idnits 2.17.1 draft-ietf-weirds-rdap-query-18.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 23, 2014) is 3412 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-weirds-json-response-13 -- Possible downref: Normative reference to a draft: ref. 'I-D.ietf-weirds-rdap-sec' -- Possible downref: Normative reference to a draft: ref. 'I-D.ietf-weirds-using-http' ** Downref: Normative reference to an Unknown state RFC: RFC 952 ** Downref: Normative reference to an Informational RFC: RFC 1166 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15' Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Newton 3 Internet-Draft ARIN 4 Intended status: Standards Track S. Hollenbeck 5 Expires: June 26, 2015 Verisign Labs 6 December 23, 2014 8 Registration Data Access Protocol Query Format 9 draft-ietf-weirds-rdap-query-18 11 Abstract 13 This document describes uniform patterns to construct HTTP URLs that 14 may be used to retrieve registration information from registries 15 (including both Regional Internet Registries (RIRs) and Domain Name 16 Registries (DNRs)) using "RESTful" web access patterns. These 17 uniform patterns define the query syntax for the Registration Data 18 Access Protocol (RDAP). 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on June 26, 2015. 37 Copyright Notice 39 Copyright (c) 2014 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Conventions Used in This Document . . . . . . . . . . . . . . 2 55 1.1. Acronyms and Abbreviations . . . . . . . . . . . . . . . 2 56 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Path Segment Specification . . . . . . . . . . . . . . . . . 4 58 3.1. Lookup Path Segment Specification . . . . . . . . . . . . 5 59 3.1.1. IP Network Path Segment Specification . . . . . . . . 5 60 3.1.2. Autonomous System Path Segment Specification . . . . 6 61 3.1.3. Domain Path Segment Specification . . . . . . . . . . 7 62 3.1.4. Name Server Path Segment Specification . . . . . . . 8 63 3.1.5. Entity Path Segment Specification . . . . . . . . . . 8 64 3.1.6. Help Path Segment Specification . . . . . . . . . . . 8 65 3.2. Search Path Segment Specification . . . . . . . . . . . . 9 66 3.2.1. Domain Search . . . . . . . . . . . . . . . . . . . . 9 67 3.2.2. Name Server Search . . . . . . . . . . . . . . . . . 10 68 3.2.3. Entity Search . . . . . . . . . . . . . . . . . . . . 11 69 4. Query Processing . . . . . . . . . . . . . . . . . . . . . . 12 70 4.1. Partial String Searching . . . . . . . . . . . . . . . . 12 71 4.2. Associated Records . . . . . . . . . . . . . . . . . . . 13 72 5. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 13 73 6. Internationalization Considerations . . . . . . . . . . . . . 14 74 6.1. Character Encoding Considerations . . . . . . . . . . . . 14 75 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 76 8. Security Considerations . . . . . . . . . . . . . . . . . . . 15 77 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 78 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 79 10.1. Normative References . . . . . . . . . . . . . . . . . . 16 80 10.2. Informative References . . . . . . . . . . . . . . . . . 18 81 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 19 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 84 1. Conventions Used in This Document 86 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 87 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 88 document are to be interpreted as described in RFC 2119 [RFC2119]. 90 1.1. Acronyms and Abbreviations 92 IDN: Internationalized Domain Name 93 IDNA: Internationalized Domain Names in Applications, a protocol 94 for the handling of IDNs. 95 DNR: Domain Name Registry 96 NFC: Unicode Normalization Form C ([Unicode-UAX15]) 97 NFKC: Unicode Normalization Form KC ([Unicode-UAX15]) 98 RDAP: Registration Data Access Protocol 99 REST: Representational State Transfer. The term was first 100 described in a doctoral dissertation [REST]. 101 RESTful: An adjective that describes a service using HTTP and the 102 principles of REST. 103 RIR: Regional Internet Registry 105 2. Introduction 107 This document describes a specification for querying registration 108 data using a RESTful web service and uniform query patterns. The 109 service is implemented using the Hypertext Transfer Protocol (HTTP) 110 [RFC7230] and the conventions described in 111 [I-D.ietf-weirds-using-http]. These uniform patterns define the 112 query syntax for the Registration Data Access Protocol (RDAP). 114 The protocol described in this specification is intended to address 115 deficiencies with the WHOIS protocol [RFC3912] that have been 116 identified over time, including: 118 o Lack of standardized command structures, 119 o lack of standardized output and error structures, 120 o lack of support for internationalization and localization, and 121 o lack of support for user identification, authentication, and 122 access control. 124 The patterns described in this document purposefully do not encompass 125 all of the methods employed in the WHOIS and other RESTful web 126 services of all of the RIRs and DNRs. The intent of the patterns 127 described here are to enable queries of: 129 o networks by IP address, 130 o autonomous system numbers by number, 131 o reverse DNS meta-data by domain, 132 o name servers by name, 133 o registrars by name, and 134 o entities (such as contacts) by identifier. 136 Server implementations are free to support only a subset of these 137 features depending on local requirements. Servers MUST return an 138 HTTP 501 (Not Implemented) [RFC7231] response to inform clients of 139 unsupported query types. It is also envisioned that each registry 140 will continue to maintain WHOIS and/or other RESTful web services 141 specific to their needs and those of their constituencies, and the 142 information retrieved through the patterns described here may 143 reference such services. 145 Likewise, future IETF standards may add additional patterns for 146 additional query types. A simple pattern namespacing scheme is 147 described in Section 5 to accommodate custom extensions that will not 148 interfere with the patterns defined in this document or patterns 149 defined in future IETF standards. 151 WHOIS services, in general, are read-only services. Therefore URL 152 [RFC3986] patterns specified in this document are only applicable to 153 the HTTP [RFC7231] GET and HEAD methods. 155 This document does not describe the results or entities returned from 156 issuing the described URLs with an HTTP GET. The specification of 157 these entities is described in [I-D.ietf-weirds-json-response]. 159 Additionally, resource management, provisioning and update functions 160 are out of scope for this document. Registries have various and 161 divergent methods covering these functions, and it is unlikely a 162 uniform approach is needed for interoperability. 164 HTTP contains mechanisms for servers to authenticate clients and for 165 clients to authenticate servers (from which authorization schemes may 166 be built) so such mechanisms are not described in this document. 167 Policy, provisioning, and processing of authentication and 168 authorization are out-of-scope for this document as deployments will 169 have to make choices based on local criteria. Supported 170 authentication mechanisms are described in 171 [I-D.ietf-weirds-rdap-sec]. 173 3. Path Segment Specification 175 The base URLs used to construct RDAP queries are maintained in an 176 IANA registry described in [I-D.ietf-weirds-bootstrap]. Queries are 177 formed by retrieving an appropriate base URL from the registry and 178 appending a path segment specified in either Section 3.1 or 179 Section 3.2. Generally, a registry or other service provider will 180 provide a base URL that identifies the protocol, host and port, and 181 this will be used as a base URL that the complete URL is resolved 182 against, as per Section 5 of RFC 3986 [RFC3986]. For example, if the 183 base URL is "https://example.com/rdap/", all RDAP query URLs will 184 begin with "https://example.com/rdap/". 186 The bootstrap registry does not contain information for query objects 187 that are not part of a global namespace, including entities and help. 188 A base URL for an associated object is required to construct a 189 complete query. 191 For entities, a base URL is retrieved for the service (domain, 192 address, etc.) associated with a given entity. The query URL is 193 constructed by concatenating the base URL to the entity path segment 194 specified in either Section 3.1.5 or Section 3.2.3. 196 For help, a base URL is retrieved for any service (domain, address, 197 etc.) for which additional information is required. The query URL is 198 constructed by concatenating the base URL to the help path segment 199 specified in Section 3.1.6. 201 3.1. Lookup Path Segment Specification 203 A simple lookup to determine if an object exists (or not) without 204 returning RDAP-encoded results can be performed using the HTTP HEAD 205 method as described in Section 4.1 of [I-D.ietf-weirds-using-http]. 207 The resource type path segments for exact match lookup are: 209 o 'ip': Used to identify IP networks and associated data referenced 210 using either an IPv4 or IPv6 address. 211 o 'autnum': Used to identify autonomous system registrations and 212 associated data referenced using an AS Plain autonomous system 213 number. 214 o 'domain': Used to identify reverse DNS (RIR) or domain name (DNR) 215 information and associated data referenced using a fully-qualified 216 domain name. 217 o 'nameserver': Used to identify a name server information query 218 using a host name. 219 o 'entity': Used to identify an entity information query using a 220 string identifier. 222 3.1.1. IP Network Path Segment Specification 224 Syntax: ip/ or ip// 226 Queries for information about IP networks are of the form /ip/XXX/... 227 or /ip/XXX/YY/... where the path segment following 'ip' is either an 228 IPv4 dotted-decimal or IPv6 [RFC5952] address (i.e. XXX) or an IPv4 229 or IPv6 CIDR [RFC4632] notation address block (i.e. XXX/YY). 230 Semantically, the simpler form using the address can be thought of as 231 a CIDR block with a bitmask length of 32 for IPv4 and a bitmask 232 length of 128 for IPv6. A given specific address or CIDR may fall 233 within multiple IP networks in a hierarchy of networks, therefore 234 this query targets the "most-specific" or smallest IP network which 235 completely encompasses it in a hierarchy of IP networks. 237 The IPv4 and IPv6 address formats supported in this query are 238 described in Section 3.2.2 of RFC 3986 [RFC3986], as IPv4address and 239 IPv6address ABNF definitions. Any valid IPv6 text address format 240 [RFC4291] can be used. This includes IPv6 addresses written using 241 with or without compressed zeros, and IPv6 addresses containing 242 embedded IPv4 addresses. The rules to write a text representation of 243 an IPv6 address [RFC5952] are RECOMMENDED. However, the zone_id 244 [RFC4007] is not appropriate in this context and therefore the 245 corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be 246 used, and servers are to ignore it if possible. 248 For example, the following URL would be used to find information for 249 the most specific network containing 192.0.2.0: 251 https://example.com/rdap/ip/192.0.2.0 253 The following URL would be used to find information for the most 254 specific network containing 192.0.2.0/24: 256 https://example.com/rdap/ip/192.0.2.0/24 258 The following URL would be used to find information for the most 259 specific network containing 2001:db8::0: 261 https://example.com/rdap/ip/2001:db8::0 263 3.1.2. Autonomous System Path Segment Specification 265 Syntax: autnum/ 267 Queries for information regarding autonomous system number 268 registrations are of the form /autnum/XXX/... where XXX is an AS 269 Plain autonomous system number [RFC5396]. In some registries, 270 registration of autonomous system numbers is done on an individual 271 number basis, while other registries may register blocks of 272 autonomous system numbers. The semantics of this query are such that 273 if a number falls within a range of registered blocks, the target of 274 the query is the block registration, and that individual number 275 registrations are considered a block of numbers with a size of 1. 277 For example, the following URL would be used to find information 278 describing autonomous system number 12 (a number within a range of 279 registered blocks): 281 https://example.com/rdap/autnum/12 283 The following URL would be used to find information describing 4-byte 284 autonomous system number 65538: 286 https://example.com/rdap/autnum/65538 288 3.1.3. Domain Path Segment Specification 290 Syntax: domain/ 292 Queries for domain information are of the form /domain/XXXX/..., 293 where XXXX is a fully-qualified (relative to the root) domain name 294 (as specified in RFC 952 [RFC0952] and RFC 1123 [RFC1123]) in either 295 the in-addr.arpa or ip6.arpa zones (for RIRs) or a fully-qualified 296 domain name in a zone administered by the server operator (for DNRs). 297 Internationalized domain names represented in either A-label or 298 U-label format [RFC5890] are also valid domain names. See 299 Section 6.1 for information on character encoding for the U-label 300 format. 302 IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels; 303 that is, internationalized labels in an IDN SHOULD be either all 304 A-labels or all U-labels. It is possible for an RDAP client to 305 assemble a query string from multiple independent data sources. Such 306 a client might not be able to perform conversions between A-labels 307 and U-labels. An RDAP server that receives a query string with a 308 mixture of A-labels and U-labels MAY convert all the U-labels to 309 A-labels, perform IDNA processing, and proceed with exact-match 310 lookup. In such cases, the response to be returned to the query 311 source may not match the input from the query source. Alternatively, 312 the server MAY refuse to process the query. 314 The server MAY perform the match using either the A-label or U-label 315 form. Using one consistent form for matching every label is likely 316 to be more reliable. 318 The following URL would be used to find information describing the 319 zone serving the network 192.0.2/24: 321 https://example.com/rdap/domain/2.0.192.in-addr.arpa 323 The following URL would be used to find information describing the 324 zone serving the network 2001:db8:1::/48: 326 https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa 328 The following URL would be used to find information for the 329 blah.example.com domain name: 331 https://example.com/rdap/domain/blah.example.com 333 The following URL would be used to find information for the 334 xn--fo-5ja.example IDN: 336 https://example.com/rdap/domain/xn--fo-5ja.example 338 3.1.4. Name Server Path Segment Specification 340 Syntax: nameserver/ 342 The parameter represents a fully qualified host 343 name as specified in RFC 952 [RFC0952] and RFC 1123 [RFC1123]. 344 Internationalized names represented in either A-label or U-label 345 format [RFC5890] are also valid name server names. IDN processing 346 for name server names uses the domain name processing instructions 347 specified in Section 3.1.3. See Section 6.1 for information on 348 character encoding for the U-label format. 350 The following URL would be used to find information for the 351 ns1.example.com name server: 353 https://example.com/rdap/nameserver/ns1.example.com 355 The following URL would be used to find information for the 356 ns1.xn--fo-5ja.example name server: 358 https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example 360 3.1.5. Entity Path Segment Specification 362 Syntax: entity/ 364 The parameter represents an entity (such as a contact, 365 registrant, or registrar) identifier whose syntax is specific to the 366 registration provider. For example, for some DNRs contact 367 identifiers are specified in RFC 5730 [RFC5730] and RFC 5733 368 [RFC5733]. 370 The following URL would be used to find information for the entity 371 associated with handle XXXX: 373 https://example.com/rdap/entity/XXXX 375 3.1.6. Help Path Segment Specification 377 Syntax: help 379 The help path segment can be used to request helpful information 380 (command syntax, terms of service, privacy policy, rate limiting 381 policy, supported authentication methods, supported extensions, 382 technical support contact, etc.) from an RDAP server. The response 383 to "help" should provide basic information that a client needs to 384 successfully use the service. The following URL would be used to 385 return "help" information: 387 https://example.com/rdap/help 389 3.2. Search Path Segment Specification 391 Pattern matching semantics are described in Section 4.1. The 392 resource type path segments for search are: 394 o 'domains': Used to identify a domain name information search using 395 a pattern to match a fully-qualified domain name. 396 o 'nameservers': Used to identify a name server information search 397 using a pattern to match a host name. 398 o 'entities': Used to identify an entity information search using a 399 pattern to match a string identifier. 401 RDAP search path segments are formed using a concatenation of the 402 plural form of the object being searched for and an HTTP query 403 string. The HTTP query string is formed using a concatenation of the 404 question mark character ('?', ASCII value 0x003F), the JSON object 405 value associated with the object being searched for, the equal sign 406 character ('=', ASCII value 0x003D), and the search pattern. Search 407 pattern query processing is described more fully in Section 4. For 408 the domain, nameserver, and entity objects described in this document 409 the plural object forms are "domains", "nameservers", and "entities". 411 Detailed results can be retrieved using the HTTP GET method and the 412 path segments specified here. 414 3.2.1. Domain Search 416 Syntax: domains?name= 418 Syntax: domains?nsLdhName= 420 Syntax: domains?nsIp= 422 Searches for domain information by name are specified using this 423 form: 425 domains?name=XXXX 427 XXXX is a search pattern representing a domain name in "letters, 428 digits, hyphen" format [RFC5890] in a zone administered by the server 429 operator of a DNR. The following URL would be used to find DNR 430 information for domain names matching the "example*.com" pattern: 432 https://example.com/rdap/domains?name=example*.com 434 Internationalized Domain Names (IDNs) in U-label format [RFC5890] can 435 also be used as search patterns (see Section 4). Searches for these 436 names are of the form /domains?name=XXXX, where XXXX is a search 437 pattern representing a domain name in U-label format [RFC5890]. See 438 Section 6.1 for information on character encoding for the U-label 439 format. 441 Searches for domain information by name server name are specified 442 using this form: 444 domains?nsLdhName=YYYY 446 YYYY is a search pattern representing a host name in "letters, 447 digits, hyphen" format [RFC5890] in a zone administered by the server 448 operator of a DNR. The following URL would be used to search for 449 domains delegated to name servers matching the "ns1.example*.com" 450 pattern: 452 https://example.com/rdap/domains?nsLdhName=ns1.example*.com 454 Searches for domain information by name server IP address are 455 specified using this form: 457 domains?nsIp=ZZZZ 459 ZZZZ is a search pattern representing an IPv4 [RFC1166] or IPv6 460 [RFC5952] address. The following URL would be used to search for 461 domains that have been delegated to name servers that resolve to the 462 "192.0.2.0" address: 464 https://example.com/rdap/domains?nsIp=192.0.2.0 466 3.2.2. Name Server Search 468 Syntax: nameservers?name= 470 Syntax: nameservers?ip= 472 Searches for name server information by name server name are 473 specified using this form: 475 nameservers?name=XXXX 477 XXXX is a search pattern representing a host name in "letters, 478 digits, hyphen" format [RFC5890] in a zone administered by the server 479 operator of a DNR. The following URL would be used to find DNR 480 information for name server names matching the "ns1.example*.com" 481 pattern: 483 https://example.com/rdap/nameservers?name=ns1.example*.com 485 Internationalized name server names in U-label format [RFC5890] can 486 also be used as search patterns (see Section 4). Searches for these 487 names are of the form /nameservers?name=XXXX, where XXXX is a search 488 pattern representing a name server name in U-label format [RFC5890]. 489 See Section 6.1 for information on character encoding for the U-label 490 format. 492 Searches for name server information by name server IP address are 493 specified using this form: 495 nameservers?ip=YYYY 497 YYYY is a search pattern representing an IPv4 [RFC1166] or IPv6 498 [RFC5952] address. The following URL would be used to search for 499 name server names that resolve to the "192.0.2.0" address: 501 https://example.com/rdap/nameservers?ip=192.0.2.0 503 3.2.3. Entity Search 505 Syntax: entities?fn= 507 Syntax: entities?handle= 509 Searches for entity information by name are specified using this 510 form: 512 entities?fn=XXXX 514 where XXXX is a search pattern representing the "FN" property of an 515 entity (such as a contact, registrant, or registrar) name as 516 specified in Section 5.1 of [I-D.ietf-weirds-json-response]. The 517 following URL would be used to find information for entity names 518 matching the "Bobby Joe*" pattern: 520 https://example.com/rdap/entities?fn=Bobby%20Joe* 522 Searches for entity information by handle are specified using this 523 form: 525 entities?handle=XXXX 526 where XXXX is a search pattern representing an entity (such as a 527 contact, registrant, or registrar) identifier whose syntax is 528 specific to the registration provider. The following URL would be 529 used to find information for entity handles matching the "CID-40*" 530 pattern: 532 https://example.com/rdap/entities?handle=CID-40* 534 URLs MUST be properly encoded according to the rules of [RFC3986]. 535 In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*". 537 4. Query Processing 539 Servers indicate the success or failure of query processing by 540 returning an appropriate HTTP response code to the client. Response 541 codes not specifically identified in this document are described in 542 [I-D.ietf-weirds-using-http]. 544 4.1. Partial String Searching 546 Partial string searching uses the asterisk ('*', ASCII value 0x002A) 547 character to match zero or more trailing characters. A character 548 string representing multiple domain name labels MAY be concatenated 549 to the end of the search pattern to limit the scope of the search. 550 For example, the search pattern "exam*" will match "example.com" and 551 "example.net". The search pattern "exam*.com" will match 552 "example.com". If an asterisk appears in a search string, any label 553 that contains the non-asterisk characters in sequence plus zero or 554 more characters in sequence in place of the asterisk would match. 555 Additional pattern matching processing is beyond the scope of this 556 specification. 558 If a server receives a search request but cannot process the request 559 because it does not support a particular style of partial match 560 searching, it SHOULD return an HTTP 422 (Unprocessable Entity) 561 [RFC4918] response. When returning a 422 error, the server MAY also 562 return an error response body as specified in Section 7 of 563 [I-D.ietf-weirds-json-response] if the requested media type is one 564 that is specified in [I-D.ietf-weirds-using-http]. 566 Partial matching is not feasible across combinations of Unicode 567 characters because Unicode characters can be combined with each 568 other. Servers SHOULD NOT partially match combinations of Unicode 569 characters where a legal combination is possible. It should be 570 noted, though, that it may not always be possible to detect cases 571 where a character could have been combined with another character, 572 but was not, because characters can be combined in many different 573 ways. 575 Clients should avoid submitting a partial match search of Unicode 576 characters where a Unicode character may be legally combined with 577 another Unicode character or characters. Partial match searches with 578 incomplete combinations of characters where a character must be 579 combined with another character or characters are invalid. Partial 580 match searches with characters that may be combined with another 581 character or characters are to be considered non-combined characters 582 (that is, if character x may be combined with character y but 583 character y is not submitted in the search string then character x is 584 a complete character and no combinations of character x are to be 585 searched). 587 4.2. Associated Records 589 Conceptually, any query-matching record in a server's database might 590 be a member of a set of related records, related in some fashion as 591 defined by the server - for example, variants of an IDN. The entire 592 set ought to be considered as candidates for inclusion when 593 constructing the response. However, the construction of the final 594 response needs to be mindful of privacy and other data-releasing 595 policies when assembling the RDAP response set. 597 Note too that due to the nature of searching, there may be a list of 598 query-matching records. Each one of those is subject to being a 599 member of a set as described in the previous paragraph. What is 600 ultimately returned in a response will be the union of all the sets 601 that has been filtered by whatever policies are in place. 603 Note that this model includes arrangements for associated names, 604 including those that are linked by policy mechanisms and names bound 605 together for some other purposes. Note also that returning 606 information that was not explicitly selected by an exact-match 607 lookup, including additional names that match a relatively fuzzy 608 search as well as lists of names that are linked together, may cause 609 privacy issues. 611 Note that there might not be a single, static information return 612 policy that applies to all clients equally. Client identity and 613 associated authorizations can be a relevant factor in determining how 614 broad the response set will be for any particular query. 616 5. Extensibility 618 This document describes path segment specifications for a limited 619 number of objects commonly registered in both RIRs and DNRs. It does 620 not attempt to describe path segments for all of the objects 621 registered in all registries. Custom path segments can be created 622 for objects not specified here using the process described in 623 Section 6 of "HTTP usage in the Registration Data Access Protocol 624 (RDAP)" [I-D.ietf-weirds-using-http]. 626 Custom path segments can be created by prefixing the segment with a 627 unique identifier followed by an underscore character (0x5F). For 628 example, a custom entity path segment could be created by prefixing 629 "entity" with "custom_", producing "custom_entity". Servers MUST 630 return an appropriate failure status code for a request with an 631 unrecognized path segment. 633 6. Internationalization Considerations 635 There is value in supporting the ability to submit either a U-label 636 (Unicode form of an IDN label) or an A-label (ASCII form of an IDN 637 label) as a query argument to an RDAP service. Clients capable of 638 processing non-ASCII characters may prefer a U-label since this is 639 more visually recognizable and familiar than A-label strings, but 640 clients using programmatic interfaces might find it easier to submit 641 and display A-labels if they are unable to input U-labels with their 642 keyboard configuration. Both query forms are acceptable. 644 Internationalized domain and name server names can contain character 645 variants and variant labels as described in RFC 4290 [RFC4290]. 646 Clients that support queries for internationalized domain and name 647 server names MUST accept service provider responses that describe 648 variants as specified in "JSON Responses for the Registration Data 649 Access Protocol" [I-D.ietf-weirds-json-response]. 651 6.1. Character Encoding Considerations 653 Servers can expect to receive search patterns from clients that 654 contain character strings encoded in different forms supported by 655 HTTP. It is entirely possible to apply filters and normalization 656 rules to search patterns prior to making character comparisons, but 657 this type of processing is more typically needed to determine the 658 validity of registered strings than to match patterns. 660 An RDAP client submitting a query string containing non-US-ASCII 661 characters converts such strings into Unicode in UTF-8 encoding. It 662 then performs any local case mapping deemed necessary. Strings are 663 normalized using Normalization Form C (NFC, [Unicode-UAX15]); note 664 that clients might not be able to do this reliably. UTF-8 encoded 665 strings are then appropriately percent-encoded [RFC3986] in the query 666 URL. 668 After parsing any percent-encoding, an RDAP server treats each query 669 string as Unicode in UTF-8 encoding. If a string is not valid UTF-8, 670 the server can immediately stop processing the query and return an 671 HTTP 400 (Bad Request) response. 673 When processing queries, there is a difference in handling DNS names, 674 including those including putative U-labels, and everything else. 675 DNS names are treated according to the DNS matching rules as 676 described in Section 3.1 of RFC 1035 [RFC1035] for NR-LDH labels and 677 the matching rules described in Section 5.4 of RFC 5891 [RFC5891] for 678 U-labels. Matching of DNS names proceeds one label at a time, 679 because it is possible for a combination of U-labels and NR-LDH 680 labels to be found in a single domain or host name. The 681 determination of whether a label is a U-label or an NR-LDH label is 682 based on whether the label contains any characters outside of the US- 683 ASCII letters, digits, or hyphen (the so-called LDH rule). 685 For everything else, servers map fullwidth and halfwidth characters 686 to their decomposition equivalents. Servers convert strings to the 687 same coded character set of the target data that is to be looked up 688 or searched and each string is normalized using the same 689 normalization that was used on the target data. In general, storage 690 of strings as Unicode is RECOMMENDED. For the purposes of 691 comparison, Normalization Form KC (NFKC, [Unicode-UAX15]) with case 692 folding is used to maximize predictability and the number of matches. 693 Note the use of case-folded NFKC as opposed to NFC in this case. 695 7. IANA Considerations 697 This document does not specify any IANA actions. 699 8. Security Considerations 701 Security services for the operations specified in this document are 702 described in "Security Services for the Registration Data Access 703 Protocol" [I-D.ietf-weirds-rdap-sec]. 705 Search functionality typically requires more server resources (such 706 as memory, CPU cycles, and network bandwidth) when compared to basic 707 lookup functionality. This increases the risk of server resource 708 exhaustion and subsequent denial of service due to abuse. This risk 709 can be mitigated by developing and implementing controls to restrict 710 search functionality to identified and authorized clients. If those 711 clients behave badly, their search privileges can be suspended or 712 revoked. Rate limiting as described in Section 5.5 of "HTTP usage in 713 the Registration Data Access Protocol (RDAP)" 714 [I-D.ietf-weirds-using-http] can also be used to control the rate of 715 received search requests. Server operators can also reduce their 716 risk by restricting the amount of information returned in response to 717 a search request. 719 Search functionality also increases the privacy risk of disclosing 720 object relationships that might not otherwise be obvious. For 721 example, a search that returns IDN variants [RFC6927] that do not 722 explicitly match a client-provided search pattern can disclose 723 information about registered domain names that might not be otherwise 724 available. Implementers need to consider the policy and privacy 725 implications of returning information that was not explicitly 726 requested. 728 Note that there might not be a single, static information return 729 policy that applies to all clients equally. Client identity and 730 associated authorizations can be a relevant factor in determining how 731 broad the response set will be for any particular query. 733 9. Acknowledgements 735 This document is derived from original work on RIR query formats 736 developed by Byron J. Ellacott of APNIC, Arturo L. Servin of 737 LACNIC, Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN. 738 Additionally, this document incorporates DNR query formats originally 739 described by Francisco Arias and Steve Sheng of ICANN and Scott 740 Hollenbeck of Verisign Labs. 742 The authors would like to acknowledge the following individuals for 743 their contributions to this document: Francisco Arias, Marc Blanchet, 744 Ernie Dainow, Jean-Philippe Dionne, Behnam Esfahbod, John Klensin, 745 Edward Lewis, John Levine, Mark Nottingham, and Andrew Sullivan. 747 10. References 749 10.1. Normative References 751 [I-D.ietf-weirds-bootstrap] 752 Blanchet, M., "Finding the Authoritative Registration Data 753 (RDAP) Service", draft-ietf-weirds-bootstrap-11 (work in 754 progress), December 2014. 756 [I-D.ietf-weirds-json-response] 757 Newton, A. and S. Hollenbeck, "JSON Responses for the 758 Registration Data Access Protocol (RDAP)", draft-ietf- 759 weirds-json-response-13 (work in progress), December 2014. 761 [I-D.ietf-weirds-rdap-sec] 762 Hollenbeck, S. and N. Kong, "Security Services for the 763 Registration Data Access Protocol", draft-ietf-weirds- 764 rdap-sec-12 (work in progress), December 2014. 766 [I-D.ietf-weirds-using-http] 767 Newton, A., Ellacott, B., and N. Kong, "HTTP usage in the 768 Registration Data Access Protocol (RDAP)", draft-ietf- 769 weirds-using-http-15 (work in progress), November 2014. 771 [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet 772 host table specification", RFC 952, October 1985. 774 [RFC1035] Mockapetris, P., "Domain names - implementation and 775 specification", STD 13, RFC 1035, November 1987. 777 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application 778 and Support", STD 3, RFC 1123, October 1989. 780 [RFC1166] Kirkpatrick, S., Stahl, M., and M. Recker, "Internet 781 numbers", RFC 1166, July 1990. 783 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 784 Requirement Levels", BCP 14, RFC 2119, March 1997. 786 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 787 Resource Identifier (URI): Generic Syntax", STD 66, RFC 788 3986, January 2005. 790 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 791 Architecture", RFC 4291, February 2006. 793 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 794 (CIDR): The Internet Address Assignment and Aggregation 795 Plan", BCP 122, RFC 4632, August 2006. 797 [RFC4918] Dusseault, L., "HTTP Extensions for Web Distributed 798 Authoring and Versioning (WebDAV)", RFC 4918, June 2007. 800 [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of 801 Autonomous System (AS) Numbers", RFC 5396, December 2008. 803 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 804 STD 69, RFC 5730, August 2009. 806 [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 807 Contact Mapping", STD 69, RFC 5733, August 2009. 809 [RFC5890] Klensin, J., "Internationalized Domain Names for 810 Applications (IDNA): Definitions and Document Framework", 811 RFC 5890, August 2010. 813 [RFC5891] Klensin, J., "Internationalized Domain Names in 814 Applications (IDNA): Protocol", RFC 5891, August 2010. 816 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 817 Address Text Representation", RFC 5952, August 2010. 819 [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 820 (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 821 2014. 823 [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 824 (HTTP/1.1): Semantics and Content", RFC 7231, June 2014. 826 [Unicode-UAX15] 827 The Unicode Consortium, "Unicode Standard Annex #15: 828 Unicode Normalization Forms", September 2013, 829 . 831 10.2. Informative References 833 [REST] Fielding, R., "Architectural Styles and the Design of 834 Network-based Software Architectures", Ph.D. Dissertation, 835 University of California, Irvine, 2000, 836 . 839 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, 840 September 2004. 842 [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and 843 B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, 844 March 2005. 846 [RFC4290] Klensin, J., "Suggested Practices for Registration of 847 Internationalized Domain Names (IDN)", RFC 4290, December 848 2005. 850 [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing 851 IPv6 Zone Identifiers in Address Literals and Uniform 852 Resource Identifiers", RFC 6874, February 2013. 854 [RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names 855 Registered in Top-Level Domains", RFC 6927, May 2013. 857 Appendix A. Change Log 859 Initial -00: Adopted as working group document. 860 -01: Added "Conventions Used in This Document" section. Added 861 normative reference to draft-ietf-weirds-rdap-sec and some 862 wrapping text in the Security Considerations section. 863 -02: Removed "unified" from the title. Rewrote the last paragraph 864 of section 2. Edited the first paragraph of section 3 to more 865 clearly note that only one path segment is provided. Added 866 "bitmask" to "length" in section 3.1. Changed "lowest IP network" 867 to "smallest IP network" in section 3.1. Added "asplain" to the 868 description of autonomous system numbers in section 3.2. Minor 869 change from "semantics is" to "semantics are" in section 3.2. 870 Changed the last sentence in section 4 to more clearly specify 871 error response behavior. Added acknowledgements. Added a 872 paragraph in the introduction regarding future IETF standards and 873 extensibility. 874 -03: Changed 'query' to 'lookup' in document title to better 875 describe the 'exact match lookup' purpose of this document. 876 Included a multitude of minor additions and clarifications 877 provided by Marc Blanchet and Jean-Philippe Dionne. Modified the 878 domain and name server sections to include support for IDN 879 U-labels. 880 -04: Updated the domain and name server sections to use .example IDN 881 U-labels. Added text to note that mixed IDN labels SHOULD NOT be 882 used. Fixed broken sentences in Section 6. 883 -05: Added "help" path segment. 884 -06: Added search text and removed or edited old search text. 885 -07: Fixed query parameter typo by replacing "/?" with "?". Changed 886 "asplain" to "AS Plain". Added entity search by handle. 887 Corrected section references. Updated IDN search text. 888 -08: Revised URI formats and added IANA instructions to create a 889 registry entry for the "rdap" well-known prefix. Revised search 890 processing text and added search privacy consideration. 891 Synchronized examples with response draft. 892 -09: More search processing and URI prefix updates. Updated fully- 893 qualified domain name reference. 894 -10: Added name server search by IP address. 895 -11: Replaced reference to RFC 4627 with reference to RFC 7159. 896 Replaced .well-known with bootstrap-defined prefix. Replaced 897 references to RFC 2616 with references to RFC 7231 and draft-ietf- 898 httpbis-http2, adding a note to make it clear that 2616 is an 899 acceptable reference if http2 isn't ready when needed. 900 -12: IDN label processing clarification. Added domain search by 901 name server name and name server IP address. Minor text editing 902 for consistency in the search sections. Replaced reference to 903 draft-ietf-httpbis-http2 with a reference to RFC 7230 and removed 904 reference note. 906 -13: Added HTTP HEAD reference in Section 3.2. 907 -14: Address WG last call comments. 908 -15: Address AD review comments. 909 -16: Address IETF last call comments. 910 -17: Address IESG review comments. 911 -18: One more IESG review comment regarding asterisk pattern 912 matching. 914 Authors' Addresses 916 Andrew Lee Newton 917 American Registry for Internet Numbers 918 3635 Concorde Parkway 919 Chantilly, VA 20151 920 US 922 Email: andy@arin.net 923 URI: http://www.arin.net 925 Scott Hollenbeck 926 Verisign Labs 927 12061 Bluemont Way 928 Reston, VA 20190 929 US 931 Email: shollenbeck@verisign.com 932 URI: http://www.verisignlabs.com/