Network Working Group                                        M. Blanchet
Internet-Draft                                                  Viagenie
Intended status: Informational                              June 2, 2019
Expires: December 4, 2019

                   RDAP Deployment Findings and Update
               draft-blanchet-regext-rdap-deployfindings-00

Abstract

   Registration Data Access Protocol (RDAP) is being deployed in domain
   and IP address registries.  This document describes issues and
   findings encountered while interfacing with the known server
   implementations and deployments.  It also provides recommendations
   for the specifications.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 4, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  IANA RDAP Registries Related Issues
     2.1.  Values not Registered or Similar
     2.2.  RDAP Extensions not Registered
   3.  RDAP Responses
     3.1.  Cross-origin resource sharing (CORS)
     3.2.  Object Class Name empty
     3.3.  Links Relation Values
     3.4.  Related link pointing to self causes infinite loop
     3.5.  Registrant Entity Too Deep
   4.  Queries
     4.1.  URL encoding of :
   5.  Domain Registrar RDAP Server Location
   6.  Issues related to RFC7482
     6.1.  Search patterns that are not
   7.  IANA RDAP Bootstrap Registries Related Issues
     7.1.  Missing Trailing Char in Bootstrap Registries
     7.2.  Single target value
   8.  Security Considerations
   9.  IANA Considerations
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
     11.3.  URIs
   Author's Address

1.  Introduction

   While developing various tools and software related to RDAP, issues
   have been found and are documented below.  This document should help
   in writing future versions of the specifications and in providing
   more conformant deployments.  It is split into sections based on
   where the fix should be applied.  Obviously, the issues have
   different levels of severity, including nits and very minor ones.
   The actual instances and organisations running the RDAP servers
   where the issues were found are not listed.

2.  IANA RDAP Registries Related Issues

   This section describes issues related to the IANA non-Bootstrap
   registries as specified in [RFC7483].

2.1.  Values not Registered or Similar

   The IANA RDAP JSON Values registry [1] contains various values
   expected in JSON responses.  The following tables show values not
   registered in the registry but seen in the field.  The second column
   shows the possible corresponding values already registered.

   Recommendation: implementations should replace their custom values
   with the registered ones, when one exists.
   Implementors should register their values when there is no
   corresponding registered one.

   Remarks Type

   +---------------------------------+---------------------------------+
   | Unregistered Values             | Possibly Corresponding          |
   |                                 | Registered Values               |
   +---------------------------------+---------------------------------+
   | object truncated due to server  | object truncated due to         |
   | policy                          | authorization                   |
   | Response truncated due to       | object truncated due to         |
   | authorization                   | authorization                   |
   | Object truncated due to         | object truncated due to         |
   | authorization                   | authorization                   |
   | object redacted due to          | object truncated due to         |
   | authorization                   | authorization                   |
   +---------------------------------+---------------------------------+

   Event Action

   +-----------------------------+-------------------------------------+
   | Unregistered Values         | Possibly Corresponding Registered   |
   |                             | Values                              |
   +-----------------------------+-------------------------------------+
   | delegation check            |                                     |
   | last correct delegation     |                                     |
   | check                       |                                     |
   | last update                 | last changed                        |
   +-----------------------------+-------------------------------------+

   Status Value

   +--------------------------+----------------------------------------+
   | Unregistered Values      | Possibly Corresponding Registered      |
   |                          | Values                                 |
   +--------------------------+----------------------------------------+
   | server deleted           | server delete prohibited               |
   | prohibited               |                                        |
   | ok                       | active                                 |
   +--------------------------+----------------------------------------+

2.2.  RDAP Extensions not Registered

   The IANA RDAP Extensions registry [2] contains the extension values
   expected in the rdapConformance member of RDAP JSON responses.  The
   following table shows values not registered in the registry but seen
   in the field.
   The second column shows the possible corresponding values already
   registered.

   Recommendation: implementations should replace their custom values
   with the registered ones, when one exists.  Implementors should
   register their values when there is no corresponding registered one.

   +---------------------------------------------+---------------------+
   | Unregistered Values                         | Possibly            |
   |                                             | Corresponding       |
   |                                             | Registered Values   |
   +---------------------------------------------+---------------------+
   | rdap_objectTag_level_0                      | rdap_objectTag      |
   | rdap_openidc_level_0                        |                     |
   | icann_rdap_technical_implementation_guide_0 |                     |
   | icann_rdap_response_profile_0               |                     |
   | itNic_level_0                               |                     |
   | fred_version_0                              | fred                |
   | nicbr_level_0                               |                     |
   | ur_domain_check_level_0                     |                     |
   | history_version_0                           |                     |
   +---------------------------------------------+---------------------+

3.  RDAP Responses

   This section discusses issues found related to RDAP responses, as
   specified in [RFC7483].

3.1.  Cross-origin resource sharing (CORS)

   As specified in [RFC7480], the HTTP "Access-Control-Allow-Origin: *"
   header should be included in the responses, to enable Web clients to
   work properly.  Some RDAP servers do not set this header.  RFC7480
   says "it is RECOMMENDED that servers".  It should be updated to "for
   any public Internet deployment, servers MUST".

3.2.  Object Class Name empty

   A non-conformant server sends the following answer, where the value
   of "objectClassName" is an empty string (and "handle" is empty as
   well).  As per [RFC7483] section 4.9, the "objectClassName" value is
   required.  Extract of the seen response:

   {
     entities: [
       {
         "entities": [
           {
             "objectClassName": "",
             "handle": "",
           }
         ],
       ],
   }

3.3.  Links Relation Values

   The link relation values specified in [RFC7483] section 4.3 refer to
   [RFC5988], which creates the IANA Link Relations registry [3].  This
   registry contains a large number of values, most of which do not
   apply to RDAP deployments.  As with the values above that are
   similar to registered ones but not used, we list here the ones we
   have seen.  It would be appropriate to further describe the main
   ones in the RFC so that implementors focus on the ones that are
   expected, instead of picking the wrong ones in the IANA registry or
   defining new ones without registering them.

   Links Relation Values Seen

   +------------------+
   | Values           |
   +------------------+
   | about            |
   | alternate        |
   | copyright        |
   | describedBy      |
   | help             |
   | related          |
   | self             |
   | terms-of-service |
   | up               |
   +------------------+

3.4.  Related link pointing to self causes infinite loop

   An RDAP server returns a link of "rel": "related" that points to
   itself, causing the RDAP client to fetch the object again, read the
   related link, fetch again, and so on in an infinite loop.  Extract
   of the seen response:

   {
     "links": [
       {
         "title": "Self",
         "rel": "self",
         "type": "application/rdap+json",
         "href": "https://rdapserver.example.com/domain/example.net"
       },
       {
         "title": "Registrar Data for this object",
         "rel": "related",
         "href": "https://rdapserver.example.com/domain/example.net",
         "type": "application/rdap+json"
       }
     ],
   }

   Recommendation: do not make the related link the same as the self
   link.  RFC7483 section 4.2 should be updated to add the following
   text: "A link of "rel": "related" should not have the same "href"
   value as the "href" value of the link of "rel": "self"."

3.5.  Registrant Entity Too Deep

   An RDAP server returns the registrant entity in a sub-entity, which
   makes it difficult to parse given the expectation that the
   registrant is at the top level.  Extract of the seen response:

   {
     entities: [
       {
         "objectClassName": "entity",
         "handle": "HANDLE1",
         "roles": [ "abuse" ],
         "vcardArray": [ ... ],
         "entities": [
           {
             "objectClassName": "entity",
             "handle": "HANDLE2",
             "roles": [ "registrant" ],
             "vcardArray": [ ... ],
           }
         ],
       ],

   Recommendation: put the registrant in the top-level entities as
   follows:

   {
     entities: [
       {
         "objectClassName": "entity",
         "handle": "HANDLE1",
         "roles": [ "abuse" ],
         "vcardArray": [ ... ]
       },
       {
         "objectClassName": "entity",
         "handle": "HANDLE2",
         "roles": [ "registrant" ],
         "vcardArray": [ ... ],
       }
     ],

4.  Queries

   This section discusses support for RFC7482 queries and the RDAP
   server behaviors seen.

4.1.  URL encoding of :

   For RIR registries, the ip query may include an IPv6 address, which
   then includes one or more ":" characters.  Clients may decide to
   percent-encode the query.  One RDAP server rejected the
   percent-encoded query of an IPv6 address.  Recommendation: accept
   both percent-encoded and non-percent-encoded queries.

5.  Domain Registrar RDAP Server Location

   The ICANN RDAP Profile [4] section 3.2 requires domain registries
   that do not have registrant information (so-called thin registries)
   to put a specific link of "rel": "related" pointing to the domain
   registrar responsible for the domain being queried, so that a client
   can get the registrant information using a second query to the
   related link.  However, the semantics seem ambiguous, as other RDAP
   servers may use "rel": "related" for other kinds of relation, not
   the specific semantic of finding the registrant data.
   Therefore, a possible mitigation is to define a new "rel" type of
   "registrantInfo" (mnemonic TBD) to carry the specific semantic of
   registrant info.

6.  Issues related to RFC7482

6.1.  Search patterns that are not

   Section 3.2.1 of [RFC7482] says: "domains?nsIp=ZZZZ.  ZZZZ is a
   search pattern representing an IPv4 [RFC1166] or IPv6 [RFC5952]
   address.".  "Search pattern" is used throughout that document for
   something that can include '*', while here it does not.  The syntax
   statement is also misleading.  Similarly, section 3.2.2 says:
   "nameservers?ip=YYYY  YYYY is a search pattern representing an IPv4
   [RFC1166] or IPv6 [RFC5952] address."

   Recommendation: in [RFC7482], replace "ZZZZ is a search pattern
   representing an IPv4" by "ZZZZ is an IPv4", "Syntax:
   domains?nsIp=" by "Syntax: domains?nsIp=", "YYYY is a search
   pattern representing an IPv4" by "YYYY is an IPv4", and "Syntax:
   nameservers?ip=" by "Syntax: nameservers?ip=".

7.  IANA RDAP Bootstrap Registries Related Issues

   This section describes issues related to the IANA Bootstrap
   registries as specified in [RFC7484].

7.1.  Missing Trailing Char in Bootstrap Registries

   [RFC7484] section 3 says: "Base RDAP URLs MUST have a trailing "/"
   character".  However, some values in the various IANA Bootstrap
   registries do not have the trailing "/" character.  These should be
   added to provide consistency.

7.2.  Single target value

   [RFC7484] provides a way to list multiple RDAP servers for an entry.
   This flexibility was designed initially to support multiple URI
   types, such as http: and https:, and to provide some level of
   redundancy.  However, given that the security deployment policy is
   to use https everywhere and that redundancy can be accomplished in
   other ways, deployment has shown that all entries in all bootstrap
   registries have a single target RDAP URL value.
   Therefore, we can consider updating the RFC to provide only one
   target value.  However, this should be done carefully to avoid
   breaking currently deployed clients.

8.  Security Considerations

   Proper conformance to specifications helps security.  However, no
   security issues have been found in the context of this draft.

9.  IANA Considerations

   This document requests IANA to add the following values to this
   registry.  TBD.

10.  Acknowledgements

   Audric Schiltknecht, TBD have provided input and suggestions to this
   document.

11.  References

11.1.  Normative References

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", RFC 7480,
              DOI 10.17487/RFC7480, March 2015.

   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
              Protocol (RDAP) Query Format", RFC 7482,
              DOI 10.17487/RFC7482, March 2015.

   [RFC7483]  Newton, A. and S. Hollenbeck, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", RFC 7483,
              DOI 10.17487/RFC7483, March 2015.

   [RFC7484]  Blanchet, M., "Finding the Authoritative Registration Data
              (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
              2015.

11.2.  Informative References

   [RFC5988]  Nottingham, M., "Web Linking", RFC 5988,
              DOI 10.17487/RFC5988, October 2010.

11.3.  URIs

   [1] https://www.iana.org/assignments/rdap-json-values/rdap-json-
       values.xhtml

   [2] https://www.iana.org/assignments/rdap-extensions/rdap-
       extensions.xhtml

   [3] https://www.iana.org/assignments/link-relations/link-
       relations.xhtml

   [4] https://www.icann.org/en/system/files/files/rdap-technical-
       implementation-guide-15feb19-en.pdf

Author's Address

   Marc Blanchet
   Viagenie
   246 Aberdeen
   Quebec, QC G1R 2E1
   Canada

   Email: marc.blanchet@viagenie.ca
   URI:   http://viagenie.ca
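As an added example that is not part of the draft, the following Python checker lints a parsed RDAP response for the findings of Sections 2.1, 2.2, 3.2, 3.4 and 3.5 (unregistered values, empty objectClassName, a "related" link equal to "self", and a registrant nested below the top-level entities), so that a client can refuse to follow a self-referencing link instead of looping; the function names and the sample response are constructed for this illustration.

```python
import json

# Tables from Sections 2.1 and 2.2 of the draft: unregistered value -> registered equivalent.
REMARK_TYPES = {
    "object truncated due to server policy": "object truncated due to authorization",
    "Response truncated due to authorization": "object truncated due to authorization",
    "Object truncated due to authorization": "object truncated due to authorization",
    "object redacted due to authorization": "object truncated due to authorization",
}
STATUS_VALUES = {"server deleted prohibited": "server delete prohibited", "ok": "active"}
EXTENSIONS = {"rdap_objectTag_level_0": "rdap_objectTag", "fred_version_0": "fred"}


def _suggest(kind, value, table):
    registered = table[value]
    hint = f"use registered {registered!r}" if registered else "register it with IANA"
    return f"{kind} {value!r} is not registered; {hint}"


def check_object(obj, depth=0):
    """Return a list of findings for one RDAP object, recursing into nested entities."""
    findings = []
    if not obj.get("objectClassName"):  # Section 3.2: required and must not be empty
        findings.append("objectClassName missing or empty (RFC7483 s4.9)")
    links = obj.get("links", [])
    self_hrefs = {lk.get("href") for lk in links if lk.get("rel") == "self"}
    for link in links:  # Section 3.4: a related link equal to self loops naive clients
        if link.get("rel") == "related" and link.get("href") in self_hrefs:
            findings.append(f"related link points back to self: {link['href']}")
    for ext in obj.get("rdapConformance", []):  # Section 2.2
        if ext in EXTENSIONS:
            findings.append(_suggest("extension", ext, EXTENSIONS))
    for st in obj.get("status", []):  # Section 2.1, status values
        if st in STATUS_VALUES:
            findings.append(_suggest("status", st, STATUS_VALUES))
    for remark in obj.get("remarks", []):  # Section 2.1, remark types (case matters)
        if remark.get("type") in REMARK_TYPES:
            findings.append(_suggest("remark type", remark["type"], REMARK_TYPES))
    for ent in obj.get("entities", []):  # Section 3.5: registrant belongs at top level
        if depth >= 1 and "registrant" in ent.get("roles", []):
            findings.append(f"registrant {ent.get('handle')!r} nested below top-level entities")
        findings.extend(check_object(ent, depth + 1))
    return findings


# Constructed sample response that combines several of the draft's findings.
SAMPLE = json.loads("""{
  "objectClassName": "domain", "handle": "EXAMPLE-1", "ldhName": "example.net",
  "rdapConformance": ["rdap_level_0", "rdap_objectTag_level_0"], "status": ["ok"],
  "remarks": [{"type": "object truncated due to server policy", "description": ["x"]}],
  "links": [{"rel": "self", "href": "https://rdapserver.example.com/domain/example.net"},
            {"rel": "related", "href": "https://rdapserver.example.com/domain/example.net"}],
  "entities": [{"objectClassName": "entity", "handle": "HANDLE1", "roles": ["abuse"],
    "entities": [{"objectClassName": "", "handle": "HANDLE2", "roles": ["registrant"]}]}]
}""")
```

Running `check_object(SAMPLE)` yields six findings, one per issue embedded in the sample; a conformant response yields an empty list.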