1 Internet Engineering Task Force (IETF) S. Hollenbeck
2 Request for Comments: 9082 Verisign Labs
3 STD: 95 A. Newton
4 Obsoletes: 7482 AWS
5 Category: Standards Track June 2021
6 ISSN: 2070-1721
7
8
9 Registration Data Access Protocol (RDAP) Query Format
10
11 Abstract
12
13 This document describes uniform patterns to construct HTTP URLs that
14 may be used to retrieve registration information from registries
15 (including both Regional Internet Registries (RIRs) and Domain Name
16 Registries (DNRs)) using "RESTful" web access patterns. These
17 uniform patterns define the query syntax for the Registration Data
18 Access Protocol (RDAP). This document obsoletes RFC 7482.
19
20 Status of This Memo
21
22 This is an Internet Standards Track document.
23
24 This document is a product of the Internet Engineering Task Force
25 (IETF). It represents the consensus of the IETF community. It has
26 received public review and has been approved for publication by the
27 Internet Engineering Steering Group (IESG). Further information on
28 Internet Standards is available in Section 2 of RFC 7841.
29
30 Information about the current status of this document, any errata,
31 and how to provide feedback on it may be obtained at
32 https://www.rfc-editor.org/info/rfc9082.
33
34 Copyright Notice
35
36 Copyright (c) 2021 IETF Trust and the persons identified as the
37 document authors. All rights reserved.
38
39 This document is subject to BCP 78 and the IETF Trust's Legal
40 Provisions Relating to IETF Documents
41 (https://trustee.ietf.org/license-info) in effect on the date of
42 publication of this document. Please review these documents
43 carefully, as they describe your rights and restrictions with respect
44 to this document. Code Components extracted from this document must
45 include Simplified BSD License text as described in Section 4.e of
46 the Trust Legal Provisions and are provided without warranty as
47 described in the Simplified BSD License.
48
49 Table of Contents
50
51 1. Introduction
52 2. Conventions Used in This Document
53 2.1. Acronyms and Abbreviations
54 3. Path Segment Specification
55 3.1. Lookup Path Segment Specification
56 3.1.1. IP Network Path Segment Specification
57 3.1.2. Autonomous System Path Segment Specification
58 3.1.3. Domain Path Segment Specification
59 3.1.4. Nameserver Path Segment Specification
60 3.1.5. Entity Path Segment Specification
61 3.1.6. Help Path Segment Specification
62 3.2. Search Path Segment Specification
63 3.2.1. Domain Search
64 3.2.2. Nameserver Search
65 3.2.3. Entity Search
66 4. Query Processing
67 4.1. Partial String Searching
68 4.2. Associated Records
69 5. Extensibility
70 6. Internationalization Considerations
71 6.1. Character Encoding Considerations
72 7. IANA Considerations
73 8. Security Considerations
74 9. References
75 9.1. Normative References
76 9.2. Informative References
77 Appendix A. Changes from RFC 7482
78 Acknowledgments
79 Authors' Addresses
80
81 1. Introduction
82
83 This document describes a specification for querying registration
84 data using a RESTful web service and uniform query patterns. The
85 service is implemented using the Hypertext Transfer Protocol (HTTP)
86 [RFC7230] and the conventions described in [RFC7480]. These uniform
87 patterns define the query syntax for the Registration Data Access
88 Protocol (RDAP). This document obsoletes RFC 7482.
89
90 The protocol described in this specification is intended to address
91 deficiencies with the WHOIS protocol [RFC3912] that have been
92 identified over time, including:
93
94 * lack of standardized command structures;
95
96 * lack of standardized output and error structures;
97
98 * lack of support for internationalization and localization; and
99
100 * lack of support for user identification, authentication, and
101 access control.
102
103 The patterns described in this document purposefully do not encompass
104 all of the methods employed in the WHOIS and other RESTful web
105 services used by the RIRs and DNRs. The intent of the patterns
106 described here is to enable queries of:
107
108 * networks by IP address;
109
110 * Autonomous System (AS) numbers by number;
111
112 * reverse DNS metadata by domain;
113
114 * nameservers by name; and
115
116 * entities (such as registrars and contacts) by identifier.
117
118 Server implementations are free to support only a subset of these
119 features depending on local requirements. Servers MUST return an
120 HTTP 501 (Not Implemented) [RFC7231] response to inform clients of
121 unsupported query types. It is also envisioned that each registry
122 will continue to maintain WHOIS and/or other RESTful web services
123 specific to their needs and those of their constituencies, and the
124 information retrieved through the patterns described here may
125 reference such services.
126
127 Likewise, future IETF specifications may add additional patterns for
128 additional query types. A simple pattern namespacing scheme is
129 described in Section 5 to accommodate custom extensions that will not
130 interfere with the patterns defined in this document or patterns
131 defined in future IETF specifications.
132
133 WHOIS services, in general, are read-only services. Accordingly, URL
134 [RFC3986] patterns specified in this document are only applicable to
135 the HTTP [RFC7231] GET and HEAD methods.
136
137 This document does not describe the results or entities returned from
138 issuing the described URLs with an HTTP GET. The specification of
139 these entities is described in [RFC9083].
140
141 Additionally, resource management, provisioning, and update functions
142 are out of scope for this document. Registries have various and
143 divergent methods covering these functions, and it is unlikely a
144 uniform approach is needed for interoperability.
145
146 HTTP contains mechanisms for servers to authenticate clients and for
147 clients to authenticate servers (from which authorization schemes may
148 be built), so such mechanisms are not described in this document.
149 Policy, provisioning, and processing of authentication and
150 authorization are out of scope for this document as deployments will
151 have to make choices based on local criteria. Supported
152 authentication mechanisms are described in [RFC7481].
153
154 2. Conventions Used in This Document
155
156 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
157 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
158 "OPTIONAL" in this document are to be interpreted as described in
159 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
160 capitals, as shown here.
161
162 2.1. Acronyms and Abbreviations
163
164 IDN: Internationalized Domain Name, a fully-qualified domain name
165 containing one or more labels that are intended to include one or
166 more Unicode code points outside the ASCII range (cf. "domain
167 name", "fully-qualified domain name", and "internationalized
168 domain name" in RFC 8499 [RFC8499]).
169
170 IDNA: Internationalized Domain Names in Applications, a protocol for
171 the handling of IDNs. In this document, "IDNA" refers
172 specifically to the version of those specifications known as
173 "IDNA2008" [RFC5890].
174
175 DNR: Domain Name Registry or Domain Name Registrar
176
177 NFC: Unicode Normalization Form C [Unicode-UAX15]
178
179 NFKC: Unicode Normalization Form KC [Unicode-UAX15]
180
181 RDAP: Registration Data Access Protocol
182
183 REST: Representational State Transfer. The term was first described
184 in a doctoral dissertation [REST].
185
186 RESTful: An adjective that describes a service using HTTP and the
187 principles of REST.
188
189 RIR: Regional Internet Registry
190
191 3. Path Segment Specification
192
193 The base URLs used to construct RDAP queries are maintained in an
194 IANA registry (the "bootstrap registry") described in [RFC7484].
195 Queries are formed by retrieving an appropriate base URL from the
196 registry and appending a path segment specified in either Sections
197 3.1 or 3.2. Generally, a registry or other service provider will
198 provide a base URL that identifies the protocol, host, and port, and
199 this will be used as a base URL that the complete URL is resolved
200 against, as per Section 5 of RFC 3986 [RFC3986]. For example, if the
201 base URL is "https://example.com/rdap/", all RDAP query URLs will
202 begin with "https://example.com/rdap/".
203
204 The bootstrap registry does not contain information for query objects
205 that are not part of a global namespace, including entities and help.
206 A base URL for an associated object is required to construct a
207 complete query. This limitation can be overcome for entities by
208 using the practice described in RFC 8521 [RFC8521].
209
210 For entities, a base URL is retrieved for the service (domain,
211 address, etc.) associated with a given entity. The query URL is
212 constructed by concatenating the base URL with the entity path
213 segment specified in either Sections 3.1.5 or 3.2.3.
214
215 For help, a base URL is retrieved for any service (domain, address,
216 etc.) for which additional information is required. The query URL is
217 constructed by concatenating the base URL with the help path segment
218 specified in Section 3.1.6.
219
220 3.1. Lookup Path Segment Specification
221
222 A simple lookup to determine if an object exists (or not) without
223 returning RDAP-encoded results can be performed using the HTTP HEAD
224 method as described in Section 4.1 of [RFC7480].
225
226 The resource type path segments for exact match lookup are:
227
228 'ip': Used to identify IP networks and associated data referenced
229 using either an IPv4 or IPv6 address.
230
231 'autnum': Used to identify Autonomous System number registrations
232 and associated data referenced using an asplain Autonomous System
233 number.
234
235 'domain': Used to identify reverse DNS (RIR) or domain name (DNR)
236 information and associated data referenced using a fully qualified
237 domain name.
238
239 'nameserver': Used to identify a nameserver information query using
240 a host name.
241
242 'entity': Used to identify an entity information query using a
243 string identifier.
244
245 3.1.1. IP Network Path Segment Specification
246
247 Syntax: ip/<IP address> or ip/<CIDR prefix>/<CIDR length>
248
249 Queries for information about IP networks are of the form /ip/XXX or
250 /ip/XXX/YY where the path segment following 'ip' is either an IPv4
251 dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or
252 IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address
253 block (i.e., XXX/YY). Semantically, the simpler form using the
254 address can be thought of as a CIDR block with a prefix length of 32
255 for IPv4 and a prefix length of 128 for IPv6. A given specific
256 address or CIDR may fall within multiple IP networks in a hierarchy
257 of networks; therefore, this query targets the "most-specific" or
258 smallest IP network that completely encompasses it in a hierarchy of
259 IP networks.
260
261 The IPv4 and IPv6 address formats supported in this query are
262 described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and
263 IPv6address ABNF definitions. Any valid IPv6 text address format
264 [RFC4291] can be used. This includes IPv6 addresses written using
265 with or without compressed zeros and IPv6 addresses containing
266 embedded IPv4 addresses. The rules to write a text representation of
267 an IPv6 address [RFC5952] are RECOMMENDED. However, the zone_id
268 [RFC4007] is not appropriate in this context; therefore, the
269 corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be
270 used, and servers SHOULD ignore it.
271
272 For example, the following URL would be used to find information for
273 the most specific network containing 192.0.2.0:
274
275 https://example.com/rdap/ip/192.0.2.0
276
277 The following URL would be used to find information for the most
278 specific network containing 192.0.2.0/24:
279
280 https://example.com/rdap/ip/192.0.2.0/24
281
282 The following URL would be used to find information for the most
283 specific network containing 2001:db8::
284
285 https://example.com/rdap/ip/2001:db8::
286
287 3.1.2. Autonomous System Path Segment Specification
288
289 Syntax: autnum/<autonomous system number>
290
291 Queries for information regarding Autonomous System number
292 registrations are of the form /autnum/XXX where XXX is an asplain
293 Autonomous System number [RFC5396]. In some registries, registration
294 of Autonomous System numbers is done on an individual number basis,
295 while other registries may register blocks of Autonomous System
296 numbers. The semantics of this query are such that if a number falls
297 within a range of registered blocks, the target of the query is the
298 block registration and that individual number registrations are
299 considered a block of numbers with a size of 1.
300
301 For example, the following URL would be used to find information
302 describing Autonomous System number 12 (a number within a range of
303 registered blocks):
304
305 https://example.com/rdap/autnum/12
306
307 The following URL would be used to find information describing 4-byte
308 Autonomous System number 65538:
309
310 https://example.com/rdap/autnum/65538
311
312 3.1.3. Domain Path Segment Specification
313
314 Syntax: domain/<domain name>
315
316 Queries for domain information are of the form /domain/XXXX, where
317 XXXX is a fully qualified (relative to the root) domain name (as
318 specified in [RFC0952] and [RFC1123]) in either the in-addr.arpa or
319 ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone
320 administered by the server operator (for DNRs). Internationalized
321 Domain Names (IDNs) represented in either A-label or U-label format
322 [RFC5890] are also valid domain names. See Section 6.1 for
323 information on character encoding for the U-label format.
324
325 IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels;
326 that is, internationalized labels in an IDN SHOULD be either all
327 A-labels or all U-labels. It is possible for an RDAP client to
328 assemble a query string from multiple independent data sources. Such
329 a client might not be able to perform conversions between A-labels
330 and U-labels. An RDAP server that receives a query string with a
331 mixture of A-labels and U-labels MAY convert all the U-labels to
332 A-labels, perform IDNA processing, and proceed with exact-match
333 lookup. In such cases, the response to be returned to the query
334 source may not match the input from the query source. Alternatively,
335 the server MAY refuse to process the query.
336
337 The server MAY perform the match using either the A-label or U-label
338 form. Using one consistent form for matching every label is likely
339 to be more reliable.
340
341 The following URL would be used to find information describing the
342 zone serving the network 192.0.2/24:
343
344 https://example.com/rdap/domain/2.0.192.in-addr.arpa
345
346 The following URL would be used to find information describing the
347 zone serving the network 2001:db8:1::/48:
348
349 https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
350
351 The following URL would be used to find information for the
352 blah.example.com domain name:
353
354 https://example.com/rdap/domain/blah.example.com
355
356 The following URL would be used to find information for the
357 xn--fo-5ja.example IDN:
358
359 https://example.com/rdap/domain/xn--fo-5ja.example
360
361 3.1.4. Nameserver Path Segment Specification
362
363 Syntax: nameserver/<nameserver name>
364
365 The <nameserver name> parameter represents a fully qualified host
366 name as specified in [RFC0952] and [RFC1123]. Internationalized
367 names represented in either A-label or U-label format [RFC5890] are
368 also valid nameserver names. IDN processing for nameserver names
369 uses the domain name processing instructions specified in
370 Section 3.1.3. See Section 6.1 for information on character encoding
371 for the U-label format.
372
373 The following URL would be used to find information for the
374 ns1.example.com nameserver:
375
376 https://example.com/rdap/nameserver/ns1.example.com
377
378 The following URL would be used to find information for the
379 ns1.xn--fo-5ja.example nameserver:
380
381 https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example
382
383 3.1.5. Entity Path Segment Specification
384
385 Syntax: entity/<handle>
386
387 The <handle> parameter represents an entity (such as a contact,
388 registrant, or registrar) identifier whose syntax is specific to the
389 registration provider. For example, for some DNRs, contact
390 identifiers are specified in [RFC5730] and [RFC5733].
391
392 The following URL would be used to find information for the entity
393 associated with handle XXXX:
394
395 https://example.com/rdap/entity/XXXX
396
397 3.1.6. Help Path Segment Specification
398
399 Syntax: help
400
401 The help path segment can be used to request helpful information
402 (command syntax, terms of service, privacy policy, rate-limiting
403 policy, supported authentication methods, supported extensions,
404 technical support contact, etc.) from an RDAP server. The response
405 to "help" should provide basic information that a client needs to
406 successfully use the service. The following URL would be used to
407 return "help" information:
408
409 https://example.com/rdap/help
410
411 3.2. Search Path Segment Specification
412
413 Pattern matching semantics are described in Section 4.1. The
414 resource type path segments for search are:
415
416 'domains': Used to identify a domain name information search using a
417 pattern to match a fully qualified domain name.
418
419 'nameservers': Used to identify a nameserver information search
420 using a pattern to match a host name.
421
422 'entities': Used to identify an entity information search using a
423 pattern to match a string identifier.
424
425 RDAP search path segments are formed using a concatenation of the
426 plural form of the object being searched for and an HTTP query
427 string. The HTTP query string is formed using a concatenation of the
428 question mark character ('?', US-ASCII value 0x003F), a noun
429 representing the JSON object property associated with the object
430 being searched for, the equal sign character ('=', US-ASCII value
431 0x003D), and the search pattern (this is in contrast to the more
432 generic HTTP query string that allows multiple simultaneous
433 parameters). Search pattern query processing is described more fully
434 in Section 4. For the domain, nameserver, and entity objects
435 described in this document, the plural object forms are "domains",
436 "nameservers", and "entities".
437
438 Detailed results can be retrieved using the HTTP GET method and the
439 path segments specified here.
440
441 3.2.1. Domain Search
442
443 Syntax: domains?name=<domain search pattern>
444
445 Syntax: domains?nsLdhName=<nameserver search pattern>
446
447 Syntax: domains?nsIp=<nameserver IP address>
448
449 Searches for domain information by name are specified using this
450 form:
451
452 domains?name=XXXX
453
454 XXXX is a search pattern representing a domain name in "letters,
455 digits, hyphen" (LDH) format [RFC5890]. The following URL would be
456 used to find DNR information for domain names matching the
457 "example*.com" pattern:
458
459 https://example.com/rdap/domains?name=example*.com
460
461 IDNs in U-label format [RFC5890] can also be used as search patterns
462 (see Section 4). Searches for these names are of the form
463 /domains?name=XXXX, where XXXX is a search pattern representing a
464 domain name in U-label format [RFC5890]. See Section 6.1 for
465 information on character encoding for the U-label format.
466
467 Searches for domain information by nameserver name are specified
468 using this form:
469
470 domains?nsLdhName=YYYY
471
472 YYYY is a search pattern representing a host name in "letters,
473 digits, hyphen" format [RFC5890]. The following URL would be used to
474 search for domains delegated to nameservers matching the
475 "ns1.example*.com" pattern:
476
477 https://example.com/rdap/domains?nsLdhName=ns1.example*.com
478
479 Searches for domain information by nameserver IP address are
480 specified using this form:
481
482 domains?nsIp=ZZZZ
483
484 ZZZZ is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following
485 URL would be used to search for domains that have been delegated to
486 nameservers that resolve to the "192.0.2.0" address:
487
488 https://example.com/rdap/domains?nsIp=192.0.2.0
489
490 3.2.2. Nameserver Search
491
492 Syntax: nameservers?name=<nameserver search pattern>
493
494 Syntax: nameservers?ip=<nameserver IP address>
495
496 Searches for nameserver information by nameserver name are specified
497 using this form:
498
499 nameservers?name=XXXX
500
501 XXXX is a search pattern representing a host name in "letters,
502 digits, hyphen" format [RFC5890]. The following URL would be used to
503 find information for nameserver names matching the "ns1.example*.com"
504 pattern:
505
506 https://example.com/rdap/nameservers?name=ns1.example*.com
507
508 Internationalized nameserver names in U-label format [RFC5890] can
509 also be used as search patterns (see Section 4). Searches for these
510 names are of the form /nameservers?name=XXXX, where XXXX is a search
511 pattern representing a nameserver name in U-label format [RFC5890].
512 See Section 6.1 for information on character encoding for the U-label
513 format.
514
515 Searches for nameserver information by nameserver IP address are
516 specified using this form:
517
518 nameservers?ip=YYYY
519
520 YYYY is an IPv4 [RFC1166] or IPv6 [RFC5952] address. The following
521 URL would be used to search for nameserver names that resolve to the
522 "192.0.2.0" address:
523
524 https://example.com/rdap/nameservers?ip=192.0.2.0
525
526 3.2.3. Entity Search
527
528 Syntax: entities?fn=<entity name search pattern>
529
530 Syntax: entities?handle=<entity handle search pattern>
531
532 Searches for entity information by name are specified using this
533 form:
534
535 entities?fn=XXXX
536
537 XXXX is a search pattern representing the "fn" property of an entity
538 (such as a contact, registrant, or registrar) name as described in
539 Section 5.1 of [RFC9083]. The following URL would be used to find
540 information for entity names matching the "Bobby Joe*" pattern:
541
542 https://example.com/rdap/entities?fn=Bobby%20Joe*
543
544 Searches for entity information by handle are specified using this
545 form:
546
547 entities?handle=XXXX
548
549 XXXX is a search pattern representing an entity (such as a contact,
550 registrant, or registrar) identifier whose syntax is specific to the
551 registration provider. The following URL would be used to find
552 information for entity handles matching the "CID-40*" pattern:
553
554 https://example.com/rdap/entities?handle=CID-40*
555
556 URLs MUST be properly encoded according to the rules of [RFC3986].
557 In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*".
558
559 4. Query Processing
560
561 Servers indicate the success or failure of query processing by
562 returning an appropriate HTTP response code to the client. Response
563 codes not specifically identified in this document are described in
564 [RFC7480].
565
566 4.1. Partial String Searching
567
568 Partial string searching uses the asterisk ('*', US-ASCII value 0x2A)
569 character to match zero or more trailing characters. A character
570 string representing a domain label suffix MAY be concatenated to the
571 end of the search pattern to limit the scope of the search. For
572 example, the search pattern "exam*" will match "example.com" and
573 "example.net". The search pattern "exam*.com" will match
574 "example.com". If an asterisk appears in a search string, any label
575 that contains the non-asterisk characters in sequence plus zero or
576 more characters in sequence in place of the asterisk would match. A
577 partial string search MUST NOT include more than one asterisk.
578 Additional pattern matching processing is beyond the scope of this
579 specification.
580
581 If a server receives a search request but cannot process the request
582 because it does not support a particular style of partial match
583 searching, it SHOULD return an HTTP 422 (Unprocessable Entity)
584 [RFC4918] response (unless another response code is more appropriate
585 based on a server's policy settings) to note that search
586 functionality is supported, but this particular query cannot be
587 processed. When returning a 422 error, the server MAY also return an
588 error response body as specified in Section 6 of [RFC9083] if the
589 requested media type is one that is specified in [RFC7480].
590
591 Partial matching is not feasible across combinations of Unicode
592 characters because Unicode characters can be combined with each
593 other. Servers SHOULD NOT partially match combinations of Unicode
594 characters where a legal combination is possible. It should be
595 noted, though, that it may not always be possible to detect cases
596 where a character could have been combined with another character,
597 but was not, because characters can be combined in many different
598 ways.
599
600 Clients SHOULD NOT submit a partial match search of Unicode
601 characters where a Unicode character may be legally combined with
602 another Unicode character or characters. Partial match searches with
603 incomplete combinations of characters where a character must be
604 combined with another character or characters are invalid. Partial
605 match searches with characters that may be combined with another
606 character or characters are to be considered non-combined characters
607 (that is, if character x may be combined with character y but
608 character y is not submitted in the search string, then character x
609 is a complete character and no combinations of character x are to be
610 searched).
611
612 4.2. Associated Records
613
614 Conceptually, any query-matching record in a server's database might
615 be a member of a set of related records, related in some fashion as
616 defined by the server -- for example, variants of an IDN. The entire
617 set ought to be considered as candidates for inclusion when
618 constructing the response. However, the construction of the final
619 response needs to be mindful of privacy and other data-releasing
620 policies when assembling the RDAP response set.
621
622 Note too that due to the nature of searching, there may be a list of
623 query-matching records. Each one of those is subject to being a
624 member of a set as described in the previous paragraph. What is
625 ultimately returned in a response will be the union of all the sets
626 that has been filtered by whatever policies are in place.
627
628 Note that this model includes arrangements for associated names,
629 including those that are linked by policy mechanisms and names bound
630 together for some other purposes. Note also that returning
631 information that was not explicitly selected by an exact-match
632 lookup, including additional names that match a relatively fuzzy
633 search as well as lists of names that are linked together, may cause
634 privacy issues.
635
636 Note that there might not be a single, static information return
637 policy that applies to all clients equally. Client identity and
638 associated authorizations can be a relevant factor in determining how
639 broad the response set will be for any particular query.
640
641 5. Extensibility
642
643 This document describes path segment specifications for a limited
644 number of objects commonly registered in both RIRs and DNRs. It does
645 not attempt to describe path segments for all of the objects
646 registered in all registries. Custom path segments can be created
647 for objects not specified here using the process described in
648 Section 6 of "HTTP Usage in the Registration Data Access Protocol
649 (RDAP)" [RFC7480].
650
651 Custom path segments can be created by prefixing the segment with a
652 unique identifier followed by an underscore character (0x5F). For
653 example, a custom entity path segment could be created by prefixing
654 "entity" with "custom_", producing "custom_entity". Servers MUST
655 return an appropriate failure status code for a request with an
656 unrecognized path segment.
657
658 6. Internationalization Considerations
659
660 There is value in supporting the ability to submit either a U-label
661 (Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN
662 label) as a query argument to an RDAP service. Clients capable of
663 processing non-US-ASCII characters may prefer a U-label since this is
664 more visually recognizable and familiar than A-label strings, but
665 clients using programmatic interfaces might find it easier to submit
666 and display A-labels if they are unable to input U-labels with their
667 keyboard configuration. Both query forms are acceptable.
668
669 Internationalized domain and nameserver names can contain character
670 variants and variant labels as described in [RFC4290]. Clients that
671 support queries for internationalized domain and nameserver names
672 MUST accept service provider responses that describe variants as
673 specified in "JSON Responses for the Registration Data Access
674 Protocol (RDAP)" [RFC9083].
675
676 6.1. Character Encoding Considerations
677
678 Servers can expect to receive search patterns from clients that
679 contain character strings encoded in different forms supported by
680 HTTP. It is entirely possible to apply filters and normalization
681 rules to search patterns prior to making character comparisons, but
682 this type of processing is more typically needed to determine the
683 validity of registered strings than to match patterns.
684
685 An RDAP client submitting a query string containing non-US-ASCII
686 characters converts such strings into Unicode in UTF-8 encoding. It
687 then performs any local case mapping deemed necessary. Strings are
688 normalized using Normalization Form C (NFC) [Unicode-UAX15]; note
689 that clients might not be able to do this reliably. UTF-8 encoded
690 strings are then appropriately percent-encoded [RFC3986] in the query
691 URL.
692
693 After parsing any percent-encoding, an RDAP server treats each query
694 string as Unicode in UTF-8 encoding. If a string is not valid UTF-8,
695 the server can immediately stop processing the query and return an
696 HTTP 400 (Bad Request) response.
697
698 When processing queries, there is a difference in handling DNS names,
699 including those with putative U-labels, and everything else. DNS
700 names are treated according to the DNS matching rules as described in
701 Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH)
702 labels and the matching rules described in Section 5.4 of RFC 5891
703 [RFC5891] for U-labels. Matching of DNS names proceeds one label at
704 a time because it is possible for a combination of U-labels and NR-
705 LDH labels to be found in a single domain or host name. The
706 determination of whether a label is a U-label or an NR-LDH label is
707 based on whether the label contains any characters outside of the US-
708 ASCII letters, digits, or hyphen (the so-called LDH rule).
709
710 For everything else, servers map fullwidth and halfwidth characters
711 to their decomposition equivalents. Servers convert strings to the
712 same coded character set of the target data that is to be looked up
713 or searched, and each string is normalized using the same
714 normalization that was used on the target data. In general, storage
715 of strings as Unicode is RECOMMENDED. For the purposes of
716 comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case
717 folding is used to maximize predictability and the number of matches.
718 Note the use of case-folded NFKC as opposed to NFC in this case.
719
720 7. IANA Considerations
721
722 This document has no IANA actions.
723
724 8. Security Considerations
725
726 Security services for the operations specified in this document are
727 described in "Security Services for the Registration Data Access
728 Protocol (RDAP)" [RFC7481].
729
730 Search functionality typically requires more server resources (such
731 as memory, CPU cycles, and network bandwidth) when compared to basic
732 lookup functionality. This increases the risk of server resource
733 exhaustion and subsequent denial of service due to abuse. This risk
734 can be mitigated by developing and implementing controls to restrict
735 search functionality to identified and authorized clients. If those
736 clients behave badly, their search privileges can be suspended or
737 revoked. Rate limiting as described in Section 5.5 of "HTTP Usage in
738 the Registration Data Access Protocol (RDAP)" [RFC7480] can also be
739 used to control the rate of received search requests. Server
740 operators can also reduce their risk by restricting the amount of
741 information returned in response to a search request.
742
743 Search functionality also increases the privacy risk of disclosing
744 object relationships that might not otherwise be obvious. For
745 example, a search that returns IDN variants [RFC6927] that do not
746 explicitly match a client-provided search pattern can disclose
747 information about registered domain names that might not be otherwise
748 available. Implementers need to consider the policy and privacy
749 implications of returning information that was not explicitly
750 requested.
751
752 Note that there might not be a single, static information return
753 policy that applies to all clients equally. Client identity and
754 associated authorizations can be a relevant factor in determining how
755 broad the response set will be for any particular query.
756
757 9. References
758
759 9.1. Normative References
760
761 [RFC0952] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
762 host table specification", RFC 952, DOI 10.17487/RFC0952,
763 October 1985, <https://www.rfc-editor.org/info/rfc952>.
764
765 [RFC1035] Mockapetris, P., "Domain names - implementation and
766 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
767 November 1987, <https://www.rfc-editor.org/info/rfc1035>.
768
769 [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
770 Application and Support", STD 3, RFC 1123,
771 DOI 10.17487/RFC1123, October 1989,
772 <https://www.rfc-editor.org/info/rfc1123>.
773
774 [RFC1166] Kirkpatrick, S., Stahl, M., and M. Recker, "Internet
775 numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990,
776 <https://www.rfc-editor.org/info/rfc1166>.
777
778 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
779 Requirement Levels", BCP 14, RFC 2119,
780 DOI 10.17487/RFC2119, March 1997,
781 <https://www.rfc-editor.org/info/rfc2119>.
782
783 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
784 Resource Identifier (URI): Generic Syntax", STD 66,
785 RFC 3986, DOI 10.17487/RFC3986, January 2005,
786 <https://www.rfc-editor.org/info/rfc3986>.
787
788 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
789 Architecture", RFC 4291, DOI 10.17487/RFC4291, February
790 2006, <https://www.rfc-editor.org/info/rfc4291>.
791
792 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
793 (CIDR): The Internet Address Assignment and Aggregation
794 Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
795 2006, <https://www.rfc-editor.org/info/rfc4632>.
796
797 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed
798 Authoring and Versioning (WebDAV)", RFC 4918,
799 DOI 10.17487/RFC4918, June 2007,
800 <https://www.rfc-editor.org/info/rfc4918>.
801
802 [RFC5396] Huston, G. and G. Michaelson, "Textual Representation of
803 Autonomous System (AS) Numbers", RFC 5396,
804 DOI 10.17487/RFC5396, December 2008,
805 <https://www.rfc-editor.org/info/rfc5396>.
806
807 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
808 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
809 <https://www.rfc-editor.org/info/rfc5730>.
810
811 [RFC5733] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
812 Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733,
813 August 2009, <https://www.rfc-editor.org/info/rfc5733>.
814
815 [RFC5890] Klensin, J., "Internationalized Domain Names for
816 Applications (IDNA): Definitions and Document Framework",
817 RFC 5890, DOI 10.17487/RFC5890, August 2010,
818 <https://www.rfc-editor.org/info/rfc5890>.
819
820 [RFC5891] Klensin, J., "Internationalized Domain Names in
821 Applications (IDNA): Protocol", RFC 5891,
822 DOI 10.17487/RFC5891, August 2010,
823 <https://www.rfc-editor.org/info/rfc5891>.
824
825 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
826 Address Text Representation", RFC 5952,
827 DOI 10.17487/RFC5952, August 2010,
828 <https://www.rfc-editor.org/info/rfc5952>.
829
830 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
831 Protocol (HTTP/1.1): Message Syntax and Routing",
832 RFC 7230, DOI 10.17487/RFC7230, June 2014,
833 <https://www.rfc-editor.org/info/rfc7230>.
834
835 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
836 Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
837 DOI 10.17487/RFC7231, June 2014,
838 <https://www.rfc-editor.org/info/rfc7231>.
839
840 [RFC7480] Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
841 Registration Data Access Protocol (RDAP)", STD 95,
842 RFC 7480, DOI 10.17487/RFC7480, March 2015,
843 <https://www.rfc-editor.org/info/rfc7480>.
844
845 [RFC7481] Hollenbeck, S. and N. Kong, "Security Services for the
846 Registration Data Access Protocol (RDAP)", STD 95,
847 RFC 7481, DOI 10.17487/RFC7481, March 2015,
848 <https://www.rfc-editor.org/info/rfc7481>.
849
850 [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data
851 (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
852 2015, <https://www.rfc-editor.org/info/rfc7484>.
853
854 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
855 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
856 May 2017, <https://www.rfc-editor.org/info/rfc8174>.
857
858 [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
859 Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
860 January 2019, <https://www.rfc-editor.org/info/rfc8499>.
861
862 [RFC9083] Hollenbeck, S. and A. Newton, "JSON Responses for the
863 Registration Data Access Protocol (RDAP)", STD 95,
864 RFC 9083, DOI 10.17487/RFC9083, June 2021,
865 <https://www.rfc-editor.org/info/rfc9083>.
866
867 [Unicode-UAX15]
868 The Unicode Consortium, "Unicode Standard Annex #15:
869 Unicode Normalization Forms", September 2013,
870 <https://www.unicode.org/reports/tr15/>.
871
872 9.2. Informative References
873
874 [REST] Fielding, R., "Architectural Styles and the Design of
875 Network-based Software Architectures", Ph.D.
876 Dissertation, University of California, Irvine, 2000,
877 <https://www.ics.uci.edu/~fielding/pubs/dissertation/
878 fielding_dissertation.pdf>.
879
880 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
881 DOI 10.17487/RFC3912, September 2004,
882 <https://www.rfc-editor.org/info/rfc3912>.
883
884 [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
885 B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
886 DOI 10.17487/RFC4007, March 2005,
887 <https://www.rfc-editor.org/info/rfc4007>.
888
889 [RFC4290] Klensin, J., "Suggested Practices for Registration of
890 Internationalized Domain Names (IDN)", RFC 4290,
891 DOI 10.17487/RFC4290, December 2005,
892 <https://www.rfc-editor.org/info/rfc4290>.
893
894 [RFC6874] Carpenter, B., Cheshire, S., and R. Hinden, "Representing
895 IPv6 Zone Identifiers in Address Literals and Uniform
896 Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
897 February 2013, <https://www.rfc-editor.org/info/rfc6874>.
898
899 [RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names
900 Registered in Top-Level Domains", RFC 6927,
901 DOI 10.17487/RFC6927, May 2013,
902 <https://www.rfc-editor.org/info/rfc6927>.
903
904 [RFC8521] Hollenbeck, S. and A. Newton, "Registration Data Access
905 Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
906 DOI 10.17487/RFC8521, November 2018,
907 <https://www.rfc-editor.org/info/rfc8521>.
908
909 Appendix A. Changes from RFC 7482
910
911 * Addressed known errata.
912
913 * Addressed other reported clarifications and corrections: IDN,
914 IDNA, and DNR definitions. Noted that registrars are entities.
915 Added a reference to RFC 8521 to address the bootstrap registry
916 limitation. Removed extraneous "...". Clarified HTTP query
917 string, search pattern, name server search, domain label suffix,
918 and asterisk search.
919
920 * Addressed "The HTTP query string" clarification.
921
922 * Modified coauthor address.
923
924 * Updated references to RFC 7483 to RFC 9083.
925
926 * Added an IANA Considerations section. Changed references to use
927 HTTPS for targets.
928
929 * Changed "XXXX is a search pattern representing the "FN" property
930 of an entity (such as a contact, registrant, or registrar) name as
931 specified in Section 5.1" to "Changed "XXXX is a search pattern
932 representing the "fn" property of an entity (such as a contact,
933 registrant, or registrar) name as described in Section 5.1".
934
935 * Added acknowledgments.
936
937 * Changed "The intent of the patterns described here are to enable
938 queries" to "The intent of the patterns described here is to
939 enable queries".
940
941 * Changed "the corresponding syntax extension in RFC 6874 [RFC6874]
942 MUST NOT be used, and servers are to ignore it if possible" to
943 "the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT
944 be used, and servers SHOULD ignore it".
945
946 * Changed "Only a single asterisk is allowed for a partial string
947 search" to "A partial string search MUST NOT include more than one
948 asterisk".
949
950 * Changed "Clients should avoid submitting a partial match search of
951 Unicode characters where a Unicode character may be legally
952 combined with another Unicode character or characters" to "Clients
953 SHOULD NOT submit a partial match search of Unicode characters
954 where a Unicode character may be legally combined with another
955 Unicode character or characters".
956
957 * Changed description of nameserver IP address "search pattern" in
958 Sections 3.2.1 and 3.2.2.
959
960 * IESG review feedback: Added "obsoletes 7482" to the headers,
961 Abstract, and Introduction. Changed "IETF standards" to "IETF
962 specifications" and "Therefore" to "Accordingly" in Section 1.
963 Updated the BCP 14 boilerplate. Added definition of "bootstrap
964 registry" and changed "concatenating ... to" to "concatenating ...
965 with" in Section 3. Changed "bitmask length" to "prefix length"
966 and "2001:db8::0" to "2001:db8::" in Section 3.1.1. Added "in
967 contrast to the more generic HTTP query string that admits
968 multiple simultaneous parameters" in Section 3.2. Changed
969 "0x002A" to "0x2A" in Section 4.1. Clarified use of HTTP 422
970 SHOULD in Section 4.1.
971
972 Acknowledgments
973
974 This document is derived from original work on RIR query formats
975 developed by Byron J. Ellacott of APNIC, Arturo L. Servin of LACNIC,
976 Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN.
977 Additionally, this document incorporates DNR query formats originally
978 described by Francisco Arias and Steve Sheng of ICANN and Scott
979 Hollenbeck of Verisign Labs.
980
981 The authors would like to acknowledge the following individuals for
982 their contributions to this document: Francisco Arias, Marc Blanchet,
983 Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam
984 Esfahbod, John Klensin, John Levine, Edward Lewis, Mario Loffredo,
985 Patrick Mevzek, Mark Nottingham, Kaveh Ranjbar, Arturo L. Servin,
986 Steve Sheng, Jasdip Singh, and Andrew Sullivan.
987
988 Authors' Addresses
989
990 Scott Hollenbeck
991 Verisign Labs
992 12061 Bluemont Way
993 Reston, VA 20190
994 United States of America
995
996 Email: shollenbeck@verisign.com
997 URI: https://www.verisignlabs.com/
998
999
1000 Andy Newton
1001 Amazon Web Services, Inc.
1002 13200 Woodland Park Road
1003 Herndon, VA 20171
1004 United States of America
1005
1006 Email: andy@hxr.us
1007
The IETF is responsible for the creation and maintenance of the DNS RFCs. The ICANN DNS RFC annotation project provides a forum for collecting community annotations on these RFCs as an aid to understanding for implementers and any interested parties. The annotations displayed here are not the result of the IETF consensus process.
This RFC is included in the DNS RFCs annotation project whose home page is here.