idnits 2.17.1 draft-hollenbeck-regext-rfc7482bis-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) == There are 3 instances of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 29, 2020) is 1548 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Unknown state RFC: RFC 952 ** Downref: Normative reference to an Informational RFC: RFC 1166 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 7483 (Obsoleted by RFC 9083) ** Obsolete normative reference: RFC 7484 (Obsoleted by RFC 9224) ** Obsolete normative reference: RFC 8499 (Obsoleted by RFC 9499) -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15' Summary: 8 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 REGEXT Working Group S. Hollenbeck 3 Internet-Draft Verisign Labs 4 Intended status: Standards Track A. Newton 5 Expires: August 1, 2020 ARIN 6 January 29, 2020 8 Registration Data Access Protocol (RDAP) Query Format 9 draft-hollenbeck-regext-rfc7482bis-01 11 Abstract 13 This document describes uniform patterns to construct HTTP URLs that 14 may be used to retrieve registration information from registries 15 (including both Regional Internet Registries (RIRs) and Domain Name 16 Registries (DNRs)) using "RESTful" web access patterns. These 17 uniform patterns define the query syntax for the Registration Data 18 Access Protocol (RDAP). 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on August 1, 2020. 37 Copyright Notice 39 Copyright (c) 2020 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 56 2.1. Acronyms and Abbreviations . . . . . . . . . . . . . . . 4 57 3. Path Segment Specification . . . . . . . . . . . . . . . . . 5 58 3.1. Lookup Path Segment Specification . . . . . . . . . . . . 5 59 3.1.1. IP Network Path Segment Specification . . . . . . . . 6 60 3.1.2. Autonomous System Path Segment Specification . . . . 7 61 3.1.3. Domain Path Segment Specification . . . . . . . . . . 7 62 3.1.4. Nameserver Path Segment Specification . . . . . . . . 8 63 3.1.5. Entity Path Segment Specification . . . . . . . . . . 9 64 3.1.6. Help Path Segment Specification . . . . . . . . . . . 9 65 3.2. Search Path Segment Specification . . . . . . . . . . . . 9 66 3.2.1. Domain Search . . . . . . . . . . . . . . . . . . . . 10 67 3.2.2. Nameserver Search . . . . . . . . . . . . . . . . . . 11 68 3.2.3. Entity Search . . . . . . . . . . . . . . . . . . . . 12 69 4. Query Processing . . . . . . . . . . . . . . . . . . . . . . 12 70 4.1. Partial String Searching . . . . . . . . . . . . . . . . 13 71 4.2. Associated Records . . . . . . . . . . . . . . . . . . . 13 72 5. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 14 73 6. Internationalization Considerations . . . . . . . . . . . . . 14 74 6.1. Character Encoding Considerations . . . . . . . . . . . . 15 75 7. Implementation Status . . . . . . . . . . . . . . . . . . . . 16 76 7.1. Viagenie . . . . . . . . . . . . . . . . . . . . . . . . 16 77 7.2. ARIN . . . . . . . . . . . . . . . . . . . . . . . . . . 17 78 7.3. LACNIC . . . . . . . . . . . . . . . . . . . . . . . . . 17 79 7.4. ICANN . . . . . . . . . . . . . . . . . . . . . . . . . . 18 80 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 81 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 82 9.1. Normative References . . . . . . . . . . . . . . . . . . 20 83 9.2. Informative References . . . . . . . . . . . . . . . . . 22 84 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 23 85 Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 88 1. Introduction 90 This document describes a specification for querying registration 91 data using a RESTful web service and uniform query patterns. The 92 service is implemented using the Hypertext Transfer Protocol (HTTP) 93 [RFC7230] and the conventions described in [RFC7480]. These uniform 94 patterns define the query syntax for the Registration Data Access 95 Protocol (RDAP). 97 The protocol described in this specification is intended to address 98 deficiencies with the WHOIS protocol [RFC3912] that have been 99 identified over time, including: 101 o lack of standardized command structures; 103 o lack of standardized output and error structures; 105 o lack of support for internationalization and localization; and 107 o lack of support for user identification, authentication, and 108 access control. 110 The patterns described in this document purposefully do not encompass 111 all of the methods employed in the WHOIS and other RESTful web 112 services used by the RIRs and DNRs. The intent of the patterns 113 described here are to enable queries of: 115 o networks by IP address; 117 o Autonomous System (AS) numbers by number; 119 o reverse DNS metadata by domain; 121 o nameservers by name; and 123 o entities (such as registrars and contacts) by identifier. 125 Server implementations are free to support only a subset of these 126 features depending on local requirements. Servers MUST return an 127 HTTP 501 (Not Implemented) [RFC7231] response to inform clients of 128 unsupported query types. It is also envisioned that each registry 129 will continue to maintain WHOIS and/or other RESTful web services 130 specific to their needs and those of their constituencies, and the 131 information retrieved through the patterns described here may 132 reference such services. 134 Likewise, future IETF standards may add additional patterns for 135 additional query types. A simple pattern namespacing scheme is 136 described in Section 5 to accommodate custom extensions that will not 137 interfere with the patterns defined in this document or patterns 138 defined in future IETF standards. 140 WHOIS services, in general, are read-only services. Therefore, URL 141 [RFC3986] patterns specified in this document are only applicable to 142 the HTTP [RFC7231] GET and HEAD methods. 144 This document does not describe the results or entities returned from 145 issuing the described URLs with an HTTP GET. The specification of 146 these entities is described in [RFC7483]. 148 Additionally, resource management, provisioning, and update functions 149 are out of scope for this document. Registries have various and 150 divergent methods covering these functions, and it is unlikely a 151 uniform approach is needed for interoperability. 153 HTTP contains mechanisms for servers to authenticate clients and for 154 clients to authenticate servers (from which authorization schemes may 155 be built), so such mechanisms are not described in this document. 156 Policy, provisioning, and processing of authentication and 157 authorization are out of scope for this document as deployments will 158 have to make choices based on local criteria. Supported 159 authentication mechanisms are described in [RFC7481]. 161 2. Conventions Used in This Document 163 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 164 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 165 document are to be interpreted as described in [RFC2119]. 167 2.1. Acronyms and Abbreviations 169 IDN: Internationalized Domain Name, a fully-qualified domain name 170 containing one or more labels that are intended to include one or 171 more Unicode code points outside the ASCII range (cf. "domain 172 name", "fully-qualified domain name" and "internationalized domain 173 name" in RFC 8499 [RFC8499]). 175 IDNA: Internationalized Domain Names in Applications, a protocol 176 for the handling of IDNs. In this document, "IDNA" refers 177 specifically to the version of those specifications known as 178 "IDNA2008" [RFC5890]. 180 DNR: Domain Name Registry or Domain Name Registrar 182 NFC: Unicode Normalization Form C [Unicode-UAX15] 184 NFKC: Unicode Normalization Form KC [Unicode-UAX15] 186 RDAP: Registration Data Access Protocol 188 REST: Representational State Transfer. The term was first 189 described in a doctoral dissertation [REST]. 191 RESTful: An adjective that describes a service using HTTP and the 192 principles of REST. 194 RIR: Regional Internet Registry 196 3. Path Segment Specification 198 The base URLs used to construct RDAP queries are maintained in an 199 IANA registry described in [RFC7484]. Queries are formed by 200 retrieving an appropriate base URL from the registry and appending a 201 path segment specified in either Sections 3.1 or 3.2. Generally, a 202 registry or other service provider will provide a base URL that 203 identifies the protocol, host, and port, and this will be used as a 204 base URL that the complete URL is resolved against, as per Section 5 205 of RFC 3986 [RFC3986]. For example, if the base URL is 206 "https://example.com/rdap/", all RDAP query URLs will begin with 207 "https://example.com/rdap/". 209 The bootstrap registry does not contain information for query objects 210 that are not part of a global namespace, including entities and help. 211 A base URL for an associated object is required to construct a 212 complete query. This limitation can be overcome for entities by 213 using the practice described in RFC 8521 [RFC8521]. 215 For entities, a base URL is retrieved for the service (domain, 216 address, etc.) associated with a given entity. The query URL is 217 constructed by concatenating the base URL to the entity path segment 218 specified in either Sections 3.1.5 or 3.2.3. 220 For help, a base URL is retrieved for any service (domain, address, 221 etc.) for which additional information is required. The query URL is 222 constructed by concatenating the base URL to the help path segment 223 specified in Section 3.1.6. 225 3.1. Lookup Path Segment Specification 227 A simple lookup to determine if an object exists (or not) without 228 returning RDAP-encoded results can be performed using the HTTP HEAD 229 method as described in Section 4.1 of [RFC7480]. 231 The resource type path segments for exact match lookup are: 233 o 'ip': Used to identify IP networks and associated data referenced 234 using either an IPv4 or IPv6 address. 236 o 'autnum': Used to identify Autonomous System number registrations 237 and associated data referenced using an asplain Autonomous System 238 number. 240 o 'domain': Used to identify reverse DNS (RIR) or domain name (DNR) 241 information and associated data referenced using a fully qualified 242 domain name. 244 o 'nameserver': Used to identify a nameserver information query 245 using a host name. 247 o 'entity': Used to identify an entity information query using a 248 string identifier. 250 3.1.1. IP Network Path Segment Specification 252 Syntax: ip/ or ip// 254 Queries for information about IP networks are of the form /ip/XXX or 255 /ip/XXX/YY where the path segment following 'ip' is either an IPv4 256 dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or 257 IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address 258 block (i.e., XXX/YY). Semantically, the simpler form using the 259 address can be thought of as a CIDR block with a bitmask length of 32 260 for IPv4 and a bitmask length of 128 for IPv6. A given specific 261 address or CIDR may fall within multiple IP networks in a hierarchy 262 of networks; therefore, this query targets the "most-specific" or 263 smallest IP network that completely encompasses it in a hierarchy of 264 IP networks. 266 The IPv4 and IPv6 address formats supported in this query are 267 described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and 268 IPv6address ABNF definitions. Any valid IPv6 text address format 269 [RFC4291] can be used. This includes IPv6 addresses written using 270 with or without compressed zeros and IPv6 addresses containing 271 embedded IPv4 addresses. The rules to write a text representation of 272 an IPv6 address [RFC5952] are RECOMMENDED. However, the zone_id 273 [RFC4007] is not appropriate in this context; therefore, the 274 corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be 275 used, and servers are to ignore it if possible. 277 For example, the following URL would be used to find information for 278 the most specific network containing 192.0.2.0: 280 https://example.com/rdap/ip/192.0.2.0 282 The following URL would be used to find information for the most 283 specific network containing 192.0.2.0/24: 285 https://example.com/rdap/ip/192.0.2.0/24 286 The following URL would be used to find information for the most 287 specific network containing 2001:db8::0: 289 https://example.com/rdap/ip/2001:db8::0 291 3.1.2. Autonomous System Path Segment Specification 293 Syntax: autnum/ 295 Queries for information regarding Autonomous System number 296 registrations are of the form /autnum/XXX where XXX is an asplain 297 Autonomous System number [RFC5396]. In some registries, registration 298 of Autonomous System numbers is done on an individual number basis, 299 while other registries may register blocks of Autonomous System 300 numbers. The semantics of this query are such that if a number falls 301 within a range of registered blocks, the target of the query is the 302 block registration and that individual number registrations are 303 considered a block of numbers with a size of 1. 305 For example, the following URL would be used to find information 306 describing Autonomous System number 12 (a number within a range of 307 registered blocks): 309 https://example.com/rdap/autnum/12 311 The following URL would be used to find information describing 4-byte 312 Autonomous System number 65538: 314 https://example.com/rdap/autnum/65538 316 3.1.3. Domain Path Segment Specification 318 Syntax: domain/ 320 Queries for domain information are of the form /domain/XXXX, where 321 XXXX is a fully qualified (relative to the root) domain name (as 322 specified in [RFC0952] and [RFC1123]) in either the in-addr.arpa or 323 ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone 324 administered by the server operator (for DNRs). Internationalized 325 Domain Names (IDNs) represented in either A-label or U-label format 326 [RFC5890] are also valid domain names. See Section 6.1 for 327 information on character encoding for the U-label format. 329 IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels; 330 that is, internationalized labels in an IDN SHOULD be either all 331 A-labels or all U-labels. It is possible for an RDAP client to 332 assemble a query string from multiple independent data sources. Such 333 a client might not be able to perform conversions between A-labels 334 and U-labels. An RDAP server that receives a query string with a 335 mixture of A-labels and U-labels MAY convert all the U-labels to 336 A-labels, perform IDNA processing, and proceed with exact-match 337 lookup. In such cases, the response to be returned to the query 338 source may not match the input from the query source. Alternatively, 339 the server MAY refuse to process the query. 341 The server MAY perform the match using either the A-label or U-label 342 form. Using one consistent form for matching every label is likely 343 to be more reliable. 345 The following URL would be used to find information describing the 346 zone serving the network 192.0.2/24: 348 https://example.com/rdap/domain/2.0.192.in-addr.arpa 350 The following URL would be used to find information describing the 351 zone serving the network 2001:db8:1::/48: 353 https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa 355 The following URL would be used to find information for the 356 blah.example.com domain name: 358 https://example.com/rdap/domain/blah.example.com 360 The following URL would be used to find information for the xn--fo- 361 5ja.example IDN: 363 https://example.com/rdap/domain/xn--fo-5ja.example 365 3.1.4. Nameserver Path Segment Specification 367 Syntax: nameserver/ 369 The parameter represents a fully qualified host 370 name as specified in [RFC0952] and [RFC1123]. Internationalized 371 names represented in either A-label or U-label format [RFC5890] are 372 also valid nameserver names. IDN processing for nameserver names 373 uses the domain name processing instructions specified in 374 Section 3.1.3. See Section 6.1 for information on character encoding 375 for the U-label format. 377 The following URL would be used to find information for the 378 ns1.example.com nameserver: 380 https://example.com/rdap/nameserver/ns1.example.com 381 The following URL would be used to find information for the ns1.xn-- 382 fo-5ja.example nameserver: 384 https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example 386 3.1.5. Entity Path Segment Specification 388 Syntax: entity/ 390 The parameter represents an entity (such as a contact, 391 registrant, or registrar) identifier whose syntax is specific to the 392 registration provider. For example, for some DNRs, contact 393 identifiers are specified in [RFC5730] and [RFC5733]. 395 The following URL would be used to find information for the entity 396 associated with handle XXXX: 398 https://example.com/rdap/entity/XXXX 400 3.1.6. Help Path Segment Specification 402 Syntax: help 404 The help path segment can be used to request helpful information 405 (command syntax, terms of service, privacy policy, rate-limiting 406 policy, supported authentication methods, supported extensions, 407 technical support contact, etc.) from an RDAP server. The response 408 to "help" should provide basic information that a client needs to 409 successfully use the service. The following URL would be used to 410 return "help" information: 412 https://example.com/rdap/help 414 3.2. Search Path Segment Specification 416 Pattern matching semantics are described in Section 4.1. The 417 resource type path segments for search are: 419 o 'domains': Used to identify a domain name information search using 420 a pattern to match a fully qualified domain name. 422 o 'nameservers': Used to identify a nameserver information search 423 using a pattern to match a host name. 425 o 'entities': Used to identify an entity information search using a 426 pattern to match a string identifier. 428 RDAP search path segments are formed using a concatenation of the 429 plural form of the object being searched for and an HTTP query 430 string. The HTTP query string is formed using a concatenation of the 431 question mark character ('?', US-ASCII value 0x003F), the JSON object 432 value associated with the object being searched for, the equal sign 433 character ('=', US-ASCII value 0x003D), and the search pattern. 434 Search pattern query processing is described more fully in Section 4. 435 For the domain, nameserver, and entity objects described in this 436 document, the plural object forms are "domains", "nameservers", and 437 "entities". 439 Detailed results can be retrieved using the HTTP GET method and the 440 path segments specified here. 442 3.2.1. Domain Search 444 Syntax: domains?name= 446 Syntax: domains?nsLdhName= 448 Syntax: domains?nsIp= 450 Searches for domain information by name are specified using this 451 form: 453 domains?name=XXXX 455 XXXX is a search pattern representing a domain name in "letters, 456 digits, hyphen" (LDH) format [RFC5890]. The following URL would be 457 used to find DNR information for domain names matching the 458 "example*.com" pattern: 460 https://example.com/rdap/domains?name=example*.com 462 IDNs in U-label format [RFC5890] can also be used as search patterns 463 (see Section 4). Searches for these names are of the form 464 /domains?name=XXXX, where XXXX is a search pattern representing a 465 domain name in U-label format [RFC5890]. See Section 6.1 for 466 information on character encoding for the U-label format. 468 Searches for domain information by nameserver name are specified 469 using this form: 471 domains?nsLdhName=YYYY 473 YYYY is a search pattern representing a host name in "letters, 474 digits, hyphen" format [RFC5890]. The following URL would be used to 475 search for domains delegated to nameservers matching the 476 "ns1.example*.com" pattern: 478 https://example.com/rdap/domains?nsLdhName=ns1.example*.com 480 Searches for domain information by nameserver IP address are 481 specified using this form: 483 domains?nsIp=ZZZZ 485 ZZZZ is a search pattern representing an IPv4 [RFC1166] or IPv6 486 [RFC5952] address. The following URL would be used to search for 487 domains that have been delegated to nameservers that resolve to the 488 "192.0.2.0" address: 490 https://example.com/rdap/domains?nsIp=192.0.2.0 492 3.2.2. Nameserver Search 494 Syntax: nameservers?name= 496 Syntax: nameservers?ip= 498 Searches for nameserver information by nameserver name are specified 499 using this form: 501 nameservers?name=XXXX 503 XXXX is a search pattern representing a host name in "letters, 504 digits, hyphen" format [RFC5890]. The following URL would be used to 505 find information for nameserver names matching the "ns1.example*.com" 506 pattern: 508 https://example.com/rdap/nameservers?name=ns1.example*.com 510 Internationalized nameserver names in U-label format [RFC5890] can 511 also be used as search patterns (see Section 4). Searches for these 512 names are of the form /nameservers?name=XXXX, where XXXX is a search 513 pattern representing a nameserver name in U-label format [RFC5890]. 514 See Section 6.1 for information on character encoding for the U-label 515 format. 517 Searches for nameserver information by nameserver IP address are 518 specified using this form: 520 nameservers?ip=YYYY 521 YYYY is a search pattern representing an IPv4 [RFC1166] or IPv6 522 [RFC5952] address. The following URL would be used to search for 523 nameserver names that resolve to the "192.0.2.0" address: 525 https://example.com/rdap/nameservers?ip=192.0.2.0 527 3.2.3. Entity Search 529 Syntax: entities?fn= 531 Syntax: entities?handle= 533 Searches for entity information by name are specified using this 534 form: 536 entities?fn=XXXX 538 XXXX is a search pattern representing the "FN" property of an entity 539 (such as a contact, registrant, or registrar) name as specified in 540 Section 5.1 of [RFC7483]. The following URL would be used to find 541 information for entity names matching the "Bobby Joe*" pattern: 543 https://example.com/rdap/entities?fn=Bobby%20Joe* 545 Searches for entity information by handle are specified using this 546 form: 548 entities?handle=XXXX 550 XXXX is a search pattern representing an entity (such as a contact, 551 registrant, or registrar) identifier whose syntax is specific to the 552 registration provider. The following URL would be used to find 553 information for entity handles matching the "CID-40*" pattern: 555 https://example.com/rdap/entities?handle=CID-40* 557 URLs MUST be properly encoded according to the rules of [RFC3986]. 558 In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*". 560 4. Query Processing 562 Servers indicate the success or failure of query processing by 563 returning an appropriate HTTP response code to the client. Response 564 codes not specifically identified in this document are described in 565 [RFC7480]. 567 4.1. Partial String Searching 569 Partial string searching uses the asterisk ('*', US-ASCII value 570 0x002A) character to match zero or more trailing characters. A 571 character string representing a domain label suffix MAY be 572 concatenated to the end of the search pattern to limit the scope of 573 the search. For example, the search pattern "exam*" will match 574 "example.com" and "example.net". The search pattern "exam*.com" will 575 match "example.com". If an asterisk appears in a search string, any 576 label that contains the non-asterisk characters in sequence plus zero 577 or more characters in sequence in place of the asterisk would match. 578 Only a single asterisk is allowed for a partial string search. 579 Additional pattern matching processing is beyond the scope of this 580 specification. 582 If a server receives a search request but cannot process the request 583 because it does not support a particular style of partial match 584 searching, it SHOULD return an HTTP 422 (Unprocessable Entity) 585 [RFC4918] response. When returning a 422 error, the server MAY also 586 return an error response body as specified in Section 6 of [RFC7483] 587 if the requested media type is one that is specified in [RFC7480]. 589 Partial matching is not feasible across combinations of Unicode 590 characters because Unicode characters can be combined with each 591 other. Servers SHOULD NOT partially match combinations of Unicode 592 characters where a legal combination is possible. It should be 593 noted, though, that it may not always be possible to detect cases 594 where a character could have been combined with another character, 595 but was not, because characters can be combined in many different 596 ways. 598 Clients should avoid submitting a partial match search of Unicode 599 characters where a Unicode character may be legally combined with 600 another Unicode character or characters. Partial match searches with 601 incomplete combinations of characters where a character must be 602 combined with another character or characters are invalid. Partial 603 match searches with characters that may be combined with another 604 character or characters are to be considered non-combined characters 605 (that is, if character x may be combined with character y but 606 character y is not submitted in the search string, then character x 607 is a complete character and no combinations of character x are to be 608 searched). 610 4.2. Associated Records 612 Conceptually, any query-matching record in a server's database might 613 be a member of a set of related records, related in some fashion as 614 defined by the server -- for example, variants of an IDN. The entire 615 set ought to be considered as candidates for inclusion when 616 constructing the response. However, the construction of the final 617 response needs to be mindful of privacy and other data-releasing 618 policies when assembling the RDAP response set. 620 Note too that due to the nature of searching, there may be a list of 621 query-matching records. Each one of those is subject to being a 622 member of a set as described in the previous paragraph. What is 623 ultimately returned in a response will be the union of all the sets 624 that has been filtered by whatever policies are in place. 626 Note that this model includes arrangements for associated names, 627 including those that are linked by policy mechanisms and names bound 628 together for some other purposes. Note also that returning 629 information that was not explicitly selected by an exact-match 630 lookup, including additional names that match a relatively fuzzy 631 search as well as lists of names that are linked together, may cause 632 privacy issues. 634 Note that there might not be a single, static information return 635 policy that applies to all clients equally. Client identity and 636 associated authorizations can be a relevant factor in determining how 637 broad the response set will be for any particular query. 639 5. Extensibility 641 This document describes path segment specifications for a limited 642 number of objects commonly registered in both RIRs and DNRs. It does 643 not attempt to describe path segments for all of the objects 644 registered in all registries. Custom path segments can be created 645 for objects not specified here using the process described in 646 Section 6 of "HTTP Usage in the Registration Data Access Protocol 647 (RDAP)" [RFC7480]. 649 Custom path segments can be created by prefixing the segment with a 650 unique identifier followed by an underscore character (0x5F). For 651 example, a custom entity path segment could be created by prefixing 652 "entity" with "custom_", producing "custom_entity". Servers MUST 653 return an appropriate failure status code for a request with an 654 unrecognized path segment. 656 6. Internationalization Considerations 658 There is value in supporting the ability to submit either a U-label 659 (Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN 660 label) as a query argument to an RDAP service. Clients capable of 661 processing non-US-ASCII characters may prefer a U-label since this is 662 more visually recognizable and familiar than A-label strings, but 663 clients using programmatic interfaces might find it easier to submit 664 and display A-labels if they are unable to input U-labels with their 665 keyboard configuration. Both query forms are acceptable. 667 Internationalized domain and nameserver names can contain character 668 variants and variant labels as described in [RFC4290]. Clients that 669 support queries for internationalized domain and nameserver names 670 MUST accept service provider responses that describe variants as 671 specified in "JSON Responses for the Registration Data Access 672 Protocol (RDAP)" [RFC7483]. 674 6.1. Character Encoding Considerations 676 Servers can expect to receive search patterns from clients that 677 contain character strings encoded in different forms supported by 678 HTTP. It is entirely possible to apply filters and normalization 679 rules to search patterns prior to making character comparisons, but 680 this type of processing is more typically needed to determine the 681 validity of registered strings than to match patterns. 683 An RDAP client submitting a query string containing non-US-ASCII 684 characters converts such strings into Unicode in UTF-8 encoding. It 685 then performs any local case mapping deemed necessary. Strings are 686 normalized using Normalization Form C (NFC) [Unicode-UAX15]; note 687 that clients might not be able to do this reliably. UTF-8 encoded 688 strings are then appropriately percent-encoded [RFC3986] in the query 689 URL. 691 After parsing any percent-encoding, an RDAP server treats each query 692 string as Unicode in UTF-8 encoding. If a string is not valid UTF-8, 693 the server can immediately stop processing the query and return an 694 HTTP 400 (Bad Request) response. 696 When processing queries, there is a difference in handling DNS names, 697 including those with putative U-labels, and everything else. DNS 698 names are treated according to the DNS matching rules as described in 699 Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH) 700 labels and the matching rules described in Section 5.4 of RFC 5891 701 [RFC5891] for U-labels. Matching of DNS names proceeds one label at 702 a time because it is possible for a combination of U-labels and NR- 703 LDH labels to be found in a single domain or host name. The 704 determination of whether a label is a U-label or an NR-LDH label is 705 based on whether the label contains any characters outside of the US- 706 ASCII letters, digits, or hyphen (the so-called LDH rule). 708 For everything else, servers map fullwidth and halfwidth characters 709 to their decomposition equivalents. Servers convert strings to the 710 same coded character set of the target data that is to be looked up 711 or searched, and each string is normalized using the same 712 normalization that was used on the target data. In general, storage 713 of strings as Unicode is RECOMMENDED. For the purposes of 714 comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case 715 folding is used to maximize predictability and the number of matches. 716 Note the use of case-folded NFKC as opposed to NFC in this case. 718 7. Implementation Status 720 NOTE: Please remove this section and the reference to RFC 7942 prior 721 to publication as an RFC. 723 This section records the status of known implementations of the 724 protocol defined by this specification at the time of posting of this 725 Internet-Draft, and is based on a proposal described in RFC 7942 726 [RFC7942]. The description of implementations in this section is 727 intended to assist the IETF in its decision processes in progressing 728 drafts to RFCs. Please note that the listing of any individual 729 implementation here does not imply endorsement by the IETF. 730 Furthermore, no effort has been spent to verify the information 731 presented here that was supplied by IETF contributors. This is not 732 intended as, and must not be construed to be, a catalog of available 733 implementations or their features. Readers are advised to note that 734 other implementations may exist. 736 According to RFC 7942, "this will allow reviewers and working groups 737 to assign due consideration to documents that have the benefit of 738 running code, which may serve as evidence of valuable experimentation 739 and feedback that have made the implemented protocols more mature. 740 It is up to the individual working groups to use this information as 741 they see fit". 743 7.1. Viagenie 745 Responsible Organization: Viagenie 747 Location: RDAPBrowser (iOS and Android): https://viagenie.ca/ 748 rdapbrowser 750 Description: Mobile app (iOS and Android) implementing an RDAP 751 client for domains, IP addresses and AS numbers. 753 Level of Maturity: Production 755 Coverage: All except for nameserver, entity, help, and search path 756 segments. 758 Version Compatibility: RFC 7482 759 Licensing: Proprietary 761 Implementation Experience: Quite simple and easy to deploy. 762 Responses are much harder to parse because RDAP servers are not 763 compliant. 765 Contact Information: Marc Blanchet, rdapbrowser@viagenie.ca 767 Date Last Updated: September 27, 2019 769 7.2. ARIN 771 Responsible Organization: ARIN 773 Location: NicInfo https://github.com/arineng/nicinfo, and 774 search.arin.net https://search.arin.net/rdap/ 776 Description: NicInfo is a command line client written in Ruby. 777 search.arin.net is a public web page getting about 8k queries per 778 day. 780 Level of Maturity: NicInfo started as a research project, but is 781 known to be used by some organizations in a production capacity. 782 search.arin.net is production. 784 Coverage: NicInfo supports all query types. Search.arin.net 785 supports lookup of entities by handle, search of entities by name, 786 lookup of domain names, lookup of ip networks, lookup of autnums. 788 Version Compatibility: RFC 7482 790 Licensing: NicInfo is published under the ISC license. 791 Search.arin.net is not publicly licensed. 793 Implementation Experience: The RDAP queries are straightforward 794 for the most part. The vast majority of logic goes into 795 displaying information. 797 Contact Information: info@arin.net 799 Date Last Updated: NicInfo was last updated in Feb 2018. 800 Search.arin.net was last updated in July 2019. 802 7.3. LACNIC 804 Responsible Organization: LACNIC 806 Location: https://github.com/LACNIC/rdap-frontend-angular-dev 807 Description: The goal of this client is to have an RDAP client 808 that can be easily embedded in web pages. The original request 809 was for a web whois/rdap feature that was to replace a very, very 810 old web whois that just popen'd CLI WHOIS and just copied back the 811 output to html. We decided to implement something that could, in 812 the future, be embedded in any web page and is not tied to our 813 current web portal CMS. The client is implemented in Javascript 814 and AngularJS. 816 Level of Maturity: We consider the current version production 817 quality, it has been in use in our web portal for more than a year 818 now. 820 Coverage: The client implements /ip, /autnum, and /entity. The 821 client does not support searches. For these objects the 822 implementation follows the standard closely. There may be a few 823 gaps, but it's mostly aligned to the RFCs. 825 Version Compatibility: RFC 7482 827 Licensing: BSD-Style 829 Implementation Experience: Users of the traditional WHOIS service 830 are a bit confused at first when they realize that an RDAP query 831 does not necessarily return the same information and in some cases 832 they need to "navigate" the RDAP tree to get data that is normally 833 returned in a single WHOIS query. In our experience, this gap in 834 expectations has been one of the most significant hurdles in 835 adoption of RDAP. Our RDAP client makes this "navigation" easier 836 as it presents results in the form of a web page where the "next" 837 necessary RDAP query is a click on a link. On the plus side, the 838 protocol provides all the information needed to present this links 839 and clicks to the user. We have however introduced a few 840 extensions into our RDAP responses to get both services to parity 841 in the information presented in a single query. 843 Contact Information: Gerardo Rada (gerardo@lacnic.net), Carlos 844 Martinez (carlos@lacnic.net) 846 Date Last Updated: This application is currently in maintenance 847 mode. Also, we employ a rolling release update. Latest updates 848 are available in the git log of the repo. 850 7.4. ICANN 852 Responsible Organization: Internet Corporation for Assigned Names 853 and Numbers (ICANN) 854 Location: Domain Name Registration Data Lookup: 855 https://lookup.icann.org/ 857 Description: ICANN created the Domain Name Registration Data 858 Lookup web client as a free public service that gives users the 859 ability to look up and display publicly available registration 860 data related to a domain name using the top level domain's RDAP 861 service location listed in the IANA bootstrap service registry for 862 domain name space (RFC 7484), and the sponsoring Registrar's RDAP 863 server. This web client implementation also supports the 864 specifications defined in the "gTLD RDAP Profile" documents 865 (https://www.icann.org/gtld-rdap-profile). 867 Level of Maturity: Production. 869 Coverage: This web client implements RFC 7482 section 3.1.3 870 "Domain Path Segment Specification" to perform lookups exclusively 871 for the domain object class. 873 Version Compatibility: RFC 7482 875 Contact Information: globalSupport@icann.org 877 Date Last Updated: 07-Oct-2019 879 8. Security Considerations 881 Security services for the operations specified in this document are 882 described in "Security Services for the Registration Data Access 883 Protocol (RDAP)" [RFC7481]. 885 Search functionality typically requires more server resources (such 886 as memory, CPU cycles, and network bandwidth) when compared to basic 887 lookup functionality. This increases the risk of server resource 888 exhaustion and subsequent denial of service due to abuse. This risk 889 can be mitigated by developing and implementing controls to restrict 890 search functionality to identified and authorized clients. If those 891 clients behave badly, their search privileges can be suspended or 892 revoked. Rate limiting as described in Section 5.5 of "HTTP Usage in 893 the Registration Data Access Protocol (RDAP)" [RFC7480] can also be 894 used to control the rate of received search requests. Server 895 operators can also reduce their risk by restricting the amount of 896 information returned in response to a search request. 898 Search functionality also increases the privacy risk of disclosing 899 object relationships that might not otherwise be obvious. For 900 example, a search that returns IDN variants [RFC6927] that do not 901 explicitly match a client-provided search pattern can disclose 902 information about registered domain names that might not be otherwise 903 available. Implementers need to consider the policy and privacy 904 implications of returning information that was not explicitly 905 requested. 907 Note that there might not be a single, static information return 908 policy that applies to all clients equally. Client identity and 909 associated authorizations can be a relevant factor in determining how 910 broad the response set will be for any particular query. 912 9. References 914 9.1. Normative References 916 [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet 917 host table specification", RFC 952, DOI 10.17487/RFC0952, 918 October 1985, . 920 [RFC1035] Mockapetris, P., "Domain names - implementation and 921 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 922 November 1987, . 924 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - 925 Application and Support", STD 3, RFC 1123, 926 DOI 10.17487/RFC1123, October 1989, 927 . 929 [RFC1166] Kirkpatrick, S., Stahl, M., and M. Recker, "Internet 930 numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990, 931 . 933 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 934 Requirement Levels", BCP 14, RFC 2119, 935 DOI 10.17487/RFC2119, March 1997, 936 . 938 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 939 Resource Identifier (URI): Generic Syntax", STD 66, 940 RFC 3986, DOI 10.17487/RFC3986, January 2005, 941 . 943 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 944 Architecture", RFC 4291, DOI 10.17487/RFC4291, February 945 2006, . 947 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 948 (CIDR): The Internet Address Assignment and Aggregation 949 Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August 950 2006, . 952 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 953 Authoring and Versioning (WebDAV)", RFC 4918, 954 DOI 10.17487/RFC4918, June 2007, 955 . 957 [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of 958 Autonomous System (AS) Numbers", RFC 5396, 959 DOI 10.17487/RFC5396, December 2008, 960 . 962 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 963 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, 964 . 966 [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 967 Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733, 968 August 2009, . 970 [RFC5890] Klensin, J., "Internationalized Domain Names for 971 Applications (IDNA): Definitions and Document Framework", 972 RFC 5890, DOI 10.17487/RFC5890, August 2010, 973 . 975 [RFC5891] Klensin, J., "Internationalized Domain Names in 976 Applications (IDNA): Protocol", RFC 5891, 977 DOI 10.17487/RFC5891, August 2010, 978 . 980 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 981 Address Text Representation", RFC 5952, 982 DOI 10.17487/RFC5952, August 2010, 983 . 985 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 986 Protocol (HTTP/1.1): Message Syntax and Routing", 987 RFC 7230, DOI 10.17487/RFC7230, June 2014, 988 . 990 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 991 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 992 DOI 10.17487/RFC7231, June 2014, 993 . 995 [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the 996 Registration Data Access Protocol (RDAP)", RFC 7480, 997 DOI 10.17487/RFC7480, March 2015, 998 . 1000 [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the 1001 Registration Data Access Protocol (RDAP)", RFC 7481, 1002 DOI 10.17487/RFC7481, March 2015, 1003 . 1005 [RFC7483] Newton, A. and S. Hollenbeck, "JSON Responses for the 1006 Registration Data Access Protocol (RDAP)", RFC 7483, 1007 DOI 10.17487/RFC7483, March 2015, 1008 . 1010 [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data 1011 (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March 1012 2015, . 1014 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS 1015 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, 1016 January 2019, . 1018 [Unicode-UAX15] 1019 The Unicode Consortium, "Unicode Standard Annex #15: 1020 Unicode Normalization Forms", September 2013, 1021 . 1023 9.2. Informative References 1025 [REST] Fielding, R., "Architectural Styles and the Design of 1026 Network-based Software Architectures", Ph.D. 1027 Dissertation, University of California, Irvine, 2000, 1028 . 1031 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, 1032 DOI 10.17487/RFC3912, September 2004, 1033 . 1035 [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and 1036 B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, 1037 DOI 10.17487/RFC4007, March 2005, 1038 . 1040 [RFC4290] Klensin, J., "Suggested Practices for Registration of 1041 Internationalized Domain Names (IDN)", RFC 4290, 1042 DOI 10.17487/RFC4290, December 2005, 1043 . 1045 [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing 1046 IPv6 Zone Identifiers in Address Literals and Uniform 1047 Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874, 1048 February 2013, . 1050 [RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names 1051 Registered in Top-Level Domains", RFC 6927, 1052 DOI 10.17487/RFC6927, May 2013, 1053 . 1055 [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running 1056 Code: The Implementation Status Section", BCP 205, 1057 RFC 7942, DOI 10.17487/RFC7942, July 2016, 1058 . 1060 [RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access 1061 Protocol (RDAP) Object Tagging", BCP 221, RFC 8521, 1062 DOI 10.17487/RFC8521, November 2018, 1063 . 1065 Acknowledgements 1067 This document is derived from original work on RIR query formats 1068 developed by Byron J. Ellacott of APNIC, Arturo L. Servin of 1069 LACNIC, Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN. 1070 Additionally, this document incorporates DNR query formats originally 1071 described by Francisco Arias and Steve Sheng of ICANN and Scott 1072 Hollenbeck of Verisign Labs. 1074 The authors would like to acknowledge the following individuals for 1075 their contributions to this document: Francisco Arias, Marc Blanchet, 1076 Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam 1077 Esfahbod, John Klensin, John Levine, Edward Lewis, Mark Nottingham, 1078 Kaveh Ranjbar, Arturo L. Servin, Steve Sheng, and Andrew Sullivan. 1080 Change Log 1082 00: Initial version ported from RFC 7482. Added Implementation 1083 Status section. Addressed known errata. 1085 01: Addressed other reported clarifications and corrections. 1087 Authors' Addresses 1089 Scott Hollenbeck 1090 Verisign Labs 1091 12061 Bluemont Way 1092 Reston, VA 20190 1093 United States 1095 Email: shollenbeck@verisign.com 1096 URI: http://www.verisignlabs.com/ 1098 Andrew Lee Newton 1099 American Registry for Internet Numbers 1100 3635 Concorde Parkway 1101 Chantilly, VA 20151 1102 United States 1104 Email: andy@arin.net 1105 URI: http://www.arin.net