and variant labels as described in [RFC4290]. Clients that
support queries for internationalized domain and nameserver names
MUST accept service provider responses that describe variants as
specified in "JSON Responses for the Registration Data Access
Protocol (RDAP)" [RFC9083].
6.1. Character Encoding Considerations
Servers can expect to receive search patterns from clients that
contain character strings encoded in different forms supported by
HTTP. It is entirely possible to apply filters and normalization
rules to search patterns prior to making character comparisons, but
this type of processing is more typically needed to determine the
validity of registered strings than to match patterns.
An RDAP client submitting a query string containing non-US-ASCII
characters converts such strings into Unicode in UTF-8 encoding. It
then performs any local case mapping deemed necessary. Strings are
normalized using Normalization Form C (NFC) [Unicode-UAX15]; note
that clients might not be able to do this reliably. UTF-8 encoded
strings are then appropriately percent-encoded [RFC3986] in the query
URL.
After parsing any percent-encoding, an RDAP server treats each query
string as Unicode in UTF-8 encoding. If a string is not valid UTF-8,
the server can immediately stop processing the query and return an
HTTP 400 (Bad Request) response.
When processing queries, there is a difference in handling DNS names,
including those with putative U-labels, and everything else. DNS
names are treated according to the DNS matching rules as described in
Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH)
labels and the matching rules described in Section 5.4 of RFC 5891
[RFC5891] for U-labels. Matching of DNS names proceeds one label at
a time because it is possible for a combination of U-labels and NR-
LDH labels to be found in a single domain or host name. The
determination of whether a label is a U-label or an NR-LDH label is
based on whether the label contains any characters outside of the US-
ASCII letters, digits, or hyphen (the so-called LDH rule).
For everything else, servers map fullwidth and halfwidth characters
to their decomposition equivalents. Servers convert strings to the
same coded character set of the target data that is to be looked up
or searched, and each string is normalized using the same
normalization that was used on the target data. In general, storage
of strings as Unicode is RECOMMENDED. For the purposes of
comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case
folding is used to maximize predictability and the number of matches.
Note the use of case-folded NFKC as opposed to NFC in this case.
7. IANA Considerations
This document has no IANA actions.
8. Security Considerations
Security services for the operations specified in this document are
described in "Security Services for the Registration Data Access
Protocol (RDAP)" [RFC7481].
Search functionality typically requires more server resources (such
as memory, CPU cycles, and network bandwidth) when compared to basic
lookup functionality. This increases the risk of server resource
exhaustion and subsequent denial of service due to abuse. This risk
can be mitigated by developing and implementing controls to restrict
search functionality to identified and authorized clients. If those
clients behave badly, their search privileges can be suspended or
revoked. Rate limiting as described in Section 5.5 of "HTTP Usage in
the Registration Data Access Protocol (RDAP)" [RFC7480] can also be
used to control the rate of received search requests. Server
operators can also reduce their risk by restricting the amount of
information returned in response to a search request.
Search functionality also increases the privacy risk of disclosing
object relationships that might not otherwise be obvious. For
example, a search that returns IDN variants [RFC6927] that do not
explicitly match a client-provided search pattern can disclose
information about registered domain names that might not be otherwise
available. Implementers need to consider the policy and privacy
implications of returning information that was not explicitly
requested.
Note that there might not be a single, static information return
policy that applies to all clients equally. Client identity and
associated authorizations can be a relevant factor in determining how
broad the response set will be for any particular query.
9. References
9.1. Normative References
[RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
host table specification", RFC 952, DOI 10.17487/RFC0952,
October 1985, <https://www.rfc-editor.org/info/rfc952>.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123,
DOI 10.17487/RFC1123, October 1989,
<https://www.rfc-editor.org/info/rfc1123>.
[RFC1166] Kirkpatrick, S., Stahl, M., and M. Recker, "Internet
numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990,
<https://www.rfc-editor.org/info/rfc1166>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, DOI 10.17487/RFC4291, February
2006, <https://www.rfc-editor.org/info/rfc4291>.
[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
(CIDR): The Internet Address Assignment and Aggregation
Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
2006, <https://www.rfc-editor.org/info/rfc4632>.
[RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed
Authoring and Versioning (WebDAV)", RFC 4918,
DOI 10.17487/RFC4918, June 2007,
<https://www.rfc-editor.org/info/rfc4918>.
[RFC5396] Huston, G. and G. Michaelson, "Textual Representation of
Autonomous System (AS) Numbers", RFC 5396,
DOI 10.17487/RFC5396, December 2008,
<https://www.rfc-editor.org/info/rfc5396>.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
<https://www.rfc-editor.org/info/rfc5730>.
[RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733,
August 2009, <https://www.rfc-editor.org/info/rfc5733>.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>.
[RFC5891] Klensin, J., "Internationalized Domain Names in
Applications (IDNA): Protocol", RFC 5891,
DOI 10.17487/RFC5891, August 2010,
<https://www.rfc-editor.org/info/rfc5891>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952,
DOI 10.17487/RFC5952, August 2010,
<https://www.rfc-editor.org/info/rfc5952>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>.
[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7480, DOI 10.17487/RFC7480, March 2015,
<https://www.rfc-editor.org/info/rfc7480>.
[RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7481, DOI 10.17487/RFC7481, March 2015,
<https://www.rfc-editor.org/info/rfc7481>.
[RFC7484] Blanchet, M., "Finding the Authoritative Registration Data
(RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
2015, <https://www.rfc-editor.org/info/rfc7484>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>.
[RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 9083, DOI 10.17487/RFC9083, June 2021,
<https://www.rfc-editor.org/info/rfc9083>.
[Unicode-UAX15]
The Unicode Consortium, "Unicode Standard Annex #15:
Unicode Normalization Forms", September 2013,
<https://www.unicode.org/reports/tr15/>.
9.2. Informative References
[REST] Fielding, R., "Architectural Styles and the Design of
Network-based Software Architectures", Ph.D.
Dissertation, University of California, Irvine, 2000,
<https://www.ics.uci.edu/~fielding/pubs/dissertation/
fielding_dissertation.pdf>.
[RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
DOI 10.17487/RFC4007, March 2005,
<https://www.rfc-editor.org/info/rfc4007>.
[RFC4290] Klensin, J., "Suggested Practices for Registration of
Internationalized Domain Names (IDN)", RFC 4290,
DOI 10.17487/RFC4290, December 2005,
<https://www.rfc-editor.org/info/rfc4290>.
[RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing
IPv6 Zone Identifiers in Address Literals and Uniform
Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
February 2013, <https://www.rfc-editor.org/info/rfc6874>.
[RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names
Registered in Top-Level Domains", RFC 6927,
DOI 10.17487/RFC6927, May 2013,
<https://www.rfc-editor.org/info/rfc6927>.
[RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access
Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
DOI 10.17487/RFC8521, November 2018,
<https://www.rfc-editor.org/info/rfc8521>.
Appendix A. Changes from RFC 7482
* Addressed known errata.
* Addressed other reported clarifications and corrections: IDN,
IDNA, and DNR definitions. Noted that registrars are entities.
Added a reference to RFC 8521 to address the bootstrap registry
limitation. Removed extraneous "...". Clarified HTTP query
string, search pattern, name server search, domain label suffix,
and asterisk search.
* Addressed "The HTTP query string" clarification.
* Modified coauthor address.
* Updated references to RFC 7483 to RFC 9083.
* Added an IANA Considerations section. Changed references to use
HTTPS for targets.
* Changed "XXXX is a search pattern representing the "FN" property
of an entity (such as a contact, registrant, or registrar) name as
specified in Section 5.1" to "Changed "XXXX is a search pattern
representing the "fn" property of an entity (such as a contact,
registrant, or registrar) name as described in Section 5.1".
* Added acknowledgments.
* Changed "The intent of the patterns described here are to enable
queries" to "The intent of the patterns described here is to
enable queries".
* Changed "the corresponding syntax extension in RFC 6874 [RFC6874]
MUST NOT be used, and servers are to ignore it if possible" to
"the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT
be used, and servers SHOULD ignore it".
* Changed "Only a single asterisk is allowed for a partial string
search" to "A partial string search MUST NOT include more than one
asterisk".
* Changed "Clients should avoid submitting a partial match search of
Unicode characters where a Unicode character may be legally
combined with another Unicode character or characters" to "Clients
SHOULD NOT submit a partial match search of Unicode characters
where a Unicode character may be legally combined with another
Unicode character or characters".
* Changed description of nameserver IP address "search pattern" in
Sections 3.2.1 and 3.2.2.
* IESG review feedback: Added "obsoletes 7482" to the headers,
Abstract, and Introduction. Changed "IETF standards" to "IETF
specifications" and "Therefore" to "Accordingly" in Section 1.
Updated the BCP 14 boilerplate. Added definition of "bootstrap
registry" and changed "concatenating ... to" to "concatenating ...
with" in Section 3. Changed "bitmask length" to "prefix length"
and "2001:db8::0" to "2001:db8::" in Section 3.1.1. Added "in
contrast to the more generic HTTP query string that admits
multiple simultaneous parameters" in Section 3.2. Changed
"0x002A" to "0x2A" in Section 4.1. Clarified use of HTTP 422
SHOULD in Section 4.1.
Acknowledgments
This document is derived from original work on RIR query formats
developed by Byron J. Ellacott of APNIC, Arturo L. Servin of LACNIC,
Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN.
Additionally, this document incorporates DNR query formats originally
described by Francisco Arias and Steve Sheng of ICANN and Scott
Hollenbeck of Verisign Labs.
The authors would like to acknowledge the following individuals for
their contributions to this document: Francisco Arias, Marc Blanchet,
Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam
Esfahbod, John Klensin, John Levine, Edward Lewis, Mario Loffredo,
Patrick Mevzek, Mark Nottingham, Kaveh Ranjbar, Arturo L. Servin,
Steve Sheng, Jasdip Singh, and Andrew Sullivan.
Authors' Addresses
Scott Hollenbeck
Verisign Labs
12061 Bluemont Way
Reston, VA 20190
United States of America
Internet Engineering Task Force (IETF) S. Hollenbeck
Request for Comments: 9083 Verisign Labs
STD: 95 A. Newton
Obsoletes: 7483 AWS
Category: Standards Track June 2021
ISSN: 2070-1721
JSON Responses for the Registration Data Access Protocol (RDAP)
Abstract
This document describes JSON data structures representing
registration information maintained by Regional Internet Registries
(RIRs) and Domain Name Registries (DNRs). These data structures are
used to form Registration Data Access Protocol (RDAP) query
responses. This document obsoletes RFC 7483.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9083.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. Terminology and Definitions
1.2. Data Model
2. Use of JSON
2.1. Naming
3. Common Data Types
4. Common Data Structures
4.1. RDAP Conformance
4.2. Links
4.3. Notices and Remarks
4.4. Language Identifier
4.5. Events
4.6. Status
4.7. Port 43 WHOIS Server
4.8. Public IDs
4.9. Object Class Name
4.10. An Example
5. Object Classes
5.1. The Entity Object Class
5.2. The Nameserver Object Class
5.3. The Domain Object Class
5.4. The IP Network Object Class
5.5. The Autonomous System Number Object Class
6. Error Response Body
7. Responding to Help Queries
8. Responding To Searches
9. Indicating Truncated Responses
10. IANA Considerations
10.1. RDAP JSON Media Type Registration
10.2. JSON Values Registry
10.2.1. Notice and Remark Types
10.2.2. Status
10.2.3. Event Actions
10.2.4. Roles
10.2.5. Variant Relations
11. Security Considerations
12. Internationalization Considerations
12.1. Character Encoding
12.2. URIs and IRIs
12.3. Language Tags
12.4. Internationalized Domain Names
13. Privacy Considerations
14. References
14.1. Normative References
14.2. Informative References
Appendix A. Suggested Data Modeling with the Entity Object Class
A.1. Registrants and Contacts
A.2. Registrars
Appendix B. Modeling Events
Appendix C. Structured vs. Unstructured Addresses
Appendix D. Secure DNS
Appendix E. Motivations for Using JSON
Appendix F. Changes from RFC 7483
Acknowledgments
Authors' Addresses
1. Introduction
This document describes responses in the JSON [RFC8259] format for
the queries as defined by the Registration Data Access Protocol Query
Format [RFC9082]. A communication protocol for exchanging queries
and responses is described in [RFC7480]. This document obsoletes RFC
7483.
1.1. Terminology and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The following list describes terminology and definitions used
throughout this document:
DNR: Domain Name Registry or Domain Name Registrar
LDH: letters, digits, hyphen
member: data found within an object as defined by JSON [RFC8259]
object: a data structure as defined by JSON [RFC8259]
object class: the definition of members that may be found in JSON
objects described in this document
object instance: an instantiation or specific instance of an object
class
RDAP: Registration Data Access Protocol
RIR: Regional Internet Registry
1.2. Data Model
The data model for JSON responses is specified in five sections:
1. simple data types conveyed in JSON primitive types (strings,
numbers, booleans, and null)
2. data structures specified as JSON arrays or objects that are used
repeatedly when building up larger objects
3. object classes representing structured data corresponding to a
lookup of a single object
4. arrays of objects representing structured data corresponding to a
search for multiple objects
5. the response to an error
The object classes represent responses for two major categories of
data: responses returned by RIRs for registration data related to IP
addresses, reverse DNS names, and Autonomous System numbers and
responses returned by DNRs for registration data related to forward
DNS names. The following object classes are returned by both RIRs
and DNRs:
1. domains
2. nameservers
3. entities
The information served by both RIRs and DNRs for these object classes
overlap extensively and are given in this document as a unified model
for both classes of service.
In addition to the object classes listed above, RIRs also serve the
following object classes:
1. IP networks
2. Autonomous System numbers
Object classes defined in this document represent a minimal set of
what a compliant client/server needs to understand to function
correctly; however, some deployments may want to include additional
object classes to suit individual needs. Anticipating this need for
extension, Section 2.1 of this document defines a mechanism for
extending the JSON objects that are described in this document.
Positive responses take two forms. A response to a lookup of a
single object in the registration system yields a JSON object, which
is the subject of the lookup. A response to a search for multiple
objects yields a JSON object that contains an array of JSON objects
that are the subject of the search. In each type of response, other
data structures are present within the topmost JSON object.
2. Use of JSON
2.1. Naming
Clients of these JSON responses SHOULD ignore unrecognized JSON
members in responses. Servers can insert members into the JSON
responses, which are not specified in this document, but that does
not constitute an error in the response. Servers that insert such
unspecified members into JSON responses SHOULD have member names
prefixed with a short identifier followed by an underscore followed
by a meaningful name. It has been observed that these short
identifiers aid software implementers with identifying the
specification of the JSON member, and failure to use one could cause
an implementer to assume the server is erroneously using a name from
this specification. This allowance does not apply to jCard [RFC7095]
objects. The full JSON name (the prefix plus the underscore plus the
meaningful name) SHOULD adhere to the character and name limitations
of the prefix registry described in [RFC7480]. Failure to use these
limitations could result in slower adoption as these limitations have
been observed to aid some client programming models.
Consider the following JSON response with JSON members, all of which
are specified in this document.
{
"handle" : "ABC123",
"remarks" :
[
{
"description" :
[
"She sells sea shells down by the sea shore.",
"Originally written by Terry Sullivan."
]
}
]
}
Figure 1
If The Registry of the Moon desires to express information not found
in this specification, it might select "lunarNIC" as its identifying
prefix and insert, as an example, the member named
"lunarNIC_beforeOneSmallStep" to signify registrations occurring
before the first moon landing and the member named
"lunarNIC_harshMistressNotes" that contains other descriptive text.
Consider the following JSON response with JSON names, some of which
should be ignored by clients without knowledge of their meaning.
{
"handle" : "ABC123",
"lunarNIC_beforeOneSmallStep" : "TRUE THAT!",
"remarks" :
[
{
"description" :
[
"She sells sea shells down by the sea shore.",
"Originally written by Terry Sullivan."
]
}
],
"lunarNIC_harshMistressNotes" :
[
"In space,",
"nobody can hear you scream."
]
}
Figure 2
Insertion of unrecognized members ignored by clients may also be used
for future revisions to this specification.
Clients processing JSON responses need to be prepared for members
representing registration data specified in this document to be
absent from a response. In other words, servers are free to omit
unrequired/optional JSON members containing registration data based
on their own policies.
Finally, all JSON names specified in this document are case
sensitive. Both servers and clients MUST transmit and process them
using the specified character case.
3. Common Data Types
JSON [RFC8259] defines the data types of a number, character string,
boolean, array, object, and null. This section describes the
semantics and/or syntax reference for common, JSON character strings
used in this document.
handle: DNRs and RIRs have registry-unique identifiers that
may be used to specifically reference an object
instance. The semantics of this data type as found
in this document are to be a registry-unique
reference to the closest enclosing object where the
value is found. The data type names "registryId",
"roid", "nic-handle", "registrationNo", etc., are
terms often synonymous with this data type. In
this document, the term "handle" is used. The term
exposed to users by clients is a presentation issue
beyond the scope of this document. This value is a
simple character string.
IPv4 addresses: The representation of IPv4 addresses in this
document uses the dotted-decimal notation. An
example of this textual representation is
"192.0.2.0".
IPv6 addresses: The representation of IPv6 addresses in this
document follow the forms outlined in [RFC5952].
An example of this textual representation is
"2001:db8::1:0:0:1".
country codes: Where the identity of a geopolitical nation or
country is needed, these identities are represented
with the alpha-2 or two-character country code
designation as defined in [ISO.3166.2020]. The
alpha-2 representation is used because it is freely
available, whereas the alpha-3 and numeric-3
standards are not.
LDH names: Textual representations of DNS names where the
labels of the domain are all "letters, digits,
hyphen" labels as described by [RFC5890]. Trailing
periods are optional.
Unicode names: Textual representations of DNS names where one or
more of the labels are U-labels as described by
[RFC5890]. Trailing periods are optional.
dates and times: The syntax for values denoting dates and times is
defined in [RFC3339].
URIs: The syntax for values denoting a Uniform Resource
Identifier (URI) is defined by [RFC3986].
Contact information is defined using jCards as described in
[RFC7095]. The "fn" member is required and MUST NOT be null
according to [RFC6350]. An empty "fn" member MAY be used when the
contact name does not exist or is redacted.
4. Common Data Structures
This section defines common data structures used in responses and
object classes.
4.1. RDAP Conformance
The data structure named "rdapConformance" is an array of strings,
each providing a hint as to the specifications used in the
construction of the response. This data structure MUST appear in the
topmost JSON object of a response and MUST NOT appear anywhere else.
A response to a "help" request will include identifiers for all of
the specifications supported by the server. A response to any other
request will include only identifiers for the specifications used in
the construction of the response. The set of returned identifiers
MAY vary depending on the authorization level of the client.
An example rdapConformance data structure:
"rdapConformance" :
[
"rdap_level_0"
]
Figure 3
The string literal "rdap_level_0" signifies conformance with this
specification. When custom JSON values are inserted into responses,
conformance to those custom specifications MUST be indicated by
including a unique string literal value registered in the IANA RDAP
Extensions registry specified in [RFC7480]. For example, if the
fictional Registry of the Moon wants to signify that their JSON
responses are conformant with their registered extensions, the string
used might be "lunarNIC_level_0". These registered values aid the
identification of specifications for software implementers, and
failure to use them could result in slower adoption of extensions.
Example rdapConformance structure with custom extensions noted:
The "links" array is found in data structures to signify links to
other resources on the Internet. The relationship of these links is
defined by the IANA registry described by [RFC8288].
The following is an example of the link structure:
The JSON name/values of "rel", "href", "hreflang", "title", "media",
and "type" correspond to values found in Section 3 of [RFC8288]. The
"value" JSON value is the context URI as described by [RFC8288]. The
"value", "rel", and "href" JSON values MUST be specified. All other
JSON values are OPTIONAL. A "related" link relation MUST NOT include
an "href" URI that is the same as the "self" link relation "href" URI
to reduce the risk of infinite client processing loops.
Internationalized Domain Names (IDNs) returned in URIs SHOULD be
consistently returned in LDH name format to allow clients to process
these IDNs according to their capabilities.
This is an example of the "links" array as it might be found in an
object class:
The "notices" and "remarks" data structures take the same form. The
notices structure denotes information about the service providing
RDAP information and/or information about the entire response,
whereas the remarks structure denotes information about the object
class that contains it (see Section 5 regarding object classes).
Both are arrays of objects. Each object contains a "title" string
representing the title of the object, a "type" string denoting a
registered type of remark or notice (see Section 10.2.1), an array of
strings named "description" for the purposes of conveying any
descriptive text, and a "links" array as described in Section 4.2.
The "description" array MUST be included. All other JSON values are
OPTIONAL.
An example of the notices data structure:
"notices" :
[
{
"title" : "Terms of Use",
"description" :
[
"Service subject to The Registry of the Moon's TOS.",
"Copyright (c) 2020 LunarNIC"
],
"links" :
[
{
"value" : "https://example.net/entity/XXXX",
"rel" : "alternate",
"type" : "text/html",
"href" : "https://www.example.com/terms_of_use.html"
}
]
}
]
Figure 7
It is the job of the clients to determine line breaks, spacing, and
display issues for sentences within the character strings of the
"description" array. Each string in the "description" array contains
a single complete division of human-readable text indicating to
clients where there are semantic breaks.
An example of the remarks data structure:
"remarks" :
[
{
"description" :
[
"She sells sea shells down by the sea shore.",
"Originally written by Terry Sullivan."
]
}
]
Figure 8
Note that objects in the "remarks" array may also have a "links"
array.
While the "title" and "description" fields are intended primarily for
human consumption, the "type" string contains a well-known value to
be registered with IANA (see Section 10.2.1) for programmatic use.
An example of the remarks data structure:
"remarks" :
[
{
"type" : "object truncated due to authorization",
"description" :
[
"Some registration data may not have been given.",
"Use proper authorization credentials to see all of it."
]
}
]
Figure 9
While the "remarks" array will appear in many object classes in a
response, the "notices" array appears only in the topmost object of a
response.
4.4. Language Identifier
This data structure consists solely of a name/value pair, where the
name is "lang" and the value is a string containing a language
identifier as described in [RFC5646].
"lang" : "mn-Cyrl-MN"
Figure 10
The "lang" attribute as defined in this section MAY appear anywhere
in an object class or data structure, except for in jCard objects.
vCard supports similar functionality by way of the LANGUAGE property
parameter (see Section 5.1 of RFC 6350 [RFC6350]).
4.5. Events
This data structure represents events that have occurred on an
instance of an object class (see Section 5 regarding object classes).
The "events" array consists of objects, each with the following
members:
* "eventAction" -- a REQUIRED string denoting the reason for the
event
* "eventActor" -- an OPTIONAL identifier denoting the actor
responsible for the event
* "eventDate" -- a REQUIRED string containing the time and date the
event occurred
* "links" -- OPTIONAL; see Section 4.2
Events can be future dated. One use case for future dating of events
is to denote when an object expires from a registry.
The "links" array in this data structure is provided for references
to the event actor. In order to reference an RDAP entity, a "rel" of
"related" and a "type" of "application/rdap+json" is used in the link
reference.
See Section 10.2.3 for a list of values for the "eventAction" string.
See Appendix B regarding the various ways events can be modeled.
4.6. Status
This data structure, named "status", is an array of strings
indicating the state of a registered object (see Section 10.2.2 for a
list of values).
4.7. Port 43 WHOIS Server
This data structure, a member named "port43", is a simple character
string containing the fully qualified host name or IP address of the
WHOIS [RFC3912] server where the containing object instance may be
found. Note that this is not a URI, as there is no WHOIS URI scheme.
4.8. Public IDs
This data structure maps a public identifier to an object class. It
is named "publicIds" and is an array of objects, with each object
containing the following REQUIRED members:
* type -- a string denoting the type of public identifier
* identifier -- a string denoting a public identifier of the type
related to "type"
The following is an example of a publicIds structure.
This data structure, a member named "objectClassName", gives the
object class name of a particular object as a string. This
identifies the type of object being processed. An objectClassName is
REQUIRED in all RDAP response objects so that the type of the object
can be interpreted.
4.10. An Example
This is an example response with both rdapConformance and notices
embedded:
{
"description" :
[
"She sells sea shells down by the sea shore.",
"Originally written by Terry Sullivan."
]
}
]
}
Figure 13
5. Object Classes
Object classes represent structures appropriate for a response from
the queries specified in [RFC9082].
Each object class contains a "links" array as specified in
Section 4.2. For every object class instance in a response, whether
the object class instance is directly representing the response to a
query or is embedded in other object class instances or is an item in
a search result set, servers SHOULD provide a link representing a URI
for that object class instance using the "self" relationship as
described in the IANA registry specified by [RFC8288]. As explained
in Section 5.2, this may be not always be possible for nameserver
data. Clients MUST be able to process object instances without a
self link. When present, clients can use the self link for caching
data. Servers MAY provide more than one self link for any given
object instance. Failure to provide any self link by a server may
result in clients being unable to cache object class instances.
Clients using self links for caching SHOULD NOT cache any object
class instances where the authority of the self link is different
than the authority of the server returning the data. Failing to do
so might result in cache poisoning.
Self links MUST contain a "type" element containing the "application/
rdap+json" media type when referencing RDAP object instances as
defined by this document.
This is an example of the "links" array with a self link to an object
class:
The entity object class appears throughout this document and is an
appropriate response for the /entity/XXXX query defined in
"Registration Data Access Protocol (RDAP) Query Format" [RFC9082].
This object class represents the information of organizations,
corporations, governments, non-profits, clubs, individual persons,
and informal groups of people. All of these representations are so
similar that it is best to represent them in JSON [RFC8259] with one
construct, the entity object class, to aid in the reuse of code by
implementers.
The entity object class uses jCard [RFC7095] to represent contact
information, such as postal addresses, email addresses, phone numbers
and names of organizations and individuals. Many of the types of
information that can be represented with jCard have little or no use
in RDAP, such as birthdays, anniversaries, and gender.
The entity object is served by both RIRs and DNRs. The following is
an example of an entity that might be served by an RIR.
The entity object class can contain the following members:
* objectClassName -- the string "entity"
* handle -- a string representing a registry-unique identifier of
the entity
* vcardArray -- a jCard with the entity's contact information
* roles -- an array of strings, each signifying the relationship an
object would have with its closest containing object (see
Section 10.2.4 for a list of values)
* publicIds -- see Section 4.8
* entities -- an array of entity objects as defined by this section
* remarks -- see Section 4.3
* links -- see Section 4.2
* events -- see Section 4.5
* asEventActor -- this data structure takes the same form as the
events data structure (see Section 4.5), but each object in the
array MUST NOT have an "eventActor" member. These objects denote
that the entity is an event actor for the given events. See
Appendix B regarding the various ways events can be modeled.
* status -- see Section 4.6
* port43 -- see Section 4.7
* networks -- an array of IP network objects as defined in
Section 5.4
* autnums -- an array of autnum objects as defined in Section 5.5
Entities may also have other entities embedded with them in an array.
This can be used to model an organization with specific individuals
fulfilling designated roles of responsibility.
The following is an elided example of an entity with embedded
entities.
See Appendix A for use of the entity object class to model various
types of entities found in both RIRs and DNRs. See Appendix C
regarding structured vs. unstructured postal addresses in entities.
5.2. The Nameserver Object Class
The nameserver object class represents information regarding DNS
nameservers used in both forward and reverse DNS. RIRs and some DNRs
register or expose nameserver information as an attribute of a domain
name, while other DNRs model nameservers as "first class objects".
Please note that some of the examples in this section include lines
that have been wrapped for reading clarity.
The nameserver object class accommodates both models and degrees of
variation in between.
The following is an example of a nameserver object.
Figure 18 is an example of a nameserver object with all appropriate
values given. Registries using a first-class nameserver data model
would embed this in domain objects as well as allowing references to
it with the "/nameserver" query type (all depending on the registry
operators policy). Other registries may pare back the information as
needed. Figure 19 is an example of a nameserver object as would be
found in RIRs and some DNRs, while Figure 20 is an example of a
nameserver object as would be found in other DNRs.
The following is an example of the simplest nameserver object:
As nameservers can be modeled by some registries to be first-class
objects, they may also have an array of entities (Section 5.1)
embedded to signify parties responsible for the maintenance,
registrations, etc., of the nameservers.
The following is an elided example of a nameserver with embedded
entities.
The nameserver object class can contain the following members:
* objectClassName -- the string "nameserver"
* handle -- a string representing a registry-unique identifier of
the nameserver
* ldhName -- a string containing the LDH name of the nameserver (see
Section 3)
* unicodeName -- a string containing a DNS Unicode name of the
nameserver (see Section 3)
* ipAddresses -- an object containing the following members:
- v6 -- an array of strings containing IPv6 addresses of the
nameserver
- v4 -- an array of strings containing IPv4 addresses of the
nameserver
* entities -- an array of entity objects as defined by Section 5.1
* status -- see Section 4.6
* remarks -- see Section 4.3
* links -- see Section 4.2
* port43 -- see Section 4.7
* events -- see Section 4.5
5.3. The Domain Object Class
The domain object class represents a DNS name and point of
delegation. For RIRs, these delegation points are in the reverse DNS
tree, whereas for DNRs, these delegation points are in the forward
DNS tree.
In both cases, the high-level structure of the domain object class
consists of information about the domain registration, nameserver
information related to the domain name, and entities related to the
domain name (e.g., registrant information, contacts, etc.).
The following is an elided example of the domain object showing the
high-level structure:
The domain object class can contain the following members:
* objectClassName -- the string "domain"
* handle -- a string representing a registry-unique identifier of
the domain object instance
* ldhName -- a string describing a domain name in LDH form as
described in Section 3
* unicodeName -- a string containing a domain name with U-labels as
described in Section 3
* variants -- an array of objects, each containing the following
values:
- relation -- an array of strings, with each string denoting the
relationship between the variants and the containing domain
object (see Section 10.2.5 for a list of suggested variant
relations).
- idnTable -- the character string literal that represents the
Internationalized Domain Name (IDN) table that has been
registered in the IANA Repository of IDN Practices
[IANA_IDNTABLES].
- variantNames -- an array of objects, with each object
containing an "ldhName" member and a "unicodeName" member (see
Section 3).
* nameservers -- an array of nameserver objects as defined by
Section 5.2
* secureDNS -- an object with the following members:
- zoneSigned -- boolean true if the zone has been signed, false
otherwise.
- delegationSigned -- boolean true if there are DS records in the
parent, false otherwise.
- maxSigLife -- an integer representing the signature lifetime in
seconds to be used when creating the RRSIG DS record in the
parent zone [RFC5910].
- dsData -- an array of objects, each with the following members:
o keyTag -- an integer as specified by the key tag field of a
DNS DS record as specified by [RFC4034] in presentation
format
o algorithm -- an integer as specified by the algorithm field
of a DNS DS record as described by RFC 4034 in presentation
format
o digest -- a string as specified by the digest field of a DNS
DS record as specified by RFC 4034 in presentation format
o digestType -- an integer as specified by the digest type
field of a DNS DS record as specified by RFC 4034 in
presentation format
o events -- see Section 4.5
o links -- see Section 4.2
- keyData -- an array of objects, each with the following
members:
o flags -- an integer representing the flags field value in
the DNSKEY record [RFC4034] in presentation format
o protocol -- an integer representation of the protocol field
value of the DNSKEY record [RFC4034] in presentation format
o publicKey -- a string representation of the public key in
the DNSKEY record [RFC4034] in presentation format
o algorithm -- an integer as specified by the algorithm field
of a DNSKEY record as specified by [RFC4034] in presentation
format
o events -- see Section 4.5
o links -- see Section 4.2
See Appendix D for background information on these objects.
* entities -- an array of entity objects as defined by Section 5.1
* status -- see Section 4.6
* publicIds -- see Section 4.8
* remarks -- see Section 4.3
* links -- see Section 4.2
* port43 -- see Section 4.7
* events -- see Section 4.5
* network -- represents the IP network for which a reverse DNS
domain is referenced; see Section 5.4
The following is an example of a JSON domain object representing a
reverse DNS delegation point that might be served by an RIR (note
that the dsData digest value has been modified to fit on one line).
The following is an example of a JSON domain object representing a
forward DNS delegation point that might be served by a DNR. Note
that the secureDNS keyData publicKey value has been modified to fit
on a single line.
The IP network object class models IP network registrations found in
RIRs and is the expected response for the "/ip" query as defined by
[RFC9082]. There is no equivalent object class for DNRs. The high-
level structure of the IP network object class consists of
information about the network registration and entities related to
the IP network (e.g., registrant information, contacts, etc.).
The following is an elided example of the IP network object type
showing the high-level structure:
The IP network object class can contain the following members:
* objectClassName -- the string "ip network"
* handle -- a string representing the RIR-unique identifier of the
network registration
* startAddress -- a string representing the starting IP address of
the network, either IPv4 or IPv6
* endAddress -- a string representing the ending IP address of the
network, either IPv4 or IPv6
* ipVersion -- a string signifying the IP protocol version of the
network: "v4" signifies an IPv4 network, and "v6" signifies an
IPv6 network
* name -- a string representing an identifier assigned to the
network registration by the registration holder
* type -- a string containing an RIR-specific classification of the
network per that RIR's registration model
* country -- a string containing the two-character country code of
the network
* parentHandle -- a string containing an RIR-unique identifier of
the parent network of this network registration
* status -- an array of strings indicating the state of the IP
network as defined by Section 4.6
* entities -- an array of entity objects as defined by Section 5.1
* remarks -- see Section 4.3
* links -- see Section 4.2
* port43 -- see Section 4.7
* events -- see Section 4.5
5.5. The Autonomous System Number Object Class
The Autonomous System number (autnum) object class models Autonomous
System number registrations found in RIRs and represents the expected
response to an "/autnum" query as defined by [RFC9082]. There is no
equivalent object class for DNRs. The high-level structure of the
autnum object class consists of information about the Autonomous
System number registration and entities related to the autnum
registration (e.g., registrant information, contacts, etc.) and is
similar to the IP network object class.
The following is an example of a JSON object representing an autnum.
The Autonomous System number object class can contain the following
members:
* objectClassName -- the string "autnum"
* handle -- a string representing the RIR-unique identifier of the
autnum registration
* startAutnum -- an unsigned 32-bit integer representing the
starting number [RFC5396] in the block of Autonomous System
numbers
* endAutnum -- an unsigned 32-bit integer representing the ending
number [RFC5396] in the block of Autonomous System numbers
* name -- a string representing an identifier assigned to the autnum
registration by the registration holder
* type -- a string containing an RIR-specific classification of the
autnum per that RIR's registration model
* status -- an array of strings indicating the state of the autnum
as defined by Section 4.6
* country -- a string containing the two-character country code of
the autnum
* entities -- an array of entity objects as defined by Section 5.1
* remarks -- see Section 4.3
* links -- see Section 4.2
* port43 -- see Section 4.7
* events -- see Section 4.5
6. Error Response Body
Some non-answer responses MAY return entity bodies with information
that could be more descriptive.
The basic structure of that response is an object class containing a
REQUIRED error code number (corresponding to the HTTP response code)
followed by an OPTIONAL string named "title" and an OPTIONAL array of
strings named "description".
This is an example of the common response body.
{
"errorCode": 418,
"title": "Your Beverage Choice is Not Available",
"description":
[
"I know coffee has more ummppphhh.",
"Sorry, dude!"
]
}
Figure 28
This is an example of the common response body with an
rdapConformance and notices data structures:
{
"rdapConformance" :
[
"rdap_level_0"
],
"notices" :
[
{
"title" : "Beverage Policy",
"description" :
[
"Beverages with caffeine for keeping horses awake."
],
"links" :
[
{
"value" : "https://example.net/ip/192.0.2.0/24",
"rel" : "alternate",
"type" : "text/html",
"href" : "https://www.example.com/redaction_policy.html"
}
]
}
],
"lang" : "en",
"errorCode": 418,
"title": "Your beverage choice is not available",
"description":
[
"I know coffee has more ummppphhh.",
"Sorry, dude!"
]
}
Figure 29
7. Responding to Help Queries
The appropriate response to /help queries as defined by [RFC9082] is
to use the notices structure as defined in Section 4.3.
This is an example of a response to a /help query including the
rdapConformance data structure.
[RFC9082] specifies three types of searches: domains, nameservers,
and entities. Responses to these searches take the form of an array
of object instances where each instance is an appropriate object
class for the search (i.e., a search for /domains yields an array of
domain object instances). These arrays are contained within the
response object.
The names of the arrays are as follows:
* for /domains searches, the array is "domainSearchResults"
* for /nameservers searches, the array is "nameserverSearchResults"
* for /entities searches, the array is "entitySearchResults"
The following is an elided example of a response to a /domains
search.
In cases where the data of a response needs to be limited or parts of
the data need to be omitted, the response is considered "truncated".
A truncated response is still valid JSON, but some of the results in
a search set or some of the data in an object are not provided by the
server. A server may indicate this by including a typed notice in
the response object.
The following is an elided example of a search response that has been
truncated.
{
"rdapConformance" :
[
"rdap_level_0"
],
"notices" :
[
{
"title" : "Search Policy",
"type" : "result set truncated due to authorization",
"description" :
[
"Search results are limited to 25 per day per querying IP."
],
"links" :
[
{
"value" : "https://example.net/help",
"rel" : "alternate",
"type" : "text/html",
"href" : "https://www.example.com/search_policy.html"
}
]
}
],
"domainSearchResults" :
[
...
]
}
Figure 32
A similar technique can be used with a typed remark where a single
object has been returned and data in that object has been truncated.
Such an example might be an entity object with only a partial set of
the IP networks associated with it.
The following is an elided example of an entity truncated data.
{
"objectClassName" : "entity",
"handle" : "ANENTITY",
"roles" : [ "registrant" ],
...
"entities" :
[
{
"objectClassName" : "entity",
"handle": "ANEMBEDDEDENTITY",
"roles" : [ "technical" ],
...
},
...
],
"networks" :
[
...
],
...
"remarks" :
[
{
"title" : "Data Policy",
"type" : "object truncated due to unexplainable reason",
"description" :
[
"Some of the data in this object has been removed."
],
"links" :
[
{
"value" : "https://example.net/help",
"rel" : "alternate",
"type" : "text/html",
"href" : "https://www.example.com/data_policy.html"
}
]
}
]
}
Figure 33
10. IANA Considerations
IANA has updated the description of the "transfer" event action as
described in Section 10.2.3.
10.1. RDAP JSON Media Type Registration
IANA has updated the media type registration as described below.
This specification registers the "application/rdap+json" media type.
Type name: application
Subtype name: rdap+json
Required parameters: n/a
Encoding considerations: See Section 3.1 of [RFC6839].
Security considerations: The media represented by this identifier
does not have security considerations beyond that found in
Section 12 of [RFC8259].
Interoperability considerations: There are no known interoperability
problems regarding this media format.
Published specification: RFC 9083
Applications that use this media type: Implementations of the
Registration Data Access Protocol (RDAP).
Additional information: This media type is a product of the IETF
REGEXT Working Group. The REGEXT charter, information on the
REGEXT mailing list, and other documents produced by the REGEXT
Working Group can be found at https://datatracker.ietf.org/wg/
regext/.
Person & email address to contact for further information:
IESG <[email protected]>
Intended usage: COMMON
Restrictions on usage: none
Author: Andy Newton
Change controller: IETF
Provisional Registration: No
10.2. JSON Values Registry
IANA has created a category in the protocol registries labeled
"Registration Data Access Protocol (RDAP)", and within that category,
IANA has established a URL-referenceable, stand-alone registry
labeled "RDAP JSON Values". This new registry is for use in the
notices and remarks (Section 4.3), status (Section 4.6), role
(Section 5.1), event action (Section 4.5), and domain variant
relation (Section 5.3) fields specified in RDAP.
Each entry in the registry contains the following fields:
1. Value -- the string value being registered.
2. Type -- the type of value being registered. It should be one of
the following:
* "notice or remark type" -- denotes a type of notice or remark.
* "status" -- denotes a value for the "status" object member as
defined by Section 4.6.
* "role" -- denotes a value for the "role" array as defined in
Section 5.1.
* "event action" -- denotes a value for an event action as
defined in Section 4.5.
* "domain variant relation" -- denotes a relationship between a
domain and a domain variant as defined in Section 5.3.
3. Description -- a one- or two-sentence description regarding the
meaning of the value, how it might be used, and/or how it should
be interpreted by clients.
4. Registrant Name -- the name of the person registering the value.
5. Registrant Contact Information -- an email address, postal
address, or some other information to be used to contact the
registrant.
This registry is operated under the "Expert Review" policy defined in
[RFC8126].
Review of registrations into this registry by the designated
expert(s) should be narrowly judged on the following criteria:
1. Values in need of being placed into multiple types must be
assigned a separate registration for each type.
2. Values must be strings. They should be multiple words separated
by single space characters. Every character should be
lowercased. If possible, every word should be given in English
and each character should be US-ASCII.
3. Registrations should not duplicate the meaning of any existing
registration. That is, if a request for a registration is
significantly similar in nature to an existing registration, the
request should be denied. For example, the terms "maintainer"
and "registrant" are significantly similar in nature as they both
denote a holder of a domain name or Internet number resource. In
cases where it may be reasonably argued that machine
interpretation of two similar values may alter the operation of
client software, designated experts should not judge the values
to be of significant similarity.
4. Registrations should be relevant to the common usages of RDAP.
Designated experts may rely upon the serving of the value by a
DNR or RIR to make this determination.
The following sections provide initial registrations into this
registry.
10.2.1. Notice and Remark Types
The following values have been registered in the "RDAP JSON Values"
registry:
Value: result set truncated due to authorization
Type: notice and remark type
Description: The list of results does not contain all results due to
lack of authorization. This may indicate to some clients that
proper authorization will yield a longer result set.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: result set truncated due to excessive load
Type: notice and remark type
Description: The list of results does not contain all results due to
an excessively heavy load on the server. This may indicate to
some clients that requerying at a later time will yield a longer
result set.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: result set truncated due to unexplainable reasons
Type: notice and remark type
Description: The list of results does not contain all results for an
unexplainable reason. This may indicate to some clients that
requerying for any reason will not yield a longer result set.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: object truncated due to authorization
Type: notice and remark type
Description: The object does not contain all data due to lack of
authorization.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: object truncated due to excessive load
Type: notice and remark type
Description: The object does not contain all data due to an
excessively heavy load on the server. This may indicate to some
clients that requerying at a later time will yield all data of the
object.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: object truncated due to unexplainable reasons
Type: notice and remark type
Description: The object does not contain all data for an
unexplainable reason.
Registrant Name: IESG
Registrant Contact Information: [email protected]
10.2.2. Status
The following values have been registered in the "RDAP JSON Values"
registry:
Value: validated
Type: status
Description: Signifies that the data of the object instance has been
found to be accurate. This type of status is usually found on
entity object instances to note the validity of identifying
contact information.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: renew prohibited
Type: status
Description: Renewal or reregistration of the object instance is
forbidden.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: update prohibited
Type: status
Description: Updates to the object instance are forbidden.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: transfer prohibited
Type: status
Description: Transfers of the registration from one registrar to
another are forbidden. This type of status normally applies to
DNR domain names.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: delete prohibited
Type: status
Description: Deletion of the registration of the object instance is
forbidden. This type of status normally applies to DNR domain
names.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: proxy
Type: status
Description: The registration of the object instance has been
performed by a third party. This is most commonly applied to
entities.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: private
Type: status
Description: The information of the object instance is not
designated for public consumption. This is most commonly applied
to entities.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: removed
Type: status
Description: Some of the information of the object instance has not
been made available and has been removed. This is most commonly
applied to entities.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: obscured
Type: status
Description: Some of the information of the object instance has been
altered for the purposes of not readily revealing the actual
information of the object instance. This is most commonly applied
to entities.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: associated
Type: status
Description: The object instance is associated with other object
instances in the registry. This is most commonly used to signify
that a nameserver is associated with a domain or that an entity is
associated with a network resource or domain.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: active
Type: status
Description: The object instance is in use. For domain names, it
signifies that the domain name is published in DNS. For network
and autnum registrations, it signifies that they are allocated or
assigned for use in operational networks. This maps to the "OK"
status of the Extensible Provisioning Protocol (EPP) [RFC5730].
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: inactive
Type: status
Description: The object instance is not in use. See "active".
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: locked
Type: status
Description: Changes to the object instance cannot be made,
including the association of other object instances.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: pending create
Type: status
Description: A request has been received for the creation of the
object instance, but this action is not yet complete.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: pending renew
Type: status
Description: A request has been received for the renewal of the
object instance, but this action is not yet complete.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: pending transfer
Type: status
Description: A request has been received for the transfer of the
object instance, but this action is not yet complete.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: pending update
Type: status
Description: A request has been received for the update or
modification of the object instance, but this action is not yet
complete.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: pending delete
Type: status
Description: A request has been received for the deletion or removal
of the object instance, but this action is not yet complete. For
domains, this might mean that the name is no longer published in
DNS but has not yet been purged from the registry database.
Registrant Name: IESG
Registrant Contact Information: [email protected]
10.2.3. Event Actions
The following values have been registered in the "RDAP JSON Values"
registry:
Value: registration
Type: event action
Description: The object instance was initially registered.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: reregistration
Type: event action
Description: The object instance was registered subsequently to
initial registration.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: last changed
Type: event action
Description: An action noting when the information in the object
instance was last changed.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: expiration
Type: event action
Description: The object instance has been removed or will be removed
at a predetermined date and time from the registry.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: deletion
Type: event action
Description: The object instance was removed from the registry at a
point in time that was not predetermined.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: reinstantiation
Type: event action
Description: The object instance was reregistered after having been
removed from the registry.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: transfer
Type: event action
Description: The object instance was transferred from one registrar
to another.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: locked
Type: event action
Description: The object instance was locked (see the "locked"
status).
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: unlocked
Type: event action
Description: The object instance was unlocked (see the "locked"
status).
Registrant Name: IESG
Registrant Contact Information: [email protected]
10.2.4. Roles
The following values have been registered in the "RDAP JSON Values"
registry:
Value: registrant
Type: role
Description: The entity object instance is the registrant of the
registration. In some registries, this is known as a maintainer.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: technical
Type: role
Description: The entity object instance is a technical contact for
the registration.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: administrative
Type: role
Description: The entity object instance is an administrative contact
for the registration.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: abuse
Type: role
Description: The entity object instance handles network abuse issues
on behalf of the registrant of the registration.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: billing
Type: role
Description: The entity object instance handles payment and billing
issues on behalf of the registrant of the registration.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: registrar
Type: role
Description: The entity object instance represents the authority
responsible for the registration in the registry.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: reseller
Type: role
Description: The entity object instance represents a third party
through which the registration was conducted (i.e., not the
registry or registrar).
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: sponsor
Type: role
Description: The entity object instance represents a domain policy
sponsor, such as an ICANN-approved sponsor.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: proxy
Type: role
Description: The entity object instance represents a proxy for
another entity object, such as a registrant.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: notifications
Type: role
Description: An entity object instance designated to receive
notifications about association object instances.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: noc
Type: role
Description: The entity object instance handles communications
related to a network operations center (NOC).
Registrant Name: IESG
Registrant Contact Information: [email protected]
10.2.5. Variant Relations
The following values have been registered in the "RDAP JSON Values"
registry:
Value: registered
Type: domain variant relation
Description: The variant names are registered in the registry.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: unregistered
Type: domain variant relation
Description: The variant names are not found in the registry.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: registration restricted
Type: domain variant relation
Description: Registration of the variant names is restricted to
certain parties or within certain rules.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: open registration
Type: domain variant relation
Description: Registration of the variant names is available to
generally qualified registrants.
Registrant Name: IESG
Registrant Contact Information: [email protected]
Value: conjoined
Type: domain variant relation
Description: Registration of the variant names occurs automatically
with the registration of the containing domain registration.
Registrant Name: IESG
Registrant Contact Information: [email protected]
11. Security Considerations
This specification models information serialized in JSON format. As
JSON is a subset of JavaScript, implementations are advised to follow
the security considerations outlined in Section 12 of [RFC8259] to
prevent code injection.
Though not specific to JSON, RDAP implementers should be aware of the
security considerations specified in [RFC7480] and the security
requirements and considerations in [RFC7481].
RDAP responses allow for retrieval of DNSSEC (key) related
information, but the RRSIG DS from the parent zone is not conveyed
alongside it. This means that the DNSSEC keys retrieved by RDAP are
disconnected from their containing PKI, and as such are not generally
expected to be trusted without additional information. In
particular, the HTTPS channel protecting the RDAP connection is not
expected to be authorized to certify the validity of the DNSSEC keys.
Clients caching data, especially clients using RDAP-specific caches
(instead of HTTP-layer caches), should have safeguards to prevent
cache poisoning. See Section 5 for advice on using the self links
for caching.
Finally, service operators should be aware of the privacy mechanisms
noted in Section 13.
12. Internationalization Considerations
12.1. Character Encoding
The default text encoding for JSON responses in RDAP is UTF-8
[RFC3629], and all servers and clients MUST support UTF-8.
12.2. URIs and IRIs
[RFC7480] defines the use of URIs and IRIs in RDAP.
12.3. Language Tags
Section 4.4 defines the use of language tags in the JSON responses
defined in this document.
12.4. Internationalized Domain Names
IDNs are denoted in this specification by the separation of DNS names
in LDH form and Unicode form (see Section 3). Representation of IDNs
in registries is described by the "variants" object in Section 5.3
and the suggested values listed in Section 10.2.5.
13. Privacy Considerations
This specification suggests status values to denote contact and
registrant information that has been marked as private and/or has
been removed or obscured. See Section 10.2.2 for the complete list
of status values. A few of the status values indicate that there are
privacy concerns associated with the object instance. The following
status codes SHOULD be used to describe data elements of a response
when appropriate:
* private -- The object is not be shared in query responses, unless
the user is authorized to view this information.
* removed -- Data elements within the object have been collected but
have been omitted from the response. This option can be used to
prevent unauthorized access to associated object instances without
the need to mark them as private.
* obscured -- Data elements within the object have been collected,
but the response value has been altered so that values are not
easily discernible. A value changed from "1212" to "XXXX" is an
example of obscured data. This option may reveal privacy
sensitive information and should only be used when data
sensitivity does not require a more protective option like
"private" or "removed".
See Appendix A.1 for an example of applying those values to contacts
and registrants.
14. References
14.1. Normative References
[ISO.3166.2020]
International Organization for Standardization, "Codes for
the representation of names of countries and their
subdivisions", Fourth edition, ISO Standard 3166, August
2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet:
Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
<https://www.rfc-editor.org/info/rfc3339>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, DOI 10.17487/RFC4034, March 2005,
<https://www.rfc-editor.org/info/rfc4034>.
[RFC5396] Huston, G. and G. Michaelson, "Textual Representation of
Autonomous System (AS) Numbers", RFC 5396,
DOI 10.17487/RFC5396, December 2008,
<https://www.rfc-editor.org/info/rfc5396>.
[RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
September 2009, <https://www.rfc-editor.org/info/rfc5646>.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952,
DOI 10.17487/RFC5952, August 2010,
<https://www.rfc-editor.org/info/rfc5952>.
[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7480, DOI 10.17487/RFC7480, March 2015,
<https://www.rfc-editor.org/info/rfc7480>.
[RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7481, DOI 10.17487/RFC7481, March 2015,
<https://www.rfc-editor.org/info/rfc7481>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
[RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
Protocol (RDAP) Query Format", STD 95, RFC 9082,
DOI 10.17487/RFC9082, June 2021,
<https://www.rfc-editor.org/info/rfc9082>.
[JSON_performance_study]
Nurseitov, N., Paulson, M., Reynolds, R., and C. Izurieta,
"Comparison of JSON and XML Data Interchange Formats: A
Case Study", 2009,
<https://www.cs.montana.edu/izurieta/pubs/caine2009.pdf>.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
<https://www.rfc-editor.org/info/rfc5730>.
[RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
Security Extensions Mapping for the Extensible
Provisioning Protocol (EPP)", RFC 5910,
DOI 10.17487/RFC5910, May 2010,
<https://www.rfc-editor.org/info/rfc5910>.
[RFC6839] Hansen, T. and A. Melnikov, "Additional Media Type
Structured Syntax Suffixes", RFC 6839,
DOI 10.17487/RFC6839, January 2013,
<https://www.rfc-editor.org/info/rfc6839>.
Appendix A. Suggested Data Modeling with the Entity Object Class
A.1. Registrants and Contacts
This document does not provide specific object classes for
registrants and contacts. Instead, the entity object class may be
used to represent a registrant or contact. When the entity object is
embedded inside a containing object such as a domain name or IP
network, the "roles" string array can be used to signify the
relationship. It is recommended that the values from Section 10.2.4
be used.
The following is an example of an elided containing object with an
embedded entity that is both a registrant and administrative contact:
In many use cases, it is necessary to hide or obscure the information
of a registrant or contact due to policy or other operational
matters. Registries can denote these situations with "status" values
(see Section 10.2.2).
The following is an elided example of a registrant with information
changed to reflect that of a third party.
This document does not provide a specific object class for
registrars, but like registrants and contacts (see Appendix A.1), the
"roles" string array maybe used. Additionally, many registrars have
publicly assigned identifiers. The publicIds structure (Section 4.8)
represents that information.
The following is an example of an elided containing object with an
embedded entity that is a registrar:
Events represent actions that have taken place against a registered
object at a certain date and time. Events have three properties: the
action, the actor, and the date and time of the event (which is
sometimes in the future). In some cases, the identity of the actor
is not captured.
Events can be modeled in three ways:
1. events with no designated actor
2. events where the actor is only designated by an identifier
3. events where the actor can be modeled as an entity
For the first use case, the events data structure (Section 4.5) is
used without the "eventActor" object member.
This is an example of an "events" array without the "eventActor".
For the third use case, the "asEventActor" array is used when an
entity (Section 5.1) is embedded into another object class. The
"asEventActor" array follows the same structure as the "events" array
but does not have "eventActor" attributes.
The following is an elided example of a domain object with an entity
as an event actor.
The entity (Section 5.1) object class uses jCard [RFC7095] to
represent contact information, including postal addresses. jCard has
the ability to represent multiple language preferences, multiple
email address and phone numbers, and multiple postal addresses in
both a structured and unstructured format. This section describes
the use of jCard for representing structured and unstructured
addresses.
The arrays in Figure 40 with the first member of "adr" represent
postal addresses. In the first example, the postal address is given
as an array of strings and constitutes a structured address. For
components of the structured address that are not applicable, an
empty string is given. Each member of that array aligns with the
positions of a vCard as given in [RFC6350]. In this example, the
following data corresponds to the following positional meanings:
1. post office box -- not applicable; empty string
2. extended address (e.g., apartment or suite number) -- Suite 1234
3. street address -- 4321 Rue Somewhere
4. locality (e.g., city) -- Quebec
5. region (e.g., state or province) -- QC
6. postal code -- G1V 2M2
7. country name (full name) -- Canada
The second example is an unstructured address. It uses the "label"
attribute, which is a string containing a newline (\n) character to
separate address components in an unordered, unspecified manner.
Note that in this example, the structured address array is still
given but that each string is an empty string.
Appendix D. Secure DNS
Section 5.3 defines the "secureDNS" member to represent secure DNS
information about domain names.
DNSSEC provides data integrity for DNS through the digital signing of
resource records. To enable DNSSEC, the zone is signed by one or
more private keys and the signatures are stored as RRSIG records. To
complete the chain of trust in the DNS zone hierarchy, a digest of
each DNSKEY record (which contains the public key) must be loaded
into the parent zone, stored as DS records, and signed by the
parent's private key (RRSIG DS record), as indicated in "Resource
Records for the DNS Security Extensions" [RFC4034]. Creating the DS
records in the parent zone can be done by the registration authority
"Domain Name System (DNS) Security Extensions Mapping for the
Extensible Provisioning Protocol (EPP)" [RFC5910].
Only DS-related information is provided by RDAP, since other
information is not generally stored in the registration database.
Other DNSSEC-related information can be retrieved with other DNS
tools such as dig.
The domain object class (Section 5.3) can represent this information
using either the "dsData" or "keyData" object arrays. Client
implementers should be aware that some registries do not collect or
do not publish all of the secure DNS meta-information.
Appendix E. Motivations for Using JSON
This section addresses a common question regarding the use of JSON
over other data formats, most notably XML.
It is often pointed out that many DNRs and one RIR support the EPP
[RFC5730] standard, which is an XML serialized protocol. The logic
is that since EPP is a common protocol in the industry, it follows
that XML would be a more natural choice. While EPP does influence
this specification quite a bit, EPP serves a different purpose, which
is the provisioning of Internet resources between registries and
accredited registrars and serving a much narrower audience than that
envisioned for RDAP.
By contrast, RDAP has a broader audience and is designed for public
consumption of data. Experience from RIRs with first generation
RESTful web services for WHOIS indicate that a large percentage of
clients operate within browsers and other platforms where full-blown
XML stacks are not readily available and where JSON is a better fit.
Additionally, while EPP is used in much of the DNR community it is
not a universal constant in that industry. And finally, EPP's use of
XML predates the specification of JSON. If EPP had been defined
today, it may very well have used JSON instead of XML.
Beyond the specific DNR and RIR communities, the trend in the broader
Internet industry is also switching to JSON over XML, especially in
the area of RESTful web services (see [JSON_ascendancy]). Studies
have also found that JSON is generally less bulky and consequently
faster to parse (see [JSON_performance_study]).
Appendix F. Changes from RFC 7483
* Addressed known errata.
* Updated references to 7482 to RFC 9082. Adjusted case of "xxxx"
used in examples where "XXXX" was previously used, and removed an
"X" from "XXXXX". Changed IPv6 address example using "C00" to
"c00". Added "a string representing" to the definitions of
startAddress and endAddress. Removed "entity" from "Autonomous
System Number Entity Object Class". Added "an unsigned 32-bit
integer" to the definition of startAutnum and endAutnum. Added "a
string representing" to the definition of name in the IP network
and ASN object classes. Clarified rdapConformance identifier
registration expectations in Section 4.1. Changed
"lunarNic_level_0" to "lunarNIC_level_0".
* Clarified that the "value", "rel" and "href" JSON values MUST be
specified in the "links" array.
* Clarified that the "description" array is required in the Notices
and Remarks data structures and other values are OPTIONAL.
* Noted that all members of the "events" and "Public IDs" arrays are
REQUIRED.
* Fix "self" link values in examples. Changed "http" to "https"
link values in examples. Noted that Figure 18 is an example of a
nameserver object with all "appropriate" values given. In
Appendix C, quoted the word "label" in "label attribute". Added
reference to "status" definition in the descriptions for IP
networks and autnums. Fixed a 404 for the informative reference
to "The Stealthy Ascendancy of JSON". Added "boolean" to the
definition of zoneSigned.
* Clarified REQUIRED and OPTIONAL members of the "events" array.
* Changed "SHOULD not" to "SHOULD NOT" in Section 5.
* Updated normative references (RFC 5226 to RFC 8126, RFC 5988 to
RFC 8288, RFC 7159 to RFC 8259). Changed examples using "ns1.xn--
fo-5ja.example" to split URLs to avoid long lines.
* Added acknowledgments.
* Changed "The "lang" attribute may appear anywhere in an object
class or data structure except for in jCard objects" to "The
"lang" attribute as defined in this section MAY appear anywhere in
an object class or data structure, except for in jCard objects.
jCard supports similar functionality by way of the LANGUAGE
property parameter (see Section 5.1 of RFC 6350 [RFC6350]".
* Changed "simple data types conveyed in JSON strings" to "simple
data types conveyed in JSON primitive types (strings, numbers,
booleans, and null)". Changed "In other words, servers are free
to not include JSON members containing registration data based on
their own policies" to "In other words, servers are free to omit
unrequired/optional JSON members containing registration data
based on their own policies".
* Changed "This data structure appears only in the topmost JSON
object of a response" to "This data structure MUST appear in the
topmost JSON object of a response".
* Changed "Some non-answer responses may return entity bodies with
information that could be more descriptive" to "Some non-answer
responses MAY return entity bodies with information that could be
more descriptive".
* Changed "The basic structure of that response is an object class
containing an error code number (corresponding to the HTTP
response code) followed by a string named "title" and an array of
strings named "description"" to "The basic structure of that
response is an object class containing a REQUIRED error code
number (corresponding to the HTTP response code) followed by an
OPTIONAL string named "title" and an OPTIONAL array of strings
named "description"".
* Changed the "Autonomous System Number Object Class" section title
to "The Autonomous System Number Object Class" for consistency
with other section titles. Removed trailing periods in the
"Terminology and Definitions" section for consistency. Changed
instances of "lunarNic" to "lunarNIC" for consistency. Removed an
extraneous trailing period after the eventDate description.
Changed a "." to ";" in the description of the "network" member of
the domain object class. Changed "The high-level structure of the
autnum object class consists of information about the network
registration" to "The high-level structure of the autnum object
class consists of information about the Autonomous System number
registration". Changed "registry unique" to "registry-unique".
* Changed "registrant" to "registrar" in the description of the
"transfer" event action to address erratum 6158. Added IANA
instructions to correct the description of the value in the
registry.
* Added text to Section 4.2 to note that "self" and "related" "href"
URIs MUST NOT be the same.
* Added text to Section 4.2 to describe return of IDNs in LDH name
format.
* Added text to note that the "fn" member of a contact object MAY be
empty in Section 3.
* Added text to clarify rdapConformance requirements in Section 4.1.
* Added "obsoletes 7483" to the headers, Abstract, and Introduction.
Updated BCP 14 boilerplate. Updated IANA Considerations to note
that this RFC (a product of the REGEXT Working Group) replaces RFC
7483. Changed "simple string" to "simple character string" in
Sections 3 and 4.7. Clarified requirement for the "fn" member in
Section 3. Modified the requirement for rdapConformance placement
in Section 4.1. Changed "jCard" to "vCard" LANGUAGE property
reference in Section 4.4. Changed "no use" to "little or no use"
in Section 5.1. Added example line wrap note in Section 5.2.
Modified the definition of "idnTable" in Section 5.3. Modified
the dsData and keyData examples in Section 5.3. Changed
"2001:c00::/23" to "2001:db8::/32" in Section 5.4. Expanded the
definition of "type" in Sections 5.4 and 5.5. Modified example
autnums in Section 5.5. Added text to the Security Considerations
section to note that DNSSEC information returned in a response
cannot be trusted directly.
Acknowledgments
This document is derived from original work on RIR responses in JSON
by Byron J. Ellacott, Arturo L. Servin, Kaveh Ranjbar, and Andrew L.
Newton. Additionally, this document incorporates work on DNR
responses in JSON by Ning Kong, Linlin Zhou, Jiagui Xie, and Sean
Shen.
The components of the DNR object classes are derived from a
categorization of WHOIS response formats created by Ning Kong, Linlin
Zhou, Guangqing Deng, Steve Sheng, Francisco Arias, Ray Bellis, and
Frederico Neves.
Tom Harrison, Murray Kucherawy, Ed Lewis, Audric Schiltknecht, Naoki
Kambe, Maarten Bosteels, Mario Loffredo, and Jasdip Singh contributed
significant review comments and provided clarifying text. James
Mitchell provided text regarding the processing of unknown JSON
attributes and identified issues leading to the remodeling of events.
Ernie Dainow and Francisco Obispo provided concrete suggestions that
led to a better variant model for domain names.
Ernie Dainow provided the background information on the secure DNS
attributes and objects for domains, informative text on DNSSEC, and
many other attributes that appear throughout the object classes of
this document.
The switch to and incorporation of jCard was performed by Simon
Perreault.
Olaf Kolkman and Murray Kucherawy chaired the IETF's WEIRDS Working
Group from which this document was originally created. James Galvin
and Antoin Verschuren chaired the REGEXT Working Group that worked on
this document.
Authors' Addresses
Scott Hollenbeck
Verisign Labs
12061 Bluemont Way
Reston, VA 20190
United States of America
Internet Engineering Task Force (IETF) M. Blanchet
Request for Comments: 9224 Viagenie
STD: 95 March 2022
Obsoletes: 7484
Category: Standards Track
ISSN: 2070-1721
Finding the Authoritative Registration Data Access Protocol (RDAP)
Service
Abstract
This document specifies a method to find which Registration Data
Access Protocol (RDAP) server is authoritative to answer queries for
a requested scope, such as domain names, IP addresses, or Autonomous
System numbers. This document obsoletes RFC 7484.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9224.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
2. Conventions Used in This Document
3. Structure of the RDAP Bootstrap Service Registries
4. Bootstrap Service Registry for Domain Name Space
5. Bootstrap Service Registries for Internet Numbers
5.1. Bootstrap Service Registry for IPv4 Address Space
5.2. Bootstrap Service Registry for IPv6 Address Space
5.3. Bootstrap Service Registry for AS Number Space
6. Entity
7. Non-existent Entries or RDAP URL Values
8. Deployment and Implementation Considerations
9. Limitations
10. Formal Definition
10.1. Imported JSON Terms
10.2. Registry Syntax
11. Security Considerations
12. IANA Considerations
12.1. Bootstrap Service Registry for IPv4 Address Space
12.2. Bootstrap Service Registry for IPv6 Address Space
12.3. Bootstrap Service Registry for AS Number Space
12.4. Bootstrap Service Registry for Domain Name Space
13. References
13.1. Normative References
13.2. Informative References
Appendix A. Changes since RFC 7484
Acknowledgements
Author's Address
1. Introduction
Querying and retrieving registration data from registries are defined
in the Registration Data Access Protocol (RDAP) [RFC7480] [RFC7481]
[RFC9082] [RFC9083]. These documents do not specify where to send
the queries. This document specifies a method to find which server
is authoritative to answer queries for the requested scope.
Top-Level Domains (TLDs), Autonomous System (AS) numbers, and network
blocks are delegated by IANA to Internet registries such as TLD
registries and Regional Internet Registries (RIRs) that then issue
further delegations and maintain information about them. Thus, the
bootstrap information needed by RDAP clients is best generated from
data and processes already maintained by IANA; the relevant
registries already exist at [ipv4reg], [ipv6reg], [asreg], and
[domainreg]. This document obsoletes [RFC7484].
Per this document, IANA has created new registries based on a JSON
format specified in this document, herein named RDAP Bootstrap
Service Registries. These new registries are based on the existing
entries of the above-mentioned registries. An RDAP client fetches
the RDAP Bootstrap Service Registries, extracts the data, and then
performs a match with the query data to find the authoritative
registration data server and appropriate query base URL.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Structure of the RDAP Bootstrap Service Registries
The RDAP Bootstrap Service Registries, as specified in Section 12
below, have been made available as JSON [RFC8259] objects, which can
be retrieved via HTTP from locations specified by IANA. The JSON
object for each registry contains a series of members containing
metadata about the registry such as a version identifier, a timestamp
of the publication date of the registry, and a description.
Additionally, a "services" member contains the registry items
themselves, as an array. Each item of the array contains a second-
level array, with two elements, each of them being a third-level
array.
Each element of the Services Array is a second-level array with two
elements: in order, an Entry Array and a Service URL Array.
The Entry Array contains all entries that have the same set of base
RDAP URLs. The Service URL Array contains the list of base RDAP URLs
usable for the entries found in the Entry Array. Elements within
these two arrays are not ordered in any way.
An example structure of the JSON output of an RDAP Bootstrap Service
Registry is illustrated:
The "version" corresponds to the format version of the registry.
This specification defines version "1.0".
The syntax of the "publication" value conforms to the Internet date/
time format [RFC3339]. The value is the latest update date of the
registry by IANA.
The optional "description" string can contain a comment regarding the
content of the bootstrap object.
Per [RFC7258], in each array of base RDAP URLs, the secure versions
of the transport protocol SHOULD be preferred and tried first. For
example, if the base RDAP URLs array contains both HTTPS and HTTP
URLs, the bootstrap client SHOULD try the HTTPS version first.
Base RDAP URLs MUST have a trailing "/" character because they are
concatenated to the various segments defined in [RFC9082].
JSON names MUST follow the format recommendations of Section 6 of
[RFC7480]. Any unrecognized JSON object properties or values MUST be
ignored by implementations.
Internationalized Domain Name labels used as entries or base RDAP
URLs in the registries defined in this document MUST be only
represented using their A-label form as defined in [RFC5890].
All Domain Name labels used as entries or base RDAP URLs in the
registries defined in this document MUST be only represented in
lowercase.
4. Bootstrap Service Registry for Domain Name Space
The JSON output of this registry contains domain label entries
attached to the root, grouped by base RDAP URLs, as shown in this
example.
The domain name's authoritative registration data service is found by
doing the label-wise longest match of the target domain name with the
domain values in the Entry Arrays in the IANA "Bootstrap Service
Registry for Domain Name Space". The match is done per label, from
right to left. If the longest match results in multiple entries,
then those entries are considered equivalent. The values contained
in the Service URL Array of the matching second-level array are the
valid base RDAP URLs as described in [RFC9082].
For example, a domain RDAP query for a.b.example.com matches the com
entry in one of the arrays of the registry. The base RDAP URL for
this query is then taken from the second element of the array, which
is an array of base RDAP URLs valid for this entry. The client
chooses one of the base URLs from this array; in this example, it
chooses the only one available, "https://registry.example.com/
myrdap/". The segment specified in [RFC9082] is then appended to the
base URL to complete the query. The complete query is then
"https://registry.example.com/myrdap/domain/a.b.example.com".
If a domain RDAP query for a.b.example.com matches both com and
example.com entries in the registry, then the longest match applies
and the example.com entry is used by the client.
If the registry contains entries such as com and goodexample.com,
then a domain RDAP query for example.com only matches the com entry
because matching is done on a per-label basis.
The entry for the root of the domain name space is specified as "".
5. Bootstrap Service Registries for Internet Numbers
This section discusses IPv4 and IPv6 address space and Autonomous
System numbers.
For IP address space, the authoritative registration data service is
found by doing a longest match of the target address with the values
of the arrays in the corresponding RDAP Bootstrap Service Registry
for Address Space. The longest match is done the same way as in
packet forwarding: the addresses are converted in binary form and
then the binary strings are compared to find the longest match up to
the specified prefix length. The values contained in the second
element of the array are the base RDAP URLs as described in
[RFC9082]. The longest match method enables covering prefixes of a
larger address space pointing to one base RDAP URL while more
specific prefixes within the covering prefix are being served by
another base RDAP URL.
5.1. Bootstrap Service Registry for IPv4 Address Space
The JSON output of this registry contains IPv4 prefix entries,
specified in Classless Inter-domain Routing (CIDR) format [RFC4632]
and grouped by RDAP URLs, as shown in this example.
For example, a query for "192.0.2.1/25" matches the "192.0.0.0/8"
entry and the "192.0.2.0/24" entry in the example registry above.
The latter is chosen by the client because it is the longest match.
The base RDAP URL for this query is then taken from the second
element of the array, which is an array of base RDAP URLs valid for
this entry. The client chooses one of the base URLs from this array;
in this example, it chooses the only one available,
"https://example.org/". The {resource} specified in [RFC9082] is
then appended to the base URL to complete the query. The complete
query is then "https://example.org/ip/192.0.2.1/25".
5.2. Bootstrap Service Registry for IPv6 Address Space
The JSON output of this registry contains IPv6 prefix entries, using
[RFC5952] text representation of the address prefixes format, grouped
by base RDAP URLs, as shown in this example.
For example, a query for "2001:db8:1000::/48" matches the
"2001:db8::/34" entry and the "2001:db8:1000::/36" entry in the
example registry above. The latter is chosen by the client because
it is the longest match. The base RDAP URL for this query is then
taken from the second element of the array, which is an array of base
RDAP URLs valid for this entry. The client chooses one of the base
URLs from this array; in this example, it chooses
"https://example.net/rdaprir2/" because it's the secure version of
the protocol. The segment specified in [RFC9082] is then appended to
the base URL to complete the query. The complete query is therefore
"https://example.net/rdaprir2/ip/2001:db8:1000::/48". If the target
RDAP server does not answer, the client can then use another URL
prefix from the array.
5.3. Bootstrap Service Registry for AS Number Space
The JSON output of this registry contains entries for AS number
ranges, grouped by base RDAP URLs, as shown in this example. The
Entry Array is an array containing the list of AS number ranges
served by the base RDAP URLs found in the second element. Each
element of the array contains two AS numbers represented in decimal
format, separated by a hyphen, that represents the range of AS
numbers between the two AS numbers (inclusive), where values are in
increasing order (e.g., 100-200, not 200-100). A single AS number is
represented as a range of two identical AS numbers. AS numbers are
represented as 'asplain' as defined in [RFC5396]. Ranges MUST NOT
overlap.
For example, a query for AS 65411 matches the 64512-65534 entry in
the example registry above. The base RDAP URL for this query is then
taken from the second element of the array, which is an array of base
RDAP URLs valid for this entry. The client chooses one of the base
URLs from this array; in this example, it chooses
"https://example.net/rdaprir2/". The segment specified in [RFC9082]
is then appended to the base URL to complete the query. The complete
query is, therefore, "https://example.net/rdaprir2/autnum/65411". If
the server does not answer, the client can then use another URL
prefix from the array.
6. Entity
Entities (such as contacts, registrants, or registrars) can be
queried by handle as described in [RFC9082]. Since there is no
global name space for entities, this document does not describe how
to find the authoritative RDAP server for entities. However, it is
possible that, if the entity identifier was received from a previous
query, the same RDAP server could be queried for that entity, or the
entity identifier itself is a fully qualified URL that can be
queried. The mechanism described in [RFC8521] MAY also be used.
7. Non-existent Entries or RDAP URL Values
The registries may not contain the requested value. In these cases,
there is no known RDAP server for that requested value, and the
client SHOULD provide an appropriate error message to the user.
8. Deployment and Implementation Considerations
This method relies on the fact that RDAP clients are fetching the
IANA registries to then find the servers locally. Clients SHOULD NOT
fetch the registry on every RDAP request. Clients SHOULD cache the
registry, but use underlying protocol signaling, such as the HTTP
Expires header field [RFC7234], to identify when it is time to
refresh the cached registry.
Some authorities of registration data may work together on sharing
their information for a common service, including mutual redirection
[REDIRECT-RDAP].
When a new object is allocated, such as a new AS range, a new TLD, or
a new IP address range, there is no guarantee that this new object
will have an entry in the corresponding bootstrap RDAP registry,
since the setup of the RDAP server for this new entry may become live
and registered later. Therefore, the clients should expect that even
if an object, such as TLD, IP address range, or AS range is
allocated, the existence of the entry in the corresponding bootstrap
registry is not guaranteed.
9. Limitations
This method does not provide a direct way to find authoritative RDAP
servers for any other objects than the ones described in this
document. In particular, the following objects are not bootstrapped
with the method described in this document:
* entities
* queries using search patterns that do not contain a terminating
string that matches some entries in the registries
* nameservers
* help
10. Formal Definition
This section is the formal definition of the registries. The
structure of JSON objects and arrays using a set of primitive
elements is defined in [RFC8259]. Those elements are used to
describe the JSON structure of the registries.
10.1. Imported JSON Terms
OBJECT: a JSON object, defined in Section 4 of [RFC8259]
MEMBER: a member of a JSON object, defined in Section 4 of [RFC8259]
MEMBER-NAME: the name of a MEMBER, defined as a "string" in
Section 4 of [RFC8259]
MEMBER-VALUE: the value of a MEMBER, defined as a "value" in
Section 4 of [RFC8259]
ARRAY: an array, defined in Section 5 of [RFC8259]
ARRAY-VALUE: an element of an ARRAY, defined in Section 5 of
[RFC8259]
STRING: a "string", as defined in Section 7 of [RFC8259]
10.2. Registry Syntax
Using the above terms for the JSON structures, the syntax of a
registry is defined as follows:
rdap-bootstrap-registry: an OBJECT containing a MEMBER version and a
MEMBER publication, an optional MEMBER description, and a MEMBER
services-list
version: a MEMBER with MEMBER-NAME "version" and MEMBER-VALUE a
STRING
publication: a MEMBER with MEMBER-NAME "publication" and MEMBER-
VALUE a STRING
description: a MEMBER with MEMBER-NAME "description" and MEMBER-
VALUE a STRING
services-list: a MEMBER with MEMBER-NAME "services" and MEMBER-VALUE
a services-array
services-array: an ARRAY, where each ARRAY-VALUE is a service
service: an ARRAY of 2 elements, where the first ARRAY-VALUE is an
entry-list and the second ARRAY-VALUE is a service-uri-list
entry-list: an ARRAY, where each ARRAY-VALUE is an entry
entry: a STRING
service-uri-list: an ARRAY, where each ARRAY-VALUE is a service-uri
service-uri: a STRING
11. Security Considerations
By providing a bootstrap method to find RDAP servers, this document
helps to ensure that the end users will get the RDAP data from an
authoritative source instead of from rogue sources. The method has
the same security properties as the RDAP protocols themselves. The
transport used to access the registries uses TLS [RFC8446].
Additional considerations on using RDAP are described in [RFC7481].
12. IANA Considerations
IANA has created the RDAP Bootstrap Services Registries listed below
and made them available as JSON objects. The contents of these
registries are described in Sections 3, 4, and 5, with the formal
syntax specified in Section 10. The registries MUST be accessible
only through HTTPS (TLS [RFC8446]) transport.
The process for adding or updating entries in these registries
differs from the normal IANA registry processes: these registries are
generated from the data, processes, and policies maintained by IANA
in their allocation registries ([ipv4reg], [ipv6reg], [asreg], and
[domainreg]), with the addition of new RDAP server information.
IANA updates RDAP Bootstrap Services Registries entries from the
allocation registries as those registries are updated.
This document does not change any policies related to the allocation
registries; IANA has provided a mechanism for collecting the RDAP
server information.
IANA has created a new top-level category on the Protocol Registries
page: <https://www.iana.org/protocols>. The group is called
"Registration Data Access Protocol (RDAP)". Each of the RDAP
Bootstrap Services Registries has been made available for on-demand
download in the JSON format by the general public, and that
registry's URI is listed directly on the Protocol Registries page.
Other normal registries will be added to this group by other
documents, but the reason the URIs for these registries are clearly
listed on the main page is to make those URIs obvious to implementers
-- these are registries that will be accessed by software, as well as
by humans using them for reference information.
Because these registries will be accessed by software, the download
demand for the RDAP Bootstrap Services Registries may be unusually
high compared to normal IANA registries. The technical
infrastructure by which registries are published has been put in
place by IANA to support the load. Since the publication of
[RFC7484], no issues have been reported regarding the load or the
service.
As discussed in Section 8, software that accesses these registries
will depend on the HTTP Expires header field to limit their query
rate. It is, therefore, important for that header field to be
properly set to provide timely information as the registries change,
while maintaining a reasonable load on the IANA servers.
The HTTP Content-Type returned to clients accessing these JSON-
formatted registries MUST be "application/json", as defined in
[RFC8259].
Because of how information in the RDAP Bootstrap Services Registries
is grouped and formatted, the registry entries may not be sortable.
It is, therefore, not required or expected that the entries be
ordered in any way.
12.1. Bootstrap Service Registry for IPv4 Address Space
Entries in this registry contain at least the following:
* a CIDR [RFC4632] specification of the network block being
registered
* one or more URLs that provide the RDAP service regarding this
registration
12.2. Bootstrap Service Registry for IPv6 Address Space
Entries in this registry contain at least the following:
* an IPv6 prefix [RFC5952] specification of the network block being
registered
* one or more URLs that provide the RDAP service regarding this
registration
12.3. Bootstrap Service Registry for AS Number Space
Entries in this registry contain at least the following:
* a range of Autonomous System numbers being registered
* one or more URLs that provide the RDAP service regarding this
registration
12.4. Bootstrap Service Registry for Domain Name Space
Entries in this registry contain at least the following:
* a domain name attached to the root being registered
* one or more URLs that provide the RDAP service regarding this
registration
13. References
13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet:
Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
<https://www.rfc-editor.org/info/rfc3339>.
[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
(CIDR): The Internet Address Assignment and Aggregation
Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
2006, <https://www.rfc-editor.org/info/rfc4632>.
[RFC5396] Huston, G. and G. Michaelson, "Textual Representation of
Autonomous System (AS) Numbers", RFC 5396,
DOI 10.17487/RFC5396, December 2008,
<https://www.rfc-editor.org/info/rfc5396>.
[RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952,
DOI 10.17487/RFC5952, August 2010,
<https://www.rfc-editor.org/info/rfc5952>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
2014, <https://www.rfc-editor.org/info/rfc7258>.
[RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7480, DOI 10.17487/RFC7480, March 2015,
<https://www.rfc-editor.org/info/rfc7480>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
[REDIRECT-RDAP]
Martinez, C.M., Ed., Zhou, L., Ed., and G. Rada,
"Redirection Service for Registration Data Access
Protocol", Work in Progress, Internet-Draft, draft-ietf-
weirds-redirects-04, July 2014,
<https://datatracker.ietf.org/doc/html/draft-ietf-weirds-
redirects-04>.
[RFC7071] Borenstein, N. and M. Kucherawy, "A Media Type for
Reputation Interchange", RFC 7071, DOI 10.17487/RFC7071,
November 2013, <https://www.rfc-editor.org/info/rfc7071>.
[RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
RFC 7234, DOI 10.17487/RFC7234, June 2014,
<https://www.rfc-editor.org/info/rfc7234>.
[RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 7481, DOI 10.17487/RFC7481, March 2015,
<https://www.rfc-editor.org/info/rfc7481>.
[RFC7484] Blanchet, M., "Finding the Authoritative Registration Data
(RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
2015, <https://www.rfc-editor.org/info/rfc7484>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access
Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
DOI 10.17487/RFC8521, November 2018,
<https://www.rfc-editor.org/info/rfc8521>.
[RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
Protocol (RDAP) Query Format", STD 95, RFC 9082,
DOI 10.17487/RFC9082, June 2021,
<https://www.rfc-editor.org/info/rfc9082>.
[RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
Registration Data Access Protocol (RDAP)", STD 95,
RFC 9083, DOI 10.17487/RFC9083, June 2021,
<https://www.rfc-editor.org/info/rfc9083>.
Appendix A. Changes since RFC 7484
There are no substantive changes except for minor clarifications.
This update is primarily to meet the requirements for moving to an
Internet Standard.
Acknowledgements
The WEIRDS Working Group had multiple discussions on this topic,
including a session during IETF 84, where various methods such as in-
DNS and others were debated. The idea of using IANA registries was
discovered by the author during discussions with his colleagues as
well as by a comment from Andy Newton. All the people involved in
these discussions are herein acknowledged. Linlin Zhou, Jean-
Philippe Dionne, John Levine, Kim Davies, Ernie Dainow, Scott
Hollenbeck, Arturo Servin, Andy Newton, Murray Kucherawy, Tom
Harrison, Naoki Kambe, Alexander Mayrhofer, Edward Lewis, Pete
Resnick, Alessandro Vesely, Bert Greevenbosch, Barry Leiba, Jari
Arkko, Kathleen Moriaty, Stephen Farrell, Richard Barnes, and Jean-
Francois Tremblay provided input and suggestions to the first version
of this document.
Guillaume Leclanche was a coauthor of this document for some
revisions; his support is therein acknowledged and greatly
appreciated. The section on formal definition was inspired by
Section 6.2 of [RFC7071]. This new version [This document] received
comments and suggestions from Gavin Brown, Patrick Mevzek, John
Levine, Jasdip Singh, George Michaelson, Scott Hollenbeck, Russ
Housley, Joel Halpern, Lars Eggert, Benjamin Kaduk, Scott Kelly, Éric
Vyncke, John Scudder, Erik Kline, and Robert Wilton. Errata for RFC
7484 were submitted by Pieter Vandepitte and were applied to this
document.
