SIDN enables RDAP for .amsterdam and .politie
Earlier this month, we launched an RDAP service for the top-level domains .amsterdam and .politie. The service can be used to look up information about domain names, registrants, DNS servers and registrars. At the end of the year, RDAP will be enabled for the .nl domain as well.
RDAP, short for Registration Data Access Protocol, is the successor to the familiar Whois protocol for looking up registration data linked to domain names, IP addresses and AS numbers. The Whois is showing its age, and doesn't meet present-day requirements. RDAP is a modern internet standard that improves on the Whois in terms of authentication and authorisation, information structuring, and data retrieval and processing.
"Last year, ICANN instructed registries to filter their Whois information in order to comply with European GDPR requirements," says Pim Pastoors, Product Manager at SIDN. "And, from the end of August, RDAP will be mandatory for generic top-level domains (gTLDs). That includes .amsterdam and .politie, whose technical management is contracted to SIDN. So, this summer, lots of RDAP implementations will be going live at more or less the same time." "By making RDAP mandatory, ICANN is seeking to ensure that more registration data is shared in the future. Policies are currently being developed defining which stakeholders should have access to what information." Although we're enabling our RDAP service a little earlier than most registries, we haven't been driving progress in this field as we did with the development and implementation of DNSSEC. "Where RDAP is concerned, we're looking to the experiences of the five Regional Internet Registries (RIRs) in the pilot group," explains Pastoors. "That's on account of various loose ends in the interpretation of RDAP, which need to be tied up during the implementation and rollout. With regard to the software, we initially used an open-source implementation by DNS Belgium as our starting point, but we are now running on software we developed ourselves."
"Simplest protocol ever"
Olaf Kolkman, Chief Internet Technology Officer at the Internet Society (ISOC), chaired the WEIRDS working group responsible for developing the RDAP protocol. "Whois is possibly the simplest protocol ever invented," he says. "You connect to the server, send a line of text, and get a text blob back. And that's it: there are no requirements regarding the context, form or content. So you have to fish the information you're after out of the blob yourself." The unstructured data transfer associated with Whois is a legacy from the early days of the internet, but obviously unsuitable for the present day. "A previous attempt was made to replace Whois, but the alternative system proposed was too complex. So, in 2012, we decided to try again with RDAP."
RDAP is a web service based on the REST interface and the JSON data format. REST is a style of request/response interaction carried over the HTTP web protocol. And JSON is a simple text format for the storage and transfer of structured information – a highly simplified version of XML. RDAP therefore uses the same modern technologies that nowadays underpin all web services. "The idea behind RDAP was to create a standardised and interoperable means of accessing Whois information," explains Kolkman. "The key criteria were that the information had to lend itself to automated processing, and that various categories of user could be given access to various classes of information. For example, a registrar needs more information than is available to the public. And a government body's information requirements are different again. When developing the data model, we therefore investigated what information the various stakeholders typically wanted. We then devised a protocol under which different information can be made available to different user groups, without dictating exactly who can access what. That's a policy matter, and therefore outside our remit." The product of the working group's labours was published in March 2015, in the form of five internet standards (RFC 7480-7484) [1, 2, 3, 4, 5].
In parallel to development of the RDAP protocol, the RIRs in the pilot group – RIPE-NCC, ARIN, APNIC, LACNIC and AFRINIC – linked up with VeriSign to realise several RDAP implementations. Anyone who wants or needs to enable RDAP therefore has plenty of specimen implementations to refer to. ICANN is now liaising with stakeholders to develop policies on Whois/RDAP data retention and access: what information must be recorded, and who is allowed to consult it, under what circumstances? The GDPR forms an important framework for the second phase of this 'expedited policy development process' (EPDP).
At SIDN, however, we are reluctant to wait until the EPDP is complete. "The process could easily go on for years," says Pastoors. "It's inevitable, therefore, that we'll have to make changes to our software over time. And our implementation of RDAP for the .nl zone later this year will be guided mainly by the experience that we gain with RDAP for .amsterdam and .politie." "In the second phase, we'll be looking at diversification of the RDAP service for various user groups. In that context, the guiding principle will be that we share no more information than strictly necessary. The intention is that, say, a Certificate Authority (CA) will be able to have an account that allows access to precisely the information needed to issue a certificate for a particular domain. And a registrar will get the information needed to set up a transfer, and so on." "RDAP is a huge improvement on Whois," emphasises Pastoors. "The new protocol is far better than what we had before. We would encourage anyone with an interest in this area to try out our public RDAP service, and tell us how they get on."
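The two ideas above, a structured JSON data model that can be processed automatically and a response tailored to the requester's user group, can be shown together in a small client-side example. The code below is an added illustration, not SIDN's software or any of the RIR implementations: it parses a constructed RDAP domain object in the RFC 7483 shape and applies an assumed access policy (the `VISIBLE_ROLES` table, the requester classes and all names and handles are made up for this example).

```python
import json

# Constructed sample RDAP domain response in the RFC 7483 "domain" object shape.
# All values are invented for this example.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.amsterdam",
    "status": ["active"],
    "events": [{"eventAction": "registration", "eventDate": "2019-07-01T09:30:00Z"}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.example.net"}],
    "secureDNS": {"delegationSigned": True},
    "entities": [
        {"objectClassName": "entity", "handle": "REG-0001", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar BV"]]]},
        {"objectClassName": "entity", "handle": "RT-0042", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "J. Doe"],
                                  ["email", {}, "text", "j.doe@example.amsterdam"]]]},
    ],
})

# Assumed policy for illustration: which entity roles each requester class may see.
# "Share no more than strictly necessary": the public and a CA get registrar data only.
VISIBLE_ROLES = {"public": {"registrar"}, "ca": {"registrar"},
                 "registrar": {"registrar", "registrant"}}

def vcard_field(entity, name):
    """Return the value of the first jCard property called `name`, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def summarise(raw_json, requester="public"):
    """Parse an RDAP domain object and keep only what `requester` may see."""
    obj = json.loads(raw_json)
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    allowed = VISIBLE_ROLES[requester]
    contacts = {}
    for ent in obj.get("entities", []):
        for role in ent.get("roles", []):
            if role in allowed:  # drop entities the requester is not entitled to
                contacts[role] = {"handle": ent.get("handle"),
                                  "name": vcard_field(ent, "fn"),
                                  "email": vcard_field(ent, "email")}
    registered = next((e["eventDate"] for e in obj.get("events", [])
                       if e.get("eventAction") == "registration"), None)
    return {"domain": obj["ldhName"], "status": obj.get("status", []),
            "registered": registered,
            "nameservers": [ns["ldhName"] for ns in obj.get("nameservers", [])],
            "dnssec": obj.get("secureDNS", {}).get("delegationSigned", False),
            "contacts": contacts}
```

A real RDAP client would obtain `raw_json` from an HTTPS query such as `/domain/<name>` against the registry's RDAP base URL; the filtering shown here would, in practice, be done by the server before the response leaves it, not by the client.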