]> Viagenie

246 Aberdeen Quebec QC G1R 2E1 Canada marc.blanchet@viagenie.ca http://viagenie.ca

Registration Access Data Protocol(RDAP) is being deployed in domain and IP address registries. This document describes issues and findings while interfacing with the known server implementations and deployments. It also provides recommendations for the specifications.

While developing various tools and software related to RDAP, issues have been found and are documented below. This document should help in writing future version of the specifications and provide better conformant deployment. It is split in various sections based on where the fix should be applied. Obviously, there are different levels of severity of the issues, including nits or very minor. The actual instances and organisations running the RDAP servers where the issues were found are not listed.

This section describes issues related to the IANA non-Bootstrap registries as specified in .

The IANA RDAP JSON Values registry contains various values expected in JSON responses. The following table shows values not registered in the registry but seen in the field. The second column shows the possible corresponding values already registered. Recommendation: implementations should replace their custom values with the registered ones, when one exist. Implementors should register their values when there is no corresponding registered one. Remarks Type Unregistered Values Possibly Corresponding Registered Values object truncated due to server policyobject truncated due to authorization Response truncated due to authorizationobject truncated due to authorization Object truncated due to authorizationobject truncated due to authorization object redacted due to authorizationobject truncated due to authorization Event Action Unregistered Values Possibly Corresponding Registered Values delegation check last correct delegation check last updatelast changed Status Value Unregistered Values Possibly Corresponding Registered Values server deleted prohibitedserver delete prohibited okactive Role Value Unregistered Values Possibly Corresponding Registered Values ownerregistrant

The IANA RDAP Extensions registry contains various extensions values expected in RDAP JSON responses in the rdapCconformance member. The following table shows values not registered in the registry but seen in the field. The second column shows the possible corresponding values already registered. Recommendation: implementations should replace their custom values with the registered ones, when one exist. Implementors should register their values when there is no corresponding registered one. Unregistered Values Possibly Corresponding Registered Values rdap_objectTag_level_0rdap_objectTag rdap_openidc_level_0 icann_rdap_technical_implementation_guide_0 icann_rdap_response_profile_0 itNic_level_0 fred_version_0fred nicbr_level_0 ur_domain_check_level_0 history_version_0 registrar_api_0

This section discusses issues found related to RDAP responses, specified in .

As specified in , the HTTP "Access-Control-Allow-Origin: *" header should be included in the responses, to enable Web clients to work properly. Some RDAP servers do not set this header. RFC7480 says "it is RECOMMENDED that servers". It should be updated to "for any public Internet deployment, servers MUST".

A non-conformant server sends the following answer, where the value of "objectClassName" is an empty string (as well as "handle" also empty). As per section 4.9, this "objectClassName" value is required. Extract of the seen response:

{ entities: [ { "entities": [ { "objectClassName": "", "handle": "", } ], ], }

The links relation values as specified in section 4.3 refer to which creates the IANA Link Relations registry. This registry contains a large number of values where most of them do not apply to the RDAP deployment. As seen with other values above that are similar to registered ones but not used, we list here the ones we have seen. It would be appropriate to further describes the main ones in the RFC so implementors focus on ones that are expected instead of picking the wrong ones in the IANA registry or to define new ones and do not register them. Links Relation Values Seen Values about alternate copyright describedBy help related self terms-of-service up

An RDAP server returns a link of "rel": "related" is pointing to itself, therefore causing the RDAP client to fetch the object again, then read the related link and then fetch again, creating an infinite loop. Extract of the seen response:

{ "links": [ { "title": "Self", "rel": "self", "type": "application/rdap+json", "href": "https://rdapserver.example.com/domain/example.net" }, { "title": "Registrar Data for this object", "rel": "related", "href": "https://rdapserver.example.com/domain/example.net", "type": "application/rdap+json" } ], }

Recommendation: do not put related link same as self. RFC7483 section 4.2 should be updated to add the following text: "A link of "rel": "related" should not have the "href" value the same as the value of "href" of link of "rel": "self".

An RDAP server returns the registrant entity in a subentity, which makes difficult to parse given the expectation is the registrant would be at the top level. Extract of the seen response:

{ entities: [ { "objectClassName": "entity", "handle": "HANDLE1", "roles": [ "abuse" ], "vcardArray": [ ... ], "entities": [ { "objectClassName": "entity", "handle": "HANDLE2", "roles": [ "registrant" ], "vcardArray": [ ... ], } ], ],

Recommendation: put the registrant in the top-level entities as follows:

{ entities: [ { "objectClassName": "entity", "handle": "HANDLE1", "roles": [ "abuse" ], "vcardArray": [ ... ] }, { "objectClassName": "entity", "handle": "HANDLE2", "roles": [ "registrant" ], "vcardArray": [ ... ], } ],

This section talks about support of RFC7482 queries and the RDAP server behaviors seen.

For RIR registries, the ip query may include an IPv6 address which then includes one or many ":". Clients may decide to do percent-encoding of the query. In one RDAP server, the server rejected the percent-encoded query of an IPv6 address. For example, https://rdapserver.example.com/ip/2001%3Adb8%3A0%3A%3A/48 is rejected, while https://rdapserver.example.com/ip/2001:db8:0::/48 is accepted. Recommendation: accept both percent-encoded queries or non-percent encoded queries.

The ICANN RDAP Profile section 3.2 requires the domain registries who do not have registrant information (so-called thin registries) to put a specific link of "rel": "related" pointing to the domain registrar responsible for the domain being queried, so that a client can get the registrant information using a second query to the related link. However, the semantics seems ambiguous as other RDAP servers may use the "rel": "related" for other related means, but not the specific semantic of finding the registrant data. Therefore, a possible mitigation is to define a new "rel" type of "registrantInfo" (mnemonic TBD) to carry the specific semantic of registrant info.

Section 3.2.1 of says: "domains?nsIp=ZZZZ. ZZZZ is a search pattern representing an IPv4 [RFC1166] or IPv6 [RFC5952] address.". Search pattern has been used throughout the document as something that can include ‘*’, while here, it does not. The syntax statement is also misleading. Similarly, section 3.2.2 says: "nameservers?ip=YYYY YYYY is a search pattern representing an IPv4 [RFC1166] or IPv6 [RFC5952] address." Recommendation: in , replace: "ZZZZ is a search pattern representing an IPv4" by "ZZZZ is an IPv4", "Syntax: domains?nsIp=<domain search pattern>" by "Syntax: domains?nsIp=<nameserver IP address>", "YYYY is a search pattern representing an IPv4" by "YYYY is an IPv4", "Syntax: nameservers?ip=<nameserver search pattern>" by "Syntax: nameservers?ip=<nameserver IP address>"

This section describes issues related to the IANA Bootstrap registries as specified in .

section 3 says: "Base RDAP URLs MUST have a trailing "/" character". However, some values in the various IANA Bootstrap registries do not have the trailing "/" character. These should be added to provide consistency.

provides a way to list multiple RDAP servers for an entry. This flexibility was designed initially to support multiple URI types, such as http: and https, and to provide some level of redundancy. However, given that security deployment policy is to use https everywhere and redundancy can be accomplished in other ways, deployment has shown that all entries in all bootstrap registries have a single target RDAP URL value. Therefore, we can consider updating the RFC to provide only one target value. However, this should be done carefully to avoid breaking current deployed clients.

Proper conformance to specifications helps security. However, no security issues have been found in the context of this draft.

This document request IANA to add the following values to this registry. TBD.

Audric Schiltknecht, TBD have provided input and suggestions to this document.