(also RFC 7480, RFC 7481, RFC 9082, RFC 9083, RFC 9224)
[Note that this file is a concatenation of more than one RFC.] Internet Engineering Task Force (IETF) A. Newton Request for Comments: 7480 ARIN Category: Standards Track B. Ellacott ISSN: 2070-1721 APNIC N. Kong CNNIC March 2015 HTTP Usage in the Registration Data Access Protocol (RDAP) Abstract This document is one of a collection that together describes the Registration Data Access Protocol (RDAP). It describes how RDAP is transported using the Hypertext Transfer Protocol (HTTP). RDAP is a successor protocol to the very old WHOIS protocol. The purpose of this document is to clarify the use of standard HTTP mechanisms for this application. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7480. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Newton, et al. Standards Track [Page 1]
RFC 7480 RDAP over HTTP March 2015 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Design Intents . . . . . . . . . . . . . . . . . . . . . . . 5 4. Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. HTTP Methods . . . . . . . . . . . . . . . . . . . . . . 5 4.2. Accept Header . . . . . . . . . . . . . . . . . . . . . . 5 4.3. Query Parameters . . . . . . . . . . . . . . . . . . . . 6 5. Types of HTTP Response . . . . . . . . . . . . . . . . . . . 6 5.1. Positive Answers . . . . . . . . . . . . . . . . . . . . 6 5.2. Redirects . . . . . . . . . . . . . . . . . . . . . . . . 6 5.3. Negative Answers . . . . . . . . . . . . . . . . . . . . 7 5.4. Malformed Queries . . . . . . . . . . . . . . . . . . . . 7 5.5. Rate Limits . . . . . . . . . . . . . . . . . . . . . . . 7 5.6. Cross-Origin Resource Sharing (CORS) . . . . . . . . . . 8 6. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8.1. RDAP Extensions Registry . . . . . . . . . . . . . . . . 9 9. Internationalization Considerations . . . . . . . . . . . . . 10 9.1. URIs and IRIs . . . . . . . . . . . . . . . . . . . . . . 10 9.2. Language Identifiers in Queries and Responses . . . . . . 10 9.3. Language Identifiers in HTTP Headers . . . . . . . . . . 10 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 11 10.2. Informative References . . . . . . . . . . . . . . . . . 12 Appendix A. Protocol Example . . . . . . . . . . . . . . . . . . 13 Appendix B. Cache Busting . . . . . . . . . . . . . . . . . . . 13 Appendix C. Bootstrapping and Redirection . . . . . . . . . . . 14 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Newton, et al. Standards Track [Page 2]
RFC 7480 RDAP over HTTP March 2015 1. Introduction This document describes the usage of the Hypertext Transfer Protocol (HTTP) [RFC7230] for the Registration Data Access Protocol (RDAP). The goal of this document is to tie together usage patterns of HTTP into a common profile applicable to the various types of directory services serving registration data using practices informed by the Representational State Transfer (REST) [REST] architectural style. By giving the various directory services common behavior, a single client is better able to retrieve data from directory services adhering to this behavior. Registration data expected to be presented by this service is Internet resource registration data -- registration of domain names and Internet number resources. This data is typically provided by WHOIS [RFC3912] services, but the WHOIS protocol is insufficient to modern registration data service requirements. A replacement protocol is expected to retain the simple transactional nature of WHOIS, while providing a specification for queries and responses, redirection to authoritative sources, support for Internationalized Domain Names (IDNs) [RFC5890], and support for localized registration data such as addresses and organization or person names. In designing these common usage patterns, this document introduces considerations for a simple use of HTTP. Where complexity may reside, it is the goal of this document to place it upon the server and to keep the client as simple as possible. A client implementation should be possible using common operating system scripting tools (e.g., bash and wget). This is the basic usage pattern for this protocol: 1. A client determines an appropriate server to query along with the appropriate base Uniform Resource Locator (URL) to use in such queries. [RFC7484] describes one method to determine the server and the base URL. See Appendix C for more information. 2. A client issues an HTTP (or HTTPS) query using GET [RFC7231]. As an example, a query URL for the network registration 192.0.2.0 might be http://example.com/rdap/ip/192.0.2.0 [RFC7482] details the various queries used in RDAP. Newton, et al. Standards Track [Page 3]
RFC 7480 RDAP over HTTP March 2015 3. If the receiving server has the information for the query, it examines the Accept header field of the query and returns a 200 response with a response entity appropriate for the requested format. [RFC7483] details a response in JavaScript Object Notation (JSON). 4. If the receiving server does not have the information for the query but does have knowledge of where the information can be found, it will return a redirection response (3xx) with the Location header field containing an HTTP(S) URL pointing to the information or another server known to have knowledge of the location of the information. The client is expected to requery using that HTTP URL. 5. If the receiving server does not have the information being requested and does not have knowledge of where the information can be found, it returns a 404 response. 6. If the receiving server will not answer a request for policy reasons, it will return an error response (4xx) indicating the reason for giving no answer. It is not the intent of this document to redefine the meaning and semantics of HTTP. The purpose of this document is to clarify the use of standard HTTP mechanisms for this application. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. As is noted in "Security and Stability Advisory Committee (SSAC) Report on WHOIS Terminology and Structure" [SAC-051], the term "WHOIS" is overloaded, often referring to a protocol, a service, and data. In accordance with [SAC-051], this document describes the base behavior for an RDAP. [SAC-051] describes a protocol profile of RDAP for Domain Name Registries (DNRs), the Domain Name Registration Data Access Protocol (DNRD-AP). In this document, an RDAP client is an HTTP user agent performing an RDAP query, and an RDAP server is an HTTP server providing an RDAP response. RDAP query and response formats are described in [RFC7482] and [RFC7483], while this document describes how RDAP clients and servers use HTTP to exchange queries and responses. [RFC7481] describes security considerations for RDAP. Newton, et al. Standards Track [Page 4]
RFC 7480 RDAP over HTTP March 2015 3. Design Intents There are a few design criteria this document attempts to meet. First, each query is meant to require only one path of execution to obtain an answer. A response may contain an answer, no answer, or a redirect, and clients are not expected to fork multiple paths of execution to make a query. Second, the semantics of the request/response allow for future and/or non-standard response formats. In this document, only a JSON [RFC7159] response media type is noted, with the response contents to be described separately (see [RFC7483]). This document only describes how RDAP is transported using HTTP with this format. Third, this protocol is intended to be able to make use of the range of mechanisms available for use with HTTP. HTTP offers a number of mechanisms not described further in this document. Operators are able to make use of these mechanisms according to their local policy, including cache control, authorization, compression, and redirection. HTTP also benefits from widespread investment in scalability, reliability, and performance, as well as widespread programmer understanding of client behaviors for web services styled after REST [REST], reducing the cost to deploy Registration Data Directory Services and clients. This protocol is forward compatible with HTTP 2.0. 4. Queries 4.1. HTTP Methods Clients use the GET method to retrieve a response body and use the HEAD method to determine existence of data on the server. Clients SHOULD use either the HTTP GET or HEAD methods (see [RFC7231]). Servers are under no obligation to support other HTTP methods; therefore, clients using other methods will likely not interoperate properly. Clients and servers MUST support HTTPS to support security services. 4.2. Accept Header To indicate to servers that an RDAP response is desired, clients include an Accept header field with an RDAP-specific JSON media type, the generic JSON media type, or both. Servers receiving an RDAP request return an entity with a Content-Type header containing the RDAP-specific JSON media type. Newton, et al. Standards Track [Page 5]
RFC 7480 RDAP over HTTP March 2015 This specification does not define the responses a server returns to a request with any other media types in the Accept header field, or with no Accept header field. One possibility would be to return a response in a media type suitable for rendering in a web browser. 4.3. Query Parameters Servers MUST ignore unknown query parameters. Use of unknown query parameters for cache busting is described in Appendix B. 5. Types of HTTP Response This section describes the various types of responses a server may send to a client. While no standard HTTP response code is forbidden in usage, this section defines the minimal set of response codes in common use by servers that a client will need to understand. While some clients may be constructed with simple tooling that does not account for all of these response codes, a more robust client accounting for these codes will likely provide a better user experience. It is expected that usage of response codes and types for this application not defined here will be described in subsequent documents. 5.1. Positive Answers If a server has the information requested by the client and wishes to respond to the client with the information according to its policies, it returns that answer in the body of a 200 (OK) response (see [RFC7231]). 5.2. Redirects If a server wishes to inform a client that the answer to a given query can be found elsewhere, it returns either a 301 (Moved Permanently) response code to indicate a permanent move or a 302 (Found), 303 (See Other), or 307 (Temporary Redirect) response code to indicate a non-permanent redirection, and it includes an HTTP(S) URL in the Location header field (see [RFC7231]). The client is expected to issue a subsequent request to satisfy the original query using the given URL without any processing of the URL. In other words, the server is to hand back a complete URL, and the client should not have to transform the URL to follow it. Servers are under no obligation to return a URL conformant to [RFC7482]. For this application, such an example of a permanent move might be a Top-Level Domain (TLD) operator informing a client the information Newton, et al. Standards Track [Page 6]
RFC 7480 RDAP over HTTP March 2015 being sought can be found with another TLD operator (i.e., a query for the domain bar in foo.example is found at http://foo.example/domain/bar). For example, if the client uses http://serv1.example.com/weirds/domain/example.com the server redirecting to https://serv2.example.net/weirds2/ would set the Location: field to the value https://serv2.example.net/weirds2/domain/example.com 5.3. Negative Answers If a server wishes to respond that it has an empty result set (that is, no data appropriately satisfying the query), it returns a 404 (Not Found) response code. Optionally, it MAY include additional information regarding the negative answer in the HTTP entity body. If a server wishes to inform the client that information about the query is available, but cannot include the information in the response to the client for policy reasons, the server MUST respond with an appropriate response code out of HTTP's 4xx range. A client MAY retry the query if that is appropriate for the respective response code. 5.4. Malformed Queries If a server receives a query that it cannot interpret as an RDAP query, it returns a 400 (Bad Request) response code. Optionally, it MAY include additional information regarding this negative answer in the HTTP entity body. 5.5. Rate Limits Some servers apply rate limits to deter address scraping and other abuses. When a server declines to answer a query due to rate limits, it returns a 429 (Too Many Requests) response code as described in [RFC6585]. A client that receives a 429 response SHOULD decrease its query rate and honor the Retry-After header field if one is present. Servers may place stricter limits upon clients that do not honor the Retry-After header. Optionally, the server MAY include additional information regarding the rate limiting in the HTTP entity body. Newton, et al. Standards Track [Page 7]
RFC 7480 RDAP over HTTP March 2015 Note that this is not a defense against denial-of-service (DoS) attacks, since a malicious client could ignore the code and continue to send queries at a high rate. A server might use another response code if it did not wish to reveal to a client that rate limiting is the reason for the denial of a reply. 5.6. Cross-Origin Resource Sharing (CORS) When responding to queries, it is RECOMMENDED that servers use the Access-Control-Allow-Origin header field, as specified by [W3C.REC-cors-20140116]. A value of "*" is suitable when RDAP is used for public resources. This header (often called the CORS header) helps in-browser web applications by lifting the "same-origin" restriction (i.e., a browser may load RDAP client code from one web server but query others for RDAP data). By default, browsers do not send cookies when cross origin requests are allowed. Setting the Access-Control-Allow-Credentials header field to "true" will send cookies. Use of the Access-Control-Allow-Credentials header field is NOT RECOMMENDED. 6. Extensibility For extensibility purposes, this document defines an IANA registry for prefixes used in JSON [RFC7159] data serialization and URI path segments (see Section 8). Prefixes and identifiers SHOULD only consist of the alphabetic US- ASCII characters A through Z in both uppercase and lowercase, the numerical digits 0 through 9, and the underscore character, and they SHOULD NOT begin with an underscore character, numerical digit, or the characters "xml". The following describes the production of JSON names in ABNF [RFC5234]. name = ALPHA *( ALPHA / DIGIT / "_" ) Figure 1: ABNF for JSON Names This restriction is a union of the Ruby programming language identifier syntax and the XML element name syntax and has two purposes. First, client implementers using modern programming languages such as Ruby or Java can use libraries that automatically promote JSON names to first-order object attributes or members. Second, a clean mapping between JSON and XML is easy to accomplish using these rules. Newton, et al. Standards Track [Page 8]
RFC 7480 RDAP over HTTP March 2015 7. Security Considerations This document does not pose strong security requirements to the RDAP protocol. However, it does not restrict against the use of security mechanisms offered by the HTTP protocol. It does require that RDAP clients and servers MUST support HTTPS. This document makes recommendations for server implementations against DoS (Section 5.5) and interoperability with existing security mechanisms in HTTP clients (Section 5.6). Additional security considerations to the RDAP protocol are covered in [RFC7481]. 8. IANA Considerations 8.1. RDAP Extensions Registry IANA has created a new category in the protocol registries labeled "Registration Data Access Protocol (RDAP)", and within that category, has established a URL-referenceable, stand-alone registry labeled "RDAP Extensions". The purpose of this registry is to ensure uniqueness of extension identifiers. The extension identifier is used as a prefix in JSON names and as a prefix of path segments in RDAP URLs. The production rule for these identifiers is specified in Section 6. In accordance with [RFC5226], the IANA policy for assigning new values, shall be Specification Required: values and their meanings must be documented in an RFC or in some other permanent and readily available reference, in sufficient detail that interoperability between independent implementations is possible. The following is a template for an RDAP extension registration: Extension identifier: the identifier of the extension Registry operator: the name of the registry operator Published specification: RFC number, bibliographical reference, or URL to a permanent and readily available specification Person & email address to contact for further information: The names and email addresses of individuals to contact regarding this registry entry Newton, et al. Standards Track [Page 9]
RFC 7480 RDAP over HTTP March 2015 Intended usage: brief reasons for this registry entry (as defined by [RFC5226]). The following is an example of a registration in the RDAP extension registry: Extension identifier: lunarNic Registry operator: The Registry of the Moon, LLC Published specification: http://www.example/moon_apis/rdap Person & email address to contact for further information: Professor Bernardo de la Paz <berny@moon.example> Intended usage: COMMON 9. Internationalization Considerations 9.1. URIs and IRIs Clients can use Internationalized Resource Identifiers (IRIs) [RFC3987] for internal use as they see fit but MUST transform them to URIs [RFC3986] for interaction with RDAP servers. RDAP servers MUST use URIs in all responses, and again clients can transform these URIs to IRIs for internal use as they see fit. 9.2. Language Identifiers in Queries and Responses Under most scenarios, clients requesting data will not signal that the data be returned in a particular language or script. On the other hand, when servers return data and have knowledge that the data is in a language or script, the data SHOULD be annotated with language identifiers whenever they are available, thus allowing clients to process and display the data accordingly. [RFC7483] provides such a mechanism. 9.3. Language Identifiers in HTTP Headers Given the description of the use of language identifiers in Section 9.2, unless otherwise specified, servers SHOULD ignore the HTTP [RFC7231] Accept-Language header field when formulating HTTP entity responses, so that clients do not conflate the Accept-Language header with the 'lang' values in the entity body. Newton, et al. Standards Track [Page 10]
RFC 7480 RDAP over HTTP March 2015 However, servers MAY return language identifiers in the Content- Language header field so as to inform clients of the intended language of HTTP layer messages. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>. [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource Identifiers (IRIs)", RFC 3987, January 2005, <http://www.rfc-editor.org/info/rfc3987>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>. [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status Codes", RFC 6585, April 2012, <http://www.rfc-editor.org/info/rfc6585>. [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>. [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014, <http://www.rfc-editor.org/info/rfc7231>. [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the Registration Data Access Protocol (RDAP)", RFC 7481, February 2015, <http://www.rfc-editor.org/info/rfc7481>. [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access Protocol (RDAP) Query Format", RFC 7482, February 2015, <http://www.rfc-editor.org/info/rfc7482>. [RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the Registration Data Access Protocol (RDAP)", RFC 7483, February 2015, <http://www.rfc-editor.org/info/rfc7483>. Newton, et al. Standards Track [Page 11]
RFC 7480 RDAP over HTTP March 2015 [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data (RDAP) Service", RFC 7484, February 2015, <http://www.rfc-editor.org/info/rfc7484>. [W3C.REC-cors-20140116] Kesteren, A., "Cross-Origin Resource Sharing", W3C Recommendation, REC-cors-20140116, January 2014, <http://www.w3.org/TR/2014/REC-cors-20140116/>. 10.2. Informative References [REST] Fielding, R. and R. Taylor, "Principled Design of the Modern Web Architecture", ACM Transactions on Internet Technology, Vol. 2, No. 2, May 2002. [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, September 2004, <http://www.rfc-editor.org/info/rfc3912>. [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008, <http://www.rfc-editor.org/info/rfc5234>. [RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, August 2010, <http://www.rfc-editor.org/info/rfc5890>. [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, March 2014, <http://www.rfc-editor.org/info/rfc7159>. [SAC-051] Piscitello, D., Ed., "SSAC Report on Domain Name WHOIS Terminology and Structure", A report from the ICANN Security and Stability Advisory Committee (SSAC), September 2011. [lacnic-joint-whois] LACNIC, "Joint Whois", December 2005, <ftp://anonymous@ftp.registro.br/pub/gter/ gter20/02-jwhois-lacnic.pdf>. Newton, et al. Standards Track [Page 12]
RFC 7480 RDAP over HTTP March 2015 Appendix A. Protocol Example To demonstrate typical behavior of an RDAP client and server, the following is an example of an exchange, including a redirect. The data in the response has been elided for brevity, as the data format is not described in this document. The media type used here is described in [RFC7483]. An example of an RDAP client and server exchange: Client: <TCP connect to rdap.example.com port 80> GET /rdap/ip/203.0.113.0/24 HTTP/1.1 Host: rdap.example.com Accept: application/rdap+json rdap.example.com: HTTP/1.1 301 Moved Permanently Location: http://rdap-ip.example.com/rdap/ip/203.0.113.0/24 Content-Length: 0 Content-Type: application/rdap+json <TCP disconnect> Client: <TCP connect to rdap-ip.example.com port 80> GET /rdap/ip/203.0.113.0/24 HTTP/1.1 Host: rdap-ip.example.com Accept: application/rdap+json rdap-ip.example.com: HTTP/1.1 200 OK Content-Type: application/rdap+json Content-Length: 9001 { ... } <TCP disconnect> Appendix B. Cache Busting Some HTTP [RFC7230] cache infrastructures do not adhere to caching standards adequately and could cache responses longer than is intended by the server. To overcome these issues, clients can use an ad hoc and improbably used query parameter with a random value of their choosing. As Section 4.3 instructs servers to ignore unknown parameters, this is compatible with the RDAP definition. Newton, et al. Standards Track [Page 13]
RFC 7480 RDAP over HTTP March 2015 An example of using an unknown query parameter to bust caches: http://example.com/ip/192.0.2.0?__fuhgetaboutit=xyz123 Use of an unknown parameter to overcome misbehaving caches is not part of any specification and is offered here for informational purposes. Appendix C. Bootstrapping and Redirection The traditional deployment model of WHOIS [RFC3912] does not provide a mechanism for determining the authoritative source for information. Some approaches have been implemented in the past, most notably the Joint WHOIS [lacnic-joint-whois] initiative. However, among other shortcomings, Joint WHOIS is implemented using proxies and server- side referrals. These issues are solved in RDAP using HTTP redirects and bootstrapping. Bootstrapping is discussed in [RFC7484]. In constrained environments, the processes outlined in [RFC7484] may not be viable, and there may be the need for servers acting as a "redirector". Redirector servers issue HTTP redirects to clients using a redirection table informed by [RFC7484]. Figure 2 diagrams a client using a redirector for bootstrapping. REDIRECTOR ARIN RDAP RDAP . . | | Q: 23.1.1.1? -----------------> | | | | <---------- HTTP 301 --------| | ('Try ARIN RDAP') | | | | | Q: 23.1.1.1? -------------------------------> | | <---------- HTTP 200 --------------------- | (JSON response is returned) | | | . Figure 2: Querying RDAP Data for 23.1.1.1 Newton, et al. Standards Track [Page 14]
RFC 7480 RDAP over HTTP March 2015 In some cases, particularly sub-delegations made between Regional Internet Registries (RIRs) known as "ERX space" and transfers of networks, multiple HTTP redirects will be issued. Figure 3 shows such a scenario. REDIRECTOR LACNIC ARIN RDAP RDAP RDAP . . . Q: 23.1.1.1? ----> | | | | | | <-- HTTP 301 --- | | | ('Try LACNIC') | | | | | | | | | Q: 23.1.1.1? -----------------> | | | | <---------- HTTP 301 --------| | ('Try ARIN RDAP') | | | | | Q: 23.1.1.1? -------------------------------> | | <---------- HTTP 200 --------------------- | (JSON response is returned) | | | . Figure 3: Querying RDAP Data for Data That Has Been Transferred Acknowledgements John Levine provided text to tighten up the Accept header field usage and the text for the section on 429 responses. Marc Blanchet provided some clarifying text regarding the use of URLs with redirects, as well as very useful feedback during Working Group Last Call (WGLC). Normative language reviews were provided by Murray S. Kucherawy, Andrew Sullivan, Tom Harrison, Ed Lewis, and Alexander Mayrhofer. Jean-Phillipe Dionne provided text for the Security Considerations section. The concept of the redirector server informatively discussed in Appendix C was documented by Carlos M. Martinez and Gerardo Rada of Newton, et al. Standards Track [Page 15]
RFC 7480 RDAP over HTTP March 2015 LACNIC and Linlin Zhou of CNNIC and subsequently incorporated into this document. This document is the work product of the IETF's WEIRDS working group, of which Olaf Kolkman and Murray Kucherawy were chairs. Authors' Addresses Andrew Lee Newton American Registry for Internet Numbers 3635 Concorde Parkway Chantilly, VA 20151 United States EMail: andy@arin.net URI: http://www.arin.net Byron J. Ellacott Asia Pacific Network Information Centre 6 Cordelia Street South Brisbane QLD 4101 Australia EMail: bje@apnic.net URI: http://www.apnic.net Ning Kong China Internet Network Information Center 4 South 4th Street, Zhongguancun, Haidian District Beijing 100190 China Phone: +86 10 5881 3147 EMail: nkong@cnnic.cn Newton, et al. Standards Track [Page 16]
========================================================================= Internet Engineering Task Force (IETF) S. Hollenbeck Request for Comments: 7481 Verisign Labs Category: Standards Track N. Kong ISSN: 2070-1721 CNNIC March 2015 Security Services for the Registration Data Access Protocol (RDAP) Abstract The Registration Data Access Protocol (RDAP) provides "RESTful" web services to retrieve registration metadata from Domain Name and Regional Internet Registries. This document describes information security services, including access control, authentication, authorization, availability, data confidentiality, and data integrity for RDAP. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7481. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Hollenbeck & Kong Standards Track [Page 1]
RFC 7481 RDAP Security Services March 2015 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 2.1. Acronyms and Abbreviations . . . . . . . . . . . . . . . 3 3. Information Security Services and RDAP . . . . . . . . . . . 3 3.1. Access Control . . . . . . . . . . . . . . . . . . . . . 3 3.2. Authentication . . . . . . . . . . . . . . . . . . . . . 3 3.2.1. Federated Authentication . . . . . . . . . . . . . . 4 3.3. Authorization . . . . . . . . . . . . . . . . . . . . . . 6 3.4. Availability . . . . . . . . . . . . . . . . . . . . . . 6 3.5. Data Confidentiality . . . . . . . . . . . . . . . . . . 7 3.6. Data Integrity . . . . . . . . . . . . . . . . . . . . . 7 4. Privacy Threats Associated with Registration Data . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 6.2. Informative References . . . . . . . . . . . . . . . . . 11 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction The Registration Data Access Protocol (RDAP) is specified in multiple documents, including "Registration Data Access Protocol (RDAP) Query Format" [RFC7482], "JSON Responses for the Registration Data Access Protocol (RDAP)" [RFC7483], and "HTTP Usage in the Registration Data Access Protocol (RDAP)" [RFC7480]. One goal of RDAP is to provide security services that do not exist in the WHOIS [RFC3912] protocol, including access control, authentication, authorization, availability, data confidentiality, and data integrity. This document describes how each of these services is achieved by RDAP using features that are available in other protocol layers. Additional or alternative mechanisms can be added in the future. Where applicable, informative references to requirements for a WHOIS replacement service [RFC3707] are noted. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Hollenbeck & Kong Standards Track [Page 2]
RFC 7481 RDAP Security Services March 2015 2.1. Acronyms and Abbreviations DNR: Domain Name Registry HTTP: Hypertext Transfer Protocol JSON: JavaScript Object Notation RDAP: Registration Data Access Protocol RIR: Regional Internet Registry TLS: Transport Layer Security 3. Information Security Services and RDAP RDAP itself does not include native security services. Instead, RDAP relies on features that are available in other protocol layers to provide needed security services, including access control, authentication, authorization, availability, data confidentiality, and data integrity. A description of each of these security services can be found in "Internet Security Glossary, Version 2" [RFC4949]. No requirements have been identified for other security services. 3.1. Access Control WHOIS does not include specific features to control access to registration information. As described in the following sections, RDAP includes features to identify, authenticate, and authorize clients, allowing server operators to control access to information based on a client's identity and associated authorizations. Information returned to a client can be clearly marked with a status value (see Section 10.2.2 of [RFC7483]) that identifies the access granted to the client. 3.2. Authentication This section describes security authentication mechanisms and the need for authorization policies to include them. It describes requirements for the implementations of clients and servers but does not dictate the policies of server operators. For example, a server operator with no policy regarding differentiated or tiered access to data will have no authorization mechanisms and will have no need for any type of authentication. A server operator with policies on differentiated access will have to construct an authorization scheme and will need to follow the specified authentication requirements. Hollenbeck & Kong Standards Track [Page 3]
RFC 7481 RDAP Security Services March 2015 WHOIS does not provide features to identify and authenticate clients. As noted in Section 3.1.4.2 of "Cross Registry Internet Service Protocol (CRISP) Requirements" [RFC3707], there is utility in allowing server operators to offer "varying degrees of access depending on policy and need." Clients have to be identified and authenticated to provide that utility. RDAP's authentication framework needs to accommodate anonymous access as well as verification of identities using a range of authentication methods and credential services. To that end, RDAP clients and servers MUST implement the authentication framework specified in "Hypertext Transfer Protocol (HTTP/1.1): Authentication" [RFC7235]. The "basic" scheme can be used to send a client's user name and password to a server in plaintext, base64-encoded form. The "digest" scheme can be used to authenticate a client without exposing the client's plaintext password. If the "basic" scheme is used, HTTP over TLS [RFC2818] MUST be used to protect the client's credentials from disclosure while in transit (see Section 3.5). Servers MUST support either Basic or Digest authentication; they are not required to support both. Clients MUST support both to interoperate with servers that support one or the other. Servers may provide a login page that triggers HTTP authentication. Clients should continue sending the HTTP authentication header once they receive an initial 401 (Unauthorized) response from the HTTP server as long as the scheme portion of the URL doesn't change. The Transport Layer Security protocol [RFC5246] includes an optional feature to identify and authenticate clients who possess and present a valid X.509 digital certificate [RFC5280]. Support for this feature is OPTIONAL. RDAP does not impose any unique server authentication requirements. The server authentication provided by TLS fully addresses the needs of RDAP. In general, transports for RDAP must either provide a TLS-protected transport (e.g., HTTPS) or a mechanism that provides an equivalent level of server authentication. Work on HTTP authentication methods continues. RDAP is designed to be agile enough to support additional methods as they are defined. 3.2.1. Federated Authentication The traditional client-server authentication model requires clients to maintain distinct credentials for every RDAP server. This situation can become unwieldy as the number of RDAP servers increases. Federated authentication mechanisms allow clients to use one credential to access multiple RDAP servers and reduce client Hollenbeck & Kong Standards Track [Page 4]
RFC 7481 RDAP Security Services March 2015 credential management complexity. RDAP MAY include a federated authentication mechanism that permits a client to access multiple RDAP servers in the same federation with one credential. Federated authentication mechanisms used by RDAP MUST be fully supported by HTTP. OAuth, OpenID, Security Assertion Markup Language (SAML), and mechanisms based on Certification Authority (CA) are all possible approaches to provide federated authentication. At the time of this document's publication, negotiation or advertisement of federated authentication services is still an undefined mechanism by the noted federated authentication protocols. Developing this mechanism is beyond the scope of this document. The OAuth authorization framework [RFC6749] describes a method for users to access protected web resources without having to hand out their credentials. Instead, clients are issued access tokens by authorization servers with the permission of the resource owners. Using OAuth, multiple RDAP servers can form a federation, and the clients can access any server in the same federation by providing one credential registered in any server in that federation. The OAuth authorization framework is designed for use with HTTP and thus can be used with RDAP. OpenID [OpenID] is a decentralized single sign-on authentication system that allows users to log in at multiple web sites with one ID instead of having to create multiple unique accounts. An end user can freely choose which OpenID provider to use and can preserve their Identifier if they switch OpenID providers. Note that OAuth and OpenID do not consistently require data confidentiality services to protect interactions between providers and consumers. HTTP over TLS [RFC2818] can be used as needed to provide protection against man-in-the-middle attacks. SAML 2.0 [SAML] is an XML-based protocol that can be used to implement web-based authentication and authorization services, including single sign on. It uses security tokens containing assertions to exchange information about an end user between an identity provider and a service provider. The Transport Layer Security protocol describes the specification of a client certificate in Section 7.4.6 of [RFC5246]. Clients who possess and present a valid X.509 digital certificate, issued by a CA, could be identified and authenticated by a server who trusts the corresponding CA. A certificate authentication method can be used to achieve federated authentication in which multiple RDAP servers all trust the same CAs, and then any client with a certificate issued by a trusted CA can access any RDAP server in the federation. This Hollenbeck & Kong Standards Track [Page 5]
RFC 7481 RDAP Security Services March 2015 certificate-based mechanism is supported by HTTPS and can be used with RDAP. 3.3. Authorization WHOIS does not provide services to grant different levels of access to clients based on a client's authenticated identity. As noted in Section 3.1.4.2 of "Cross Registry Internet Service Protocol (CRISP) Requirements" [RFC3707], there is utility in allowing server operators to offer "varying degrees of access depending on policy and need." Access control decisions can be made once a client's identity has been established and authenticated (see Section 3.2). Server operators MAY offer varying degrees of access depending on policy and need in conjunction with the authentication methods described in Section 3.2. If such varying degrees of access are supported, an RDAP server MUST provide granular access controls (that is, per registration data object) in order to implement authorization policies. Some examples: - Clients will be allowed access only to data for which they have a relationship. - Unauthenticated or anonymous access status may not yield any contact information. - Full access may be granted to a special group of authenticated clients. The type of access allowed by a server will most likely vary from one operator to the next. A description of the response privacy considerations associated with different levels of authorization can be found in Section 13 of [RFC7483]. 3.4. Availability An RDAP service has to be available to be useful. There are no RDAP- unique requirements to provide availability, but as a general security consideration, a service operator needs to be aware of the issues associated with denial of service. A thorough reading of "Internet Denial-of-Service Considerations" [RFC4732] is advised. An RDAP service MAY use an HTTP throttling mechanism to limit the number of queries that a single client can send in a given period of time. If used, the server SHOULD return an HTTP 429 (Too Many Requests) response code as described in "Additional HTTP Status Codes" [RFC6585]. A client that receives a 429 response SHOULD decrease its query rate and honor the Retry-After header field if one Hollenbeck & Kong Standards Track [Page 6]
RFC 7481 RDAP Security Services March 2015 is present. Note that this is not a defense against denial-of-service attacks, since a malicious client could ignore the code and continue to send queries at a high rate. A server might use another response code if it did not wish to reveal to a client that rate limiting is the reason for the denial of a reply. 3.5. Data Confidentiality WHOIS does not provide the ability to protect data from inadvertent disclosure while in transit. RDAP uses HTTP over TLS [RFC2818] to provide that protection by encrypting all traffic sent on the connection between client and server. HTTP over TLS MUST be used to protect all client-server exchanges unless operational constraints make it impossible to meet this requirement. It is also possible to encrypt discrete objects (such as command path segments and JSON- encoded response objects) at one endpoint, send them to the other endpoint via an unprotected transport protocol, and decrypt the object on receipt. Encryption algorithms as described in "Internet Security Glossary, Version 2" [RFC4949] are commonly used to provide data confidentiality at the object level. There are no current requirements for object-level data confidentiality using encryption. Support for this feature could be added to RDAP in the future. As noted in Section 3.2, the HTTP "basic" authentication scheme can be used to authenticate a client. When this scheme is used, HTTP over TLS MUST be used to protect the client's credentials from disclosure while in transit. If the policy of the server operator requires encryption to protect client-server data exchanges (such as to protect non-public data that cannot be accessed without client identification and authentication), HTTP over TLS MUST be used to protect those exchanges. A description of privacy threats that can be addressed with confidentiality services can be found in Section 4. Section 10.2.2 of [RFC7483] describes status values that can be used to describe operator actions used to protect response data from disclosure to unauthorized clients. 3.6. Data Integrity WHOIS does not provide the ability to protect data from modification while in transit. Web services such as RDAP commonly use HTTP over TLS [RFC2818] to provide that protection by using a keyed Message Authentication Code (MAC) to detect modifications. It is also possible to sign discrete objects (such as command path segments and JSON-encoded response objects) at one endpoint, send them to the Hollenbeck & Kong Standards Track [Page 7]
RFC 7481 RDAP Security Services March 2015 other endpoint via a transport protocol, and validate the signature of the object on receipt. Digital signature algorithms as described in "Internet Security Glossary, Version 2" [RFC4949] are commonly used to provide data integrity at the object level. There are no current requirements for object-level data integrity using digital signatures. Support for this feature could be added to RDAP in the future. The most specific need for this service is to provide assurance that HTTP 30x redirection hints [RFC7231] and response elements returned from the server are not modified while in transit. If the policy of the server operator requires message integrity for client-server data exchanges, HTTP over TLS MUST be used to protect those exchanges. 4. Privacy Threats Associated with Registration Data Registration data has historically included personal data about registrants. WHOIS services have historically made this information available to the public, creating a privacy risk by revealing the personal details of registrants. WHOIS services have not had the benefit of authentication or access control mechanisms to gate access to registration data. As a result of this, proxy and privacy services have arisen to shield the identities of registrants. The standardization of RDAP does not change or impact the data that operators may require to be collected from registrants, but it provides support for a number of mechanisms that may be used to mitigate privacy threats to registrants should operators choose to use them. RDAP includes mechanisms that can be used to authenticate clients, allowing servers to support tiered access based on local policy. This means that all registration data need no longer be public, and personal data or data that may be considered more sensitive can have its access restricted to specifically privileged clients. RDAP data structures allow servers to indicate via status values when data returned to clients has been made private, redacted, obscured, or registered by a proxy. "Private" means that the data is not designated for public consumption. "Redacted" means that some registration data fields are not being made available. "Obscured" means that data has been altered for the purposes of not readily revealing the actual registration information. One option that operators have available to them to reduce privacy risks to registrants is to adopt policies that make use of these status values to restrict the registrant data shared with any or all clients Hollenbeck & Kong Standards Track [Page 8]
RFC 7481 RDAP Security Services March 2015 according to the sensitivity of the data, the privileges of the clients, or some other heuristics. RDAP uses the jCard [RFC7095] standard format for entity representation. Operators may find that many of the jCard fields are irrelevant for registry operation purposes or that they have no reason to collect information from registrants that would correspond to certain fields. Operators wishing to reduce privacy risks for registrants may restrict which information they collect and/or which fields they populate in responses. In addition to privacy risks to registrants, there are also potential privacy risks for those who query registration data. For example, the fact that a registry employee performs a particular query may reveal information about the employee's activities that he or she would have preferred to keep private. RDAP supports the use of HTTP over TLS to provide privacy protection for those querying registrant data as well as registrants, unless operational constraints make it impossible to meet this requirement. 5. Security Considerations One of the goals of RDAP is to provide security services that do not exist in the WHOIS protocol. This document describes the security services provided by RDAP and associated protocol layers, including authentication, authorization, availability, data confidentiality, and data integrity. Non-repudiation services were also considered and ultimately rejected due to a lack of requirements. There are, however, currently deployed WHOIS servers that can return signed responses that provide non-repudiation with proof of origin. RDAP might need to be extended to provide this service in the future. As an HTTP-based protocol, RDAP is susceptible to code injection attacks. Code injection refers to adding code into a computer system or program to alter the course of execution. There are many types of code injection, including SQL injection, dynamic variable or function injection, include-file injection, shell injection, and HTML-script injection, among others. Data confidentiality and integrity services provide a measure of defense against man-in-the-middle injection attacks, but vulnerabilities in both client- and server-side software make it possible for injection attacks to succeed. Consistently checking and validating server credentials can help detect man-in-the-middle attacks. As noted in Section 3.2.1, digital certificates can be used to implement federated authentication. There is a risk of too promiscuous, or even rogue, CAs being included in the list of acceptable CAs that the TLS server sends the client as part of the Hollenbeck & Kong Standards Track [Page 9]
RFC 7481 RDAP Security Services March 2015 TLS client-authentication handshake and lending the appearance of trust to certificates signed by those CAs. Periodic monitoring of the list of CAs that RDAP servers trust for client authentication can help reduce this risk. The Transport Layer Security protocol [RFC5246] includes a null cipher suite that does not encrypt data and thus does not provide data confidentiality. This option MUST NOT be used when data confidentiality services are needed. Additional considerations for secure use of TLS are described in [SECURE-TLS-DTLS]. Data integrity services are sometimes mistakenly associated with directory service operational policy requirements focused on data accuracy. "Accuracy" refers to the truthful association of data elements (such as names, addresses, and telephone numbers) in the context of a particular directory object (such as a domain name). Accuracy requirements are out of scope for this protocol. Additional security considerations are described in the specifications for HTTP [RFC7231], HTTP Basic and Digest access authentication [RFC7235], HTTP over TLS [RFC2818], and additional HTTP status codes [RFC6585]. Security considerations for federated authentication systems can be found in the OAuth [RFC6749] and OpenID [OpenID] specifications. 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000, <http://www.rfc-editor.org/info/rfc2818>. [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status Codes", RFC 6585, April 2012, <http://www.rfc-editor.org/info/rfc6585>. [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014, <http://www.rfc-editor.org/info/rfc7231>. [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Authentication", RFC 7235, June 2014, <http://www.rfc-editor.org/info/rfc7235>. Hollenbeck & Kong Standards Track [Page 10]
RFC 7481 RDAP Security Services March 2015 [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the Registration Data Access Protocol (RDAP)", RFC 7480, March 2015, <http://www.rfc-editor.org/info/rfc7480>. [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access Protocol (RDAP) Query Format", RFC 7482, March 2015, <http://www.rfc-editor.org/info/rfc7482>. [RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the Registration Data Access Protocol (RDAP)", RFC 7483, March 2015, <http://www.rfc-editor.org/info/rfc7483>. 6.2. Informative References [OpenID] OpenID Foundation, "OpenID Authentication 2.0 - Final", December 2007, <http://specs.openid.net/auth/2.0>. [RFC3707] Newton, A., "Cross Registry Internet Service Protocol (CRISP) Requirements", RFC 3707, February 2004, <http://www.rfc-editor.org/info/rfc3707>. [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, September 2004, <http://www.rfc-editor.org/info/rfc3912>. [RFC4732] Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006, <http://www.rfc-editor.org/info/rfc4732>. [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>. [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012, <http://www.rfc-editor.org/info/rfc6749>. [RFC7095] Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095, January 2014, <http://www.rfc-editor.org/info/rfc7095>. Hollenbeck & Kong Standards Track [Page 11]
RFC 7481 RDAP Security Services March 2015 [SAML] OASIS, "Security Assertion Markup Language (SAML) v2.0", March 2005, <https://www.oasis-open.org/ standards#samlv2.0>. [SECURE-TLS-DTLS] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of TLS and DTLS", Work in Progress, draft-ietf-uta-tls-bcp-09, February 2015. Hollenbeck & Kong Standards Track [Page 12]
RFC 7481 RDAP Security Services March 2015 Acknowledgements The authors would like to acknowledge the following individuals for their contributions to this document: Richard Barnes, Marc Blanchet, Alissa Cooper, Ernie Dainow, Spencer Dawkins, Jean-Philippe Dionne, Byron Ellacott, Stephen Farrell, Tony Hansen, Peter Koch, Murray Kucherawy, Barry Leiba, Andrew Newton, and Linlin Zhou. Authors' Addresses Scott Hollenbeck Verisign Labs 12061 Bluemont Way Reston, VA 20190 United States EMail: shollenbeck@verisign.com URI: http://www.verisignlabs.com/ Ning Kong China Internet Network Information Center 4 South 4th Street, Zhongguancun, Haidian District Beijing 100190 China Phone: +86 10 5881 3147 EMail: nkong@cnnic.cn Hollenbeck & Kong Standards Track [Page 13]
========================================================================= Internet Engineering Task Force (IETF) S. Hollenbeck Request for Comments: 9082 Verisign Labs STD: 95 A. Newton Obsoletes: 7482 AWS Category: Standards Track June 2021 ISSN: 2070-1721 Registration Data Access Protocol (RDAP) Query Format Abstract This document describes uniform patterns to construct HTTP URLs that may be used to retrieve registration information from registries (including both Regional Internet Registries (RIRs) and Domain Name Registries (DNRs)) using "RESTful" web access patterns. These uniform patterns define the query syntax for the Registration Data Access Protocol (RDAP). This document obsoletes RFC 7482. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9082. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction 2. Conventions Used in This Document 2.1. Acronyms and Abbreviations 3. Path Segment Specification 3.1. Lookup Path Segment Specification 3.1.1. IP Network Path Segment Specification 3.1.2. Autonomous System Path Segment Specification 3.1.3. Domain Path Segment Specification 3.1.4. Nameserver Path Segment Specification 3.1.5. Entity Path Segment Specification 3.1.6. Help Path Segment Specification 3.2. Search Path Segment Specification 3.2.1. Domain Search 3.2.2. Nameserver Search 3.2.3. Entity Search 4. Query Processing 4.1. Partial String Searching 4.2. Associated Records 5. Extensibility 6. Internationalization Considerations 6.1. Character Encoding Considerations 7. IANA Considerations 8. Security Considerations 9. References 9.1. Normative References 9.2. Informative References Appendix A. Changes from RFC 7482 Acknowledgments Authors' Addresses 1. Introduction This document describes a specification for querying registration data using a RESTful web service and uniform query patterns. The service is implemented using the Hypertext Transfer Protocol (HTTP) [RFC7230] and the conventions described in [RFC7480]. These uniform patterns define the query syntax for the Registration Data Access Protocol (RDAP). This document obsoletes RFC 7482. The protocol described in this specification is intended to address deficiencies with the WHOIS protocol [RFC3912] that have been identified over time, including: * lack of standardized command structures; * lack of standardized output and error structures; * lack of support for internationalization and localization; and * lack of support for user identification, authentication, and access control. The patterns described in this document purposefully do not encompass all of the methods employed in the WHOIS and other RESTful web services used by the RIRs and DNRs. The intent of the patterns described here is to enable queries of: * networks by IP address; * Autonomous System (AS) numbers by number; * reverse DNS metadata by domain; * nameservers by name; and * entities (such as registrars and contacts) by identifier. Server implementations are free to support only a subset of these features depending on local requirements. Servers MUST return an HTTP 501 (Not Implemented) [RFC7231] response to inform clients of unsupported query types. It is also envisioned that each registry will continue to maintain WHOIS and/or other RESTful web services specific to their needs and those of their constituencies, and the information retrieved through the patterns described here may reference such services. Likewise, future IETF specifications may add additional patterns for additional query types. A simple pattern namespacing scheme is described in Section 5 to accommodate custom extensions that will not interfere with the patterns defined in this document or patterns defined in future IETF specifications. WHOIS services, in general, are read-only services. Accordingly, URL [RFC3986] patterns specified in this document are only applicable to the HTTP [RFC7231] GET and HEAD methods. This document does not describe the results or entities returned from issuing the described URLs with an HTTP GET. The specification of these entities is described in [RFC9083]. Additionally, resource management, provisioning, and update functions are out of scope for this document. Registries have various and divergent methods covering these functions, and it is unlikely a uniform approach is needed for interoperability. HTTP contains mechanisms for servers to authenticate clients and for clients to authenticate servers (from which authorization schemes may be built), so such mechanisms are not described in this document. Policy, provisioning, and processing of authentication and authorization are out of scope for this document as deployments will have to make choices based on local criteria. Supported authentication mechanisms are described in [RFC7481]. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2.1. Acronyms and Abbreviations IDN: Internationalized Domain Name, a fully-qualified domain name containing one or more labels that are intended to include one or more Unicode code points outside the ASCII range (cf. "domain name", "fully-qualified domain name", and "internationalized domain name" in RFC 8499 [RFC8499]). IDNA: Internationalized Domain Names in Applications, a protocol for the handling of IDNs. In this document, "IDNA" refers specifically to the version of those specifications known as "IDNA2008" [RFC5890]. DNR: Domain Name Registry or Domain Name Registrar NFC: Unicode Normalization Form C [Unicode-UAX15] NFKC: Unicode Normalization Form KC [Unicode-UAX15] RDAP: Registration Data Access Protocol REST: Representational State Transfer. The term was first described in a doctoral dissertation [REST]. RESTful: An adjective that describes a service using HTTP and the principles of REST. RIR: Regional Internet Registry 3. Path Segment Specification The base URLs used to construct RDAP queries are maintained in an IANA registry (the "bootstrap registry") described in [RFC7484]. Queries are formed by retrieving an appropriate base URL from the registry and appending a path segment specified in either Sections 3.1 or 3.2. Generally, a registry or other service provider will provide a base URL that identifies the protocol, host, and port, and this will be used as a base URL that the complete URL is resolved against, as per Section 5 of RFC 3986 [RFC3986]. For example, if the base URL is "https://example.com/rdap/", all RDAP query URLs will begin with "https://example.com/rdap/". The bootstrap registry does not contain information for query objects that are not part of a global namespace, including entities and help. A base URL for an associated object is required to construct a complete query. This limitation can be overcome for entities by using the practice described in RFC 8521 [RFC8521]. For entities, a base URL is retrieved for the service (domain, address, etc.) associated with a given entity. The query URL is constructed by concatenating the base URL with the entity path segment specified in either Sections 3.1.5 or 3.2.3. For help, a base URL is retrieved for any service (domain, address, etc.) for which additional information is required. The query URL is constructed by concatenating the base URL with the help path segment specified in Section 3.1.6. 3.1. Lookup Path Segment Specification A simple lookup to determine if an object exists (or not) without returning RDAP-encoded results can be performed using the HTTP HEAD method as described in Section 4.1 of [RFC7480]. The resource type path segments for exact match lookup are: 'ip': Used to identify IP networks and associated data referenced using either an IPv4 or IPv6 address. 'autnum': Used to identify Autonomous System number registrations and associated data referenced using an asplain Autonomous System number. 'domain': Used to identify reverse DNS (RIR) or domain name (DNR) information and associated data referenced using a fully qualified domain name. 'nameserver': Used to identify a nameserver information query using a host name. 'entity': Used to identify an entity information query using a string identifier. 3.1.1. IP Network Path Segment Specification Syntax: ip/<IP address> or ip/<CIDR prefix>/<CIDR length> Queries for information about IP networks are of the form /ip/XXX or /ip/XXX/YY where the path segment following 'ip' is either an IPv4 dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address block (i.e., XXX/YY). Semantically, the simpler form using the address can be thought of as a CIDR block with a prefix length of 32 for IPv4 and a prefix length of 128 for IPv6. A given specific address or CIDR may fall within multiple IP networks in a hierarchy of networks; therefore, this query targets the "most-specific" or smallest IP network that completely encompasses it in a hierarchy of IP networks. The IPv4 and IPv6 address formats supported in this query are described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and IPv6address ABNF definitions. Any valid IPv6 text address format [RFC4291] can be used. This includes IPv6 addresses written using with or without compressed zeros and IPv6 addresses containing embedded IPv4 addresses. The rules to write a text representation of an IPv6 address [RFC5952] are RECOMMENDED. However, the zone_id [RFC4007] is not appropriate in this context; therefore, the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be used, and servers SHOULD ignore it. For example, the following URL would be used to find information for the most specific network containing 192.0.2.0: https://example.com/rdap/ip/192.0.2.0 The following URL would be used to find information for the most specific network containing 192.0.2.0/24: https://example.com/rdap/ip/192.0.2.0/24 The following URL would be used to find information for the most specific network containing 2001:db8:: https://example.com/rdap/ip/2001:db8:: 3.1.2. Autonomous System Path Segment Specification Syntax: autnum/<autonomous system number> Queries for information regarding Autonomous System number registrations are of the form /autnum/XXX where XXX is an asplain Autonomous System number [RFC5396]. In some registries, registration of Autonomous System numbers is done on an individual number basis, while other registries may register blocks of Autonomous System numbers. The semantics of this query are such that if a number falls within a range of registered blocks, the target of the query is the block registration and that individual number registrations are considered a block of numbers with a size of 1. For example, the following URL would be used to find information describing Autonomous System number 12 (a number within a range of registered blocks): https://example.com/rdap/autnum/12 The following URL would be used to find information describing 4-byte Autonomous System number 65538: https://example.com/rdap/autnum/65538 3.1.3. Domain Path Segment Specification Syntax: domain/<domain name> Queries for domain information are of the form /domain/XXXX, where XXXX is a fully qualified (relative to the root) domain name (as specified in [RFC952] and [RFC1123]) in either the in-addr.arpa or ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone administered by the server operator (for DNRs). Internationalized Domain Names (IDNs) represented in either A-label or U-label format [RFC5890] are also valid domain names. See Section 6.1 for information on character encoding for the U-label format. IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels; that is, internationalized labels in an IDN SHOULD be either all A-labels or all U-labels. It is possible for an RDAP client to assemble a query string from multiple independent data sources. Such a client might not be able to perform conversions between A-labels and U-labels. An RDAP server that receives a query string with a mixture of A-labels and U-labels MAY convert all the U-labels to A-labels, perform IDNA processing, and proceed with exact-match lookup. In such cases, the response to be returned to the query source may not match the input from the query source. Alternatively, the server MAY refuse to process the query. The server MAY perform the match using either the A-label or U-label form. Using one consistent form for matching every label is likely to be more reliable. The following URL would be used to find information describing the zone serving the network 192.0.2/24: https://example.com/rdap/domain/2.0.192.in-addr.arpa The following URL would be used to find information describing the zone serving the network 2001:db8:1::/48: https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa The following URL would be used to find information for the blah.example.com domain name: https://example.com/rdap/domain/blah.example.com The following URL would be used to find information for the xn--fo-5ja.example IDN: https://example.com/rdap/domain/xn--fo-5ja.example 3.1.4. Nameserver Path Segment Specification Syntax: nameserver/<nameserver name> The <nameserver name> parameter represents a fully qualified host name as specified in [RFC952] and [RFC1123]. Internationalized names represented in either A-label or U-label format [RFC5890] are also valid nameserver names. IDN processing for nameserver names uses the domain name processing instructions specified in Section 3.1.3. See Section 6.1 for information on character encoding for the U-label format. The following URL would be used to find information for the ns1.example.com nameserver: https://example.com/rdap/nameserver/ns1.example.com The following URL would be used to find information for the ns1.xn--fo-5ja.example nameserver: https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example 3.1.5. Entity Path Segment Specification Syntax: entity/<handle> The <handle> parameter represents an entity (such as a contact, registrant, or registrar) identifier whose syntax is specific to the registration provider. For example, for some DNRs, contact identifiers are specified in [RFC5730] and [RFC5733]. The following URL would be used to find information for the entity associated with handle XXXX: https://example.com/rdap/entity/XXXX 3.1.6. Help Path Segment Specification Syntax: help The help path segment can be used to request helpful information (command syntax, terms of service, privacy policy, rate-limiting policy, supported authentication methods, supported extensions, technical support contact, etc.) from an RDAP server. The response to "help" should provide basic information that a client needs to successfully use the service. The following URL would be used to return "help" information: https://example.com/rdap/help 3.2. Search Path Segment Specification Pattern matching semantics are described in Section 4.1. The resource type path segments for search are: 'domains': Used to identify a domain name information search using a pattern to match a fully qualified domain name. 'nameservers': Used to identify a nameserver information search using a pattern to match a host name. 'entities': Used to identify an entity information search using a pattern to match a string identifier. RDAP search path segments are formed using a concatenation of the plural form of the object being searched for and an HTTP query string. The HTTP query string is formed using a concatenation of the question mark character ('?', US-ASCII value 0x003F), a noun representing the JSON object property associated with the object being searched for, the equal sign character ('=', US-ASCII value 0x003D), and the search pattern (this is in contrast to the more generic HTTP query string that allows multiple simultaneous parameters). Search pattern query processing is described more fully in Section 4. For the domain, nameserver, and entity objects described in this document, the plural object forms are "domains", "nameservers", and "entities". Detailed results can be retrieved using the HTTP GET method and the path segments specified here. 3.2.1. Domain Search Syntax: domains?name=<domain search pattern> Syntax: domains?nsLdhName=<nameserver search pattern> Syntax: domains?nsIp=<nameserver IP address> Searches for domain information by name are specified using this form: domains?name=XXXX XXXX is a search pattern representing a domain name in "letters, digits, hyphen" (LDH) format [RFC5890]. The following URL would be used to find DNR information for domain names matching the "example*.com" pattern: https://example.com/rdap/domains?name=example*.com IDNs in U-label format [RFC5890] can also be used as search patterns (see Section 4). Searches for these names are of the form /domains?name=XXXX, where XXXX is a search pattern representing a domain name in U-label format [RFC5890]. See Section 6.1 for information on character encoding for the U-label format. Searches for domain information by nameserver name are specified using this form: domains?nsLdhName=YYYY YYYY is a search pattern representing a host name in "letters, digits, hyphen" format [RFC5890]. The following URL would be used to search for domains delegated to nameservers matching the "ns1.example*.com" pattern: https://example.com/rdap/domains?nsLdhName=ns1.example*.com Searches for domain information by nameserver IP address are specified using this form: domains?nsIp=ZZZZ ZZZZ is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following URL would be used to search for domains that have been delegated to nameservers that resolve to the "192.0.2.0" address: https://example.com/rdap/domains?nsIp=192.0.2.0 3.2.2. Nameserver Search Syntax: nameservers?name=<nameserver search pattern> Syntax: nameservers?ip=<nameserver IP address> Searches for nameserver information by nameserver name are specified using this form: nameservers?name=XXXX XXXX is a search pattern representing a host name in "letters, digits, hyphen" format [RFC5890]. The following URL would be used to find information for nameserver names matching the "ns1.example*.com" pattern: https://example.com/rdap/nameservers?name=ns1.example*.com Internationalized nameserver names in U-label format [RFC5890] can also be used as search patterns (see Section 4). Searches for these names are of the form /nameservers?name=XXXX, where XXXX is a search pattern representing a nameserver name in U-label format [RFC5890]. See Section 6.1 for information on character encoding for the U-label format. Searches for nameserver information by nameserver IP address are specified using this form: nameservers?ip=YYYY YYYY is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following URL would be used to search for nameserver names that resolve to the "192.0.2.0" address: https://example.com/rdap/nameservers?ip=192.0.2.0 3.2.3. Entity Search Syntax: entities?fn=<entity name search pattern> Syntax: entities?handle=<entity handle search pattern> Searches for entity information by name are specified using this form: entities?fn=XXXX XXXX is a search pattern representing the "fn" property of an entity (such as a contact, registrant, or registrar) name as described in Section 5.1 of [RFC9083]. The following URL would be used to find information for entity names matching the "Bobby Joe*" pattern: https://example.com/rdap/entities?fn=Bobby%20Joe* Searches for entity information by handle are specified using this form: entities?handle=XXXX XXXX is a search pattern representing an entity (such as a contact, registrant, or registrar) identifier whose syntax is specific to the registration provider. The following URL would be used to find information for entity handles matching the "CID-40*" pattern: https://example.com/rdap/entities?handle=CID-40* URLs MUST be properly encoded according to the rules of [RFC3986]. In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*". 4. Query Processing Servers indicate the success or failure of query processing by returning an appropriate HTTP response code to the client. Response codes not specifically identified in this document are described in [RFC7480]. 4.1. Partial String Searching Partial string searching uses the asterisk ('*', US-ASCII value 0x2A) character to match zero or more trailing characters. A character string representing a domain label suffix MAY be concatenated to the end of the search pattern to limit the scope of the search. For example, the search pattern "exam*" will match "example.com" and "example.net". The search pattern "exam*.com" will match "example.com". If an asterisk appears in a search string, any label that contains the non-asterisk characters in sequence plus zero or more characters in sequence in place of the asterisk would match. A partial string search MUST NOT include more than one asterisk. Additional pattern matching processing is beyond the scope of this specification. If a server receives a search request but cannot process the request because it does not support a particular style of partial match searching, it SHOULD return an HTTP 422 (Unprocessable Entity) [RFC4918] response (unless another response code is more appropriate based on a server's policy settings) to note that search functionality is supported, but this particular query cannot be processed. When returning a 422 error, the server MAY also return an error response body as specified in Section 6 of [RFC9083] if the requested media type is one that is specified in [RFC7480]. Partial matching is not feasible across combinations of Unicode characters because Unicode characters can be combined with each other. Servers SHOULD NOT partially match combinations of Unicode characters where a legal combination is possible. It should be noted, though, that it may not always be possible to detect cases where a character could have been combined with another character, but was not, because characters can be combined in many different ways. Clients SHOULD NOT submit a partial match search of Unicode characters where a Unicode character may be legally combined with another Unicode character or characters. Partial match searches with incomplete combinations of characters where a character must be combined with another character or characters are invalid. Partial match searches with characters that may be combined with another character or characters are to be considered non-combined characters (that is, if character x may be combined with character y but character y is not submitted in the search string, then character x is a complete character and no combinations of character x are to be searched). 4.2. Associated Records Conceptually, any query-matching record in a server's database might be a member of a set of related records, related in some fashion as defined by the server -- for example, variants of an IDN. The entire set ought to be considered as candidates for inclusion when constructing the response. However, the construction of the final response needs to be mindful of privacy and other data-releasing policies when assembling the RDAP response set. Note too that due to the nature of searching, there may be a list of query-matching records. Each one of those is subject to being a member of a set as described in the previous paragraph. What is ultimately returned in a response will be the union of all the sets that has been filtered by whatever policies are in place. Note that this model includes arrangements for associated names, including those that are linked by policy mechanisms and names bound together for some other purposes. Note also that returning information that was not explicitly selected by an exact-match lookup, including additional names that match a relatively fuzzy search as well as lists of names that are linked together, may cause privacy issues. Note that there might not be a single, static information return policy that applies to all clients equally. Client identity and associated authorizations can be a relevant factor in determining how broad the response set will be for any particular query. 5. Extensibility This document describes path segment specifications for a limited number of objects commonly registered in both RIRs and DNRs. It does not attempt to describe path segments for all of the objects registered in all registries. Custom path segments can be created for objects not specified here using the process described in Section 6 of "HTTP Usage in the Registration Data Access Protocol (RDAP)" [RFC7480]. Custom path segments can be created by prefixing the segment with a unique identifier followed by an underscore character (0x5F). For example, a custom entity path segment could be created by prefixing "entity" with "custom_", producing "custom_entity". Servers MUST return an appropriate failure status code for a request with an unrecognized path segment. 6. Internationalization Considerations There is value in supporting the ability to submit either a U-label (Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN label) as a query argument to an RDAP service. Clients capable of processing non-US-ASCII characters may prefer a U-label since this is more visually recognizable and familiar than A-label strings, but clients using programmatic interfaces might find it easier to submit and display A-labels if they are unable to input U-labels with their keyboard configuration. Both query forms are acceptable. Internationalized domain and nameserver names can contain character variants and variant labels as described in [RFC4290]. Clients that support queries for internationalized domain and nameserver names MUST accept service provider responses that describe variants as specified in "JSON Responses for the Registration Data Access Protocol (RDAP)" [RFC9083]. 6.1. Character Encoding Considerations Servers can expect to receive search patterns from clients that contain character strings encoded in different forms supported by HTTP. It is entirely possible to apply filters and normalization rules to search patterns prior to making character comparisons, but this type of processing is more typically needed to determine the validity of registered strings than to match patterns. An RDAP client submitting a query string containing non-US-ASCII characters converts such strings into Unicode in UTF-8 encoding. It then performs any local case mapping deemed necessary. Strings are normalized using Normalization Form C (NFC) [Unicode-UAX15]; note that clients might not be able to do this reliably. UTF-8 encoded strings are then appropriately percent-encoded [RFC3986] in the query URL. After parsing any percent-encoding, an RDAP server treats each query string as Unicode in UTF-8 encoding. If a string is not valid UTF-8, the server can immediately stop processing the query and return an HTTP 400 (Bad Request) response. When processing queries, there is a difference in handling DNS names, including those with putative U-labels, and everything else. DNS names are treated according to the DNS matching rules as described in Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH) labels and the matching rules described in Section 5.4 of RFC 5891 [RFC5891] for U-labels. Matching of DNS names proceeds one label at a time because it is possible for a combination of U-labels and NR- LDH labels to be found in a single domain or host name. The determination of whether a label is a U-label or an NR-LDH label is based on whether the label contains any characters outside of the US- ASCII letters, digits, or hyphen (the so-called LDH rule). For everything else, servers map fullwidth and halfwidth characters to their decomposition equivalents. Servers convert strings to the same coded character set of the target data that is to be looked up or searched, and each string is normalized using the same normalization that was used on the target data. In general, storage of strings as Unicode is RECOMMENDED. For the purposes of comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case folding is used to maximize predictability and the number of matches. Note the use of case-folded NFKC as opposed to NFC in this case. 7. IANA Considerations This document has no IANA actions. 8. Security Considerations Security services for the operations specified in this document are described in "Security Services for the Registration Data Access Protocol (RDAP)" [RFC7481]. Search functionality typically requires more server resources (such as memory, CPU cycles, and network bandwidth) when compared to basic lookup functionality. This increases the risk of server resource exhaustion and subsequent denial of service due to abuse. This risk can be mitigated by developing and implementing controls to restrict search functionality to identified and authorized clients. If those clients behave badly, their search privileges can be suspended or revoked. Rate limiting as described in Section 5.5 of "HTTP Usage in the Registration Data Access Protocol (RDAP)" [RFC7480] can also be used to control the rate of received search requests. Server operators can also reduce their risk by restricting the amount of information returned in response to a search request. Search functionality also increases the privacy risk of disclosing object relationships that might not otherwise be obvious. For example, a search that returns IDN variants [RFC6927] that do not explicitly match a client-provided search pattern can disclose information about registered domain names that might not be otherwise available. Implementers need to consider the policy and privacy implications of returning information that was not explicitly requested. Note that there might not be a single, static information return policy that applies to all clients equally. Client identity and associated authorizations can be a relevant factor in determining how broad the response set will be for any particular query. 9. References 9.1. Normative References [RFC952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet host table specification", RFC 952, DOI 10.17487/RFC952, October 1985, <https://www.rfc-editor.org/info/rfc952>. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <https://www.rfc-editor.org/info/rfc1035>. [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, DOI 10.17487/RFC1123, October 1989, <https://www.rfc-editor.org/info/rfc1123>. [RFC1166] Kirkpatrick, S., Stahl, M., and M. Recker, "Internet numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990, <https://www.rfc-editor.org/info/rfc1166>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006, <https://www.rfc-editor.org/info/rfc4291>. [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August 2006, <https://www.rfc-editor.org/info/rfc4632>. [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)", RFC 4918, DOI 10.17487/RFC4918, June 2007, <https://www.rfc-editor.org/info/rfc4918>. [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of Autonomous System (AS) Numbers", RFC 5396, DOI 10.17487/RFC5396, December 2008, <https://www.rfc-editor.org/info/rfc5396>. [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, <https://www.rfc-editor.org/info/rfc5730>. [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733, August 2009, <https://www.rfc-editor.org/info/rfc5733>. [RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <https://www.rfc-editor.org/info/rfc5890>. [RFC5891] Klensin, J., "Internationalized Domain Names in Applications (IDNA): Protocol", RFC 5891, DOI 10.17487/RFC5891, August 2010, <https://www.rfc-editor.org/info/rfc5891>. [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010, <https://www.rfc-editor.org/info/rfc5952>. [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <https://www.rfc-editor.org/info/rfc7230>. [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, <https://www.rfc-editor.org/info/rfc7231>. [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the Registration Data Access Protocol (RDAP)", STD 95, RFC 7480, DOI 10.17487/RFC7480, March 2015, <https://www.rfc-editor.org/info/rfc7480>. [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the Registration Data Access Protocol (RDAP)", STD 95, RFC 7481, DOI 10.17487/RFC7481, March 2015, <https://www.rfc-editor.org/info/rfc7481>. [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March 2015, <https://www.rfc-editor.org/info/rfc7484>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, January 2019, <https://www.rfc-editor.org/info/rfc8499>. [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the Registration Data Access Protocol (RDAP)", STD 95, RFC 9083, DOI 10.17487/RFC9083, June 2021, <https://www.rfc-editor.org/info/rfc9083>. [Unicode-UAX15] The Unicode Consortium, "Unicode Standard Annex #15: Unicode Normalization Forms", September 2013, <https://www.unicode.org/reports/tr15/>. 9.2. Informative References [REST] Fielding, R., "Architectural Styles and the Design of Network-based Software Architectures", Ph.D. Dissertation, University of California, Irvine, 2000, <https://www.ics.uci.edu/~fielding/pubs/dissertation/ fielding_dissertation.pdf>. [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, DOI 10.17487/RFC3912, September 2004, <https://www.rfc-editor.org/info/rfc3912>. [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, DOI 10.17487/RFC4007, March 2005, <https://www.rfc-editor.org/info/rfc4007>. [RFC4290] Klensin, J., "Suggested Practices for Registration of Internationalized Domain Names (IDN)", RFC 4290, DOI 10.17487/RFC4290, December 2005, <https://www.rfc-editor.org/info/rfc4290>. [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing IPv6 Zone Identifiers in Address Literals and Uniform Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874, February 2013, <https://www.rfc-editor.org/info/rfc6874>. [RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names Registered in Top-Level Domains", RFC 6927, DOI 10.17487/RFC6927, May 2013, <https://www.rfc-editor.org/info/rfc6927>. [RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access Protocol (RDAP) Object Tagging", BCP 221, RFC 8521, DOI 10.17487/RFC8521, November 2018, <https://www.rfc-editor.org/info/rfc8521>. Appendix A. Changes from RFC 7482 * Addressed known errata. * Addressed other reported clarifications and corrections: IDN, IDNA, and DNR definitions. Noted that registrars are entities. Added a reference to RFC 8521 to address the bootstrap registry limitation. Removed extraneous "...". Clarified HTTP query string, search pattern, name server search, domain label suffix, and asterisk search. * Addressed "The HTTP query string" clarification. * Modified coauthor address. * Updated references to RFC 7483 to RFC 9083. * Added an IANA Considerations section. Changed references to use HTTPS for targets. * Changed "XXXX is a search pattern representing the "FN" property of an entity (such as a contact, registrant, or registrar) name as specified in Section 5.1" to "Changed "XXXX is a search pattern representing the "fn" property of an entity (such as a contact, registrant, or registrar) name as described in Section 5.1". * Added acknowledgments. * Changed "The intent of the patterns described here are to enable queries" to "The intent of the patterns described here is to enable queries". * Changed "the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be used, and servers are to ignore it if possible" to "the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be used, and servers SHOULD ignore it". * Changed "Only a single asterisk is allowed for a partial string search" to "A partial string search MUST NOT include more than one asterisk". * Changed "Clients should avoid submitting a partial match search of Unicode characters where a Unicode character may be legally combined with another Unicode character or characters" to "Clients SHOULD NOT submit a partial match search of Unicode characters where a Unicode character may be legally combined with another Unicode character or characters". * Changed description of nameserver IP address "search pattern" in Sections 3.2.1 and 3.2.2. * IESG review feedback: Added "obsoletes 7482" to the headers, Abstract, and Introduction. Changed "IETF standards" to "IETF specifications" and "Therefore" to "Accordingly" in Section 1. Updated the BCP 14 boilerplate. Added definition of "bootstrap registry" and changed "concatenating ... to" to "concatenating ... with" in Section 3. Changed "bitmask length" to "prefix length" and "2001:db8::0" to "2001:db8::" in Section 3.1.1. Added "in contrast to the more generic HTTP query string that admits multiple simultaneous parameters" in Section 3.2. Changed "0x002A" to "0x2A" in Section 4.1. Clarified use of HTTP 422 SHOULD in Section 4.1. Acknowledgments This document is derived from original work on RIR query formats developed by Byron J. Ellacott of APNIC, Arturo L. Servin of LACNIC, Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN. Additionally, this document incorporates DNR query formats originally described by Francisco Arias and Steve Sheng of ICANN and Scott Hollenbeck of Verisign Labs. The authors would like to acknowledge the following individuals for their contributions to this document: Francisco Arias, Marc Blanchet, Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam Esfahbod, John Klensin, John Levine, Edward Lewis, Mario Loffredo, Patrick Mevzek, Mark Nottingham, Kaveh Ranjbar, Arturo L. Servin, Steve Sheng, Jasdip Singh, and Andrew Sullivan. Authors' Addresses Scott Hollenbeck Verisign Labs 12061 Bluemont Way Reston, VA 20190 United States of America Email: shollenbeck@verisign.com URI: https://www.verisignlabs.com/ Andy Newton Amazon Web Services, Inc. 13200 Woodland Park Road Herndon, VA 20171 United States of America Email: andy@hxr.us ========================================================================= Internet Engineering Task Force (IETF) S. Hollenbeck Request for Comments: 9083 Verisign Labs STD: 95 A. Newton Obsoletes: 7483 AWS Category: Standards Track June 2021 ISSN: 2070-1721 JSON Responses for the Registration Data Access Protocol (RDAP) Abstract This document describes JSON data structures representing registration information maintained by Regional Internet Registries (RIRs) and Domain Name Registries (DNRs). These data structures are used to form Registration Data Access Protocol (RDAP) query responses. This document obsoletes RFC 7483. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9083. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction 1.1. Terminology and Definitions 1.2. Data Model 2. Use of JSON 2.1. Naming 3. Common Data Types 4. Common Data Structures 4.1. RDAP Conformance 4.2. Links 4.3. Notices and Remarks 4.4. Language Identifier 4.5. Events 4.6. Status 4.7. Port 43 WHOIS Server 4.8. Public IDs 4.9. Object Class Name 4.10. An Example 5. Object Classes 5.1. The Entity Object Class 5.2. The Nameserver Object Class 5.3. The Domain Object Class 5.4. The IP Network Object Class 5.5. The Autonomous System Number Object Class 6. Error Response Body 7. Responding to Help Queries 8. Responding To Searches 9. Indicating Truncated Responses 10. IANA Considerations 10.1. RDAP JSON Media Type Registration 10.2. JSON Values Registry 10.2.1. Notice and Remark Types 10.2.2. Status 10.2.3. Event Actions 10.2.4. Roles 10.2.5. Variant Relations 11. Security Considerations 12. Internationalization Considerations 12.1. Character Encoding 12.2. URIs and IRIs 12.3. Language Tags 12.4. Internationalized Domain Names 13. Privacy Considerations 14. References 14.1. Normative References 14.2. Informative References Appendix A. Suggested Data Modeling with the Entity Object Class A.1. Registrants and Contacts A.2. Registrars Appendix B. Modeling Events Appendix C. Structured vs. Unstructured Addresses Appendix D. Secure DNS Appendix E. Motivations for Using JSON Appendix F. Changes from RFC 7483 Acknowledgments Authors' Addresses 1. Introduction This document describes responses in the JSON [RFC8259] format for the queries as defined by the Registration Data Access Protocol Query Format [RFC9082]. A communication protocol for exchanging queries and responses is described in [RFC7480]. This document obsoletes RFC 7483. 1.1. Terminology and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The following list describes terminology and definitions used throughout this document: DNR: Domain Name Registry or Domain Name Registrar LDH: letters, digits, hyphen member: data found within an object as defined by JSON [RFC8259] object: a data structure as defined by JSON [RFC8259] object class: the definition of members that may be found in JSON objects described in this document object instance: an instantiation or specific instance of an object class RDAP: Registration Data Access Protocol RIR: Regional Internet Registry 1.2. Data Model The data model for JSON responses is specified in five sections: 1. simple data types conveyed in JSON primitive types (strings, numbers, booleans, and null) 2. data structures specified as JSON arrays or objects that are used repeatedly when building up larger objects 3. object classes representing structured data corresponding to a lookup of a single object 4. arrays of objects representing structured data corresponding to a search for multiple objects 5. the response to an error The object classes represent responses for two major categories of data: responses returned by RIRs for registration data related to IP addresses, reverse DNS names, and Autonomous System numbers and responses returned by DNRs for registration data related to forward DNS names. The following object classes are returned by both RIRs and DNRs: 1. domains 2. nameservers 3. entities The information served by both RIRs and DNRs for these object classes overlap extensively and are given in this document as a unified model for both classes of service. In addition to the object classes listed above, RIRs also serve the following object classes: 1. IP networks 2. Autonomous System numbers Object classes defined in this document represent a minimal set of what a compliant client/server needs to understand to function correctly; however, some deployments may want to include additional object classes to suit individual needs. Anticipating this need for extension, Section 2.1 of this document defines a mechanism for extending the JSON objects that are described in this document. Positive responses take two forms. A response to a lookup of a single object in the registration system yields a JSON object, which is the subject of the lookup. A response to a search for multiple objects yields a JSON object that contains an array of JSON objects that are the subject of the search. In each type of response, other data structures are present within the topmost JSON object. 2. Use of JSON 2.1. Naming Clients of these JSON responses SHOULD ignore unrecognized JSON members in responses. Servers can insert members into the JSON responses, which are not specified in this document, but that does not constitute an error in the response. Servers that insert such unspecified members into JSON responses SHOULD have member names prefixed with a short identifier followed by an underscore followed by a meaningful name. It has been observed that these short identifiers aid software implementers with identifying the specification of the JSON member, and failure to use one could cause an implementer to assume the server is erroneously using a name from this specification. This allowance does not apply to jCard [RFC7095] objects. The full JSON name (the prefix plus the underscore plus the meaningful name) SHOULD adhere to the character and name limitations of the prefix registry described in [RFC7480]. Failure to use these limitations could result in slower adoption as these limitations have been observed to aid some client programming models. Consider the following JSON response with JSON members, all of which are specified in this document. { "handle" : "ABC123", "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ] } Figure 1 If The Registry of the Moon desires to express information not found in this specification, it might select "lunarNIC" as its identifying prefix and insert, as an example, the member named "lunarNIC_beforeOneSmallStep" to signify registrations occurring before the first moon landing and the member named "lunarNIC_harshMistressNotes" that contains other descriptive text. Consider the following JSON response with JSON names, some of which should be ignored by clients without knowledge of their meaning. { "handle" : "ABC123", "lunarNIC_beforeOneSmallStep" : "TRUE THAT!", "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "lunarNIC_harshMistressNotes" : [ "In space,", "nobody can hear you scream." ] } Figure 2 Insertion of unrecognized members ignored by clients may also be used for future revisions to this specification. Clients processing JSON responses need to be prepared for members representing registration data specified in this document to be absent from a response. In other words, servers are free to omit unrequired/optional JSON members containing registration data based on their own policies. Finally, all JSON names specified in this document are case sensitive. Both servers and clients MUST transmit and process them using the specified character case. 3. Common Data Types JSON [RFC8259] defines the data types of a number, character string, boolean, array, object, and null. This section describes the semantics and/or syntax reference for common, JSON character strings used in this document. handle: DNRs and RIRs have registry-unique identifiers that may be used to specifically reference an object instance. The semantics of this data type as found in this document are to be a registry-unique reference to the closest enclosing object where the value is found. The data type names "registryId", "roid", "nic-handle", "registrationNo", etc., are terms often synonymous with this data type. In this document, the term "handle" is used. The term exposed to users by clients is a presentation issue beyond the scope of this document. This value is a simple character string. IPv4 addresses: The representation of IPv4 addresses in this document uses the dotted-decimal notation. An example of this textual representation is "192.0.2.0". IPv6 addresses: The representation of IPv6 addresses in this document follow the forms outlined in [RFC5952]. An example of this textual representation is "2001:db8::1:0:0:1". country codes: Where the identity of a geopolitical nation or country is needed, these identities are represented with the alpha-2 or two-character country code designation as defined in [ISO.3166.2020]. The alpha-2 representation is used because it is freely available, whereas the alpha-3 and numeric-3 standards are not. LDH names: Textual representations of DNS names where the labels of the domain are all "letters, digits, hyphen" labels as described by [RFC5890]. Trailing periods are optional. Unicode names: Textual representations of DNS names where one or more of the labels are U-labels as described by [RFC5890]. Trailing periods are optional. dates and times: The syntax for values denoting dates and times is defined in [RFC3339]. URIs: The syntax for values denoting a Uniform Resource Identifier (URI) is defined by [RFC3986]. Contact information is defined using jCards as described in [RFC7095]. The "fn" member is required and MUST NOT be null according to [RFC6350]. An empty "fn" member MAY be used when the contact name does not exist or is redacted. 4. Common Data Structures This section defines common data structures used in responses and object classes. 4.1. RDAP Conformance The data structure named "rdapConformance" is an array of strings, each providing a hint as to the specifications used in the construction of the response. This data structure MUST appear in the topmost JSON object of a response and MUST NOT appear anywhere else. A response to a "help" request will include identifiers for all of the specifications supported by the server. A response to any other request will include only identifiers for the specifications used in the construction of the response. The set of returned identifiers MAY vary depending on the authorization level of the client. An example rdapConformance data structure: "rdapConformance" : [ "rdap_level_0" ] Figure 3 The string literal "rdap_level_0" signifies conformance with this specification. When custom JSON values are inserted into responses, conformance to those custom specifications MUST be indicated by including a unique string literal value registered in the IANA RDAP Extensions registry specified in [RFC7480]. For example, if the fictional Registry of the Moon wants to signify that their JSON responses are conformant with their registered extensions, the string used might be "lunarNIC_level_0". These registered values aid the identification of specifications for software implementers, and failure to use them could result in slower adoption of extensions. Example rdapConformance structure with custom extensions noted: "rdapConformance" : [ "rdap_level_0", "lunarNIC_level_0" ] Figure 4 4.2. Links The "links" array is found in data structures to signify links to other resources on the Internet. The relationship of these links is defined by the IANA registry described by [RFC8288]. The following is an example of the link structure: { "value" : "https://example.com/context_uri", "rel" : "self", "href" : "https://example.com/target_uri", "hreflang" : [ "en", "ch" ], "title" : "title", "media" : "screen", "type" : "application/json" } Figure 5 The JSON name/values of "rel", "href", "hreflang", "title", "media", and "type" correspond to values found in Section 3 of [RFC8288]. The "value" JSON value is the context URI as described by [RFC8288]. The "value", "rel", and "href" JSON values MUST be specified. All other JSON values are OPTIONAL. A "related" link relation MUST NOT include an "href" URI that is the same as the "self" link relation "href" URI to reduce the risk of infinite client processing loops. Internationalized Domain Names (IDNs) returned in URIs SHOULD be consistently returned in LDH name format to allow clients to process these IDNs according to their capabilities. This is an example of the "links" array as it might be found in an object class: "links" : [ { "value" : "https://example.com/ip/2001:db8::123", "rel" : "self", "href" : "https://example.com/ip/2001:db8::123", "type" : "application/rdap+json" }, { "value" : "https://example.com/ip/2001:db8::123", "rel" : "up", "href" : "https://example.com/ip/2001:db8::/48", "type" : "application/rdap+json" } ] Figure 6 4.3. Notices and Remarks The "notices" and "remarks" data structures take the same form. The notices structure denotes information about the service providing RDAP information and/or information about the entire response, whereas the remarks structure denotes information about the object class that contains it (see Section 5 regarding object classes). Both are arrays of objects. Each object contains a "title" string representing the title of the object, a "type" string denoting a registered type of remark or notice (see Section 10.2.1), an array of strings named "description" for the purposes of conveying any descriptive text, and a "links" array as described in Section 4.2. The "description" array MUST be included. All other JSON values are OPTIONAL. An example of the notices data structure: "notices" : [ { "title" : "Terms of Use", "description" : [ "Service subject to The Registry of the Moon's TOS.", "Copyright (c) 2020 LunarNIC" ], "links" : [ { "value" : "https://example.net/entity/XXXX", "rel" : "alternate", "type" : "text/html", "href" : "https://www.example.com/terms_of_use.html" } ] } ] Figure 7 It is the job of the clients to determine line breaks, spacing, and display issues for sentences within the character strings of the "description" array. Each string in the "description" array contains a single complete division of human-readable text indicating to clients where there are semantic breaks. An example of the remarks data structure: "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ] Figure 8 Note that objects in the "remarks" array may also have a "links" array. While the "title" and "description" fields are intended primarily for human consumption, the "type" string contains a well-known value to be registered with IANA (see Section 10.2.1) for programmatic use. An example of the remarks data structure: "remarks" : [ { "type" : "object truncated due to authorization", "description" : [ "Some registration data may not have been given.", "Use proper authorization credentials to see all of it." ] } ] Figure 9 While the "remarks" array will appear in many object classes in a response, the "notices" array appears only in the topmost object of a response. 4.4. Language Identifier This data structure consists solely of a name/value pair, where the name is "lang" and the value is a string containing a language identifier as described in [RFC5646]. "lang" : "mn-Cyrl-MN" Figure 10 The "lang" attribute as defined in this section MAY appear anywhere in an object class or data structure, except for in jCard objects. vCard supports similar functionality by way of the LANGUAGE property parameter (see Section 5.1 of RFC 6350 [RFC6350]). 4.5. Events This data structure represents events that have occurred on an instance of an object class (see Section 5 regarding object classes). This is an example of an "events" array. "events" : [ { "eventAction" : "registration", "eventActor" : "SOMEID-LUNARNIC", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventActor" : "OTHERID-LUNARNIC", "eventDate" : "1991-12-31T23:59:59Z" } ] Figure 11 The "events" array consists of objects, each with the following members: * "eventAction" -- a REQUIRED string denoting the reason for the event * "eventActor" -- an OPTIONAL identifier denoting the actor responsible for the event * "eventDate" -- a REQUIRED string containing the time and date the event occurred * "links" -- OPTIONAL; see Section 4.2 Events can be future dated. One use case for future dating of events is to denote when an object expires from a registry. The "links" array in this data structure is provided for references to the event actor. In order to reference an RDAP entity, a "rel" of "related" and a "type" of "application/rdap+json" is used in the link reference. See Section 10.2.3 for a list of values for the "eventAction" string. See Appendix B regarding the various ways events can be modeled. 4.6. Status This data structure, named "status", is an array of strings indicating the state of a registered object (see Section 10.2.2 for a list of values). 4.7. Port 43 WHOIS Server This data structure, a member named "port43", is a simple character string containing the fully qualified host name or IP address of the WHOIS [RFC3912] server where the containing object instance may be found. Note that this is not a URI, as there is no WHOIS URI scheme. 4.8. Public IDs This data structure maps a public identifier to an object class. It is named "publicIds" and is an array of objects, with each object containing the following REQUIRED members: * type -- a string denoting the type of public identifier * identifier -- a string denoting a public identifier of the type related to "type" The following is an example of a publicIds structure. "publicIds": [ { "type":"IANA Registrar ID", "identifier":"1" } ] Figure 12 4.9. Object Class Name This data structure, a member named "objectClassName", gives the object class name of a particular object as a string. This identifies the type of object being processed. An objectClassName is REQUIRED in all RDAP response objects so that the type of the object can be interpreted. 4.10. An Example This is an example response with both rdapConformance and notices embedded: { "rdapConformance" : [ "rdap_level_0" ], "notices" : [ { "title" : "Content Removed", "description" : [ "Without full authorization, content has been removed.", "Sorry, dude!" ], "links" : [ { "value" : "https://example.net/ip/192.0.2.0/24", "rel" : "alternate", "type" : "text/html", "href" : "https://www.example.com/redaction_policy.html" } ] } ], "lang" : "en", "objectClassName" : "ip network", "startAddress" : "192.0.2.0", "endAddress" : "192.0.2.255", "handle" : "XXXX-RIR", "ipVersion" : "v4", "name": "NET-RTR-1", "parentHandle" : "YYYY-RIR", "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ] } Figure 13 5. Object Classes Object classes represent structures appropriate for a response from the queries specified in [RFC9082]. Each object class contains a "links" array as specified in Section 4.2. For every object class instance in a response, whether the object class instance is directly representing the response to a query or is embedded in other object class instances or is an item in a search result set, servers SHOULD provide a link representing a URI for that object class instance using the "self" relationship as described in the IANA registry specified by [RFC8288]. As explained in Section 5.2, this may be not always be possible for nameserver data. Clients MUST be able to process object instances without a self link. When present, clients can use the self link for caching data. Servers MAY provide more than one self link for any given object instance. Failure to provide any self link by a server may result in clients being unable to cache object class instances. Clients using self links for caching SHOULD NOT cache any object class instances where the authority of the self link is different than the authority of the server returning the data. Failing to do so might result in cache poisoning. Self links MUST contain a "type" element containing the "application/ rdap+json" media type when referencing RDAP object instances as defined by this document. This is an example of the "links" array with a self link to an object class: "links" : [ { "value" : "https://example.com/ip/2001:db8::123", "rel" : "self", "href" : "https://example.com/ip/2001:db8::123", "type" : "application/rdap+json" } ] Figure 14 5.1. The Entity Object Class The entity object class appears throughout this document and is an appropriate response for the /entity/XXXX query defined in "Registration Data Access Protocol (RDAP) Query Format" [RFC9082]. This object class represents the information of organizations, corporations, governments, non-profits, clubs, individual persons, and informal groups of people. All of these representations are so similar that it is best to represent them in JSON [RFC8259] with one construct, the entity object class, to aid in the reuse of code by implementers. The entity object class uses jCard [RFC7095] to represent contact information, such as postal addresses, email addresses, phone numbers and names of organizations and individuals. Many of the types of information that can be represented with jCard have little or no use in RDAP, such as birthdays, anniversaries, and gender. The entity object is served by both RIRs and DNRs. The following is an example of an entity that might be served by an RIR. { "objectClassName" : "entity", "handle":"XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["n", {}, "text", ["User", "Joe", "", "", ["ing. jr", "M.Sc."]] ], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["adr", { "type":"home", "label":"123 Maple Ave\nSuite 90001\nVancouver\nBC\n1239\n" }, "text", [ "", "", "", "", "", "", "" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["tel", { "type":["work", "cell", "voice", "video", "text"] }, "uri", "tel:+1-555-555-4321" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ], ["geo", { "type":"work" }, "uri", "geo:46.772673,-71.282945"], ["key", { "type":"work" }, "uri", "https://www.example.com/joe.user/joe.asc" ], ["tz", {}, "utc-offset", "-05:00"], ["url", { "type":"home" }, "uri", "https://example.org"] ] ], "roles":[ "registrar" ], "publicIds":[ { "type":"IANA Registrar ID", "identifier":"1" } ], "remarks":[ { "description":[ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links":[ { "value":"https://example.com/entity/XXXX", "rel":"self", "href":"https://example.com/entity/XXXX", "type" : "application/rdap+json" } ], "events":[ { "eventAction":"registration", "eventDate":"1990-12-31T23:59:59Z" } ], "asEventActor":[ { "eventAction":"last changed", "eventDate":"1991-12-31T23:59:59Z" } ] } Figure 15 The entity object class can contain the following members: * objectClassName -- the string "entity" * handle -- a string representing a registry-unique identifier of the entity * vcardArray -- a jCard with the entity's contact information * roles -- an array of strings, each signifying the relationship an object would have with its closest containing object (see Section 10.2.4 for a list of values) * publicIds -- see Section 4.8 * entities -- an array of entity objects as defined by this section * remarks -- see Section 4.3 * links -- see Section 4.2 * events -- see Section 4.5 * asEventActor -- this data structure takes the same form as the events data structure (see Section 4.5), but each object in the array MUST NOT have an "eventActor" member. These objects denote that the entity is an event actor for the given events. See Appendix B regarding the various ways events can be modeled. * status -- see Section 4.6 * port43 -- see Section 4.7 * networks -- an array of IP network objects as defined in Section 5.4 * autnums -- an array of autnum objects as defined in Section 5.5 Entities may also have other entities embedded with them in an array. This can be used to model an organization with specific individuals fulfilling designated roles of responsibility. The following is an elided example of an entity with embedded entities. { "objectClassName" : "entity", "handle" : "ANENTITY", "roles" : [ "registrar" ], ... "entities" : [ { "objectClassName" : "entity", "handle": "ANEMBEDDEDENTITY", "roles" : [ "technical" ], ... }, ... ], ... } Figure 16 The following is an example of an entity that might be served by a DNR. { "objectClassName" : "entity", "handle":"XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ] ] ], "status":[ "validated", "locked" ], "remarks":[ { "description":[ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links":[ { "value":"https://example.com/entity/XXXX", "rel":"self", "href":"https://example.com/entity/XXXX", "type":"application/rdap+json" } ], "port43":"whois.example.net", "events":[ { "eventAction":"registration", "eventDate":"1990-12-31T23:59:59Z" }, { "eventAction":"last changed", "eventDate":"1991-12-31T23:59:59Z", "eventActor":"joe@example.com" } ] } Figure 17 See Appendix A for use of the entity object class to model various types of entities found in both RIRs and DNRs. See Appendix C regarding structured vs. unstructured postal addresses in entities. 5.2. The Nameserver Object Class The nameserver object class represents information regarding DNS nameservers used in both forward and reverse DNS. RIRs and some DNRs register or expose nameserver information as an attribute of a domain name, while other DNRs model nameservers as "first class objects". Please note that some of the examples in this section include lines that have been wrapped for reading clarity. The nameserver object class accommodates both models and degrees of variation in between. The following is an example of a nameserver object. { "objectClassName" : "nameserver", "handle" : "XXXX", "ldhName" : "ns1.xn--fo-5ja.example", "unicodeName" : "ns.fóo.example", "status" : [ "active" ], "ipAddresses" : { "v4": [ "192.0.2.1", "192.0.2.2" ], "v6": [ "2001:db8::123" ] }, "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/nameserver/ ns1.xn--fo-5ja.example", "rel" : "self", "href" : "https://example.net/nameserver/ ns1.xn--fo-5ja.example", "type" : "application/rdap+json" } ], "port43" : "whois.example.net", "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z", "eventActor" : "joe@example.com" } ] } Figure 18 Figure 18 is an example of a nameserver object with all appropriate values given. Registries using a first-class nameserver data model would embed this in domain objects as well as allowing references to it with the "/nameserver" query type (all depending on the registry operators policy). Other registries may pare back the information as needed. Figure 19 is an example of a nameserver object as would be found in RIRs and some DNRs, while Figure 20 is an example of a nameserver object as would be found in other DNRs. The following is an example of the simplest nameserver object: { "objectClassName" : "nameserver", "ldhName" : "ns1.example.com" } Figure 19 The following is an example of a simple nameserver object that might be commonly used by DNRs: { "objectClassName" : "nameserver", "ldhName" : "ns1.example.com", "ipAddresses" : { "v6" : [ "2001:db8::123", "2001:db8::124" ] } } Figure 20 As nameservers can be modeled by some registries to be first-class objects, they may also have an array of entities (Section 5.1) embedded to signify parties responsible for the maintenance, registrations, etc., of the nameservers. The following is an elided example of a nameserver with embedded entities. { "objectClassName" : "nameserver", "handle" : "XXXX", "ldhName" : "ns.xn--fo-5ja.example", ... "entities" : [ ... ], ... } Figure 21 The nameserver object class can contain the following members: * objectClassName -- the string "nameserver" * handle -- a string representing a registry-unique identifier of the nameserver * ldhName -- a string containing the LDH name of the nameserver (see Section 3) * unicodeName -- a string containing a DNS Unicode name of the nameserver (see Section 3) * ipAddresses -- an object containing the following members: - v6 -- an array of strings containing IPv6 addresses of the nameserver - v4 -- an array of strings containing IPv4 addresses of the nameserver * entities -- an array of entity objects as defined by Section 5.1 * status -- see Section 4.6 * remarks -- see Section 4.3 * links -- see Section 4.2 * port43 -- see Section 4.7 * events -- see Section 4.5 5.3. The Domain Object Class The domain object class represents a DNS name and point of delegation. For RIRs, these delegation points are in the reverse DNS tree, whereas for DNRs, these delegation points are in the forward DNS tree. In both cases, the high-level structure of the domain object class consists of information about the domain registration, nameserver information related to the domain name, and entities related to the domain name (e.g., registrant information, contacts, etc.). The following is an elided example of the domain object showing the high-level structure: { "objectClassName" : "domain", "handle" : "XXX", "ldhName" : "blah.example.com", ... "nameservers" : [ ... ], ... "entities" : [ ... ] } Figure 22 The domain object class can contain the following members: * objectClassName -- the string "domain" * handle -- a string representing a registry-unique identifier of the domain object instance * ldhName -- a string describing a domain name in LDH form as described in Section 3 * unicodeName -- a string containing a domain name with U-labels as described in Section 3 * variants -- an array of objects, each containing the following values: - relation -- an array of strings, with each string denoting the relationship between the variants and the containing domain object (see Section 10.2.5 for a list of suggested variant relations). - idnTable -- the character string literal that represents the Internationalized Domain Name (IDN) table that has been registered in the IANA Repository of IDN Practices [IANA_IDNTABLES]. - variantNames -- an array of objects, with each object containing an "ldhName" member and a "unicodeName" member (see Section 3). * nameservers -- an array of nameserver objects as defined by Section 5.2 * secureDNS -- an object with the following members: - zoneSigned -- boolean true if the zone has been signed, false otherwise. - delegationSigned -- boolean true if there are DS records in the parent, false otherwise. - maxSigLife -- an integer representing the signature lifetime in seconds to be used when creating the RRSIG DS record in the parent zone [RFC5910]. - dsData -- an array of objects, each with the following members: o keyTag -- an integer as specified by the key tag field of a DNS DS record as specified by [RFC4034] in presentation format o algorithm -- an integer as specified by the algorithm field of a DNS DS record as described by RFC 4034 in presentation format o digest -- a string as specified by the digest field of a DNS DS record as specified by RFC 4034 in presentation format o digestType -- an integer as specified by the digest type field of a DNS DS record as specified by RFC 4034 in presentation format o events -- see Section 4.5 o links -- see Section 4.2 - keyData -- an array of objects, each with the following members: o flags -- an integer representing the flags field value in the DNSKEY record [RFC4034] in presentation format o protocol -- an integer representation of the protocol field value of the DNSKEY record [RFC4034] in presentation format o publicKey -- a string representation of the public key in the DNSKEY record [RFC4034] in presentation format o algorithm -- an integer as specified by the algorithm field of a DNSKEY record as specified by [RFC4034] in presentation format o events -- see Section 4.5 o links -- see Section 4.2 See Appendix D for background information on these objects. * entities -- an array of entity objects as defined by Section 5.1 * status -- see Section 4.6 * publicIds -- see Section 4.8 * remarks -- see Section 4.3 * links -- see Section 4.2 * port43 -- see Section 4.7 * events -- see Section 4.5 * network -- represents the IP network for which a reverse DNS domain is referenced; see Section 5.4 The following is an example of a JSON domain object representing a reverse DNS delegation point that might be served by an RIR (note that the dsData digest value has been modified to fit on one line). { "objectClassName" : "domain", "handle" : "XXXX", "ldhName" : "0.2.192.in-addr.arpa", "nameservers" : [ { "objectClassName" : "nameserver", "ldhName" : "ns1.rir.example" }, { "objectClassName" : "nameserver", "ldhName" : "ns2.rir.example" } ], "secureDNS": { "delegationSigned": true, "dsData": [ { "keyTag": 25345, "algorithm": 8, "digestType": 2, "digest": "2788970E18EA14...C890C85B8205B94" } ] }, "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value": "https://example.net/domain/0.2.192.in-addr.arpa", "rel" : "self", "href" : "https://example.net/domain/0.2.192.in-addr.arpa", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z", "eventActor" : "joe@example.com" } ], "entities" : [ { "objectClassName" : "entity", "handle" : "XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ] ] ], "roles" : [ "registrant" ], "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value": "https://example.net/entity/XXXX", "rel" : "self", "href" : "https://example.net/entity/XXXX", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z", "eventActor" : "joe@example.com" } ] } ], "network" : { "objectClassName" : "ip network", "handle" : "XXXX-RIR", "startAddress" : "192.0.2.0", "endAddress" : "192.0.2.255", "ipVersion" : "v4", "name": "NET-RTR-1", "type" : "DIRECT ALLOCATION", "country" : "AU", "parentHandle" : "YYYY-RIR", "status" : [ "active" ] } } Figure 23 The following is an example of a JSON domain object representing a forward DNS delegation point that might be served by a DNR. Note that the secureDNS keyData publicKey value has been modified to fit on a single line. { "objectClassName" : "domain", "handle" : "XXXX", "ldhName" : "xn--fo-5ja.example", "unicodeName" : "fóo.example", "variants" : [ { "relation" : [ "registered", "conjoined" ], "variantNames" : [ { "ldhName" : "xn--fo-cka.example", "unicodeName" : "fõo.example" }, { "ldhName" : "xn--fo-fka.example", "unicodeName" : "föo.example" } ] }, { "relation" : [ "unregistered", "registration restricted" ], "idnTable": ".EXAMPLE Swedish", "variantNames" : [ { "ldhName": "xn--fo-8ja.example", "unicodeName" : "fôo.example" } ] } ], "status" : [ "locked", "transfer prohibited" ], "publicIds":[ { "type":"ENS_Auth ID", "identifier":"1234567890" } ], "nameservers" : [ { "objectClassName" : "nameserver", "handle" : "XXXX", "ldhName" : "ns1.example.com", "status" : [ "active" ], "ipAddresses" : { "v6": [ "2001:db8::123", "2001:db8::124" ], "v4": [ "192.0.2.1", "192.0.2.2" ] }, "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/nameserver/ns1.example.com", "rel" : "self", "href" : "https://example.net/nameserver/ns1.example.com", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ] }, { "objectClassName" : "nameserver", "handle" : "XXXX", "ldhName" : "ns2.example.com", "status" : [ "active" ], "ipAddresses" : { "v6" : [ "2001:db8::125", "2001:db8::126" ], "v4" : [ "192.0.2.3", "192.0.2.4" ] }, "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/nameserver/ns2.example.com", "rel" : "self", "href" : "https://example.net/nameserver/ns2.example.com", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ] } ], "secureDNS": { "zoneSigned": true, "delegationSigned": true, "maxSigLife": 604800, "keyData": [ { "flags": 257, "protocol": 3, "algorithm": 8, "publicKey": "AwEAAa6eDzronzjEDbT...Jg1M5N rBSPkuXpdFE=", "events": [ { "eventAction": "last changed", "eventDate": "2012-07-23T05:15:47Z" } ] } ] }, "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value": "https://example.net/domain/xn--fo-5ja.example", "rel" : "self", "href" : "https://example.net/domain/xn--fo-5ja.example", "type" : "application/rdap+json" } ], "port43" : "whois.example.net", "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z", "eventActor" : "joe@example.com" }, { "eventAction" : "transfer", "eventDate" : "1991-12-31T23:59:59Z", "eventActor" : "joe@example.com" }, { "eventAction" : "expiration", "eventDate" : "2016-12-31T23:59:59Z", "eventActor" : "joe@example.com" } ], "entities" : [ { "objectClassName" : "entity", "handle" : "XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ] ] ], "status" : [ "validated", "locked" ], "roles" : [ "registrant" ], "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/entity/XXXX", "rel" : "self", "href" : "https://example.net/entity/XXXX", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ] } ] } Figure 24 5.4. The IP Network Object Class The IP network object class models IP network registrations found in RIRs and is the expected response for the "/ip" query as defined by [RFC9082]. There is no equivalent object class for DNRs. The high- level structure of the IP network object class consists of information about the network registration and entities related to the IP network (e.g., registrant information, contacts, etc.). The following is an elided example of the IP network object type showing the high-level structure: { "objectClassName" : "ip network", "handle" : "XXX", ... "entities" : [ ... ] } Figure 25 The following is an example of the JSON object for the network registration information. { "objectClassName" : "ip network", "handle" : "XXXX-RIR", "startAddress" : "2001:db8::", "endAddress" : "2001:db8:0:ffff:ffff:ffff:ffff:ffff", "ipVersion" : "v6", "name": "NET-RTR-1", "type" : "DIRECT ALLOCATION", "country" : "AU", "parentHandle" : "YYYY-RIR", "status" : [ "active" ], "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/ip/2001:db8::/48", "rel" : "self", "href" : "https://example.net/ip/2001:db8::/48", "type" : "application/rdap+json" }, { "value" : "https://example.net/ip/2001:db8::/48", "rel" : "up", "href" : "https://example.net/ip/2001:db8::/32", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ], "entities" : [ { "objectClassName" : "entity", "handle" : "XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ] ] ], "roles" : [ "registrant" ], "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/entity/xxxx", "rel" : "self", "href" : "https://example.net/entity/xxxx", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ] } ] } Figure 26 The IP network object class can contain the following members: * objectClassName -- the string "ip network" * handle -- a string representing the RIR-unique identifier of the network registration * startAddress -- a string representing the starting IP address of the network, either IPv4 or IPv6 * endAddress -- a string representing the ending IP address of the network, either IPv4 or IPv6 * ipVersion -- a string signifying the IP protocol version of the network: "v4" signifies an IPv4 network, and "v6" signifies an IPv6 network * name -- a string representing an identifier assigned to the network registration by the registration holder * type -- a string containing an RIR-specific classification of the network per that RIR's registration model * country -- a string containing the two-character country code of the network * parentHandle -- a string containing an RIR-unique identifier of the parent network of this network registration * status -- an array of strings indicating the state of the IP network as defined by Section 4.6 * entities -- an array of entity objects as defined by Section 5.1 * remarks -- see Section 4.3 * links -- see Section 4.2 * port43 -- see Section 4.7 * events -- see Section 4.5 5.5. The Autonomous System Number Object Class The Autonomous System number (autnum) object class models Autonomous System number registrations found in RIRs and represents the expected response to an "/autnum" query as defined by [RFC9082]. There is no equivalent object class for DNRs. The high-level structure of the autnum object class consists of information about the Autonomous System number registration and entities related to the autnum registration (e.g., registrant information, contacts, etc.) and is similar to the IP network object class. The following is an example of a JSON object representing an autnum. { "objectClassName" : "autnum", "handle" : "XXXX-RIR", "startAutnum" : 65536, "endAutnum" : 65541, "name": "AS-RTR-1", "type" : "DIRECT ALLOCATION", "status" : [ "active" ], "country": "AU", "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/autnum/65537", "rel" : "self", "href" : "https://example.net/autnum/65537", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ], "entities" : [ { "objectClassName" : "entity", "handle" : "XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ] ] ], "roles" : [ "registrant" ], "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links" : [ { "value" : "https://example.net/entity/XXXX", "rel" : "self", "href" : "https://example.net/entity/XXXX", "type" : "application/rdap+json" } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ] } ] } Figure 27 The Autonomous System number object class can contain the following members: * objectClassName -- the string "autnum" * handle -- a string representing the RIR-unique identifier of the autnum registration * startAutnum -- an unsigned 32-bit integer representing the starting number [RFC5396] in the block of Autonomous System numbers * endAutnum -- an unsigned 32-bit integer representing the ending number [RFC5396] in the block of Autonomous System numbers * name -- a string representing an identifier assigned to the autnum registration by the registration holder * type -- a string containing an RIR-specific classification of the autnum per that RIR's registration model * status -- an array of strings indicating the state of the autnum as defined by Section 4.6 * country -- a string containing the two-character country code of the autnum * entities -- an array of entity objects as defined by Section 5.1 * remarks -- see Section 4.3 * links -- see Section 4.2 * port43 -- see Section 4.7 * events -- see Section 4.5 6. Error Response Body Some non-answer responses MAY return entity bodies with information that could be more descriptive. The basic structure of that response is an object class containing a REQUIRED error code number (corresponding to the HTTP response code) followed by an OPTIONAL string named "title" and an OPTIONAL array of strings named "description". This is an example of the common response body. { "errorCode": 418, "title": "Your Beverage Choice is Not Available", "description": [ "I know coffee has more ummppphhh.", "Sorry, dude!" ] } Figure 28 This is an example of the common response body with an rdapConformance and notices data structures: { "rdapConformance" : [ "rdap_level_0" ], "notices" : [ { "title" : "Beverage Policy", "description" : [ "Beverages with caffeine for keeping horses awake." ], "links" : [ { "value" : "https://example.net/ip/192.0.2.0/24", "rel" : "alternate", "type" : "text/html", "href" : "https://www.example.com/redaction_policy.html" } ] } ], "lang" : "en", "errorCode": 418, "title": "Your beverage choice is not available", "description": [ "I know coffee has more ummppphhh.", "Sorry, dude!" ] } Figure 29 7. Responding to Help Queries The appropriate response to /help queries as defined by [RFC9082] is to use the notices structure as defined in Section 4.3. This is an example of a response to a /help query including the rdapConformance data structure. { "rdapConformance" : [ "rdap_level_0" ], "notices" : [ { "title" : "Authentication Policy", "description" : [ "Access to sensitive data for users with proper credentials." ], "links" : [ { "value" : "https://example.net/help", "rel" : "alternate", "type" : "text/html", "href" : "https://www.example.com/auth_policy.html" } ] } ] } Figure 30 8. Responding To Searches [RFC9082] specifies three types of searches: domains, nameservers, and entities. Responses to these searches take the form of an array of object instances where each instance is an appropriate object class for the search (i.e., a search for /domains yields an array of domain object instances). These arrays are contained within the response object. The names of the arrays are as follows: * for /domains searches, the array is "domainSearchResults" * for /nameservers searches, the array is "nameserverSearchResults" * for /entities searches, the array is "entitySearchResults" The following is an elided example of a response to a /domains search. { "rdapConformance" : [ "rdap_level_0" ], ... "domainSearchResults" : [ { "objectClassName" : "domain", "handle" : "1-XXXX", "ldhName" : "1.example.com", ... }, { "objectClassName" : "domain", "handle" : "2-XXXX", "ldhName" : "2.example.com", ... } ] } Figure 31 9. Indicating Truncated Responses In cases where the data of a response needs to be limited or parts of the data need to be omitted, the response is considered "truncated". A truncated response is still valid JSON, but some of the results in a search set or some of the data in an object are not provided by the server. A server may indicate this by including a typed notice in the response object. The following is an elided example of a search response that has been truncated. { "rdapConformance" : [ "rdap_level_0" ], "notices" : [ { "title" : "Search Policy", "type" : "result set truncated due to authorization", "description" : [ "Search results are limited to 25 per day per querying IP." ], "links" : [ { "value" : "https://example.net/help", "rel" : "alternate", "type" : "text/html", "href" : "https://www.example.com/search_policy.html" } ] } ], "domainSearchResults" : [ ... ] } Figure 32 A similar technique can be used with a typed remark where a single object has been returned and data in that object has been truncated. Such an example might be an entity object with only a partial set of the IP networks associated with it. The following is an elided example of an entity truncated data. { "objectClassName" : "entity", "handle" : "ANENTITY", "roles" : [ "registrant" ], ... "entities" : [ { "objectClassName" : "entity", "handle": "ANEMBEDDEDENTITY", "roles" : [ "technical" ], ... }, ... ], "networks" : [ ... ], ... "remarks" : [ { "title" : "Data Policy", "type" : "object truncated due to unexplainable reason", "description" : [ "Some of the data in this object has been removed." ], "links" : [ { "value" : "https://example.net/help", "rel" : "alternate", "type" : "text/html", "href" : "https://www.example.com/data_policy.html" } ] } ] } Figure 33 10. IANA Considerations IANA has updated the description of the "transfer" event action as described in Section 10.2.3. 10.1. RDAP JSON Media Type Registration IANA has updated the media type registration as described below. This specification registers the "application/rdap+json" media type. Type name: application Subtype name: rdap+json Required parameters: n/a Encoding considerations: See Section 3.1 of [RFC6839]. Security considerations: The media represented by this identifier does not have security considerations beyond that found in Section 12 of [RFC8259]. Interoperability considerations: There are no known interoperability problems regarding this media format. Published specification: RFC 9083 Applications that use this media type: Implementations of the Registration Data Access Protocol (RDAP). Additional information: This media type is a product of the IETF REGEXT Working Group. The REGEXT charter, information on the REGEXT mailing list, and other documents produced by the REGEXT Working Group can be found at https://datatracker.ietf.org/wg/ regext/. Person & email address to contact for further information: IESG <iesg@ietf.org> Intended usage: COMMON Restrictions on usage: none Author: Andy Newton Change controller: IETF Provisional Registration: No 10.2. JSON Values Registry IANA has created a category in the protocol registries labeled "Registration Data Access Protocol (RDAP)", and within that category, IANA has established a URL-referenceable, stand-alone registry labeled "RDAP JSON Values". This new registry is for use in the notices and remarks (Section 4.3), status (Section 4.6), role (Section 5.1), event action (Section 4.5), and domain variant relation (Section 5.3) fields specified in RDAP. Each entry in the registry contains the following fields: 1. Value -- the string value being registered. 2. Type -- the type of value being registered. It should be one of the following: * "notice or remark type" -- denotes a type of notice or remark. * "status" -- denotes a value for the "status" object member as defined by Section 4.6. * "role" -- denotes a value for the "role" array as defined in Section 5.1. * "event action" -- denotes a value for an event action as defined in Section 4.5. * "domain variant relation" -- denotes a relationship between a domain and a domain variant as defined in Section 5.3. 3. Description -- a one- or two-sentence description regarding the meaning of the value, how it might be used, and/or how it should be interpreted by clients. 4. Registrant Name -- the name of the person registering the value. 5. Registrant Contact Information -- an email address, postal address, or some other information to be used to contact the registrant. This registry is operated under the "Expert Review" policy defined in [RFC8126]. Review of registrations into this registry by the designated expert(s) should be narrowly judged on the following criteria: 1. Values in need of being placed into multiple types must be assigned a separate registration for each type. 2. Values must be strings. They should be multiple words separated by single space characters. Every character should be lowercased. If possible, every word should be given in English and each character should be US-ASCII. 3. Registrations should not duplicate the meaning of any existing registration. That is, if a request for a registration is significantly similar in nature to an existing registration, the request should be denied. For example, the terms "maintainer" and "registrant" are significantly similar in nature as they both denote a holder of a domain name or Internet number resource. In cases where it may be reasonably argued that machine interpretation of two similar values may alter the operation of client software, designated experts should not judge the values to be of significant similarity. 4. Registrations should be relevant to the common usages of RDAP. Designated experts may rely upon the serving of the value by a DNR or RIR to make this determination. The following sections provide initial registrations into this registry. 10.2.1. Notice and Remark Types The following values have been registered in the "RDAP JSON Values" registry: Value: result set truncated due to authorization Type: notice and remark type Description: The list of results does not contain all results due to lack of authorization. This may indicate to some clients that proper authorization will yield a longer result set. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: result set truncated due to excessive load Type: notice and remark type Description: The list of results does not contain all results due to an excessively heavy load on the server. This may indicate to some clients that requerying at a later time will yield a longer result set. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: result set truncated due to unexplainable reasons Type: notice and remark type Description: The list of results does not contain all results for an unexplainable reason. This may indicate to some clients that requerying for any reason will not yield a longer result set. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: object truncated due to authorization Type: notice and remark type Description: The object does not contain all data due to lack of authorization. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: object truncated due to excessive load Type: notice and remark type Description: The object does not contain all data due to an excessively heavy load on the server. This may indicate to some clients that requerying at a later time will yield all data of the object. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: object truncated due to unexplainable reasons Type: notice and remark type Description: The object does not contain all data for an unexplainable reason. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org 10.2.2. Status The following values have been registered in the "RDAP JSON Values" registry: Value: validated Type: status Description: Signifies that the data of the object instance has been found to be accurate. This type of status is usually found on entity object instances to note the validity of identifying contact information. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: renew prohibited Type: status Description: Renewal or reregistration of the object instance is forbidden. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: update prohibited Type: status Description: Updates to the object instance are forbidden. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: transfer prohibited Type: status Description: Transfers of the registration from one registrar to another are forbidden. This type of status normally applies to DNR domain names. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: delete prohibited Type: status Description: Deletion of the registration of the object instance is forbidden. This type of status normally applies to DNR domain names. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: proxy Type: status Description: The registration of the object instance has been performed by a third party. This is most commonly applied to entities. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: private Type: status Description: The information of the object instance is not designated for public consumption. This is most commonly applied to entities. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: removed Type: status Description: Some of the information of the object instance has not been made available and has been removed. This is most commonly applied to entities. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: obscured Type: status Description: Some of the information of the object instance has been altered for the purposes of not readily revealing the actual information of the object instance. This is most commonly applied to entities. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: associated Type: status Description: The object instance is associated with other object instances in the registry. This is most commonly used to signify that a nameserver is associated with a domain or that an entity is associated with a network resource or domain. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: active Type: status Description: The object instance is in use. For domain names, it signifies that the domain name is published in DNS. For network and autnum registrations, it signifies that they are allocated or assigned for use in operational networks. This maps to the "OK" status of the Extensible Provisioning Protocol (EPP) [RFC5730]. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: inactive Type: status Description: The object instance is not in use. See "active". Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: locked Type: status Description: Changes to the object instance cannot be made, including the association of other object instances. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: pending create Type: status Description: A request has been received for the creation of the object instance, but this action is not yet complete. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: pending renew Type: status Description: A request has been received for the renewal of the object instance, but this action is not yet complete. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: pending transfer Type: status Description: A request has been received for the transfer of the object instance, but this action is not yet complete. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: pending update Type: status Description: A request has been received for the update or modification of the object instance, but this action is not yet complete. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: pending delete Type: status Description: A request has been received for the deletion or removal of the object instance, but this action is not yet complete. For domains, this might mean that the name is no longer published in DNS but has not yet been purged from the registry database. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org 10.2.3. Event Actions The following values have been registered in the "RDAP JSON Values" registry: Value: registration Type: event action Description: The object instance was initially registered. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: reregistration Type: event action Description: The object instance was registered subsequently to initial registration. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: last changed Type: event action Description: An action noting when the information in the object instance was last changed. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: expiration Type: event action Description: The object instance has been removed or will be removed at a predetermined date and time from the registry. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: deletion Type: event action Description: The object instance was removed from the registry at a point in time that was not predetermined. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: reinstantiation Type: event action Description: The object instance was reregistered after having been removed from the registry. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: transfer Type: event action Description: The object instance was transferred from one registrar to another. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: locked Type: event action Description: The object instance was locked (see the "locked" status). Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: unlocked Type: event action Description: The object instance was unlocked (see the "locked" status). Registrant Name: IESG Registrant Contact Information: iesg@ietf.org 10.2.4. Roles The following values have been registered in the "RDAP JSON Values" registry: Value: registrant Type: role Description: The entity object instance is the registrant of the registration. In some registries, this is known as a maintainer. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: technical Type: role Description: The entity object instance is a technical contact for the registration. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: administrative Type: role Description: The entity object instance is an administrative contact for the registration. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: abuse Type: role Description: The entity object instance handles network abuse issues on behalf of the registrant of the registration. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: billing Type: role Description: The entity object instance handles payment and billing issues on behalf of the registrant of the registration. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: registrar Type: role Description: The entity object instance represents the authority responsible for the registration in the registry. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: reseller Type: role Description: The entity object instance represents a third party through which the registration was conducted (i.e., not the registry or registrar). Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: sponsor Type: role Description: The entity object instance represents a domain policy sponsor, such as an ICANN-approved sponsor. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: proxy Type: role Description: The entity object instance represents a proxy for another entity object, such as a registrant. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: notifications Type: role Description: An entity object instance designated to receive notifications about association object instances. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: noc Type: role Description: The entity object instance handles communications related to a network operations center (NOC). Registrant Name: IESG Registrant Contact Information: iesg@ietf.org 10.2.5. Variant Relations The following values have been registered in the "RDAP JSON Values" registry: Value: registered Type: domain variant relation Description: The variant names are registered in the registry. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: unregistered Type: domain variant relation Description: The variant names are not found in the registry. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: registration restricted Type: domain variant relation Description: Registration of the variant names is restricted to certain parties or within certain rules. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: open registration Type: domain variant relation Description: Registration of the variant names is available to generally qualified registrants. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org Value: conjoined Type: domain variant relation Description: Registration of the variant names occurs automatically with the registration of the containing domain registration. Registrant Name: IESG Registrant Contact Information: iesg@ietf.org 11. Security Considerations This specification models information serialized in JSON format. As JSON is a subset of JavaScript, implementations are advised to follow the security considerations outlined in Section 12 of [RFC8259] to prevent code injection. Though not specific to JSON, RDAP implementers should be aware of the security considerations specified in [RFC7480] and the security requirements and considerations in [RFC7481]. RDAP responses allow for retrieval of DNSSEC (key) related information, but the RRSIG DS from the parent zone is not conveyed alongside it. This means that the DNSSEC keys retrieved by RDAP are disconnected from their containing PKI, and as such are not generally expected to be trusted without additional information. In particular, the HTTPS channel protecting the RDAP connection is not expected to be authorized to certify the validity of the DNSSEC keys. Clients caching data, especially clients using RDAP-specific caches (instead of HTTP-layer caches), should have safeguards to prevent cache poisoning. See Section 5 for advice on using the self links for caching. Finally, service operators should be aware of the privacy mechanisms noted in Section 13. 12. Internationalization Considerations 12.1. Character Encoding The default text encoding for JSON responses in RDAP is UTF-8 [RFC3629], and all servers and clients MUST support UTF-8. 12.2. URIs and IRIs [RFC7480] defines the use of URIs and IRIs in RDAP. 12.3. Language Tags Section 4.4 defines the use of language tags in the JSON responses defined in this document. 12.4. Internationalized Domain Names IDNs are denoted in this specification by the separation of DNS names in LDH form and Unicode form (see Section 3). Representation of IDNs in registries is described by the "variants" object in Section 5.3 and the suggested values listed in Section 10.2.5. 13. Privacy Considerations This specification suggests status values to denote contact and registrant information that has been marked as private and/or has been removed or obscured. See Section 10.2.2 for the complete list of status values. A few of the status values indicate that there are privacy concerns associated with the object instance. The following status codes SHOULD be used to describe data elements of a response when appropriate: * private -- The object is not be shared in query responses, unless the user is authorized to view this information. * removed -- Data elements within the object have been collected but have been omitted from the response. This option can be used to prevent unauthorized access to associated object instances without the need to mark them as private. * obscured -- Data elements within the object have been collected, but the response value has been altered so that values are not easily discernible. A value changed from "1212" to "XXXX" is an example of obscured data. This option may reveal privacy sensitive information and should only be used when data sensitivity does not require a more protective option like "private" or "removed". See Appendix A.1 for an example of applying those values to contacts and registrants. 14. References 14.1. Normative References [ISO.3166.2020] International Organization for Standardization, "Codes for the representation of names of countries and their subdivisions", Fourth edition, ISO Standard 3166, August 2020. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>. [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <https://www.rfc-editor.org/info/rfc3629>. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, <https://www.rfc-editor.org/info/rfc4034>. [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of Autonomous System (AS) Numbers", RFC 5396, DOI 10.17487/RFC5396, December 2008, <https://www.rfc-editor.org/info/rfc5396>. [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, September 2009, <https://www.rfc-editor.org/info/rfc5646>. [RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <https://www.rfc-editor.org/info/rfc5890>. [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010, <https://www.rfc-editor.org/info/rfc5952>. [RFC7095] Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095, DOI 10.17487/RFC7095, January 2014, <https://www.rfc-editor.org/info/rfc7095>. [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the Registration Data Access Protocol (RDAP)", STD 95, RFC 7480, DOI 10.17487/RFC7480, March 2015, <https://www.rfc-editor.org/info/rfc7480>. [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the Registration Data Access Protocol (RDAP)", STD 95, RFC 7481, DOI 10.17487/RFC7481, March 2015, <https://www.rfc-editor.org/info/rfc7481>. [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, <https://www.rfc-editor.org/info/rfc8259>. [RFC8288] Nottingham, M., "Web Linking", RFC 8288, DOI 10.17487/RFC8288, October 2017, <https://www.rfc-editor.org/info/rfc8288>. [RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access Protocol (RDAP) Query Format", STD 95, RFC 9082, DOI 10.17487/RFC9082, June 2021, <https://www.rfc-editor.org/info/rfc9082>. 14.2. Informative References [IANA_IDNTABLES] IANA, "Repository of IDN Practices", <https://www.iana.org/domains/idn-tables>. [JSON_ascendancy] MacVittie, L., "The Stealthy Ascendancy of JSON", April 2011, <https://devcentral.f5.com/s/articles/the-stealthy- ascendancy-of-json>. [JSON_performance_study] Nurseitov, N., Paulson, M., Reynolds, R., and C. Izurieta, "Comparison of JSON and XML Data Interchange Formats: A Case Study", 2009, <https://www.cs.montana.edu/izurieta/pubs/caine2009.pdf>. [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, DOI 10.17487/RFC3912, September 2004, <https://www.rfc-editor.org/info/rfc3912>. [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, <https://www.rfc-editor.org/info/rfc5730>. [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)", RFC 5910, DOI 10.17487/RFC5910, May 2010, <https://www.rfc-editor.org/info/rfc5910>. [RFC6350] Perreault, S., "vCard Format Specification", RFC 6350, DOI 10.17487/RFC6350, August 2011, <https://www.rfc-editor.org/info/rfc6350>. [RFC6839] Hansen, T. and A. Melnikov, "Additional Media Type Structured Syntax Suffixes", RFC 6839, DOI 10.17487/RFC6839, January 2013, <https://www.rfc-editor.org/info/rfc6839>. Appendix A. Suggested Data Modeling with the Entity Object Class A.1. Registrants and Contacts This document does not provide specific object classes for registrants and contacts. Instead, the entity object class may be used to represent a registrant or contact. When the entity object is embedded inside a containing object such as a domain name or IP network, the "roles" string array can be used to signify the relationship. It is recommended that the values from Section 10.2.4 be used. The following is an example of an elided containing object with an embedded entity that is both a registrant and administrative contact: { ... "entities" : [ { "objectClassName" : "entity", "handle" : "XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ] ] ], "roles" : [ "registrant", "administrative" ], "remarks" : [ { "description" : [ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" }, { "eventAction" : "last changed", "eventDate" : "1991-12-31T23:59:59Z" } ] } ] } Figure 34 In many use cases, it is necessary to hide or obscure the information of a registrant or contact due to policy or other operational matters. Registries can denote these situations with "status" values (see Section 10.2.2). The following is an elided example of a registrant with information changed to reflect that of a third party. { ... "entities" : [ { "objectClassName" : "entity", "handle" : "XXXX", ... "roles" : [ "registrant", "administrative" ], "status" : [ "proxy", "private", "obscured" ] } ] } Figure 35 A.2. Registrars This document does not provide a specific object class for registrars, but like registrants and contacts (see Appendix A.1), the "roles" string array maybe used. Additionally, many registrars have publicly assigned identifiers. The publicIds structure (Section 4.8) represents that information. The following is an example of an elided containing object with an embedded entity that is a registrar: { ... "entities":[ { "objectClassName" : "entity", "handle":"XXXX", "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe's Fish, Chips, and Domains"], ["kind", {}, "text", "org"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["email", { "type":"work" }, "text", "joes_fish_chips_and_domains@example.com" ] ] ], "roles":[ "registrar" ], "publicIds":[ { "type":"IANA Registrar ID", "identifier":"1" } ], "remarks":[ { "description":[ "She sells sea shells down by the sea shore.", "Originally written by Terry Sullivan." ] } ], "links":[ { "value":"https://example.net/entity/XXXX", "rel":"alternate", "type":"text/html", "href":"https://www.example.com" } ] } ] } Figure 36 Appendix B. Modeling Events Events represent actions that have taken place against a registered object at a certain date and time. Events have three properties: the action, the actor, and the date and time of the event (which is sometimes in the future). In some cases, the identity of the actor is not captured. Events can be modeled in three ways: 1. events with no designated actor 2. events where the actor is only designated by an identifier 3. events where the actor can be modeled as an entity For the first use case, the events data structure (Section 4.5) is used without the "eventActor" object member. This is an example of an "events" array without the "eventActor". "events" : [ { "eventAction" : "registration", "eventDate" : "1990-12-31T23:59:59Z" } ] Figure 37 For the second use case, the events data structure (Section 4.5) is used with the "eventActor" object member. This is an example of an "events" array with the "eventActor". "events" : [ { "eventAction" : "registration", "eventActor" : "XYZ-NIC", "eventDate" : "1990-12-31T23:59:59Z" } ] Figure 38 For the third use case, the "asEventActor" array is used when an entity (Section 5.1) is embedded into another object class. The "asEventActor" array follows the same structure as the "events" array but does not have "eventActor" attributes. The following is an elided example of a domain object with an entity as an event actor. { "objectClassName" : "domain", "handle" : "XXXX", "ldhName" : "foo.example", "status" : [ "locked", "transfer prohibited" ], ... "entities" : [ { "handle" : "XXXX", ... "asEventActor" : [ { "eventAction" : "last changed", "eventDate" : "1990-12-31T23:59:59Z" } ] } ] } Figure 39 Appendix C. Structured vs. Unstructured Addresses The entity (Section 5.1) object class uses jCard [RFC7095] to represent contact information, including postal addresses. jCard has the ability to represent multiple language preferences, multiple email address and phone numbers, and multiple postal addresses in both a structured and unstructured format. This section describes the use of jCard for representing structured and unstructured addresses. The following is an example of a jCard. { "vcardArray":[ "vcard", [ ["version", {}, "text", "4.0"], ["fn", {}, "text", "Joe User"], ["n", {}, "text", ["User", "Joe", "", "", ["ing. jr", "M.Sc."]] ], ["kind", {}, "text", "individual"], ["lang", { "pref":"1" }, "language-tag", "fr"], ["lang", { "pref":"2" }, "language-tag", "en"], ["org", { "type":"work" }, "text", "Example"], ["title", {}, "text", "Research Scientist"], ["role", {}, "text", "Project Lead"], ["adr", { "type":"work" }, "text", [ "", "Suite 1234", "4321 Rue Somewhere", "Quebec", "QC", "G1V 2M2", "Canada" ] ], ["adr", { "type":"home", "label":"123 Maple Ave\nSuite 90001\nVancouver\nBC\n1239\n" }, "text", [ "", "", "", "", "", "", "" ] ], ["tel", { "type":["work", "voice"], "pref":"1" }, "uri", "tel:+1-555-555-1234;ext=102" ], ["tel", { "type":["work", "cell", "voice", "video", "text"] }, "uri", "tel:+1-555-555-1234" ], ["email", { "type":"work" }, "text", "joe.user@example.com" ], ["geo", { "type":"work" }, "uri", "geo:46.772673,-71.282945"], ["key", { "type":"work" }, "uri", "https://www.example.com/joe.user/joe.asc" ], ["tz", {}, "utc-offset", "-05:00"], ["url", { "type":"home" }, "uri", "https://example.org"] ] ] } Figure 40 The arrays in Figure 40 with the first member of "adr" represent postal addresses. In the first example, the postal address is given as an array of strings and constitutes a structured address. For components of the structured address that are not applicable, an empty string is given. Each member of that array aligns with the positions of a vCard as given in [RFC6350]. In this example, the following data corresponds to the following positional meanings: 1. post office box -- not applicable; empty string 2. extended address (e.g., apartment or suite number) -- Suite 1234 3. street address -- 4321 Rue Somewhere 4. locality (e.g., city) -- Quebec 5. region (e.g., state or province) -- QC 6. postal code -- G1V 2M2 7. country name (full name) -- Canada The second example is an unstructured address. It uses the "label" attribute, which is a string containing a newline (\n) character to separate address components in an unordered, unspecified manner. Note that in this example, the structured address array is still given but that each string is an empty string. Appendix D. Secure DNS Section 5.3 defines the "secureDNS" member to represent secure DNS information about domain names. DNSSEC provides data integrity for DNS through the digital signing of resource records. To enable DNSSEC, the zone is signed by one or more private keys and the signatures are stored as RRSIG records. To complete the chain of trust in the DNS zone hierarchy, a digest of each DNSKEY record (which contains the public key) must be loaded into the parent zone, stored as DS records, and signed by the parent's private key (RRSIG DS record), as indicated in "Resource Records for the DNS Security Extensions" [RFC4034]. Creating the DS records in the parent zone can be done by the registration authority "Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)" [RFC5910]. Only DS-related information is provided by RDAP, since other information is not generally stored in the registration database. Other DNSSEC-related information can be retrieved with other DNS tools such as dig. The domain object class (Section 5.3) can represent this information using either the "dsData" or "keyData" object arrays. Client implementers should be aware that some registries do not collect or do not publish all of the secure DNS meta-information. Appendix E. Motivations for Using JSON This section addresses a common question regarding the use of JSON over other data formats, most notably XML. It is often pointed out that many DNRs and one RIR support the EPP [RFC5730] standard, which is an XML serialized protocol. The logic is that since EPP is a common protocol in the industry, it follows that XML would be a more natural choice. While EPP does influence this specification quite a bit, EPP serves a different purpose, which is the provisioning of Internet resources between registries and accredited registrars and serving a much narrower audience than that envisioned for RDAP. By contrast, RDAP has a broader audience and is designed for public consumption of data. Experience from RIRs with first generation RESTful web services for WHOIS indicate that a large percentage of clients operate within browsers and other platforms where full-blown XML stacks are not readily available and where JSON is a better fit. Additionally, while EPP is used in much of the DNR community it is not a universal constant in that industry. And finally, EPP's use of XML predates the specification of JSON. If EPP had been defined today, it may very well have used JSON instead of XML. Beyond the specific DNR and RIR communities, the trend in the broader Internet industry is also switching to JSON over XML, especially in the area of RESTful web services (see [JSON_ascendancy]). Studies have also found that JSON is generally less bulky and consequently faster to parse (see [JSON_performance_study]). Appendix F. Changes from RFC 7483 * Addressed known errata. * Updated references to 7482 to RFC 9082. Adjusted case of "xxxx" used in examples where "XXXX" was previously used, and removed an "X" from "XXXXX". Changed IPv6 address example using "C00" to "c00". Added "a string representing" to the definitions of startAddress and endAddress. Removed "entity" from "Autonomous System Number Entity Object Class". Added "an unsigned 32-bit integer" to the definition of startAutnum and endAutnum. Added "a string representing" to the definition of name in the IP network and ASN object classes. Clarified rdapConformance identifier registration expectations in Section 4.1. Changed "lunarNic_level_0" to "lunarNIC_level_0". * Clarified that the "value", "rel" and "href" JSON values MUST be specified in the "links" array. * Clarified that the "description" array is required in the Notices and Remarks data structures and other values are OPTIONAL. * Noted that all members of the "events" and "Public IDs" arrays are REQUIRED. * Fix "self" link values in examples. Changed "http" to "https" link values in examples. Noted that Figure 18 is an example of a nameserver object with all "appropriate" values given. In Appendix C, quoted the word "label" in "label attribute". Added reference to "status" definition in the descriptions for IP networks and autnums. Fixed a 404 for the informative reference to "The Stealthy Ascendancy of JSON". Added "boolean" to the definition of zoneSigned. * Clarified REQUIRED and OPTIONAL members of the "events" array. * Changed "SHOULD not" to "SHOULD NOT" in Section 5. * Updated normative references (RFC 5226 to RFC 8126, RFC 5988 to RFC 8288, RFC 7159 to RFC 8259). Changed examples using "ns1.xn-- fo-5ja.example" to split URLs to avoid long lines. * Added acknowledgments. * Changed "The "lang" attribute may appear anywhere in an object class or data structure except for in jCard objects" to "The "lang" attribute as defined in this section MAY appear anywhere in an object class or data structure, except for in jCard objects. jCard supports similar functionality by way of the LANGUAGE property parameter (see Section 5.1 of RFC 6350 [RFC6350]". * Changed "simple data types conveyed in JSON strings" to "simple data types conveyed in JSON primitive types (strings, numbers, booleans, and null)". Changed "In other words, servers are free to not include JSON members containing registration data based on their own policies" to "In other words, servers are free to omit unrequired/optional JSON members containing registration data based on their own policies". * Changed "This data structure appears only in the topmost JSON object of a response" to "This data structure MUST appear in the topmost JSON object of a response". * Changed "Some non-answer responses may return entity bodies with information that could be more descriptive" to "Some non-answer responses MAY return entity bodies with information that could be more descriptive". * Changed "The basic structure of that response is an object class containing an error code number (corresponding to the HTTP response code) followed by a string named "title" and an array of strings named "description"" to "The basic structure of that response is an object class containing a REQUIRED error code number (corresponding to the HTTP response code) followed by an OPTIONAL string named "title" and an OPTIONAL array of strings named "description"". * Changed the "Autonomous System Number Object Class" section title to "The Autonomous System Number Object Class" for consistency with other section titles. Removed trailing periods in the "Terminology and Definitions" section for consistency. Changed instances of "lunarNic" to "lunarNIC" for consistency. Removed an extraneous trailing period after the eventDate description. Changed a "." to ";" in the description of the "network" member of the domain object class. Changed "The high-level structure of the autnum object class consists of information about the network registration" to "The high-level structure of the autnum object class consists of information about the Autonomous System number registration". Changed "registry unique" to "registry-unique". * Changed "registrant" to "registrar" in the description of the "transfer" event action to address erratum 6158. Added IANA instructions to correct the description of the value in the registry. * Added text to Section 4.2 to note that "self" and "related" "href" URIs MUST NOT be the same. * Added text to Section 4.2 to describe return of IDNs in LDH name format. * Added text to note that the "fn" member of a contact object MAY be empty in Section 3. * Added text to clarify rdapConformance requirements in Section 4.1. * Added "obsoletes 7483" to the headers, Abstract, and Introduction. Updated BCP 14 boilerplate. Updated IANA Considerations to note that this RFC (a product of the REGEXT Working Group) replaces RFC 7483. Changed "simple string" to "simple character string" in Sections 3 and 4.7. Clarified requirement for the "fn" member in Section 3. Modified the requirement for rdapConformance placement in Section 4.1. Changed "jCard" to "vCard" LANGUAGE property reference in Section 4.4. Changed "no use" to "little or no use" in Section 5.1. Added example line wrap note in Section 5.2. Modified the definition of "idnTable" in Section 5.3. Modified the dsData and keyData examples in Section 5.3. Changed "2001:c00::/23" to "2001:db8::/32" in Section 5.4. Expanded the definition of "type" in Sections 5.4 and 5.5. Modified example autnums in Section 5.5. Added text to the Security Considerations section to note that DNSSEC information returned in a response cannot be trusted directly. Acknowledgments This document is derived from original work on RIR responses in JSON by Byron J. Ellacott, Arturo L. Servin, Kaveh Ranjbar, and Andrew L. Newton. Additionally, this document incorporates work on DNR responses in JSON by Ning Kong, Linlin Zhou, Jiagui Xie, and Sean Shen. The components of the DNR object classes are derived from a categorization of WHOIS response formats created by Ning Kong, Linlin Zhou, Guangqing Deng, Steve Sheng, Francisco Arias, Ray Bellis, and Frederico Neves. Tom Harrison, Murray Kucherawy, Ed Lewis, Audric Schiltknecht, Naoki Kambe, Maarten Bosteels, Mario Loffredo, and Jasdip Singh contributed significant review comments and provided clarifying text. James Mitchell provided text regarding the processing of unknown JSON attributes and identified issues leading to the remodeling of events. Ernie Dainow and Francisco Obispo provided concrete suggestions that led to a better variant model for domain names. Ernie Dainow provided the background information on the secure DNS attributes and objects for domains, informative text on DNSSEC, and many other attributes that appear throughout the object classes of this document. The switch to and incorporation of jCard was performed by Simon Perreault. Olaf Kolkman and Murray Kucherawy chaired the IETF's WEIRDS Working Group from which this document was originally created. James Galvin and Antoin Verschuren chaired the REGEXT Working Group that worked on this document. Authors' Addresses Scott Hollenbeck Verisign Labs 12061 Bluemont Way Reston, VA 20190 United States of America Email: shollenbeck@verisign.com URI: https://www.verisignlabs.com/ Andy Newton Amazon Web Services, Inc. 13200 Woodland Park Road Herndon, VA 20171 United States of America Email: andy@hxr.us ========================================================================= Internet Engineering Task Force (IETF) M. Blanchet Request for Comments: 9224 Viagenie STD: 95 March 2022 Obsoletes: 7484 Category: Standards Track ISSN: 2070-1721 Finding the Authoritative Registration Data Access Protocol (RDAP) Service Abstract This document specifies a method to find which Registration Data Access Protocol (RDAP) server is authoritative to answer queries for a requested scope, such as domain names, IP addresses, or Autonomous System numbers. This document obsoletes RFC 7484. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9224. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction 2. Conventions Used in This Document 3. Structure of the RDAP Bootstrap Service Registries 4. Bootstrap Service Registry for Domain Name Space 5. Bootstrap Service Registries for Internet Numbers 5.1. Bootstrap Service Registry for IPv4 Address Space 5.2. Bootstrap Service Registry for IPv6 Address Space 5.3. Bootstrap Service Registry for AS Number Space 6. Entity 7. Non-existent Entries or RDAP URL Values 8. Deployment and Implementation Considerations 9. Limitations 10. Formal Definition 10.1. Imported JSON Terms 10.2. Registry Syntax 11. Security Considerations 12. IANA Considerations 12.1. Bootstrap Service Registry for IPv4 Address Space 12.2. Bootstrap Service Registry for IPv6 Address Space 12.3. Bootstrap Service Registry for AS Number Space 12.4. Bootstrap Service Registry for Domain Name Space 13. References 13.1. Normative References 13.2. Informative References Appendix A. Changes since RFC 7484 Acknowledgements Author's Address 1. Introduction Querying and retrieving registration data from registries are defined in the Registration Data Access Protocol (RDAP) [RFC7480] [RFC7481] [RFC9082] [RFC9083]. These documents do not specify where to send the queries. This document specifies a method to find which server is authoritative to answer queries for the requested scope. Top-Level Domains (TLDs), Autonomous System (AS) numbers, and network blocks are delegated by IANA to Internet registries such as TLD registries and Regional Internet Registries (RIRs) that then issue further delegations and maintain information about them. Thus, the bootstrap information needed by RDAP clients is best generated from data and processes already maintained by IANA; the relevant registries already exist at [ipv4reg], [ipv6reg], [asreg], and [domainreg]. This document obsoletes [RFC7484]. Per this document, IANA has created new registries based on a JSON format specified in this document, herein named RDAP Bootstrap Service Registries. These new registries are based on the existing entries of the above-mentioned registries. An RDAP client fetches the RDAP Bootstrap Service Registries, extracts the data, and then performs a match with the query data to find the authoritative registration data server and appropriate query base URL. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Structure of the RDAP Bootstrap Service Registries The RDAP Bootstrap Service Registries, as specified in Section 12 below, have been made available as JSON [RFC8259] objects, which can be retrieved via HTTP from locations specified by IANA. The JSON object for each registry contains a series of members containing metadata about the registry such as a version identifier, a timestamp of the publication date of the registry, and a description. Additionally, a "services" member contains the registry items themselves, as an array. Each item of the array contains a second- level array, with two elements, each of them being a third-level array. Each element of the Services Array is a second-level array with two elements: in order, an Entry Array and a Service URL Array. The Entry Array contains all entries that have the same set of base RDAP URLs. The Service URL Array contains the list of base RDAP URLs usable for the entries found in the Entry Array. Elements within these two arrays are not ordered in any way. An example structure of the JSON output of an RDAP Bootstrap Service Registry is illustrated: { "version": "1.0", "publication": "YYYY-MM-DDTHH:MM:SSZ", "description": "Some text", "services": [ [ ["entry1", "entry2", "entry3"], [ "https://registry.example.com/myrdap/", "http://registry.example.com/myrdap/" ] ], [ ["entry4"], [ "https://example.org/" ] ] ] } The formal syntax is described in Section 10. The "version" corresponds to the format version of the registry. This specification defines version "1.0". The syntax of the "publication" value conforms to the Internet date/ time format [RFC3339]. The value is the latest update date of the registry by IANA. The optional "description" string can contain a comment regarding the content of the bootstrap object. Per [RFC7258], in each array of base RDAP URLs, the secure versions of the transport protocol SHOULD be preferred and tried first. For example, if the base RDAP URLs array contains both HTTPS and HTTP URLs, the bootstrap client SHOULD try the HTTPS version first. Base RDAP URLs MUST have a trailing "/" character because they are concatenated to the various segments defined in [RFC9082]. JSON names MUST follow the format recommendations of Section 6 of [RFC7480]. Any unrecognized JSON object properties or values MUST be ignored by implementations. Internationalized Domain Name labels used as entries or base RDAP URLs in the registries defined in this document MUST be only represented using their A-label form as defined in [RFC5890]. All Domain Name labels used as entries or base RDAP URLs in the registries defined in this document MUST be only represented in lowercase. 4. Bootstrap Service Registry for Domain Name Space The JSON output of this registry contains domain label entries attached to the root, grouped by base RDAP URLs, as shown in this example. { "version": "1.0", "publication": "2024-01-07T10:11:12Z", "description": "Some text", "services": [ [ ["net", "com"], [ "https://registry.example.com/myrdap/" ] ], [ ["org", "mytld"], [ "https://example.org/" ] ], [ ["xn--zckzah"], [ "https://example.net/rdap/xn--zckzah/", "http://example.net/rdap/xn--zckzah/" ] ] ] } The domain name's authoritative registration data service is found by doing the label-wise longest match of the target domain name with the domain values in the Entry Arrays in the IANA "Bootstrap Service Registry for Domain Name Space". The match is done per label, from right to left. If the longest match results in multiple entries, then those entries are considered equivalent. The values contained in the Service URL Array of the matching second-level array are the valid base RDAP URLs as described in [RFC9082]. For example, a domain RDAP query for a.b.example.com matches the com entry in one of the arrays of the registry. The base RDAP URL for this query is then taken from the second element of the array, which is an array of base RDAP URLs valid for this entry. The client chooses one of the base URLs from this array; in this example, it chooses the only one available, "https://registry.example.com/ myrdap/". The segment specified in [RFC9082] is then appended to the base URL to complete the query. The complete query is then "https://registry.example.com/myrdap/domain/a.b.example.com". If a domain RDAP query for a.b.example.com matches both com and example.com entries in the registry, then the longest match applies and the example.com entry is used by the client. If the registry contains entries such as com and goodexample.com, then a domain RDAP query for example.com only matches the com entry because matching is done on a per-label basis. The entry for the root of the domain name space is specified as "". 5. Bootstrap Service Registries for Internet Numbers This section discusses IPv4 and IPv6 address space and Autonomous System numbers. For IP address space, the authoritative registration data service is found by doing a longest match of the target address with the values of the arrays in the corresponding RDAP Bootstrap Service Registry for Address Space. The longest match is done the same way as in packet forwarding: the addresses are converted in binary form and then the binary strings are compared to find the longest match up to the specified prefix length. The values contained in the second element of the array are the base RDAP URLs as described in [RFC9082]. The longest match method enables covering prefixes of a larger address space pointing to one base RDAP URL while more specific prefixes within the covering prefix are being served by another base RDAP URL. 5.1. Bootstrap Service Registry for IPv4 Address Space The JSON output of this registry contains IPv4 prefix entries, specified in Classless Inter-domain Routing (CIDR) format [RFC4632] and grouped by RDAP URLs, as shown in this example. { "version": "1.0", "publication": "2024-01-07T10:11:12Z", "description": "RDAP Bootstrap file for example registries.", "services": [ [ ["198.51.100.0/24", "192.0.0.0/8"], [ "https://rir1.example.com/myrdap/" ] ], [ ["203.0.113.0/24", "192.0.2.0/24"], [ "https://example.org/" ] ], [ ["203.0.113.0/28"], [ "https://example.net/rdaprir2/", "http://example.net/rdaprir2/" ] ] ] } For example, a query for "192.0.2.1/25" matches the "192.0.0.0/8" entry and the "192.0.2.0/24" entry in the example registry above. The latter is chosen by the client because it is the longest match. The base RDAP URL for this query is then taken from the second element of the array, which is an array of base RDAP URLs valid for this entry. The client chooses one of the base URLs from this array; in this example, it chooses the only one available, "https://example.org/". The {resource} specified in [RFC9082] is then appended to the base URL to complete the query. The complete query is then "https://example.org/ip/192.0.2.1/25". 5.2. Bootstrap Service Registry for IPv6 Address Space The JSON output of this registry contains IPv6 prefix entries, using [RFC5952] text representation of the address prefixes format, grouped by base RDAP URLs, as shown in this example. { "version": "1.0", "publication": "2024-01-07T10:11:12Z", "description": "RDAP Bootstrap file for example registries.", "services": [ [ ["2001:db8::/34"], [ "https://rir2.example.com/myrdap/" ] ], [ ["2001:db8:4000::/36", "2001:db8:ffff::/48"], [ "https://example.org/" ] ], [ ["2001:db8:1000::/36"], [ "https://example.net/rdaprir2/", "http://example.net/rdaprir2/" ] ] ] } For example, a query for "2001:db8:1000::/48" matches the "2001:db8::/34" entry and the "2001:db8:1000::/36" entry in the example registry above. The latter is chosen by the client because it is the longest match. The base RDAP URL for this query is then taken from the second element of the array, which is an array of base RDAP URLs valid for this entry. The client chooses one of the base URLs from this array; in this example, it chooses "https://example.net/rdaprir2/" because it's the secure version of the protocol. The segment specified in [RFC9082] is then appended to the base URL to complete the query. The complete query is therefore "https://example.net/rdaprir2/ip/2001:db8:1000::/48". If the target RDAP server does not answer, the client can then use another URL prefix from the array. 5.3. Bootstrap Service Registry for AS Number Space The JSON output of this registry contains entries for AS number ranges, grouped by base RDAP URLs, as shown in this example. The Entry Array is an array containing the list of AS number ranges served by the base RDAP URLs found in the second element. Each element of the array contains two AS numbers represented in decimal format, separated by a hyphen, that represents the range of AS numbers between the two AS numbers (inclusive), where values are in increasing order (e.g., 100-200, not 200-100). A single AS number is represented as a range of two identical AS numbers. AS numbers are represented as 'asplain' as defined in [RFC5396]. Ranges MUST NOT overlap. { "version": "1.0", "publication": "2024-01-07T10:11:12Z", "description": "RDAP Bootstrap file for example registries.", "services": [ [ ["64496-64496"], [ "https://rir3.example.com/myrdap/" ] ], [ ["64497-64510", "65536-65551"], [ "https://example.org/" ] ], [ ["64512-65534"], [ "http://example.net/rdaprir2/", "https://example.net/rdaprir2/" ] ] ] } For example, a query for AS 65411 matches the 64512-65534 entry in the example registry above. The base RDAP URL for this query is then taken from the second element of the array, which is an array of base RDAP URLs valid for this entry. The client chooses one of the base URLs from this array; in this example, it chooses "https://example.net/rdaprir2/". The segment specified in [RFC9082] is then appended to the base URL to complete the query. The complete query is, therefore, "https://example.net/rdaprir2/autnum/65411". If the server does not answer, the client can then use another URL prefix from the array. 6. Entity Entities (such as contacts, registrants, or registrars) can be queried by handle as described in [RFC9082]. Since there is no global name space for entities, this document does not describe how to find the authoritative RDAP server for entities. However, it is possible that, if the entity identifier was received from a previous query, the same RDAP server could be queried for that entity, or the entity identifier itself is a fully qualified URL that can be queried. The mechanism described in [RFC8521] MAY also be used. 7. Non-existent Entries or RDAP URL Values The registries may not contain the requested value. In these cases, there is no known RDAP server for that requested value, and the client SHOULD provide an appropriate error message to the user. 8. Deployment and Implementation Considerations This method relies on the fact that RDAP clients are fetching the IANA registries to then find the servers locally. Clients SHOULD NOT fetch the registry on every RDAP request. Clients SHOULD cache the registry, but use underlying protocol signaling, such as the HTTP Expires header field [RFC7234], to identify when it is time to refresh the cached registry. Some authorities of registration data may work together on sharing their information for a common service, including mutual redirection [REDIRECT-RDAP]. When a new object is allocated, such as a new AS range, a new TLD, or a new IP address range, there is no guarantee that this new object will have an entry in the corresponding bootstrap RDAP registry, since the setup of the RDAP server for this new entry may become live and registered later. Therefore, the clients should expect that even if an object, such as TLD, IP address range, or AS range is allocated, the existence of the entry in the corresponding bootstrap registry is not guaranteed. 9. Limitations This method does not provide a direct way to find authoritative RDAP servers for any other objects than the ones described in this document. In particular, the following objects are not bootstrapped with the method described in this document: * entities * queries using search patterns that do not contain a terminating string that matches some entries in the registries * nameservers * help 10. Formal Definition This section is the formal definition of the registries. The structure of JSON objects and arrays using a set of primitive elements is defined in [RFC8259]. Those elements are used to describe the JSON structure of the registries. 10.1. Imported JSON Terms OBJECT: a JSON object, defined in Section 4 of [RFC8259] MEMBER: a member of a JSON object, defined in Section 4 of [RFC8259] MEMBER-NAME: the name of a MEMBER, defined as a "string" in Section 4 of [RFC8259] MEMBER-VALUE: the value of a MEMBER, defined as a "value" in Section 4 of [RFC8259] ARRAY: an array, defined in Section 5 of [RFC8259] ARRAY-VALUE: an element of an ARRAY, defined in Section 5 of [RFC8259] STRING: a "string", as defined in Section 7 of [RFC8259] 10.2. Registry Syntax Using the above terms for the JSON structures, the syntax of a registry is defined as follows: rdap-bootstrap-registry: an OBJECT containing a MEMBER version and a MEMBER publication, an optional MEMBER description, and a MEMBER services-list version: a MEMBER with MEMBER-NAME "version" and MEMBER-VALUE a STRING publication: a MEMBER with MEMBER-NAME "publication" and MEMBER- VALUE a STRING description: a MEMBER with MEMBER-NAME "description" and MEMBER- VALUE a STRING services-list: a MEMBER with MEMBER-NAME "services" and MEMBER-VALUE a services-array services-array: an ARRAY, where each ARRAY-VALUE is a service service: an ARRAY of 2 elements, where the first ARRAY-VALUE is an entry-list and the second ARRAY-VALUE is a service-uri-list entry-list: an ARRAY, where each ARRAY-VALUE is an entry entry: a STRING service-uri-list: an ARRAY, where each ARRAY-VALUE is a service-uri service-uri: a STRING 11. Security Considerations By providing a bootstrap method to find RDAP servers, this document helps to ensure that the end users will get the RDAP data from an authoritative source instead of from rogue sources. The method has the same security properties as the RDAP protocols themselves. The transport used to access the registries uses TLS [RFC8446]. Additional considerations on using RDAP are described in [RFC7481]. 12. IANA Considerations IANA has created the RDAP Bootstrap Services Registries listed below and made them available as JSON objects. The contents of these registries are described in Sections 3, 4, and 5, with the formal syntax specified in Section 10. The registries MUST be accessible only through HTTPS (TLS [RFC8446]) transport. The process for adding or updating entries in these registries differs from the normal IANA registry processes: these registries are generated from the data, processes, and policies maintained by IANA in their allocation registries ([ipv4reg], [ipv6reg], [asreg], and [domainreg]), with the addition of new RDAP server information. IANA updates RDAP Bootstrap Services Registries entries from the allocation registries as those registries are updated. This document does not change any policies related to the allocation registries; IANA has provided a mechanism for collecting the RDAP server information. IANA has created a new top-level category on the Protocol Registries page: <https://www.iana.org/protocols>. The group is called "Registration Data Access Protocol (RDAP)". Each of the RDAP Bootstrap Services Registries has been made available for on-demand download in the JSON format by the general public, and that registry's URI is listed directly on the Protocol Registries page. Other normal registries will be added to this group by other documents, but the reason the URIs for these registries are clearly listed on the main page is to make those URIs obvious to implementers -- these are registries that will be accessed by software, as well as by humans using them for reference information. Because these registries will be accessed by software, the download demand for the RDAP Bootstrap Services Registries may be unusually high compared to normal IANA registries. The technical infrastructure by which registries are published has been put in place by IANA to support the load. Since the publication of [RFC7484], no issues have been reported regarding the load or the service. As discussed in Section 8, software that accesses these registries will depend on the HTTP Expires header field to limit their query rate. It is, therefore, important for that header field to be properly set to provide timely information as the registries change, while maintaining a reasonable load on the IANA servers. The HTTP Content-Type returned to clients accessing these JSON- formatted registries MUST be "application/json", as defined in [RFC8259]. Because of how information in the RDAP Bootstrap Services Registries is grouped and formatted, the registry entries may not be sortable. It is, therefore, not required or expected that the entries be ordered in any way. 12.1. Bootstrap Service Registry for IPv4 Address Space Entries in this registry contain at least the following: * a CIDR [RFC4632] specification of the network block being registered * one or more URLs that provide the RDAP service regarding this registration 12.2. Bootstrap Service Registry for IPv6 Address Space Entries in this registry contain at least the following: * an IPv6 prefix [RFC5952] specification of the network block being registered * one or more URLs that provide the RDAP service regarding this registration 12.3. Bootstrap Service Registry for AS Number Space Entries in this registry contain at least the following: * a range of Autonomous System numbers being registered * one or more URLs that provide the RDAP service regarding this registration 12.4. Bootstrap Service Registry for Domain Name Space Entries in this registry contain at least the following: * a domain name attached to the root being registered * one or more URLs that provide the RDAP service regarding this registration 13. References 13.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>. [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August 2006, <https://www.rfc-editor.org/info/rfc4632>. [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of Autonomous System (AS) Numbers", RFC 5396, DOI 10.17487/RFC5396, December 2008, <https://www.rfc-editor.org/info/rfc5396>. [RFC5890] Klensin, J., "Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework", RFC 5890, DOI 10.17487/RFC5890, August 2010, <https://www.rfc-editor.org/info/rfc5890>. [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010, <https://www.rfc-editor.org/info/rfc5952>. [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, <https://www.rfc-editor.org/info/rfc7258>. [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the Registration Data Access Protocol (RDAP)", STD 95, RFC 7480, DOI 10.17487/RFC7480, March 2015, <https://www.rfc-editor.org/info/rfc7480>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, <https://www.rfc-editor.org/info/rfc8259>. 13.2. Informative References [asreg] IANA, "Autonomous System (AS) Numbers", <https://www.iana.org/assignments/as-numbers>. [domainreg] IANA, "Root Zone Database", <https://www.iana.org/domains/root/db>. [ipv4reg] IANA, "IANA IPv4 Address Space Registry", <https://www.iana.org/assignments/ipv4-address-space>. [ipv6reg] IANA, "IPv6 Global Unicast Address Assignments", <https://www.iana.org/assignments/ipv6-unicast-address- assignments>. [REDIRECT-RDAP] Martinez, C.M., Ed., Zhou, L., Ed., and G. Rada, "Redirection Service for Registration Data Access Protocol", Work in Progress, Internet-Draft, draft-ietf- weirds-redirects-04, July 2014, <https://datatracker.ietf.org/doc/html/draft-ietf-weirds- redirects-04>. [RFC7071] Borenstein, N. and M. Kucherawy, "A Media Type for Reputation Interchange", RFC 7071, DOI 10.17487/RFC7071, November 2013, <https://www.rfc-editor.org/info/rfc7071>. [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", RFC 7234, DOI 10.17487/RFC7234, June 2014, <https://www.rfc-editor.org/info/rfc7234>. [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the Registration Data Access Protocol (RDAP)", STD 95, RFC 7481, DOI 10.17487/RFC7481, March 2015, <https://www.rfc-editor.org/info/rfc7481>. [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March 2015, <https://www.rfc-editor.org/info/rfc7484>. [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>. [RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access Protocol (RDAP) Object Tagging", BCP 221, RFC 8521, DOI 10.17487/RFC8521, November 2018, <https://www.rfc-editor.org/info/rfc8521>. [RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access Protocol (RDAP) Query Format", STD 95, RFC 9082, DOI 10.17487/RFC9082, June 2021, <https://www.rfc-editor.org/info/rfc9082>. [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the Registration Data Access Protocol (RDAP)", STD 95, RFC 9083, DOI 10.17487/RFC9083, June 2021, <https://www.rfc-editor.org/info/rfc9083>. Appendix A. Changes since RFC 7484 There are no substantive changes except for minor clarifications. This update is primarily to meet the requirements for moving to an Internet Standard. Acknowledgements The WEIRDS Working Group had multiple discussions on this topic, including a session during IETF 84, where various methods such as in- DNS and others were debated. The idea of using IANA registries was discovered by the author during discussions with his colleagues as well as by a comment from Andy Newton. All the people involved in these discussions are herein acknowledged. Linlin Zhou, Jean- Philippe Dionne, John Levine, Kim Davies, Ernie Dainow, Scott Hollenbeck, Arturo Servin, Andy Newton, Murray Kucherawy, Tom Harrison, Naoki Kambe, Alexander Mayrhofer, Edward Lewis, Pete Resnick, Alessandro Vesely, Bert Greevenbosch, Barry Leiba, Jari Arkko, Kathleen Moriaty, Stephen Farrell, Richard Barnes, and Jean- Francois Tremblay provided input and suggestions to the first version of this document. Guillaume Leclanche was a coauthor of this document for some revisions; his support is therein acknowledged and greatly appreciated. The section on formal definition was inspired by Section 6.2 of [RFC7071]. This new version [This document] received comments and suggestions from Gavin Brown, Patrick Mevzek, John Levine, Jasdip Singh, George Michaelson, Scott Hollenbeck, Russ Housley, Joel Halpern, Lars Eggert, Benjamin Kaduk, Scott Kelly, Éric Vyncke, John Scudder, Erik Kline, and Robert Wilton. Errata for RFC 7484 were submitted by Pieter Vandepitte and were applied to this document. Author's Address Marc Blanchet Viagenie 246 Aberdeen Quebec QC G1R 2E1 Canada Email: Marc.Blanchet@viagenie.ca URI: https://viagenie.ca