summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9082.txt
blob: 94cc8f937148563e7e8e5215fe3f281efb3aa34f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
Internet Engineering Task Force (IETF)                     S. Hollenbeck
Request for Comments: 9082                                 Verisign Labs
STD: 95                                                        A. Newton
Obsoletes: 7482                                                      AWS
Category: Standards Track                                      June 2021
ISSN: 2070-1721


         Registration Data Access Protocol (RDAP) Query Format

Abstract

   This document describes uniform patterns to construct HTTP URLs that
   may be used to retrieve registration information from registries
   (including both Regional Internet Registries (RIRs) and Domain Name
   Registries (DNRs)) using "RESTful" web access patterns.  These
   uniform patterns define the query syntax for the Registration Data
   Access Protocol (RDAP).  This document obsoletes RFC 7482.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9082.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
     2.1.  Acronyms and Abbreviations
   3.  Path Segment Specification
     3.1.  Lookup Path Segment Specification
       3.1.1.  IP Network Path Segment Specification
       3.1.2.  Autonomous System Path Segment Specification
       3.1.3.  Domain Path Segment Specification
       3.1.4.  Nameserver Path Segment Specification
       3.1.5.  Entity Path Segment Specification
       3.1.6.  Help Path Segment Specification
     3.2.  Search Path Segment Specification
       3.2.1.  Domain Search
       3.2.2.  Nameserver Search
       3.2.3.  Entity Search
   4.  Query Processing
     4.1.  Partial String Searching
     4.2.  Associated Records
   5.  Extensibility
   6.  Internationalization Considerations
     6.1.  Character Encoding Considerations
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from RFC 7482
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document describes a specification for querying registration
   data using a RESTful web service and uniform query patterns.  The
   service is implemented using the Hypertext Transfer Protocol (HTTP)
   [RFC7230] and the conventions described in [RFC7480].  These uniform
   patterns define the query syntax for the Registration Data Access
   Protocol (RDAP).  This document obsoletes RFC 7482.

   The protocol described in this specification is intended to address
   deficiencies with the WHOIS protocol [RFC3912] that have been
   identified over time, including:

   *  lack of standardized command structures;

   *  lack of standardized output and error structures;

   *  lack of support for internationalization and localization; and

   *  lack of support for user identification, authentication, and
      access control.

   The patterns described in this document purposefully do not encompass
   all of the methods employed in the WHOIS and other RESTful web
   services used by the RIRs and DNRs.  The intent of the patterns
   described here is to enable queries of:

   *  networks by IP address;

   *  Autonomous System (AS) numbers by number;

   *  reverse DNS metadata by domain;

   *  nameservers by name; and

   *  entities (such as registrars and contacts) by identifier.

   Server implementations are free to support only a subset of these
   features depending on local requirements.  Servers MUST return an
   HTTP 501 (Not Implemented) [RFC7231] response to inform clients of
   unsupported query types.  It is also envisioned that each registry
   will continue to maintain WHOIS and/or other RESTful web services
   specific to their needs and those of their constituencies, and the
   information retrieved through the patterns described here may
   reference such services.

   Likewise, future IETF specifications may add additional patterns for
   additional query types.  A simple pattern namespacing scheme is
   described in Section 5 to accommodate custom extensions that will not
   interfere with the patterns defined in this document or patterns
   defined in future IETF specifications.

   WHOIS services, in general, are read-only services.  Accordingly, URL
   [RFC3986] patterns specified in this document are only applicable to
   the HTTP [RFC7231] GET and HEAD methods.

   This document does not describe the results or entities returned from
   issuing the described URLs with an HTTP GET.  The specification of
   these entities is described in [RFC9083].

   Additionally, resource management, provisioning, and update functions
   are out of scope for this document.  Registries have various and
   divergent methods covering these functions, and it is unlikely a
   uniform approach is needed for interoperability.

   HTTP contains mechanisms for servers to authenticate clients and for
   clients to authenticate servers (from which authorization schemes may
   be built), so such mechanisms are not described in this document.
   Policy, provisioning, and processing of authentication and
   authorization are out of scope for this document as deployments will
   have to make choices based on local criteria.  Supported
   authentication mechanisms are described in [RFC7481].

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.1.  Acronyms and Abbreviations

   IDN:  Internationalized Domain Name, a fully-qualified domain name
      containing one or more labels that are intended to include one or
      more Unicode code points outside the ASCII range (cf. "domain
      name", "fully-qualified domain name", and "internationalized
      domain name" in RFC 8499 [RFC8499]).

   IDNA:  Internationalized Domain Names in Applications, a protocol for
      the handling of IDNs.  In this document, "IDNA" refers
      specifically to the version of those specifications known as
      "IDNA2008" [RFC5890].

   DNR:  Domain Name Registry or Domain Name Registrar

   NFC:  Unicode Normalization Form C [Unicode-UAX15]

   NFKC:  Unicode Normalization Form KC [Unicode-UAX15]

   RDAP:  Registration Data Access Protocol

   REST:  Representational State Transfer.  The term was first described
      in a doctoral dissertation [REST].

   RESTful:  An adjective that describes a service using HTTP and the
      principles of REST.

   RIR:  Regional Internet Registry

3.  Path Segment Specification

   The base URLs used to construct RDAP queries are maintained in an
   IANA registry (the "bootstrap registry") described in [RFC7484].
   Queries are formed by retrieving an appropriate base URL from the
   registry and appending a path segment specified in either Sections
   3.1 or 3.2.  Generally, a registry or other service provider will
   provide a base URL that identifies the protocol, host, and port, and
   this will be used as a base URL that the complete URL is resolved
   against, as per Section 5 of RFC 3986 [RFC3986].  For example, if the
   base URL is "https://example.com/rdap/", all RDAP query URLs will
   begin with "https://example.com/rdap/".

   The bootstrap registry does not contain information for query objects
   that are not part of a global namespace, including entities and help.
   A base URL for an associated object is required to construct a
   complete query.  This limitation can be overcome for entities by
   using the practice described in RFC 8521 [RFC8521].

   For entities, a base URL is retrieved for the service (domain,
   address, etc.) associated with a given entity.  The query URL is
   constructed by concatenating the base URL with the entity path
   segment specified in either Sections 3.1.5 or 3.2.3.

   For help, a base URL is retrieved for any service (domain, address,
   etc.) for which additional information is required.  The query URL is
   constructed by concatenating the base URL with the help path segment
   specified in Section 3.1.6.

3.1.  Lookup Path Segment Specification

   A simple lookup to determine if an object exists (or not) without
   returning RDAP-encoded results can be performed using the HTTP HEAD
   method as described in Section 4.1 of [RFC7480].

   The resource type path segments for exact match lookup are:

   'ip':  Used to identify IP networks and associated data referenced
      using either an IPv4 or IPv6 address.

   'autnum':  Used to identify Autonomous System number registrations
      and associated data referenced using an asplain Autonomous System
      number.

   'domain':  Used to identify reverse DNS (RIR) or domain name (DNR)
      information and associated data referenced using a fully qualified
      domain name.

   'nameserver':  Used to identify a nameserver information query using
      a host name.

   'entity':  Used to identify an entity information query using a
      string identifier.

3.1.1.  IP Network Path Segment Specification

   Syntax:  ip/<IP address> or ip/<CIDR prefix>/<CIDR length>

   Queries for information about IP networks are of the form /ip/XXX or
   /ip/XXX/YY where the path segment following 'ip' is either an IPv4
   dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or
   IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address
   block (i.e., XXX/YY).  Semantically, the simpler form using the
   address can be thought of as a CIDR block with a prefix length of 32
   for IPv4 and a prefix length of 128 for IPv6.  A given specific
   address or CIDR may fall within multiple IP networks in a hierarchy
   of networks; therefore, this query targets the "most-specific" or
   smallest IP network that completely encompasses it in a hierarchy of
   IP networks.

   The IPv4 and IPv6 address formats supported in this query are
   described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and
   IPv6address ABNF definitions.  Any valid IPv6 text address format
   [RFC4291] can be used.  This includes IPv6 addresses written using
   with or without compressed zeros and IPv6 addresses containing
   embedded IPv4 addresses.  The rules to write a text representation of
   an IPv6 address [RFC5952] are RECOMMENDED.  However, the zone_id
   [RFC4007] is not appropriate in this context; therefore, the
   corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be
   used, and servers SHOULD ignore it.

   For example, the following URL would be used to find information for
   the most specific network containing 192.0.2.0:

   https://example.com/rdap/ip/192.0.2.0

   The following URL would be used to find information for the most
   specific network containing 192.0.2.0/24:

   https://example.com/rdap/ip/192.0.2.0/24

   The following URL would be used to find information for the most
   specific network containing 2001:db8::

   https://example.com/rdap/ip/2001:db8::

3.1.2.  Autonomous System Path Segment Specification

   Syntax:  autnum/<autonomous system number>

   Queries for information regarding Autonomous System number
   registrations are of the form /autnum/XXX where XXX is an asplain
   Autonomous System number [RFC5396].  In some registries, registration
   of Autonomous System numbers is done on an individual number basis,
   while other registries may register blocks of Autonomous System
   numbers.  The semantics of this query are such that if a number falls
   within a range of registered blocks, the target of the query is the
   block registration and that individual number registrations are
   considered a block of numbers with a size of 1.

   For example, the following URL would be used to find information
   describing Autonomous System number 12 (a number within a range of
   registered blocks):

   https://example.com/rdap/autnum/12

   The following URL would be used to find information describing 4-byte
   Autonomous System number 65538:

   https://example.com/rdap/autnum/65538

3.1.3.  Domain Path Segment Specification

   Syntax:  domain/<domain name>

   Queries for domain information are of the form /domain/XXXX, where
   XXXX is a fully qualified (relative to the root) domain name (as
   specified in [RFC0952] and [RFC1123]) in either the in-addr.arpa or
   ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone
   administered by the server operator (for DNRs).  Internationalized
   Domain Names (IDNs) represented in either A-label or U-label format
   [RFC5890] are also valid domain names.  See Section 6.1 for
   information on character encoding for the U-label format.

   IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels;
   that is, internationalized labels in an IDN SHOULD be either all
   A-labels or all U-labels.  It is possible for an RDAP client to
   assemble a query string from multiple independent data sources.  Such
   a client might not be able to perform conversions between A-labels
   and U-labels.  An RDAP server that receives a query string with a
   mixture of A-labels and U-labels MAY convert all the U-labels to
   A-labels, perform IDNA processing, and proceed with exact-match
   lookup.  In such cases, the response to be returned to the query
   source may not match the input from the query source.  Alternatively,
   the server MAY refuse to process the query.

   The server MAY perform the match using either the A-label or U-label
   form.  Using one consistent form for matching every label is likely
   to be more reliable.

   The following URL would be used to find information describing the
   zone serving the network 192.0.2/24:

   https://example.com/rdap/domain/2.0.192.in-addr.arpa

   The following URL would be used to find information describing the
   zone serving the network 2001:db8:1::/48:

   https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa

   The following URL would be used to find information for the
   blah.example.com domain name:

   https://example.com/rdap/domain/blah.example.com

   The following URL would be used to find information for the
   xn--fo-5ja.example IDN:

   https://example.com/rdap/domain/xn--fo-5ja.example

3.1.4.  Nameserver Path Segment Specification

   Syntax:  nameserver/<nameserver name>

   The <nameserver name> parameter represents a fully qualified host
   name as specified in [RFC0952] and [RFC1123].  Internationalized
   names represented in either A-label or U-label format [RFC5890] are
   also valid nameserver names.  IDN processing for nameserver names
   uses the domain name processing instructions specified in
   Section 3.1.3.  See Section 6.1 for information on character encoding
   for the U-label format.

   The following URL would be used to find information for the
   ns1.example.com nameserver:

   https://example.com/rdap/nameserver/ns1.example.com

   The following URL would be used to find information for the
   ns1.xn--fo-5ja.example nameserver:

   https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example

3.1.5.  Entity Path Segment Specification

   Syntax:  entity/<handle>

   The <handle> parameter represents an entity (such as a contact,
   registrant, or registrar) identifier whose syntax is specific to the
   registration provider.  For example, for some DNRs, contact
   identifiers are specified in [RFC5730] and [RFC5733].

   The following URL would be used to find information for the entity
   associated with handle XXXX:

   https://example.com/rdap/entity/XXXX

3.1.6.  Help Path Segment Specification

   Syntax:  help

   The help path segment can be used to request helpful information
   (command syntax, terms of service, privacy policy, rate-limiting
   policy, supported authentication methods, supported extensions,
   technical support contact, etc.) from an RDAP server.  The response
   to "help" should provide basic information that a client needs to
   successfully use the service.  The following URL would be used to
   return "help" information:

   https://example.com/rdap/help

3.2.  Search Path Segment Specification

   Pattern matching semantics are described in Section 4.1.  The
   resource type path segments for search are:

   'domains':  Used to identify a domain name information search using a
      pattern to match a fully qualified domain name.

   'nameservers':  Used to identify a nameserver information search
      using a pattern to match a host name.

   'entities':  Used to identify an entity information search using a
      pattern to match a string identifier.

   RDAP search path segments are formed using a concatenation of the
   plural form of the object being searched for and an HTTP query
   string.  The HTTP query string is formed using a concatenation of the
   question mark character ('?', US-ASCII value 0x003F), a noun
   representing the JSON object property associated with the object
   being searched for, the equal sign character ('=', US-ASCII value
   0x003D), and the search pattern (this is in contrast to the more
   generic HTTP query string that allows multiple simultaneous
   parameters).  Search pattern query processing is described more fully
   in Section 4.  For the domain, nameserver, and entity objects
   described in this document, the plural object forms are "domains",
   "nameservers", and "entities".

   Detailed results can be retrieved using the HTTP GET method and the
   path segments specified here.

3.2.1.  Domain Search

   Syntax:  domains?name=<domain search pattern>

   Syntax:  domains?nsLdhName=<nameserver search pattern>

   Syntax:  domains?nsIp=<nameserver IP address>

   Searches for domain information by name are specified using this
   form:

   domains?name=XXXX

   XXXX is a search pattern representing a domain name in "letters,
   digits, hyphen" (LDH) format [RFC5890].  The following URL would be
   used to find DNR information for domain names matching the
   "example*.com" pattern:

   https://example.com/rdap/domains?name=example*.com

   IDNs in U-label format [RFC5890] can also be used as search patterns
   (see Section 4).  Searches for these names are of the form
   /domains?name=XXXX, where XXXX is a search pattern representing a
   domain name in U-label format [RFC5890].  See Section 6.1 for
   information on character encoding for the U-label format.

   Searches for domain information by nameserver name are specified
   using this form:

   domains?nsLdhName=YYYY

   YYYY is a search pattern representing a host name in "letters,
   digits, hyphen" format [RFC5890].  The following URL would be used to
   search for domains delegated to nameservers matching the
   "ns1.example*.com" pattern:

   https://example.com/rdap/domains?nsLdhName=ns1.example*.com

   Searches for domain information by nameserver IP address are
   specified using this form:

   domains?nsIp=ZZZZ

   ZZZZ is an IPv4 [RFC1166] or IPv6 [RFC5952] address.  The following
   URL would be used to search for domains that have been delegated to
   nameservers that resolve to the "192.0.2.0" address:

   https://example.com/rdap/domains?nsIp=192.0.2.0

3.2.2.  Nameserver Search

   Syntax:  nameservers?name=<nameserver search pattern>

   Syntax:  nameservers?ip=<nameserver IP address>

   Searches for nameserver information by nameserver name are specified
   using this form:

   nameservers?name=XXXX

   XXXX is a search pattern representing a host name in "letters,
   digits, hyphen" format [RFC5890].  The following URL would be used to
   find information for nameserver names matching the "ns1.example*.com"
   pattern:

   https://example.com/rdap/nameservers?name=ns1.example*.com

   Internationalized nameserver names in U-label format [RFC5890] can
   also be used as search patterns (see Section 4).  Searches for these
   names are of the form /nameservers?name=XXXX, where XXXX is a search
   pattern representing a nameserver name in U-label format [RFC5890].
   See Section 6.1 for information on character encoding for the U-label
   format.

   Searches for nameserver information by nameserver IP address are
   specified using this form:

   nameservers?ip=YYYY

   YYYY is an IPv4 [RFC1166] or IPv6 [RFC5952] address.  The following
   URL would be used to search for nameserver names that resolve to the
   "192.0.2.0" address:

   https://example.com/rdap/nameservers?ip=192.0.2.0

3.2.3.  Entity Search

   Syntax:  entities?fn=<entity name search pattern>

   Syntax:  entities?handle=<entity handle search pattern>

   Searches for entity information by name are specified using this
   form:

   entities?fn=XXXX

   XXXX is a search pattern representing the "fn" property of an entity
   (such as a contact, registrant, or registrar) name as described in
   Section 5.1 of [RFC9083].  The following URL would be used to find
   information for entity names matching the "Bobby Joe*" pattern:

   https://example.com/rdap/entities?fn=Bobby%20Joe*

   Searches for entity information by handle are specified using this
   form:

   entities?handle=XXXX

   XXXX is a search pattern representing an entity (such as a contact,
   registrant, or registrar) identifier whose syntax is specific to the
   registration provider.  The following URL would be used to find
   information for entity handles matching the "CID-40*" pattern:

   https://example.com/rdap/entities?handle=CID-40*

   URLs MUST be properly encoded according to the rules of [RFC3986].
   In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*".

4.  Query Processing

   Servers indicate the success or failure of query processing by
   returning an appropriate HTTP response code to the client.  Response
   codes not specifically identified in this document are described in
   [RFC7480].

4.1.  Partial String Searching

   Partial string searching uses the asterisk ('*', US-ASCII value 0x2A)
   character to match zero or more trailing characters.  A character
   string representing a domain label suffix MAY be concatenated to the
   end of the search pattern to limit the scope of the search.  For
   example, the search pattern "exam*" will match "example.com" and
   "example.net".  The search pattern "exam*.com" will match
   "example.com".  If an asterisk appears in a search string, any label
   that contains the non-asterisk characters in sequence plus zero or
   more characters in sequence in place of the asterisk would match.  A
   partial string search MUST NOT include more than one asterisk.
   Additional pattern matching processing is beyond the scope of this
   specification.

   If a server receives a search request but cannot process the request
   because it does not support a particular style of partial match
   searching, it SHOULD return an HTTP 422 (Unprocessable Entity)
   [RFC4918] response (unless another response code is more appropriate
   based on a server's policy settings) to note that search
   functionality is supported, but this particular query cannot be
   processed.  When returning a 422 error, the server MAY also return an
   error response body as specified in Section 6 of [RFC9083] if the
   requested media type is one that is specified in [RFC7480].

   Partial matching is not feasible across combinations of Unicode
   characters because Unicode characters can be combined with each
   other.  Servers SHOULD NOT partially match combinations of Unicode
   characters where a legal combination is possible.  It should be
   noted, though, that it may not always be possible to detect cases
   where a character could have been combined with another character,
   but was not, because characters can be combined in many different
   ways.

   Clients SHOULD NOT submit a partial match search of Unicode
   characters where a Unicode character may be legally combined with
   another Unicode character or characters.  Partial match searches with
   incomplete combinations of characters where a character must be
   combined with another character or characters are invalid.  Partial
   match searches with characters that may be combined with another
   character or characters are to be considered non-combined characters
   (that is, if character x may be combined with character y but
   character y is not submitted in the search string, then character x
   is a complete character and no combinations of character x are to be
   searched).

4.2.  Associated Records

   Conceptually, any query-matching record in a server's database might
   be a member of a set of related records, related in some fashion as
   defined by the server -- for example, variants of an IDN.  The entire
   set ought to be considered as candidates for inclusion when
   constructing the response.  However, the construction of the final
   response needs to be mindful of privacy and other data-releasing
   policies when assembling the RDAP response set.

   Note too that due to the nature of searching, there may be a list of
   query-matching records.  Each one of those is subject to being a
   member of a set as described in the previous paragraph.  What is
   ultimately returned in a response will be the union of all the sets
   that has been filtered by whatever policies are in place.

   Note that this model includes arrangements for associated names,
   including those that are linked by policy mechanisms and names bound
   together for some other purposes.  Note also that returning
   information that was not explicitly selected by an exact-match
   lookup, including additional names that match a relatively fuzzy
   search as well as lists of names that are linked together, may cause
   privacy issues.

   Note that there might not be a single, static information return
   policy that applies to all clients equally.  Client identity and
   associated authorizations can be a relevant factor in determining how
   broad the response set will be for any particular query.

5.  Extensibility

   This document describes path segment specifications for a limited
   number of objects commonly registered in both RIRs and DNRs.  It does
   not attempt to describe path segments for all of the objects
   registered in all registries.  Custom path segments can be created
   for objects not specified here using the process described in
   Section 6 of "HTTP Usage in the Registration Data Access Protocol
   (RDAP)" [RFC7480].

   Custom path segments can be created by prefixing the segment with a
   unique identifier followed by an underscore character (0x5F).  For
   example, a custom entity path segment could be created by prefixing
   "entity" with "custom_", producing "custom_entity".  Servers MUST
   return an appropriate failure status code for a request with an
   unrecognized path segment.

6.  Internationalization Considerations

   There is value in supporting the ability to submit either a U-label
   (Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN
   label) as a query argument to an RDAP service.  Clients capable of
   processing non-US-ASCII characters may prefer a U-label since this is
   more visually recognizable and familiar than A-label strings, but
   clients using programmatic interfaces might find it easier to submit
   and display A-labels if they are unable to input U-labels with their
   keyboard configuration.  Both query forms are acceptable.

   Internationalized domain and nameserver names can contain character
   variants and variant labels as described in [RFC4290].  Clients that
   support queries for internationalized domain and nameserver names
   MUST accept service provider responses that describe variants as
   specified in "JSON Responses for the Registration Data Access
   Protocol (RDAP)" [RFC9083].

6.1.  Character Encoding Considerations

   Servers can expect to receive search patterns from clients that
   contain character strings encoded in different forms supported by
   HTTP.  It is entirely possible to apply filters and normalization
   rules to search patterns prior to making character comparisons, but
   this type of processing is more typically needed to determine the
   validity of registered strings than to match patterns.

   An RDAP client submitting a query string containing non-US-ASCII
   characters converts such strings into Unicode in UTF-8 encoding.  It
   then performs any local case mapping deemed necessary.  Strings are
   normalized using Normalization Form C (NFC) [Unicode-UAX15]; note
   that clients might not be able to do this reliably.  UTF-8 encoded
   strings are then appropriately percent-encoded [RFC3986] in the query
   URL.

   After parsing any percent-encoding, an RDAP server treats each query
   string as Unicode in UTF-8 encoding.  If a string is not valid UTF-8,
   the server can immediately stop processing the query and return an
   HTTP 400 (Bad Request) response.

   When processing queries, there is a difference in handling DNS names,
   including those with putative U-labels, and everything else.  DNS
   names are treated according to the DNS matching rules as described in
   Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH)
   labels and the matching rules described in Section 5.4 of RFC 5891
   [RFC5891] for U-labels.  Matching of DNS names proceeds one label at
   a time because it is possible for a combination of U-labels and NR-
   LDH labels to be found in a single domain or host name.  The
   determination of whether a label is a U-label or an NR-LDH label is
   based on whether the label contains any characters outside of the US-
   ASCII letters, digits, or hyphen (the so-called LDH rule).

   For everything else, servers map fullwidth and halfwidth characters
   to their decomposition equivalents.  Servers convert strings to the
   same coded character set of the target data that is to be looked up
   or searched, and each string is normalized using the same
   normalization that was used on the target data.  In general, storage
   of strings as Unicode is RECOMMENDED.  For the purposes of
   comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case
   folding is used to maximize predictability and the number of matches.
   Note the use of case-folded NFKC as opposed to NFC in this case.

7.  IANA Considerations

   This document has no IANA actions.

8.  Security Considerations

   Security services for the operations specified in this document are
   described in "Security Services for the Registration Data Access
   Protocol (RDAP)" [RFC7481].

   Search functionality typically requires more server resources (such
   as memory, CPU cycles, and network bandwidth) when compared to basic
   lookup functionality.  This increases the risk of server resource
   exhaustion and subsequent denial of service due to abuse.  This risk
   can be mitigated by developing and implementing controls to restrict
   search functionality to identified and authorized clients.  If those
   clients behave badly, their search privileges can be suspended or
   revoked.  Rate limiting as described in Section 5.5 of "HTTP Usage in
   the Registration Data Access Protocol (RDAP)" [RFC7480] can also be
   used to control the rate of received search requests.  Server
   operators can also reduce their risk by restricting the amount of
   information returned in response to a search request.

   Search functionality also increases the privacy risk of disclosing
   object relationships that might not otherwise be obvious.  For
   example, a search that returns IDN variants [RFC6927] that do not
   explicitly match a client-provided search pattern can disclose
   information about registered domain names that might not be otherwise
   available.  Implementers need to consider the policy and privacy
   implications of returning information that was not explicitly
   requested.

   Note that there might not be a single, static information return
   policy that applies to all clients equally.  Client identity and
   associated authorizations can be a relevant factor in determining how
   broad the response set will be for any particular query.

9.  References

9.1.  Normative References

   [RFC0952]  Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
              host table specification", RFC 952, DOI 10.17487/RFC0952,
              October 1985, <https://www.rfc-editor.org/info/rfc952>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC1123]  Braden, R., Ed., "Requirements for Internet Hosts -
              Application and Support", STD 3, RFC 1123,
              DOI 10.17487/RFC1123, October 1989,
              <https://www.rfc-editor.org/info/rfc1123>.

   [RFC1166]  Kirkpatrick, S., Stahl, M., and M. Recker, "Internet
              numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990,
              <https://www.rfc-editor.org/info/rfc1166>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <https://www.rfc-editor.org/info/rfc4291>.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
              2006, <https://www.rfc-editor.org/info/rfc4632>.

   [RFC4918]  Dusseault, L., Ed., "HTTP Extensions for Web Distributed
              Authoring and Versioning (WebDAV)", RFC 4918,
              DOI 10.17487/RFC4918, June 2007,
              <https://www.rfc-editor.org/info/rfc4918>.

   [RFC5396]  Huston, G. and G. Michaelson, "Textual Representation of
              Autonomous System (AS) Numbers", RFC 5396,
              DOI 10.17487/RFC5396, December 2008,
              <https://www.rfc-editor.org/info/rfc5396>.

   [RFC5730]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
              STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
              <https://www.rfc-editor.org/info/rfc5730>.

   [RFC5733]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
              Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733,
              August 2009, <https://www.rfc-editor.org/info/rfc5733>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891,
              DOI 10.17487/RFC5891, August 2010,
              <https://www.rfc-editor.org/info/rfc5891>.

   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
              Address Text Representation", RFC 5952,
              DOI 10.17487/RFC5952, August 2010,
              <https://www.rfc-editor.org/info/rfc5952>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <https://www.rfc-editor.org/info/rfc7230>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7480, DOI 10.17487/RFC7480, March 2015,
              <https://www.rfc-editor.org/info/rfc7480>.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7481, DOI 10.17487/RFC7481, March 2015,
              <https://www.rfc-editor.org/info/rfc7481>.

   [RFC7484]  Blanchet, M., "Finding the Authoritative Registration Data
              (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
              2015, <https://www.rfc-editor.org/info/rfc7484>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [RFC9083]  Hollenbeck, S. and A. Newton, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 9083, DOI 10.17487/RFC9083, June 2021,
              <https://www.rfc-editor.org/info/rfc9083>.

   [Unicode-UAX15]
              The Unicode Consortium, "Unicode Standard Annex #15:
              Unicode Normalization Forms", September 2013,
              <https://www.unicode.org/reports/tr15/>.

9.2.  Informative References

   [REST]     Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", Ph.D.
              Dissertation, University of California, Irvine, 2000,
              <https://www.ics.uci.edu/~fielding/pubs/dissertation/
              fielding_dissertation.pdf>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              DOI 10.17487/RFC3912, September 2004,
              <https://www.rfc-editor.org/info/rfc3912>.

   [RFC4007]  Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
              B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
              DOI 10.17487/RFC4007, March 2005,
              <https://www.rfc-editor.org/info/rfc4007>.

   [RFC4290]  Klensin, J., "Suggested Practices for Registration of
              Internationalized Domain Names (IDN)", RFC 4290,
              DOI 10.17487/RFC4290, December 2005,
              <https://www.rfc-editor.org/info/rfc4290>.

   [RFC6874]  Carpenter, B., Cheshire, S., and R. Hinden, "Representing
              IPv6 Zone Identifiers in Address Literals and Uniform
              Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
              February 2013, <https://www.rfc-editor.org/info/rfc6874>.

   [RFC6927]  Levine, J. and P. Hoffman, "Variants in Second-Level Names
              Registered in Top-Level Domains", RFC 6927,
              DOI 10.17487/RFC6927, May 2013,
              <https://www.rfc-editor.org/info/rfc6927>.

   [RFC8521]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
              DOI 10.17487/RFC8521, November 2018,
              <https://www.rfc-editor.org/info/rfc8521>.

Appendix A.  Changes from RFC 7482

   *  Addressed known errata.

   *  Addressed other reported clarifications and corrections: IDN,
      IDNA, and DNR definitions.  Noted that registrars are entities.
      Added a reference to RFC 8521 to address the bootstrap registry
      limitation.  Removed extraneous "...".  Clarified HTTP query
      string, search pattern, name server search, domain label suffix,
      and asterisk search.

   *  Addressed "The HTTP query string" clarification.

   *  Modified coauthor address.

   *  Updated references to RFC 7483 to RFC 9083.

   *  Added an IANA Considerations section.  Changed references to use
      HTTPS for targets.

   *  Changed "XXXX is a search pattern representing the "FN" property
      of an entity (such as a contact, registrant, or registrar) name as
      specified in Section 5.1" to "Changed "XXXX is a search pattern
      representing the "fn" property of an entity (such as a contact,
      registrant, or registrar) name as described in Section 5.1".

   *  Added acknowledgments.

   *  Changed "The intent of the patterns described here are to enable
      queries" to "The intent of the patterns described here is to
      enable queries".

   *  Changed "the corresponding syntax extension in RFC 6874 [RFC6874]
      MUST NOT be used, and servers are to ignore it if possible" to
      "the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT
      be used, and servers SHOULD ignore it".

   *  Changed "Only a single asterisk is allowed for a partial string
      search" to "A partial string search MUST NOT include more than one
      asterisk".

   *  Changed "Clients should avoid submitting a partial match search of
      Unicode characters where a Unicode character may be legally
      combined with another Unicode character or characters" to "Clients
      SHOULD NOT submit a partial match search of Unicode characters
      where a Unicode character may be legally combined with another
      Unicode character or characters".

   *  Changed description of nameserver IP address "search pattern" in
      Sections 3.2.1 and 3.2.2.

   *  IESG review feedback: Added "obsoletes 7482" to the headers,
      Abstract, and Introduction.  Changed "IETF standards" to "IETF
      specifications" and "Therefore" to "Accordingly" in Section 1.
      Updated the BCP 14 boilerplate.  Added definition of "bootstrap
      registry" and changed "concatenating ... to" to "concatenating ...
      with" in Section 3.  Changed "bitmask length" to "prefix length"
      and "2001:db8::0" to "2001:db8::" in Section 3.1.1.  Added "in
      contrast to the more generic HTTP query string that admits
      multiple simultaneous parameters" in Section 3.2.  Changed
      "0x002A" to "0x2A" in Section 4.1.  Clarified use of HTTP 422
      SHOULD in Section 4.1.

Acknowledgments

   This document is derived from original work on RIR query formats
   developed by Byron J. Ellacott of APNIC, Arturo L. Servin of LACNIC,
   Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN.
   Additionally, this document incorporates DNR query formats originally
   described by Francisco Arias and Steve Sheng of ICANN and Scott
   Hollenbeck of Verisign Labs.

   The authors would like to acknowledge the following individuals for
   their contributions to this document: Francisco Arias, Marc Blanchet,
   Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam
   Esfahbod, John Klensin, John Levine, Edward Lewis, Mario Loffredo,
   Patrick Mevzek, Mark Nottingham, Kaveh Ranjbar, Arturo L. Servin,
   Steve Sheng, Jasdip Singh, and Andrew Sullivan.

Authors' Addresses

   Scott Hollenbeck
   Verisign Labs
   12061 Bluemont Way
   Reston, VA 20190
   United States of America

   Email: shollenbeck@verisign.com
   URI:   https://www.verisignlabs.com/


   Andy Newton
   Amazon Web Services, Inc.
   13200 Woodland Park Road
   Herndon, VA 20171
   United States of America

   Email: andy@hxr.us