summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9082.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc9082.txt')
-rw-r--r--doc/rfc/rfc9082.txt1010
1 files changed, 1010 insertions, 0 deletions
diff --git a/doc/rfc/rfc9082.txt b/doc/rfc/rfc9082.txt
new file mode 100644
index 0000000..94cc8f9
--- /dev/null
+++ b/doc/rfc/rfc9082.txt
@@ -0,0 +1,1010 @@
+
+
+
+
+Internet Engineering Task Force (IETF) S. Hollenbeck
+Request for Comments: 9082 Verisign Labs
+STD: 95 A. Newton
+Obsoletes: 7482 AWS
+Category: Standards Track June 2021
+ISSN: 2070-1721
+
+
+ Registration Data Access Protocol (RDAP) Query Format
+
+Abstract
+
+ This document describes uniform patterns to construct HTTP URLs that
+ may be used to retrieve registration information from registries
+ (including both Regional Internet Registries (RIRs) and Domain Name
+ Registries (DNRs)) using "RESTful" web access patterns. These
+ uniform patterns define the query syntax for the Registration Data
+ Access Protocol (RDAP). This document obsoletes RFC 7482.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9082.
+
+Copyright Notice
+
+ Copyright (c) 2021 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Conventions Used in This Document
+ 2.1. Acronyms and Abbreviations
+ 3. Path Segment Specification
+ 3.1. Lookup Path Segment Specification
+ 3.1.1. IP Network Path Segment Specification
+ 3.1.2. Autonomous System Path Segment Specification
+ 3.1.3. Domain Path Segment Specification
+ 3.1.4. Nameserver Path Segment Specification
+ 3.1.5. Entity Path Segment Specification
+ 3.1.6. Help Path Segment Specification
+ 3.2. Search Path Segment Specification
+ 3.2.1. Domain Search
+ 3.2.2. Nameserver Search
+ 3.2.3. Entity Search
+ 4. Query Processing
+ 4.1. Partial String Searching
+ 4.2. Associated Records
+ 5. Extensibility
+ 6. Internationalization Considerations
+ 6.1. Character Encoding Considerations
+ 7. IANA Considerations
+ 8. Security Considerations
+ 9. References
+ 9.1. Normative References
+ 9.2. Informative References
+ Appendix A. Changes from RFC 7482
+ Acknowledgments
+ Authors' Addresses
+
+1. Introduction
+
+ This document describes a specification for querying registration
+ data using a RESTful web service and uniform query patterns. The
+ service is implemented using the Hypertext Transfer Protocol (HTTP)
+ [RFC7230] and the conventions described in [RFC7480]. These uniform
+ patterns define the query syntax for the Registration Data Access
+ Protocol (RDAP). This document obsoletes RFC 7482.
+
+ The protocol described in this specification is intended to address
+ deficiencies with the WHOIS protocol [RFC3912] that have been
+ identified over time, including:
+
+ * lack of standardized command structures;
+
+ * lack of standardized output and error structures;
+
+ * lack of support for internationalization and localization; and
+
+ * lack of support for user identification, authentication, and
+ access control.
+
+ The patterns described in this document purposefully do not encompass
+ all of the methods employed in the WHOIS and other RESTful web
+ services used by the RIRs and DNRs. The intent of the patterns
+ described here is to enable queries of:
+
+ * networks by IP address;
+
+ * Autonomous System (AS) numbers by number;
+
+ * reverse DNS metadata by domain;
+
+ * nameservers by name; and
+
+ * entities (such as registrars and contacts) by identifier.
+
+ Server implementations are free to support only a subset of these
+ features depending on local requirements. Servers MUST return an
+ HTTP 501 (Not Implemented) [RFC7231] response to inform clients of
+ unsupported query types. It is also envisioned that each registry
+ will continue to maintain WHOIS and/or other RESTful web services
+ specific to their needs and those of their constituencies, and the
+ information retrieved through the patterns described here may
+ reference such services.
+
+ Likewise, future IETF specifications may add additional patterns for
+ additional query types. A simple pattern namespacing scheme is
+ described in Section 5 to accommodate custom extensions that will not
+ interfere with the patterns defined in this document or patterns
+ defined in future IETF specifications.
+
+ WHOIS services, in general, are read-only services. Accordingly, URL
+ [RFC3986] patterns specified in this document are only applicable to
+ the HTTP [RFC7231] GET and HEAD methods.
+
+ This document does not describe the results or entities returned from
+ issuing the described URLs with an HTTP GET. The specification of
+ these entities is described in [RFC9083].
+
+ Additionally, resource management, provisioning, and update functions
+ are out of scope for this document. Registries have various and
+ divergent methods covering these functions, and it is unlikely a
+ uniform approach is needed for interoperability.
+
+ HTTP contains mechanisms for servers to authenticate clients and for
+ clients to authenticate servers (from which authorization schemes may
+ be built), so such mechanisms are not described in this document.
+ Policy, provisioning, and processing of authentication and
+ authorization are out of scope for this document as deployments will
+ have to make choices based on local criteria. Supported
+ authentication mechanisms are described in [RFC7481].
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+2.1. Acronyms and Abbreviations
+
+ IDN: Internationalized Domain Name, a fully-qualified domain name
+ containing one or more labels that are intended to include one or
+ more Unicode code points outside the ASCII range (cf. "domain
+ name", "fully-qualified domain name", and "internationalized
+ domain name" in RFC 8499 [RFC8499]).
+
+ IDNA: Internationalized Domain Names in Applications, a protocol for
+ the handling of IDNs. In this document, "IDNA" refers
+ specifically to the version of those specifications known as
+ "IDNA2008" [RFC5890].
+
+ DNR: Domain Name Registry or Domain Name Registrar
+
+ NFC: Unicode Normalization Form C [Unicode-UAX15]
+
+ NFKC: Unicode Normalization Form KC [Unicode-UAX15]
+
+ RDAP: Registration Data Access Protocol
+
+ REST: Representational State Transfer. The term was first described
+ in a doctoral dissertation [REST].
+
+ RESTful: An adjective that describes a service using HTTP and the
+ principles of REST.
+
+ RIR: Regional Internet Registry
+
+3. Path Segment Specification
+
+ The base URLs used to construct RDAP queries are maintained in an
+ IANA registry (the "bootstrap registry") described in [RFC7484].
+ Queries are formed by retrieving an appropriate base URL from the
+ registry and appending a path segment specified in either Sections
+ 3.1 or 3.2. Generally, a registry or other service provider will
+ provide a base URL that identifies the protocol, host, and port, and
+ this will be used as a base URL that the complete URL is resolved
+ against, as per Section 5 of RFC 3986 [RFC3986]. For example, if the
+ base URL is "https://example.com/rdap/", all RDAP query URLs will
+ begin with "https://example.com/rdap/".
+
+ The bootstrap registry does not contain information for query objects
+ that are not part of a global namespace, including entities and help.
+ A base URL for an associated object is required to construct a
+ complete query. This limitation can be overcome for entities by
+ using the practice described in RFC 8521 [RFC8521].
+
+ For entities, a base URL is retrieved for the service (domain,
+ address, etc.) associated with a given entity. The query URL is
+ constructed by concatenating the base URL with the entity path
+ segment specified in either Sections 3.1.5 or 3.2.3.
+
+ For help, a base URL is retrieved for any service (domain, address,
+ etc.) for which additional information is required. The query URL is
+ constructed by concatenating the base URL with the help path segment
+ specified in Section 3.1.6.
+
+3.1. Lookup Path Segment Specification
+
+ A simple lookup to determine if an object exists (or not) without
+ returning RDAP-encoded results can be performed using the HTTP HEAD
+ method as described in Section 4.1 of [RFC7480].
+
+ The resource type path segments for exact match lookup are:
+
+ 'ip': Used to identify IP networks and associated data referenced
+ using either an IPv4 or IPv6 address.
+
+ 'autnum': Used to identify Autonomous System number registrations
+ and associated data referenced using an asplain Autonomous System
+ number.
+
+ 'domain': Used to identify reverse DNS (RIR) or domain name (DNR)
+ information and associated data referenced using a fully qualified
+ domain name.
+
+ 'nameserver': Used to identify a nameserver information query using
+ a host name.
+
+ 'entity': Used to identify an entity information query using a
+ string identifier.
+
+3.1.1. IP Network Path Segment Specification
+
+ Syntax: ip/<IP address> or ip/<CIDR prefix>/<CIDR length>
+
+ Queries for information about IP networks are of the form /ip/XXX or
+ /ip/XXX/YY where the path segment following 'ip' is either an IPv4
+ dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or
+ IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address
+ block (i.e., XXX/YY). Semantically, the simpler form using the
+ address can be thought of as a CIDR block with a prefix length of 32
+ for IPv4 and a prefix length of 128 for IPv6. A given specific
+ address or CIDR may fall within multiple IP networks in a hierarchy
+ of networks; therefore, this query targets the "most-specific" or
+ smallest IP network that completely encompasses it in a hierarchy of
+ IP networks.
+
+ The IPv4 and IPv6 address formats supported in this query are
+ described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and
+ IPv6address ABNF definitions. Any valid IPv6 text address format
+ [RFC4291] can be used. This includes IPv6 addresses written using
+ with or without compressed zeros and IPv6 addresses containing
+ embedded IPv4 addresses. The rules to write a text representation of
+ an IPv6 address [RFC5952] are RECOMMENDED. However, the zone_id
+ [RFC4007] is not appropriate in this context; therefore, the
+ corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be
+ used, and servers SHOULD ignore it.
+
+ For example, the following URL would be used to find information for
+ the most specific network containing 192.0.2.0:
+
+ https://example.com/rdap/ip/192.0.2.0
+
+ The following URL would be used to find information for the most
+ specific network containing 192.0.2.0/24:
+
+ https://example.com/rdap/ip/192.0.2.0/24
+
+ The following URL would be used to find information for the most
+ specific network containing 2001:db8::
+
+ https://example.com/rdap/ip/2001:db8::
+
+3.1.2. Autonomous System Path Segment Specification
+
+ Syntax: autnum/<autonomous system number>
+
+ Queries for information regarding Autonomous System number
+ registrations are of the form /autnum/XXX where XXX is an asplain
+ Autonomous System number [RFC5396]. In some registries, registration
+ of Autonomous System numbers is done on an individual number basis,
+ while other registries may register blocks of Autonomous System
+ numbers. The semantics of this query are such that if a number falls
+ within a range of registered blocks, the target of the query is the
+ block registration and that individual number registrations are
+ considered a block of numbers with a size of 1.
+
+ For example, the following URL would be used to find information
+ describing Autonomous System number 12 (a number within a range of
+ registered blocks):
+
+ https://example.com/rdap/autnum/12
+
+ The following URL would be used to find information describing 4-byte
+ Autonomous System number 65538:
+
+ https://example.com/rdap/autnum/65538
+
+3.1.3. Domain Path Segment Specification
+
+ Syntax: domain/<domain name>
+
+ Queries for domain information are of the form /domain/XXXX, where
+ XXXX is a fully qualified (relative to the root) domain name (as
+ specified in [RFC0952] and [RFC1123]) in either the in-addr.arpa or
+ ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone
+ administered by the server operator (for DNRs). Internationalized
+ Domain Names (IDNs) represented in either A-label or U-label format
+ [RFC5890] are also valid domain names. See Section 6.1 for
+ information on character encoding for the U-label format.
+
+ IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels;
+ that is, internationalized labels in an IDN SHOULD be either all
+ A-labels or all U-labels. It is possible for an RDAP client to
+ assemble a query string from multiple independent data sources. Such
+ a client might not be able to perform conversions between A-labels
+ and U-labels. An RDAP server that receives a query string with a
+ mixture of A-labels and U-labels MAY convert all the U-labels to
+ A-labels, perform IDNA processing, and proceed with exact-match
+ lookup. In such cases, the response to be returned to the query
+ source may not match the input from the query source. Alternatively,
+ the server MAY refuse to process the query.
+
+ The server MAY perform the match using either the A-label or U-label
+ form. Using one consistent form for matching every label is likely
+ to be more reliable.
+
+ The following URL would be used to find information describing the
+ zone serving the network 192.0.2/24:
+
+ https://example.com/rdap/domain/2.0.192.in-addr.arpa
+
+ The following URL would be used to find information describing the
+ zone serving the network 2001:db8:1::/48:
+
+ https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
+
+ The following URL would be used to find information for the
+ blah.example.com domain name:
+
+ https://example.com/rdap/domain/blah.example.com
+
+ The following URL would be used to find information for the
+ xn--fo-5ja.example IDN:
+
+ https://example.com/rdap/domain/xn--fo-5ja.example
+
+3.1.4. Nameserver Path Segment Specification
+
+ Syntax: nameserver/<nameserver name>
+
+ The <nameserver name> parameter represents a fully qualified host
+ name as specified in [RFC0952] and [RFC1123]. Internationalized
+ names represented in either A-label or U-label format [RFC5890] are
+ also valid nameserver names. IDN processing for nameserver names
+ uses the domain name processing instructions specified in
+ Section 3.1.3. See Section 6.1 for information on character encoding
+ for the U-label format.
+
+ The following URL would be used to find information for the
+ ns1.example.com nameserver:
+
+ https://example.com/rdap/nameserver/ns1.example.com
+
+ The following URL would be used to find information for the
+ ns1.xn--fo-5ja.example nameserver:
+
+ https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example
+
+3.1.5. Entity Path Segment Specification
+
+ Syntax: entity/<handle>
+
+ The <handle> parameter represents an entity (such as a contact,
+ registrant, or registrar) identifier whose syntax is specific to the
+ registration provider. For example, for some DNRs, contact
+ identifiers are specified in [RFC5730] and [RFC5733].
+
+ The following URL would be used to find information for the entity
+ associated with handle XXXX:
+
+ https://example.com/rdap/entity/XXXX
+
+3.1.6. Help Path Segment Specification
+
+ Syntax: help
+
+ The help path segment can be used to request helpful information
+ (command syntax, terms of service, privacy policy, rate-limiting
+ policy, supported authentication methods, supported extensions,
+ technical support contact, etc.) from an RDAP server. The response
+ to "help" should provide basic information that a client needs to
+ successfully use the service. The following URL would be used to
+ return "help" information:
+
+ https://example.com/rdap/help
+
+3.2. Search Path Segment Specification
+
+ Pattern matching semantics are described in Section 4.1. The
+ resource type path segments for search are:
+
+ 'domains': Used to identify a domain name information search using a
+ pattern to match a fully qualified domain name.
+
+ 'nameservers': Used to identify a nameserver information search
+ using a pattern to match a host name.
+
+ 'entities': Used to identify an entity information search using a
+ pattern to match a string identifier.
+
+ RDAP search path segments are formed using a concatenation of the
+ plural form of the object being searched for and an HTTP query
+ string. The HTTP query string is formed using a concatenation of the
+ question mark character ('?', US-ASCII value 0x003F), a noun
+ representing the JSON object property associated with the object
+ being searched for, the equal sign character ('=', US-ASCII value
+ 0x003D), and the search pattern (this is in contrast to the more
+ generic HTTP query string that allows multiple simultaneous
+ parameters). Search pattern query processing is described more fully
+ in Section 4. For the domain, nameserver, and entity objects
+ described in this document, the plural object forms are "domains",
+ "nameservers", and "entities".
+
+ Detailed results can be retrieved using the HTTP GET method and the
+ path segments specified here.
+
+3.2.1. Domain Search
+
+ Syntax: domains?name=<domain search pattern>
+
+ Syntax: domains?nsLdhName=<nameserver search pattern>
+
+ Syntax: domains?nsIp=<nameserver IP address>
+
+ Searches for domain information by name are specified using this
+ form:
+
+ domains?name=XXXX
+
+ XXXX is a search pattern representing a domain name in "letters,
+ digits, hyphen" (LDH) format [RFC5890]. The following URL would be
+ used to find DNR information for domain names matching the
+ "example*.com" pattern:
+
+ https://example.com/rdap/domains?name=example*.com
+
+ IDNs in U-label format [RFC5890] can also be used as search patterns
+ (see Section 4). Searches for these names are of the form
+ /domains?name=XXXX, where XXXX is a search pattern representing a
+ domain name in U-label format [RFC5890]. See Section 6.1 for
+ information on character encoding for the U-label format.
+
+ Searches for domain information by nameserver name are specified
+ using this form:
+
+ domains?nsLdhName=YYYY
+
+ YYYY is a search pattern representing a host name in "letters,
+ digits, hyphen" format [RFC5890]. The following URL would be used to
+ search for domains delegated to nameservers matching the
+ "ns1.example*.com" pattern:
+
+ https://example.com/rdap/domains?nsLdhName=ns1.example*.com
+
+ Searches for domain information by nameserver IP address are
+ specified using this form:
+
+ domains?nsIp=ZZZZ
+
+ ZZZZ is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following
+ URL would be used to search for domains that have been delegated to
+ nameservers that resolve to the "192.0.2.0" address:
+
+ https://example.com/rdap/domains?nsIp=192.0.2.0
+
+3.2.2. Nameserver Search
+
+ Syntax: nameservers?name=<nameserver search pattern>
+
+ Syntax: nameservers?ip=<nameserver IP address>
+
+ Searches for nameserver information by nameserver name are specified
+ using this form:
+
+ nameservers?name=XXXX
+
+ XXXX is a search pattern representing a host name in "letters,
+ digits, hyphen" format [RFC5890]. The following URL would be used to
+ find information for nameserver names matching the "ns1.example*.com"
+ pattern:
+
+ https://example.com/rdap/nameservers?name=ns1.example*.com
+
+ Internationalized nameserver names in U-label format [RFC5890] can
+ also be used as search patterns (see Section 4). Searches for these
+ names are of the form /nameservers?name=XXXX, where XXXX is a search
+ pattern representing a nameserver name in U-label format [RFC5890].
+ See Section 6.1 for information on character encoding for the U-label
+ format.
+
+ Searches for nameserver information by nameserver IP address are
+ specified using this form:
+
+ nameservers?ip=YYYY
+
+ YYYY is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following
+ URL would be used to search for nameserver names that resolve to the
+ "192.0.2.0" address:
+
+ https://example.com/rdap/nameservers?ip=192.0.2.0
+
+3.2.3. Entity Search
+
+ Syntax: entities?fn=<entity name search pattern>
+
+ Syntax: entities?handle=<entity handle search pattern>
+
+ Searches for entity information by name are specified using this
+ form:
+
+ entities?fn=XXXX
+
+ XXXX is a search pattern representing the "fn" property of an entity
+ (such as a contact, registrant, or registrar) name as described in
+ Section 5.1 of [RFC9083]. The following URL would be used to find
+ information for entity names matching the "Bobby Joe*" pattern:
+
+ https://example.com/rdap/entities?fn=Bobby%20Joe*
+
+ Searches for entity information by handle are specified using this
+ form:
+
+ entities?handle=XXXX
+
+ XXXX is a search pattern representing an entity (such as a contact,
+ registrant, or registrar) identifier whose syntax is specific to the
+ registration provider. The following URL would be used to find
+ information for entity handles matching the "CID-40*" pattern:
+
+ https://example.com/rdap/entities?handle=CID-40*
+
+ URLs MUST be properly encoded according to the rules of [RFC3986].
+ In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*".
+
+4. Query Processing
+
+ Servers indicate the success or failure of query processing by
+ returning an appropriate HTTP response code to the client. Response
+ codes not specifically identified in this document are described in
+ [RFC7480].
+
+4.1. Partial String Searching
+
+ Partial string searching uses the asterisk ('*', US-ASCII value 0x2A)
+ character to match zero or more trailing characters. A character
+ string representing a domain label suffix MAY be concatenated to the
+ end of the search pattern to limit the scope of the search. For
+ example, the search pattern "exam*" will match "example.com" and
+ "example.net". The search pattern "exam*.com" will match
+ "example.com". If an asterisk appears in a search string, any label
+ that contains the non-asterisk characters in sequence plus zero or
+ more characters in sequence in place of the asterisk would match. A
+ partial string search MUST NOT include more than one asterisk.
+ Additional pattern matching processing is beyond the scope of this
+ specification.
+
+ If a server receives a search request but cannot process the request
+ because it does not support a particular style of partial match
+ searching, it SHOULD return an HTTP 422 (Unprocessable Entity)
+ [RFC4918] response (unless another response code is more appropriate
+ based on a server's policy settings) to note that search
+ functionality is supported, but this particular query cannot be
+ processed. When returning a 422 error, the server MAY also return an
+ error response body as specified in Section 6 of [RFC9083] if the
+ requested media type is one that is specified in [RFC7480].
+
+ Partial matching is not feasible across combinations of Unicode
+ characters because Unicode characters can be combined with each
+ other. Servers SHOULD NOT partially match combinations of Unicode
+ characters where a legal combination is possible. It should be
+ noted, though, that it may not always be possible to detect cases
+ where a character could have been combined with another character,
+ but was not, because characters can be combined in many different
+ ways.
+
+ Clients SHOULD NOT submit a partial match search of Unicode
+ characters where a Unicode character may be legally combined with
+ another Unicode character or characters. Partial match searches with
+ incomplete combinations of characters where a character must be
+ combined with another character or characters are invalid. Partial
+ match searches with characters that may be combined with another
+ character or characters are to be considered non-combined characters
+ (that is, if character x may be combined with character y but
+ character y is not submitted in the search string, then character x
+ is a complete character and no combinations of character x are to be
+ searched).
+
+4.2. Associated Records
+
+ Conceptually, any query-matching record in a server's database might
+ be a member of a set of related records, related in some fashion as
+ defined by the server -- for example, variants of an IDN. The entire
+ set ought to be considered as candidates for inclusion when
+ constructing the response. However, the construction of the final
+ response needs to be mindful of privacy and other data-releasing
+ policies when assembling the RDAP response set.
+
+ Note too that due to the nature of searching, there may be a list of
+ query-matching records. Each one of those is subject to being a
+ member of a set as described in the previous paragraph. What is
+ ultimately returned in a response will be the union of all the sets
+ that has been filtered by whatever policies are in place.
+
+ Note that this model includes arrangements for associated names,
+ including those that are linked by policy mechanisms and names bound
+ together for some other purposes. Note also that returning
+ information that was not explicitly selected by an exact-match
+ lookup, including additional names that match a relatively fuzzy
+ search as well as lists of names that are linked together, may cause
+ privacy issues.
+
+ Note that there might not be a single, static information return
+ policy that applies to all clients equally. Client identity and
+ associated authorizations can be a relevant factor in determining how
+ broad the response set will be for any particular query.
+
+5. Extensibility
+
+ This document describes path segment specifications for a limited
+ number of objects commonly registered in both RIRs and DNRs. It does
+ not attempt to describe path segments for all of the objects
+ registered in all registries. Custom path segments can be created
+ for objects not specified here using the process described in
+ Section 6 of "HTTP Usage in the Registration Data Access Protocol
+ (RDAP)" [RFC7480].
+
+ Custom path segments can be created by prefixing the segment with a
+ unique identifier followed by an underscore character (0x5F). For
+ example, a custom entity path segment could be created by prefixing
+ "entity" with "custom_", producing "custom_entity". Servers MUST
+ return an appropriate failure status code for a request with an
+ unrecognized path segment.
+
+6. Internationalization Considerations
+
+ There is value in supporting the ability to submit either a U-label
+ (Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN
+ label) as a query argument to an RDAP service. Clients capable of
+ processing non-US-ASCII characters may prefer a U-label since this is
+ more visually recognizable and familiar than A-label strings, but
+ clients using programmatic interfaces might find it easier to submit
+ and display A-labels if they are unable to input U-labels with their
+ keyboard configuration. Both query forms are acceptable.
+
+ Internationalized domain and nameserver names can contain character
+ variants and variant labels as described in [RFC4290]. Clients that
+ support queries for internationalized domain and nameserver names
+ MUST accept service provider responses that describe variants as
+ specified in "JSON Responses for the Registration Data Access
+ Protocol (RDAP)" [RFC9083].
+
+6.1. Character Encoding Considerations
+
+ Servers can expect to receive search patterns from clients that
+ contain character strings encoded in different forms supported by
+ HTTP. It is entirely possible to apply filters and normalization
+ rules to search patterns prior to making character comparisons, but
+ this type of processing is more typically needed to determine the
+ validity of registered strings than to match patterns.
+
+ An RDAP client submitting a query string containing non-US-ASCII
+ characters converts such strings into Unicode in UTF-8 encoding. It
+ then performs any local case mapping deemed necessary. Strings are
+ normalized using Normalization Form C (NFC) [Unicode-UAX15]; note
+ that clients might not be able to do this reliably. UTF-8 encoded
+ strings are then appropriately percent-encoded [RFC3986] in the query
+ URL.
+
+ After parsing any percent-encoding, an RDAP server treats each query
+ string as Unicode in UTF-8 encoding. If a string is not valid UTF-8,
+ the server can immediately stop processing the query and return an
+ HTTP 400 (Bad Request) response.
+
+ When processing queries, there is a difference in handling DNS names,
+ including those with putative U-labels, and everything else. DNS
+ names are treated according to the DNS matching rules as described in
+ Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH)
+ labels and the matching rules described in Section 5.4 of RFC 5891
+ [RFC5891] for U-labels. Matching of DNS names proceeds one label at
+ a time because it is possible for a combination of U-labels and NR-
+ LDH labels to be found in a single domain or host name. The
+ determination of whether a label is a U-label or an NR-LDH label is
+ based on whether the label contains any characters outside of the US-
+ ASCII letters, digits, or hyphen (the so-called LDH rule).
+
+ For everything else, servers map fullwidth and halfwidth characters
+ to their decomposition equivalents. Servers convert strings to the
+ same coded character set of the target data that is to be looked up
+ or searched, and each string is normalized using the same
+ normalization that was used on the target data. In general, storage
+ of strings as Unicode is RECOMMENDED. For the purposes of
+ comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case
+ folding is used to maximize predictability and the number of matches.
+ Note the use of case-folded NFKC as opposed to NFC in this case.
+
+7. IANA Considerations
+
+ This document has no IANA actions.
+
+8. Security Considerations
+
+ Security services for the operations specified in this document are
+ described in "Security Services for the Registration Data Access
+ Protocol (RDAP)" [RFC7481].
+
+ Search functionality typically requires more server resources (such
+ as memory, CPU cycles, and network bandwidth) when compared to basic
+ lookup functionality. This increases the risk of server resource
+ exhaustion and subsequent denial of service due to abuse. This risk
+ can be mitigated by developing and implementing controls to restrict
+ search functionality to identified and authorized clients. If those
+ clients behave badly, their search privileges can be suspended or
+ revoked. Rate limiting as described in Section 5.5 of "HTTP Usage in
+ the Registration Data Access Protocol (RDAP)" [RFC7480] can also be
+ used to control the rate of received search requests. Server
+ operators can also reduce their risk by restricting the amount of
+ information returned in response to a search request.
+
+ Search functionality also increases the privacy risk of disclosing
+ object relationships that might not otherwise be obvious. For
+ example, a search that returns IDN variants [RFC6927] that do not
+ explicitly match a client-provided search pattern can disclose
+ information about registered domain names that might not be otherwise
+ available. Implementers need to consider the policy and privacy
+ implications of returning information that was not explicitly
+ requested.
+
+ Note that there might not be a single, static information return
+ policy that applies to all clients equally. Client identity and
+ associated authorizations can be a relevant factor in determining how
+ broad the response set will be for any particular query.
+
+9. References
+
+9.1. Normative References
+
+ [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
+ host table specification", RFC 952, DOI 10.17487/RFC0952,
+ October 1985, <https://www.rfc-editor.org/info/rfc952>.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
+ November 1987, <https://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
+ Application and Support", STD 3, RFC 1123,
+ DOI 10.17487/RFC1123, October 1989,
+ <https://www.rfc-editor.org/info/rfc1123>.
+
+ [RFC1166] Kirkpatrick, S., Stahl, M., and M. Recker, "Internet
+ numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990,
+ <https://www.rfc-editor.org/info/rfc1166>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, DOI 10.17487/RFC3986, January 2005,
+ <https://www.rfc-editor.org/info/rfc3986>.
+
+ [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 4291, DOI 10.17487/RFC4291, February
+ 2006, <https://www.rfc-editor.org/info/rfc4291>.
+
+ [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
+ (CIDR): The Internet Address Assignment and Aggregation
+ Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
+ 2006, <https://www.rfc-editor.org/info/rfc4632>.
+
+ [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed
+ Authoring and Versioning (WebDAV)", RFC 4918,
+ DOI 10.17487/RFC4918, June 2007,
+ <https://www.rfc-editor.org/info/rfc4918>.
+
+ [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of
+ Autonomous System (AS) Numbers", RFC 5396,
+ DOI 10.17487/RFC5396, December 2008,
+ <https://www.rfc-editor.org/info/rfc5396>.
+
+ [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
+ STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
+ <https://www.rfc-editor.org/info/rfc5730>.
+
+ [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
+ Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733,
+ August 2009, <https://www.rfc-editor.org/info/rfc5733>.
+
+ [RFC5890] Klensin, J., "Internationalized Domain Names for
+ Applications (IDNA): Definitions and Document Framework",
+ RFC 5890, DOI 10.17487/RFC5890, August 2010,
+ <https://www.rfc-editor.org/info/rfc5890>.
+
+ [RFC5891] Klensin, J., "Internationalized Domain Names in
+ Applications (IDNA): Protocol", RFC 5891,
+ DOI 10.17487/RFC5891, August 2010,
+ <https://www.rfc-editor.org/info/rfc5891>.
+
+ [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
+ Address Text Representation", RFC 5952,
+ DOI 10.17487/RFC5952, August 2010,
+ <https://www.rfc-editor.org/info/rfc5952>.
+
+ [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+ Protocol (HTTP/1.1): Message Syntax and Routing",
+ RFC 7230, DOI 10.17487/RFC7230, June 2014,
+ <https://www.rfc-editor.org/info/rfc7230>.
+
+ [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+ Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
+ DOI 10.17487/RFC7231, June 2014,
+ <https://www.rfc-editor.org/info/rfc7231>.
+
+ [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 7480, DOI 10.17487/RFC7480, March 2015,
+ <https://www.rfc-editor.org/info/rfc7480>.
+
+ [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 7481, DOI 10.17487/RFC7481, March 2015,
+ <https://www.rfc-editor.org/info/rfc7481>.
+
+ [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data
+ (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
+ 2015, <https://www.rfc-editor.org/info/rfc7484>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
+ Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
+ January 2019, <https://www.rfc-editor.org/info/rfc8499>.
+
+ [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
+ Registration Data Access Protocol (RDAP)", STD 95,
+ RFC 9083, DOI 10.17487/RFC9083, June 2021,
+ <https://www.rfc-editor.org/info/rfc9083>.
+
+ [Unicode-UAX15]
+ The Unicode Consortium, "Unicode Standard Annex #15:
+ Unicode Normalization Forms", September 2013,
+ <https://www.unicode.org/reports/tr15/>.
+
+9.2. Informative References
+
+ [REST] Fielding, R., "Architectural Styles and the Design of
+ Network-based Software Architectures", Ph.D.
+ Dissertation, University of California, Irvine, 2000,
+ <https://www.ics.uci.edu/~fielding/pubs/dissertation/
+ fielding_dissertation.pdf>.
+
+ [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
+ DOI 10.17487/RFC3912, September 2004,
+ <https://www.rfc-editor.org/info/rfc3912>.
+
+ [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
+ B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
+ DOI 10.17487/RFC4007, March 2005,
+ <https://www.rfc-editor.org/info/rfc4007>.
+
+ [RFC4290] Klensin, J., "Suggested Practices for Registration of
+ Internationalized Domain Names (IDN)", RFC 4290,
+ DOI 10.17487/RFC4290, December 2005,
+ <https://www.rfc-editor.org/info/rfc4290>.
+
+ [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing
+ IPv6 Zone Identifiers in Address Literals and Uniform
+ Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
+ February 2013, <https://www.rfc-editor.org/info/rfc6874>.
+
+ [RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names
+ Registered in Top-Level Domains", RFC 6927,
+ DOI 10.17487/RFC6927, May 2013,
+ <https://www.rfc-editor.org/info/rfc6927>.
+
+ [RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access
+ Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
+ DOI 10.17487/RFC8521, November 2018,
+ <https://www.rfc-editor.org/info/rfc8521>.
+
+Appendix A. Changes from RFC 7482
+
+ * Addressed known errata.
+
+ * Addressed other reported clarifications and corrections: IDN,
+ IDNA, and DNR definitions. Noted that registrars are entities.
+ Added a reference to RFC 8521 to address the bootstrap registry
+ limitation. Removed extraneous "...". Clarified HTTP query
+ string, search pattern, name server search, domain label suffix,
+ and asterisk search.
+
+ * Addressed "The HTTP query string" clarification.
+
+ * Modified coauthor address.
+
+ * Updated references to RFC 7483 to RFC 9083.
+
+ * Added an IANA Considerations section. Changed references to use
+ HTTPS for targets.
+
+ * Changed "XXXX is a search pattern representing the "FN" property
+ of an entity (such as a contact, registrant, or registrar) name as
+ specified in Section 5.1" to "Changed "XXXX is a search pattern
+ representing the "fn" property of an entity (such as a contact,
+ registrant, or registrar) name as described in Section 5.1".
+
+ * Added acknowledgments.
+
+ * Changed "The intent of the patterns described here are to enable
+ queries" to "The intent of the patterns described here is to
+ enable queries".
+
+ * Changed "the corresponding syntax extension in RFC 6874 [RFC6874]
+ MUST NOT be used, and servers are to ignore it if possible" to
+ "the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT
+ be used, and servers SHOULD ignore it".
+
+ * Changed "Only a single asterisk is allowed for a partial string
+ search" to "A partial string search MUST NOT include more than one
+ asterisk".
+
+ * Changed "Clients should avoid submitting a partial match search of
+ Unicode characters where a Unicode character may be legally
+ combined with another Unicode character or characters" to "Clients
+ SHOULD NOT submit a partial match search of Unicode characters
+ where a Unicode character may be legally combined with another
+ Unicode character or characters".
+
+ * Changed description of nameserver IP address "search pattern" in
+ Sections 3.2.1 and 3.2.2.
+
+ * IESG review feedback: Added "obsoletes 7482" to the headers,
+ Abstract, and Introduction. Changed "IETF standards" to "IETF
+ specifications" and "Therefore" to "Accordingly" in Section 1.
+ Updated the BCP 14 boilerplate. Added definition of "bootstrap
+ registry" and changed "concatenating ... to" to "concatenating ...
+ with" in Section 3. Changed "bitmask length" to "prefix length"
+ and "2001:db8::0" to "2001:db8::" in Section 3.1.1. Added "in
+ contrast to the more generic HTTP query string that admits
+ multiple simultaneous parameters" in Section 3.2. Changed
+ "0x002A" to "0x2A" in Section 4.1. Clarified use of HTTP 422
+ SHOULD in Section 4.1.
+
+Acknowledgments
+
+ This document is derived from original work on RIR query formats
+ developed by Byron J. Ellacott of APNIC, Arturo L. Servin of LACNIC,
+ Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN.
+ Additionally, this document incorporates DNR query formats originally
+ described by Francisco Arias and Steve Sheng of ICANN and Scott
+ Hollenbeck of Verisign Labs.
+
+ The authors would like to acknowledge the following individuals for
+ their contributions to this document: Francisco Arias, Marc Blanchet,
+ Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam
+ Esfahbod, John Klensin, John Levine, Edward Lewis, Mario Loffredo,
+ Patrick Mevzek, Mark Nottingham, Kaveh Ranjbar, Arturo L. Servin,
+ Steve Sheng, Jasdip Singh, and Andrew Sullivan.
+
+Authors' Addresses
+
+ Scott Hollenbeck
+ Verisign Labs
+ 12061 Bluemont Way
+ Reston, VA 20190
+ United States of America
+
+ Email: shollenbeck@verisign.com
+ URI: https://www.verisignlabs.com/
+
+
+ Andy Newton
+ Amazon Web Services, Inc.
+ 13200 Woodland Park Road
+ Herndon, VA 20171
+ United States of America
+
+ Email: andy@hxr.us