Registration Protocols Extensions                           M. Loffredo
Internet-Draft                                            M. Martinelli
Intended status: Standards Track                    IIT-CNR/Registro.it
Expires: January 30, 2021                                 July 29, 2020

        Registration Data Access Protocol (RDAP) Partial Response
                draft-ietf-regext-rdap-partial-response-13

Abstract

   The Registration Data Access Protocol (RDAP) does not include
   capabilities to request partial responses.
   Servers will only return full responses that include all of the
   information that a client is authorized to receive.  A partial
   response capability that limits the amount of information returned,
   especially in the case of search queries, could bring benefits to
   both clients and servers.  This document describes an RDAP query
   extension that allows clients to specify their preference for
   obtaining a partial response.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 30, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions Used in This Document
   2.  RDAP Path Segment Specification
     2.1.  Subsetting Metadata
       2.1.1.  RDAP Conformance
       2.1.2.  Representing Subsetting Links
   3.  Dealing with Relationships
   4.  Basic Field Sets
   5.  Negative Answers
   6.  IANA Considerations
   7.  Implementation Status
     7.1.  IIT-CNR/Registro.it
     7.2.  APNIC
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Approaches to Partial Response Implementation
     A.1.  Specific Issues Raised by RDAP
   Acknowledgements
   Change Log
   Authors' Addresses

1.  Introduction

   The use of partial responses in RESTful API [REST] design is very
   common.  The rationale is quite simple: instead of returning objects
   in API responses with all data fields, only a subset of the fields in
   each result object is returned.  The benefit is obvious: less data
   transferred over the network means less bandwidth usage, faster
   server responses, less CPU time spent both on the server and the
   client, and less memory usage on the client.

   Currently, RDAP does not provide a client with any way to request a
   partial response.
   Servers can only provide the client with a full response [RFC7483].
   Servers cannot limit the amount of information returned in a
   response based on a client's preferences, and this creates
   inefficiencies.

   The protocol described in this specification extends RDAP search
   capabilities to enable partial responses through the provisioning of
   pre-defined sets of fields that clients can submit to an RDAP service
   by adding a new query parameter.  The service is implemented using
   the Hypertext Transfer Protocol (HTTP) [RFC7230] and the conventions
   described in [RFC7480].

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  RDAP Path Segment Specification

   The path segment defined in this section is an OPTIONAL extension of
   the search path segments defined in [RFC7482].  This document defines
   an RDAP query parameter, "fieldSet", whose value is a non-empty
   string identifying a server-defined set of fields returned in place
   of the full response (Figure 1).  The field sets supported by a
   server are usually described in out-of-band documents (e.g. an RDAP
   profile) together with other features.  Moreover, Section 2.1 of
   this document defines an in-band mechanism by means of which servers
   can provide clients with basic information about the supported field
   sets.

   https://example.com/rdap/domains?name=example*.com&fieldSet=afieldset

          Figure 1: Example of RDAP search query reporting the
                          "fieldSet" parameter

   This solution can be implemented by RDAP providers with less effort
   than field selection and is easily requested by clients.
   The considerations that have led to this solution are described in
   more detail in Appendix A.

2.1.  Subsetting Metadata

   According to the most advanced principles in REST design,
   collectively known as HATEOAS (Hypermedia as the Engine of
   Application State) [HATEOAS], a client entering a REST application
   through an initial URI should use server-provided links to
   dynamically discover available actions and access the resources it
   needs.  In this way, the client is not required to have prior
   knowledge of the service and, consequently, to hard-code the URIs of
   different resources.  This allows the server to make URI changes as
   the API evolves without breaking clients.  In short, a REST service
   should be as self-descriptive as possible.

   Therefore, servers implementing the query parameter described in this
   specification SHOULD provide additional information in their
   responses about the available field sets.  Such information is
   collected in a new data structure named "subsetting_metadata"
   containing the following properties:

   o  "currentFieldSet": "String" (REQUIRED) either the value of the
      "fieldSet" parameter as specified in the query string, or the
      field set applied by default;

   o  "availableFieldSets": "AvailableFieldSet[]" (OPTIONAL) an array of
      objects, with each element describing an available field set.
      Members are:

      *  "name": "String" (REQUIRED) the field set name;

      *  "default": "Boolean" (REQUIRED) whether the field set is
         applied by default;

      *  "description": "String" (OPTIONAL) a human-readable description
         of the field set;

      *  "links": "Link[]" (OPTIONAL) an array of links as described in
         [RFC8288] containing the query string that applies the field
         set.

2.1.1.  RDAP Conformance

   Servers returning the "subsetting_metadata" section in their
   responses MUST include "subsetting" in the rdapConformance array.

2.1.2.  Representing Subsetting Links

   An RDAP server MAY use the "links" array of the "subsetting_metadata"
   element to provide ready-made references [RFC8288] to the available
   field sets (Figure 2).  The target URI in each link is the reference
   to an alternative to the current view of results identified by the
   context URI.

   {
     "rdapConformance": [
       "rdap_level_0",
       "subsetting"
     ],
     ...
     "subsetting_metadata": {
       "currentFieldSet": "afieldset",
       "availableFieldSets": [
         {
           "name": "anotherfieldset",
           "description": "Contains some fields",
           "default": false,
           "links": [
             {
               "value": "https://example.com/rdap/domains?name=*nr.com
                         &fieldSet=afieldset",
               "rel": "alternate",
               "href": "https://example.com/rdap/domains?name=*nr.com
                        &fieldSet=anotherfieldset",
               "title": "Result Subset Link",
               "type": "application/rdap+json"
             }
           ]
         },
         ...
       ]
     },
     ...
     "domainSearchResults": [
       ...
     ]
   }

            Figure 2: Example of a "subsetting_metadata" instance

3.  Dealing with Relationships

   Representation of second-level objects within a field set produces
   additional considerations.  Since the topmost objects could be
   returned according to different field sets, the same field sets could
   be applied to their related objects.  As a consequence, the response
   could contain either no relationship or associated objects which are
   in turn provided according to a field set.

4.  Basic Field Sets

   This section defines three basic field sets which servers MAY
   implement to facilitate their interaction with clients:

   o  "id": the server provides only the key field: "handle" for
      entities, "ldhName" for domains and nameservers.  If a returned
      domain or nameserver is an Internationalized Domain Name (IDN)
      [RFC5890], then the "unicodeName" field MUST be included in the
      response.
      This field set could be used when the client wants to obtain a
      collection of object identifiers (Figure 3);

   o  "brief": the field set contains the fields that can be included in
      a "short" response.  This field set could be used when the client
      is asking for a subset of the full response which provides only
      basic knowledge of each object;

   o  "full": the field set contains all of the information the server
      can provide for a particular object.

   The "objectClassName" field is implicitly included in each of the
   above field sets.  RDAP providers SHOULD include a "self" link in
   each field set.  RDAP providers MAY also add any property providing
   service information.

   Fields included in the "brief" and "full" field set responses MUST
   take into account the user's access and authorization levels.

   {
     "rdapConformance": [
       "rdap_level_0",
       "subsetting"
     ],
     ...
     "domainSearchResults": [
       {
         "objectClassName": "domain",
         "ldhName": "example1.com",
         "links": [
           {
             "value": "https://example.com/rdap/domain/example1.com",
             "rel": "self",
             "href": "https://example.com/rdap/domain/example1.com",
             "type": "application/rdap+json"
           }
         ]
       },
       {
         "objectClassName": "domain",
         "ldhName": "example2.com",
         "links": [
           {
             "value": "https://example.com/rdap/domain/example2.com",
             "rel": "self",
             "href": "https://example.com/rdap/domain/example2.com",
             "type": "application/rdap+json"
           }
         ]
       },
       ...
     ]
   }

         Figure 3: Example of RDAP response according to the "id"
                                field set

5.  Negative Answers

   Each request including an empty or unsupported "fieldSet" value MUST
   produce an HTTP 400 (Bad Request) response code.  Optionally, the
   response MAY include additional information regarding the negative
   answer in the HTTP entity body.
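   The server-side behaviour specified in Sections 2 through 5, as an
   added example that is not part of the draft and not code from either
   implementation it lists: a toy Python handler for a domain search
   that validates "fieldSet", projects each result through the "id",
   "brief" or "full" field set, answers HTTP 400 on an empty or
   unsupported value, and advertises the available field sets in
   "subsetting_metadata" with "alternate" links.  It also narrows the
   offered field sets, the fields inside them and the result limit
   according to an assumed "authorized" flag, which is the pattern the
   Security Considerations describe.  The base URI, the sample domains,
   the membership and result limit of each field set and the error-body
   shape (taken from RFC 7483, Section 6) are assumptions of the
   example.

```python
"""Toy RDAP domain-search handler for the "fieldSet" query parameter.

Added example; not code from the draft or from the implementations it lists.
The base URI, the sample domains, the members and result limit of each field
set, and the "authorized" flag are assumptions made for the example."""
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

BASE = "https://example.com/rdap"

# Constructed sample data: everything the server holds about each domain.
DOMAINS = [
    {"ldhName": "example1.com", "status": ["active"],
     "events": [{"eventAction": "registration",
                 "eventDate": "2019-01-01T00:00:00Z"}],
     "entities": [{"objectClassName": "entity", "handle": "REG-1",
                   "roles": ["registrant"]}],
     "nameservers": [{"objectClassName": "nameserver",
                      "ldhName": "ns1.example1.com"}]},
    {"ldhName": "example2.com", "status": ["inactive"], "events": [],
     "entities": [], "nameservers": []},
    {"ldhName": "xn--fo-5ja.com", "unicodeName": "fóo.com",  # an IDN
     "status": ["active"], "events": [], "entities": [], "nameservers": []},
]

# Assumed field-set definitions: "public" members go to every client,
# "restricted" members only to authorized clients (Section 8), and "limit"
# is the per-field-set result limit the same section allows.
FIELD_SETS = {
    "id":    {"default": False, "description": "Key fields only", "limit": 100,
              "public": ["ldhName", "unicodeName"], "restricted": []},
    "brief": {"default": True, "description": "Key fields, status and events",
              "limit": 50, "restricted": [],
              "public": ["ldhName", "unicodeName", "status", "events"]},
    "full":  {"default": False, "description": "All information held",
              "limit": 2, "restricted": ["entities"],
              "public": ["ldhName", "unicodeName", "status", "events",
                         "nameservers"]},
}

def available_field_sets(authorized):
    """Section 8: offered field sets may depend on authorization; here
    "full" is assumed to be offered to authorized clients only."""
    return [n for n in FIELD_SETS if authorized or n != "full"]

def project(domain, field_set, authorized):
    """Restrict one domain object to a field set (Section 4)."""
    spec = FIELD_SETS[field_set]
    allowed = spec["public"] + (spec["restricted"] if authorized else [])
    obj = {"objectClassName": "domain"}  # implicitly part of every field set
    obj.update({k: v for k, v in domain.items() if k in allowed})
    self_uri = f"{BASE}/domain/{domain['ldhName']}"  # "self" link in every set
    obj["links"] = [{"value": self_uri, "rel": "self", "href": self_uri,
                     "type": "application/rdap+json"}]
    return obj

def with_field_set(request_uri, field_set):
    """Target URI of a subsetting link: the same query, another field set."""
    parts = urlsplit(request_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["fieldSet"] = [field_set]
    return urlunsplit(parts._replace(
        query=urlencode(query, doseq=True, safe="*")))

def handle_domain_search(request_uri, authorized=False):
    """Return (http_status, body) for GET .../domains?name=...&fieldSet=..."""
    query = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    offered = available_field_sets(authorized)
    if "fieldSet" in query:
        field_set = query["fieldSet"][0]
        # Section 5: an empty or unsupported value MUST yield HTTP 400; the
        # body is an RDAP error object as defined in RFC 7483, Section 6.
        if field_set == "" or field_set not in offered:
            return 400, {"rdapConformance": ["rdap_level_0"], "errorCode": 400,
                         "title": "Bad Request",
                         "description": [f"unsupported fieldSet {field_set!r}"]}
    else:
        field_set = next(n for n in offered if FIELD_SETS[n]["default"])
    pattern = query.get("name", ["*"])[0]
    matches = [d for d in DOMAINS if fnmatchcase(d["ldhName"], pattern)]
    limit = FIELD_SETS[field_set]["limit"]
    body = {
        "rdapConformance": ["rdap_level_0", "subsetting"],  # Section 2.1.1
        "subsetting_metadata": {                            # Sections 2.1, 2.1.2
            "currentFieldSet": field_set,
            "availableFieldSets": [
                {"name": n, "default": FIELD_SETS[n]["default"],
                 "description": FIELD_SETS[n]["description"],
                 "links": [{"value": request_uri, "rel": "alternate",
                            "href": with_field_set(request_uri, n),
                            "title": "Result Subset Link",
                            "type": "application/rdap+json"}]}
                for n in offered]},
        "domainSearchResults": [project(d, field_set, authorized)
                                for d in matches[:limit]],
    }
    if len(matches) > limit:  # per-field-set truncation (Section 8)
        body["notices"] = [{"title": "Search Policy",
                            "description": [f"Results truncated to {limit}."]}]
    return 200, body
```

   Two design choices are worth noting.  A field set the client is not
   entitled to is treated exactly like an unknown one (HTTP 400), so the
   error reveals nothing about which sets exist for other clients; and
   the "value" of each subsetting link is the request URI as received,
   so the context URI in the metadata always matches what the client
   actually asked for.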
6.  IANA Considerations

   IANA is requested to register the following value in the RDAP
   Extensions Registry:

   Extension identifier: subsetting
   Registry operator: Any
   Published specification: This document.
   Contact: IETF
   Intended usage: This extension describes best practice for partial
   response provisioning.

7.  Implementation Status

   NOTE: Please remove this section and the reference to RFC 7942 prior
   to publication as an RFC.

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of this
   Internet-Draft, and is based on a proposal described in [RFC7942].
   The description of implementations in this section is intended to
   assist the IETF in its decision processes in progressing drafts to
   RFCs.  Please note that the listing of any individual implementation
   here does not imply endorsement by the IETF.  Furthermore, no effort
   has been spent to verify the information presented here that was
   supplied by IETF contributors.  This is not intended as, and must not
   be construed to be, a catalog of available implementations or their
   features.  Readers are advised to note that other implementations may
   exist.

   According to RFC 7942, "this will allow reviewers and working groups
   to assign due consideration to documents that have the benefit of
   running code, which may serve as evidence of valuable experimentation
   and feedback that have made the implemented protocols more mature.
   It is up to the individual working groups to use this information as
   they see fit".

7.1.  IIT-CNR/Registro.it

   Responsible Organization: Institute of Informatics and Telematics
   of the National Research Council (IIT-CNR)/Registro.it
   Location: https://rdap.pubtest.nic.it/
   Description: This implementation includes support for RDAP queries
   using data from the .it public test environment.
   Level of Maturity: This is an "alpha" test implementation.
   Coverage: This implementation includes all of the features
   described in this specification.
   Contact Information: Mario Loffredo, mario.loffredo@iit.cnr.it

7.2.  APNIC

   Responsible Organization: Asia-Pacific Network Information Centre
   Location: https://github.com/APNIC-net/rdap-rmp-demo/tree/partial-response
   Description: A proof-of-concept for RDAP mirroring.
   Level of Maturity: This is a proof-of-concept implementation.
   Coverage: This implementation includes all of the features
   described in this specification.
   Contact Information: Tom Harrison, tomh@apnic.net

8.  Security Considerations

   A search query typically requires more server resources (such as
   memory, CPU cycles, and network bandwidth) when compared to a lookup
   query.  This increases the risk of server resource exhaustion and
   subsequent denial of service due to abuse.  This risk can be
   mitigated by supporting the return of partial responses combined with
   other strategies (e.g. restricting search functionality, limiting the
   rate of search requests, and truncating and paging results).

   Support for partial responses gives RDAP operators the ability to
   implement data access control policies based on the HTTP
   authentication mechanisms described in [RFC7481].  RDAP operators can
   vary the information returned in RDAP responses based on a client's
   access and authorization levels.  For example:

   o  the list of fields for each set can differ based on the client's
      access and authorization levels;

   o  the set of available field sets could be restricted based on the
      client's access and authorization levels.

   Servers can also define different result limits according to the
   available field sets, so a more flexible truncation strategy can be
   implemented.
   The new query parameter presented in this document provides RDAP
   operators with a way to implement a server that reduces inefficiency
   risks.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", RFC 7480,
              DOI 10.17487/RFC7480, March 2015.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", RFC 7481,
              DOI 10.17487/RFC7481, March 2015.

   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
              Protocol (RDAP) Query Format", RFC 7482,
              DOI 10.17487/RFC7482, March 2015.

   [RFC7483]  Newton, A. and S. Hollenbeck, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", RFC 7483,
              DOI 10.17487/RFC7483, March 2015.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8288]  Nottingham, M., "Web Linking", RFC 8288,
              DOI 10.17487/RFC8288, October 2017.

9.2.  Informative References

   [CQL]      Whitaker, G., "Catnap Query Language Reference", September
              2017.

   [HATEOAS]  Jedrzejewski, B., "HATEOAS - a simple explanation", 2018.
   [REST]     Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", 2000.

Appendix A.  Approaches to Partial Response Implementation

   Looking at the implementation experiences of partial response, two
   approaches are observed:

   o  The client explicitly describes the data fields to be returned;

   o  The client describes a name identifying a server-defined set of
      data fields.

   The former is more flexible than the latter because clients can
   specify all the data fields they need.  However, it has some
   drawbacks:

   o  Fields have to be declared according to a given syntax.  This is a
      simple task when the data structure of the object is flat, but it
      is much more difficult when the object has a tree structure like
      that of a JSON object.  The presence of arrays and deeply nested
      objects complicates both the syntax definition of the query and,
      consequently, the processing required on the server side;

   o  Clients need to recognize the returned data structure to avoid
      cases when the requested fields are invalid;

   o  The request of some fields might not match the client's access and
      authorization levels.  Clients might request unauthorized fields
      and servers should define a strategy for responding, such as
      always returning an error response or returning a response that
      ignores the unauthorized fields.

A.1.  Specific Issues Raised by RDAP

   In addition to those listed above, RDAP responses raise some specific
   issues:

   o  Relevant entity object information is included in a jCard, but
      such information cannot be easily selected because it is split
      into the items of a jagged array;

   o  RDAP responses contain some properties providing service
      information (e.g. rdapConformance, links, notices, remarks, etc.)
      which are not normally selected but are just as important.
      They could be returned anyway but, in this case, the server would
      provide unrequested data.

   It is possible to address these issues.  For example, the Catnap
   Query Language [CQL] is a comprehensive expression language that can
   be used to customize the JSON response of a RESTful web service.
   Application of CQL to RDAP responses would explicitly identify the
   output fields, which is acceptable when a few fields are requested
   but becomes very complicated when processing a larger number of
   fields.  In the following, two CQL expressions for a domain search
   query are shown (Figure 4).  In the first, only objectClassName and
   ldhName are requested.  In the second, the fields of a possible
   WHOIS-like response are listed.

   https://example.com/rdap/domains?name=example*.com
   &fields=domainSearchResults(objectClassName,ldhName)

   https://example.com/rdap/domains?name=example*.com
   &fields=domainSearchResults(objectClassName,ldhName,
                               unicodeName,
                               status,
                               events(eventAction,eventDate),
                               entities(objectClassName,handle,roles),
                               nameservers(objectClassName,ldhName))

      Figure 4: Examples of CQL expressions for a domain search query

   The latter approach seems to facilitate RDAP interoperability.
   Servers can define basic field sets which, if known to clients, can
   increase the probability of obtaining a valid response.  The usage of
   field sets makes the query string less complex.  Moreover, the
   definition of pre-defined sets of fields makes it easier to establish
   result limits.

   Finally, considering that there is no real need for RDAP users to
   have the maximum flexibility in defining all the possible sets of
   logically connected fields (e.g. users interested in domains usually
   need to know the status, the creation date, and the expiry date of
   each domain), the latter approach is preferred.
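   To make the drawbacks of client-side field selection listed in
   Appendix A and A.1 concrete, the following added example (not code
   from the draft, from Catnap or from any listed implementation) parses
   the CQL-style expressions of Figure 4 and applies them to a
   constructed RDAP search response.  The grammar is assumed from the
   two expressions in the figure alone (a name optionally followed by a
   parenthesised, comma-separated list of sub-selections); the sample
   response and the helper names are assumptions of the example.  It
   shows three of the points the appendix makes: arrays of objects have
   to be mapped element-wise, a sub-selection into jCard's jagged
   "vcardArray" cannot be expressed, and service properties such as
   rdapConformance disappear unless the client asks for them.

```python
"""Parser and evaluator for the CQL-style field selections of Figure 4.

Added example, not code from the draft or from Catnap itself.  The grammar is
assumed from the two expressions in the figure:
    selection := name [ "(" selection ("," selection)* ")" ]"""

def parse_fields(expr):
    """Parse "a(b,c(d,e))" into {"a": {"b": None, "c": {"d": None, "e": None}}}.
    None marks a leaf: the whole member is returned unchanged."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(expr) and expr[pos].isspace():
            pos += 1

    def parse_list():
        nonlocal pos
        tree = {}
        while True:
            skip_ws()
            start = pos
            while pos < len(expr) and expr[pos] not in "(),":
                pos += 1
            name = expr[start:pos].strip()
            if not name:
                raise ValueError(f"expected a field name at offset {start}")
            sub = None
            if pos < len(expr) and expr[pos] == "(":
                pos += 1
                sub = parse_list()
                skip_ws()
                if pos >= len(expr) or expr[pos] != ")":
                    raise ValueError(f"missing ')' at offset {pos}")
                pos += 1
            tree[name] = sub
            skip_ws()
            if pos < len(expr) and expr[pos] == ",":
                pos += 1
                continue
            return tree

    tree = parse_list()
    skip_ws()
    if pos != len(expr):
        raise ValueError(f"unexpected {expr[pos]!r} at offset {pos}")
    return tree

def select(value, tree):
    """Project a JSON value through a parsed tree.  Arrays of objects are
    mapped element-wise; members absent from an object (optional in RDAP,
    e.g. "unicodeName") are skipped; a sub-selection into a scalar or into
    a jagged array such as jCard's "vcardArray" is rejected."""
    if isinstance(value, list):
        return [select(item, tree) for item in value]
    if not isinstance(value, dict):
        raise ValueError("sub-selection applied to a non-object value")
    return {name: (value[name] if sub is None else select(value[name], sub))
            for name, sub in tree.items() if name in value}

def apply_fields(response, expr):
    """Return only the selected fields of an RDAP response document."""
    return select(response, parse_fields(expr))

def try_apply(response, expr):
    """Return (projection, None) or (None, error message); a server would
    turn the message into an HTTP 400 body (assumed strategy)."""
    try:
        return apply_fields(response, expr), None
    except ValueError as err:
        return None, str(err)

# Constructed sample search response (not from any real registry).
RESPONSE = {
    "rdapConformance": ["rdap_level_0"],
    "notices": [{"title": "Terms of Use", "description": ["sample"]}],
    "domainSearchResults": [
        {"objectClassName": "domain", "ldhName": "example1.com",
         "status": ["active"],
         "events": [{"eventAction": "registration", "eventActor": "reg-1",
                     "eventDate": "2019-01-01T00:00:00Z"}],
         "entities": [{"objectClassName": "entity", "handle": "REG-1",
                       "roles": ["registrant"],
                       "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                                ["fn", {}, "text", "Jane Doe"]]]}],
         "nameservers": [{"objectClassName": "nameserver",
                          "ldhName": "ns1.example1.com",
                          "ipAddresses": {"v4": ["192.0.2.1"]}}]},
    ],
}

# The second expression of Figure 4, without the URL part.
FIGURE_4_SECOND = ("domainSearchResults(objectClassName,ldhName, unicodeName, "
                   "status, events(eventAction,eventDate), "
                   "entities(objectClassName,handle,roles), "
                   "nameservers(objectClassName,ldhName))")
```

   Note what the evaluator does with a mistyped field name: because
   "unicodeName" is legitimately absent from non-IDN domains, a missing
   member has to be skipped silently, so a typo in a client's expression
   produces a smaller response rather than an error.  That is exactly
   the "clients need to recognize the returned data structure" problem
   the appendix raises, and one reason a short list of server-defined
   field sets is easier to get right than free-form selection.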
Acknowledgements

   The authors would like to acknowledge Scott Hollenbeck, Tom Harrison,
   Karl Heinz Wolf, Jasdip Singh and Patrick Mevzek for their
   contribution to this document.

Change Log

   00:  Initial working group version ported from draft-loffredo-regext-
        rdap-partial-response-03
   01:  Removed "FOR DISCUSSION" items.  Changed the basic field sets
        from REQUIRED to OPTIONAL.  Removed the definition of fields
        included in "brief" field set.  Provided a more detailed
        description of "subsetting_metadata" structure.  Removed some
        references.
   02:  Added the "Negative Answers" section.  Changed "IANA
        Considerations" section.
   03:  Added the "unicodeName" field in the id fieldSet when a returned
        domain or nameserver is an IDN.  Added RFC5890 to "Normative
        References" section.
   04:  Recommended the RDAP providers to include a "self" link in any
        field set other than "full".  Updated "Acknowledgements" section.
   05:  Moved "Approaches to Partial Response Implementation" section to
        the appendix.
   06:  Clarified the use of self links in "Basic Field Sets" section.
        Added APNIC to the implementations of the "Implementation Status"
        section.
   07:  Changed "only a subset is returned" to "only a subset of fields
        in each result object is returned" in the "Introduction" section.
        Moved the "RDAP Conformance" section up in the document.  Updated
        the "Acknowledgements" section.
   08:  Changed the rdapConformance tag "subsetting_level_0" to
        "subsetting".  Moved [RFC7942] to the "Normative References".
   09:  Corrected the "rdapConformance" content in Figure 3.
   10:  Corrected the JSON content in Figure 2.  Clarified the meaning
        of both context and target URIs in a result subset link defined in
        Section 2.1.2.  Updated the "Acknowledgements" section.
   11:  Minor pre-AD review edits.
   12:  Additional minor pre-AD review edits.
   13:  Edits due to Gen-ART review: in the first paragraph of Section 2
        clarified how field sets are defined by a server, in the first
        sentence of Section 5 replaced SHOULD with MUST.  Other minor
        edits due to AD review.

Authors' Addresses

   Mario Loffredo
   IIT-CNR/Registro.it
   Via Moruzzi,1
   Pisa 56124
   IT

   Email: mario.loffredo@iit.cnr.it
   URI:   http://www.iit.cnr.it

   Maurizio Martinelli
   IIT-CNR/Registro.it
   Via Moruzzi,1
   Pisa 56124
   IT

   Email: maurizio.martinelli@iit.cnr.it
   URI:   http://www.iit.cnr.it