ARMWARE RFC Archive <- STD Index (1..100)

STD 95

(also RFC 7480, RFC 7481, RFC 9082, RFC 9083, RFC 9224)


[Note that this file is a concatenation of more than one RFC.]

Internet Engineering Task Force (IETF)                         A. Newton
Request for Comments: 7480                                          ARIN
Category: Standards Track                                    B. Ellacott
ISSN: 2070-1721                                                    APNIC
                                                                 N. Kong
                                                                   CNNIC
                                                              March 2015

       HTTP Usage in the Registration Data Access Protocol (RDAP)

Abstract

   This document is one of a collection that together describes the
   Registration Data Access Protocol (RDAP).  It describes how RDAP is
   transported using the Hypertext Transfer Protocol (HTTP).  RDAP is a
   successor protocol to the very old WHOIS protocol.  The purpose of
   this document is to clarify the use of standard HTTP mechanisms for
   this application.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7480.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Newton, et al.               Standards Track                    [Page 1]



RFC 7480                     RDAP over HTTP                   March 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Design Intents  . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Queries . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  HTTP Methods  . . . . . . . . . . . . . . . . . . . . . .   5
     4.2.  Accept Header . . . . . . . . . . . . . . . . . . . . . .   5
     4.3.  Query Parameters  . . . . . . . . . . . . . . . . . . . .   6
   5.  Types of HTTP Response  . . . . . . . . . . . . . . . . . . .   6
     5.1.  Positive Answers  . . . . . . . . . . . . . . . . . . . .   6
     5.2.  Redirects . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.3.  Negative Answers  . . . . . . . . . . . . . . . . . . . .   7
     5.4.  Malformed Queries . . . . . . . . . . . . . . . . . . . .   7
     5.5.  Rate Limits . . . . . . . . . . . . . . . . . . . . . . .   7
     5.6.  Cross-Origin Resource Sharing (CORS)  . . . . . . . . . .   8
   6.  Extensibility . . . . . . . . . . . . . . . . . . . . . . . .   8
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  RDAP Extensions Registry  . . . . . . . . . . . . . . . .   9
   9.  Internationalization Considerations . . . . . . . . . . . . .  10
     9.1.  URIs and IRIs . . . . . . . . . . . . . . . . . . . . . .  10
     9.2.  Language Identifiers in Queries and Responses . . . . . .  10
     9.3.  Language Identifiers in HTTP Headers  . . . . . . . . . .  10
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  11
     10.2.  Informative References . . . . . . . . . . . . . . . . .  12
   Appendix A.  Protocol Example . . . . . . . . . . . . . . . . . .  13
   Appendix B.  Cache Busting  . . . . . . . . . . . . . . . . . . .  13
   Appendix C.  Bootstrapping and Redirection  . . . . . . . . . . .  14
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 15
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16

Newton, et al.               Standards Track                    [Page 2]



RFC 7480                     RDAP over HTTP                   March 2015

1.  Introduction

   This document describes the usage of the Hypertext Transfer Protocol
   (HTTP) [RFC7230] for the Registration Data Access Protocol (RDAP).
   The goal of this document is to tie together usage patterns of HTTP
   into a common profile applicable to the various types of directory
   services serving registration data using practices informed by the
   Representational State Transfer (REST) [REST] architectural style.
   By giving the various directory services common behavior, a single
   client is better able to retrieve data from directory services
   adhering to this behavior.

   Registration data expected to be presented by this service is
   Internet resource registration data -- registration of domain names
   and Internet number resources.  This data is typically provided by
   WHOIS [RFC3912] services, but the WHOIS protocol is insufficient to
   modern registration data service requirements.  A replacement
   protocol is expected to retain the simple transactional nature of
   WHOIS, while providing a specification for queries and responses,
   redirection to authoritative sources, support for Internationalized
   Domain Names (IDNs) [RFC5890], and support for localized registration
   data such as addresses and organization or person names.

   In designing these common usage patterns, this document introduces
   considerations for a simple use of HTTP.  Where complexity may
   reside, it is the goal of this document to place it upon the server
   and to keep the client as simple as possible.  A client
   implementation should be possible using common operating system
   scripting tools (e.g., bash and wget).

   This is the basic usage pattern for this protocol:

   1.  A client determines an appropriate server to query along with the
       appropriate base Uniform Resource Locator (URL) to use in such
       queries.  [RFC7484] describes one method to determine the server
       and the base URL.  See Appendix C for more information.

   2.  A client issues an HTTP (or HTTPS) query using GET [RFC7231].  As
       an example, a query URL for the network registration 192.0.2.0
       might be

          http://example.com/rdap/ip/192.0.2.0

       [RFC7482] details the various queries used in RDAP.

Newton, et al.               Standards Track                    [Page 3]



RFC 7480                     RDAP over HTTP                   March 2015

   3.  If the receiving server has the information for the query, it
       examines the Accept header field of the query and returns a 200
       response with a response entity appropriate for the requested
       format.  [RFC7483] details a response in JavaScript Object
       Notation (JSON).

   4.  If the receiving server does not have the information for the
       query but does have knowledge of where the information can be
       found, it will return a redirection response (3xx) with the
       Location header field containing an HTTP(S) URL pointing to the
       information or another server known to have knowledge of the
       location of the information.  The client is expected to requery
       using that HTTP URL.

   5.  If the receiving server does not have the information being
       requested and does not have knowledge of where the information
       can be found, it returns a 404 response.

   6.  If the receiving server will not answer a request for policy
       reasons, it will return an error response (4xx) indicating the
       reason for giving no answer.

   It is not the intent of this document to redefine the meaning and
   semantics of HTTP.  The purpose of this document is to clarify the
   use of standard HTTP mechanisms for this application.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   As is noted in "Security and Stability Advisory Committee (SSAC)
   Report on WHOIS Terminology and Structure" [SAC-051], the term
   "WHOIS" is overloaded, often referring to a protocol, a service, and
   data.  In accordance with [SAC-051], this document describes the base
   behavior for an RDAP.  [SAC-051] describes a protocol profile of RDAP
   for Domain Name Registries (DNRs), the Domain Name Registration Data
   Access Protocol (DNRD-AP).

   In this document, an RDAP client is an HTTP user agent performing an
   RDAP query, and an RDAP server is an HTTP server providing an RDAP
   response.  RDAP query and response formats are described in [RFC7482]
   and [RFC7483], while this document describes how RDAP clients and
   servers use HTTP to exchange queries and responses.  [RFC7481]
   describes security considerations for RDAP.

Newton, et al.               Standards Track                    [Page 4]



RFC 7480                     RDAP over HTTP                   March 2015

3.  Design Intents

   There are a few design criteria this document attempts to meet.

   First, each query is meant to require only one path of execution to
   obtain an answer.  A response may contain an answer, no answer, or a
   redirect, and clients are not expected to fork multiple paths of
   execution to make a query.

   Second, the semantics of the request/response allow for future and/or
   non-standard response formats.  In this document, only a JSON
   [RFC7159] response media type is noted, with the response contents to
   be described separately (see [RFC7483]).  This document only
   describes how RDAP is transported using HTTP with this format.

   Third, this protocol is intended to be able to make use of the range
   of mechanisms available for use with HTTP.  HTTP offers a number of
   mechanisms not described further in this document.  Operators are
   able to make use of these mechanisms according to their local policy,
   including cache control, authorization, compression, and redirection.
   HTTP also benefits from widespread investment in scalability,
   reliability, and performance, as well as widespread programmer
   understanding of client behaviors for web services styled after REST
   [REST], reducing the cost to deploy Registration Data Directory
   Services and clients.  This protocol is forward compatible with HTTP
   2.0.

4.  Queries

4.1.  HTTP Methods

   Clients use the GET method to retrieve a response body and use the
   HEAD method to determine existence of data on the server.  Clients
   SHOULD use either the HTTP GET or HEAD methods (see [RFC7231]).
   Servers are under no obligation to support other HTTP methods;
   therefore, clients using other methods will likely not interoperate
   properly.

   Clients and servers MUST support HTTPS to support security services.

4.2.  Accept Header

   To indicate to servers that an RDAP response is desired, clients
   include an Accept header field with an RDAP-specific JSON media type,
   the generic JSON media type, or both.  Servers receiving an RDAP
   request return an entity with a Content-Type header containing the
   RDAP-specific JSON media type.

Newton, et al.               Standards Track                    [Page 5]



RFC 7480                     RDAP over HTTP                   March 2015

   This specification does not define the responses a server returns to
   a request with any other media types in the Accept header field, or
   with no Accept header field.  One possibility would be to return a
   response in a media type suitable for rendering in a web browser.

4.3.  Query Parameters

   Servers MUST ignore unknown query parameters.  Use of unknown query
   parameters for cache busting is described in Appendix B.

5.  Types of HTTP Response

   This section describes the various types of responses a server may
   send to a client.  While no standard HTTP response code is forbidden
   in usage, this section defines the minimal set of response codes in
   common use by servers that a client will need to understand.  While
   some clients may be constructed with simple tooling that does not
   account for all of these response codes, a more robust client
   accounting for these codes will likely provide a better user
   experience.  It is expected that usage of response codes and types
   for this application not defined here will be described in subsequent
   documents.

5.1.  Positive Answers

   If a server has the information requested by the client and wishes to
   respond to the client with the information according to its policies,
   it returns that answer in the body of a 200 (OK) response (see
   [RFC7231]).

5.2.  Redirects

   If a server wishes to inform a client that the answer to a given
   query can be found elsewhere, it returns either a 301 (Moved
   Permanently) response code to indicate a permanent move or a 302
   (Found), 303 (See Other), or 307 (Temporary Redirect) response code
   to indicate a non-permanent redirection, and it includes an HTTP(S)
   URL in the Location header field (see [RFC7231]).  The client is
   expected to issue a subsequent request to satisfy the original query
   using the given URL without any processing of the URL.  In other
   words, the server is to hand back a complete URL, and the client
   should not have to transform the URL to follow it.  Servers are under
   no obligation to return a URL conformant to [RFC7482].

   For this application, such an example of a permanent move might be a
   Top-Level Domain (TLD) operator informing a client the information

Newton, et al.               Standards Track                    [Page 6]



RFC 7480                     RDAP over HTTP                   March 2015

   being sought can be found with another TLD operator (i.e., a query
   for the domain bar in foo.example is found at
   http://foo.example/domain/bar).

   For example, if the client uses

      http://serv1.example.com/weirds/domain/example.com

   the server redirecting to

      https://serv2.example.net/weirds2/

   would set the Location: field to the value

      https://serv2.example.net/weirds2/domain/example.com

5.3.  Negative Answers

   If a server wishes to respond that it has an empty result set (that
   is, no data appropriately satisfying the query), it returns a 404
   (Not Found) response code.  Optionally, it MAY include additional
   information regarding the negative answer in the HTTP entity body.

   If a server wishes to inform the client that information about the
   query is available, but cannot include the information in the
   response to the client for policy reasons, the server MUST respond
   with an appropriate response code out of HTTP's 4xx range.  A client
   MAY retry the query if that is appropriate for the respective
   response code.

5.4.  Malformed Queries

   If a server receives a query that it cannot interpret as an RDAP
   query, it returns a 400 (Bad Request) response code.  Optionally, it
   MAY include additional information regarding this negative answer in
   the HTTP entity body.

5.5.  Rate Limits

   Some servers apply rate limits to deter address scraping and other
   abuses.  When a server declines to answer a query due to rate limits,
   it returns a 429 (Too Many Requests) response code as described in
   [RFC6585].  A client that receives a 429 response SHOULD decrease its
   query rate and honor the Retry-After header field if one is present.
   Servers may place stricter limits upon clients that do not honor the
   Retry-After header.  Optionally, the server MAY include additional
   information regarding the rate limiting in the HTTP entity body.

Newton, et al.               Standards Track                    [Page 7]



RFC 7480                     RDAP over HTTP                   March 2015

   Note that this is not a defense against denial-of-service (DoS)
   attacks, since a malicious client could ignore the code and continue
   to send queries at a high rate.  A server might use another response
   code if it did not wish to reveal to a client that rate limiting is
   the reason for the denial of a reply.

5.6.  Cross-Origin Resource Sharing (CORS)

   When responding to queries, it is RECOMMENDED that servers use the
   Access-Control-Allow-Origin header field, as specified by
   [W3C.REC-cors-20140116].  A value of "*" is suitable when RDAP is
   used for public resources.

   This header (often called the CORS header) helps in-browser web
   applications by lifting the "same-origin" restriction (i.e., a
   browser may load RDAP client code from one web server but query
   others for RDAP data).

   By default, browsers do not send cookies when cross origin requests
   are allowed.  Setting the Access-Control-Allow-Credentials header
   field to "true" will send cookies.  Use of the
   Access-Control-Allow-Credentials header field is NOT RECOMMENDED.

6.  Extensibility

   For extensibility purposes, this document defines an IANA registry
   for prefixes used in JSON [RFC7159] data serialization and URI path
   segments (see Section 8).

   Prefixes and identifiers SHOULD only consist of the alphabetic US-
   ASCII characters A through Z in both uppercase and lowercase, the
   numerical digits 0 through 9, and the underscore character, and they
   SHOULD NOT begin with an underscore character, numerical digit, or
   the characters "xml".  The following describes the production of JSON
   names in ABNF [RFC5234].

     name = ALPHA *( ALPHA / DIGIT / "_" )

                       Figure 1: ABNF for JSON Names

   This restriction is a union of the Ruby programming language
   identifier syntax and the XML element name syntax and has two
   purposes.  First, client implementers using modern programming
   languages such as Ruby or Java can use libraries that automatically
   promote JSON names to first-order object attributes or members.
   Second, a clean mapping between JSON and XML is easy to accomplish
   using these rules.

Newton, et al.               Standards Track                    [Page 8]



RFC 7480                     RDAP over HTTP                   March 2015

7.  Security Considerations

   This document does not pose strong security requirements to the RDAP
   protocol.  However, it does not restrict against the use of security
   mechanisms offered by the HTTP protocol.  It does require that RDAP
   clients and servers MUST support HTTPS.

   This document makes recommendations for server implementations
   against DoS (Section 5.5) and interoperability with existing security
   mechanisms in HTTP clients (Section 5.6).

   Additional security considerations to the RDAP protocol are covered
   in [RFC7481].

8.  IANA Considerations

8.1.  RDAP Extensions Registry

   IANA has created a new category in the protocol registries labeled
   "Registration Data Access Protocol (RDAP)", and within that category,
   has established a URL-referenceable, stand-alone registry labeled
   "RDAP Extensions".  The purpose of this registry is to ensure
   uniqueness of extension identifiers.  The extension identifier is
   used as a prefix in JSON names and as a prefix of path segments in
   RDAP URLs.

   The production rule for these identifiers is specified in Section 6.

   In accordance with [RFC5226], the IANA policy for assigning new
   values, shall be Specification Required: values and their meanings
   must be documented in an RFC or in some other permanent and readily
   available reference, in sufficient detail that interoperability
   between independent implementations is possible.

   The following is a template for an RDAP extension registration:

      Extension identifier: the identifier of the extension

      Registry operator: the name of the registry operator

      Published specification: RFC number, bibliographical reference, or
      URL to a permanent and readily available specification

      Person & email address to contact for further information: The
      names and email addresses of individuals to contact regarding this
      registry entry

Newton, et al.               Standards Track                    [Page 9]



RFC 7480                     RDAP over HTTP                   March 2015

      Intended usage: brief reasons for this registry entry (as defined
      by [RFC5226]).

   The following is an example of a registration in the RDAP extension
   registry:

      Extension identifier: lunarNic

      Registry operator: The Registry of the Moon, LLC

      Published specification: http://www.example/moon_apis/rdap

      Person & email address to contact for further information:
      Professor Bernardo de la Paz <berny@moon.example>

      Intended usage: COMMON

9.  Internationalization Considerations

9.1.  URIs and IRIs

   Clients can use Internationalized Resource Identifiers (IRIs)
   [RFC3987] for internal use as they see fit but MUST transform them to
   URIs [RFC3986] for interaction with RDAP servers.  RDAP servers MUST
   use URIs in all responses, and again clients can transform these URIs
   to IRIs for internal use as they see fit.

9.2.  Language Identifiers in Queries and Responses

   Under most scenarios, clients requesting data will not signal that
   the data be returned in a particular language or script.  On the
   other hand, when servers return data and have knowledge that the data
   is in a language or script, the data SHOULD be annotated with
   language identifiers whenever they are available, thus allowing
   clients to process and display the data accordingly.

   [RFC7483] provides such a mechanism.

9.3.  Language Identifiers in HTTP Headers

   Given the description of the use of language identifiers in
   Section 9.2, unless otherwise specified, servers SHOULD ignore the
   HTTP [RFC7231] Accept-Language header field when formulating HTTP
   entity responses, so that clients do not conflate the Accept-Language
   header with the 'lang' values in the entity body.

Newton, et al.               Standards Track                   [Page 10]



RFC 7480                     RDAP over HTTP                   March 2015

   However, servers MAY return language identifiers in the Content-
   Language header field so as to inform clients of the intended
   language of HTTP layer messages.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [RFC3987]  Duerst, M. and M. Suignard, "Internationalized Resource
              Identifiers (IRIs)", RFC 3987, January 2005,
              <http://www.rfc-editor.org/info/rfc3987>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008, <http://www.rfc-editor.org/info/rfc5226>.

   [RFC6585]  Nottingham, M. and R. Fielding, "Additional HTTP Status
              Codes", RFC 6585, April 2012,
              <http://www.rfc-editor.org/info/rfc6585>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing", RFC
              7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              June 2014, <http://www.rfc-editor.org/info/rfc7231>.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", RFC 7481,
              February 2015, <http://www.rfc-editor.org/info/rfc7481>.

   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
              Protocol (RDAP) Query Format", RFC 7482, February 2015,
              <http://www.rfc-editor.org/info/rfc7482>.

   [RFC7483]  Newton, A. and S. Hollenbeck, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", RFC 7483,
              February 2015, <http://www.rfc-editor.org/info/rfc7483>.

Newton, et al.               Standards Track                   [Page 11]



RFC 7480                     RDAP over HTTP                   March 2015

   [RFC7484]  Blanchet, M., "Finding the Authoritative Registration Data
              (RDAP) Service", RFC 7484, February 2015,
              <http://www.rfc-editor.org/info/rfc7484>.

   [W3C.REC-cors-20140116]
              Kesteren, A., "Cross-Origin Resource Sharing", W3C
              Recommendation, REC-cors-20140116, January 2014,
              <http://www.w3.org/TR/2014/REC-cors-20140116/>.

10.2.  Informative References

   [REST]     Fielding, R. and R. Taylor, "Principled Design of the
              Modern Web Architecture", ACM Transactions on Internet
              Technology, Vol. 2, No. 2, May 2002.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              September 2004, <http://www.rfc-editor.org/info/rfc3912>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, August 2010,
              <http://www.rfc-editor.org/info/rfc5890>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014,
              <http://www.rfc-editor.org/info/rfc7159>.

   [SAC-051]  Piscitello, D., Ed., "SSAC Report on Domain Name WHOIS
              Terminology and Structure", A report from the ICANN
              Security and Stability Advisory Committee (SSAC),
              September 2011.

   [lacnic-joint-whois]
              LACNIC, "Joint Whois", December 2005,
              <ftp://anonymous@ftp.registro.br/pub/gter/
              gter20/02-jwhois-lacnic.pdf>.

Newton, et al.               Standards Track                   [Page 12]



RFC 7480                     RDAP over HTTP                   March 2015

Appendix A.  Protocol Example

   To demonstrate typical behavior of an RDAP client and server, the
   following is an example of an exchange, including a redirect.  The
   data in the response has been elided for brevity, as the data format
   is not described in this document.  The media type used here is
   described in [RFC7483].

   An example of an RDAP client and server exchange:

     Client:
         <TCP connect to rdap.example.com port 80>
         GET /rdap/ip/203.0.113.0/24 HTTP/1.1
         Host: rdap.example.com
         Accept: application/rdap+json

     rdap.example.com:
         HTTP/1.1 301 Moved Permanently
         Location: http://rdap-ip.example.com/rdap/ip/203.0.113.0/24
         Content-Length: 0
         Content-Type: application/rdap+json
         <TCP disconnect>

     Client:
         <TCP connect to rdap-ip.example.com port 80>
         GET /rdap/ip/203.0.113.0/24 HTTP/1.1
         Host:  rdap-ip.example.com
         Accept: application/rdap+json

     rdap-ip.example.com:
         HTTP/1.1 200 OK
         Content-Type: application/rdap+json
         Content-Length: 9001

         { ... }
         <TCP disconnect>

Appendix B.  Cache Busting

   Some HTTP [RFC7230] cache infrastructures do not adhere to caching
   standards adequately and could cache responses longer than is
   intended by the server.  To overcome these issues, clients can use an
   ad hoc and improbably used query parameter with a random value of
   their choosing.  As Section 4.3 instructs servers to ignore unknown
   parameters, this is compatible with the RDAP definition.

Newton, et al.               Standards Track                   [Page 13]



RFC 7480                     RDAP over HTTP                   March 2015

   An example of using an unknown query parameter to bust caches:

     http://example.com/ip/192.0.2.0?__fuhgetaboutit=xyz123

   Use of an unknown parameter to overcome misbehaving caches is not
   part of any specification and is offered here for informational
   purposes.

Appendix C.  Bootstrapping and Redirection

   The traditional deployment model of WHOIS [RFC3912] does not provide
   a mechanism for determining the authoritative source for information.

   Some approaches have been implemented in the past, most notably the
   Joint WHOIS [lacnic-joint-whois] initiative.  However, among other
   shortcomings, Joint WHOIS is implemented using proxies and server-
   side referrals.

   These issues are solved in RDAP using HTTP redirects and
   bootstrapping.  Bootstrapping is discussed in [RFC7484].  In
   constrained environments, the processes outlined in [RFC7484] may not
   be viable, and there may be the need for servers acting as a
   "redirector".

   Redirector servers issue HTTP redirects to clients using a
   redirection table informed by [RFC7484].  Figure 2 diagrams a client
   using a redirector for bootstrapping.

                                      REDIRECTOR       ARIN
                                      RDAP             RDAP
                                        .               .
                                        |               |
        Q: 23.1.1.1? -----------------> |               |
                                        |               |
           <---------- HTTP 301 --------|               |
                  ('Try ARIN RDAP')     |               |
                                        |               |
                                                        |
          Q: 23.1.1.1? -------------------------------> |
                                                        |
             <---------- HTTP 200 --------------------- |
                    (JSON response is returned)         |
                                                        |
                                                        |
                                                        .

                 Figure 2: Querying RDAP Data for 23.1.1.1

Newton, et al.               Standards Track                   [Page 14]



RFC 7480                     RDAP over HTTP                   March 2015

   In some cases, particularly sub-delegations made between Regional
   Internet Registries (RIRs) known as "ERX space" and transfers of
   networks, multiple HTTP redirects will be issued.  Figure 3 shows
   such a scenario.

                          REDIRECTOR  LACNIC           ARIN
                          RDAP        RDAP             RDAP
                            .           .               .
        Q: 23.1.1.1? ---->  |           |               |
                            |           |               |
          <-- HTTP 301 ---  |           |               |
         ('Try LACNIC')     |           |               |
                            |           |               |
                            |           |               |
        Q: 23.1.1.1? -----------------> |               |
                                        |               |
           <---------- HTTP 301 --------|               |
                  ('Try ARIN RDAP')     |               |
                                        |               |
                                                        |
          Q: 23.1.1.1? -------------------------------> |
                                                        |
             <---------- HTTP 200 --------------------- |
                    (JSON response is returned)         |
                                                        |
                                                        |
                                                        .

      Figure 3: Querying RDAP Data for Data That Has Been Transferred

Acknowledgements

   John Levine provided text to tighten up the Accept header field usage
   and the text for the section on 429 responses.

   Marc Blanchet provided some clarifying text regarding the use of URLs
   with redirects, as well as very useful feedback during Working Group
   Last Call (WGLC).

   Normative language reviews were provided by Murray S. Kucherawy,
   Andrew Sullivan, Tom Harrison, Ed Lewis, and Alexander Mayrhofer.

   Jean-Phillipe Dionne provided text for the Security Considerations
   section.

   The concept of the redirector server informatively discussed in
   Appendix C was documented by Carlos M.  Martinez and Gerardo Rada of

Newton, et al.               Standards Track                   [Page 15]



RFC 7480                     RDAP over HTTP                   March 2015

   LACNIC and Linlin Zhou of CNNIC and subsequently incorporated into
   this document.

   This document is the work product of the IETF's WEIRDS working group,
   of which Olaf Kolkman and Murray Kucherawy were chairs.

Authors' Addresses

   Andrew Lee Newton
   American Registry for Internet Numbers
   3635 Concorde Parkway
   Chantilly, VA  20151
   United States

   EMail: andy@arin.net
   URI:   http://www.arin.net

   Byron J. Ellacott
   Asia Pacific Network Information Centre
   6 Cordelia Street
   South Brisbane  QLD 4101
   Australia

   EMail: bje@apnic.net
   URI:   http://www.apnic.net

   Ning Kong
   China Internet Network Information Center
   4 South 4th Street, Zhongguancun, Haidian District
   Beijing  100190
   China

   Phone: +86 10 5881 3147
   EMail: nkong@cnnic.cn

Newton, et al.               Standards Track                   [Page 16]




=========================================================================

Internet Engineering Task Force (IETF)                     S. Hollenbeck
Request for Comments: 7481                                 Verisign Labs
Category: Standards Track                                        N. Kong
ISSN: 2070-1721                                                    CNNIC
                                                              March 2015

   Security Services for the Registration Data Access Protocol (RDAP)

Abstract

   The Registration Data Access Protocol (RDAP) provides "RESTful" web
   services to retrieve registration metadata from Domain Name and
   Regional Internet Registries.  This document describes information
   security services, including access control, authentication,
   authorization, availability, data confidentiality, and data integrity
   for RDAP.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7481.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Hollenbeck & Kong            Standards Track                    [Page 1]



RFC 7481                 RDAP Security Services               March 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   2
     2.1.  Acronyms and Abbreviations  . . . . . . . . . . . . . . .   3
   3.  Information Security Services and RDAP  . . . . . . . . . . .   3
     3.1.  Access Control  . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Authentication  . . . . . . . . . . . . . . . . . . . . .   3
       3.2.1.  Federated Authentication  . . . . . . . . . . . . . .   4
     3.3.  Authorization . . . . . . . . . . . . . . . . . . . . . .   6
     3.4.  Availability  . . . . . . . . . . . . . . . . . . . . . .   6
     3.5.  Data Confidentiality  . . . . . . . . . . . . . . . . . .   7
     3.6.  Data Integrity  . . . . . . . . . . . . . . . . . . . . .   7
   4.  Privacy Threats Associated with Registration Data . . . . . .   8
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   The Registration Data Access Protocol (RDAP) is specified in multiple
   documents, including "Registration Data Access Protocol (RDAP) Query
   Format" [RFC7482], "JSON Responses for the Registration Data Access
   Protocol (RDAP)" [RFC7483], and "HTTP Usage in the Registration Data
   Access Protocol (RDAP)" [RFC7480].

   One goal of RDAP is to provide security services that do not exist in
   the WHOIS [RFC3912] protocol, including access control,
   authentication, authorization, availability, data confidentiality,
   and data integrity.  This document describes how each of these
   services is achieved by RDAP using features that are available in
   other protocol layers.  Additional or alternative mechanisms can be
   added in the future.  Where applicable, informative references to
   requirements for a WHOIS replacement service [RFC3707] are noted.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Hollenbeck & Kong            Standards Track                    [Page 2]



RFC 7481                 RDAP Security Services               March 2015

2.1.  Acronyms and Abbreviations

      DNR: Domain Name Registry

      HTTP: Hypertext Transfer Protocol

      JSON: JavaScript Object Notation

      RDAP: Registration Data Access Protocol

      RIR: Regional Internet Registry

      TLS: Transport Layer Security

3.  Information Security Services and RDAP

   RDAP itself does not include native security services.  Instead, RDAP
   relies on features that are available in other protocol layers to
   provide needed security services, including access control,
   authentication, authorization, availability, data confidentiality,
   and data integrity.  A description of each of these security services
   can be found in "Internet Security Glossary, Version 2" [RFC4949].
   No requirements have been identified for other security services.

3.1.  Access Control

   WHOIS does not include specific features to control access to
   registration information.  As described in the following sections,
   RDAP includes features to identify, authenticate, and authorize
   clients, allowing server operators to control access to information
   based on a client's identity and associated authorizations.
   Information returned to a client can be clearly marked with a status
   value (see Section 10.2.2 of [RFC7483]) that identifies the access
   granted to the client.

3.2.  Authentication

   This section describes security authentication mechanisms and the
   need for authorization policies to include them.  It describes
   requirements for the implementations of clients and servers but does
   not dictate the policies of server operators.  For example, a server
   operator with no policy regarding differentiated or tiered access to
   data will have no authorization mechanisms and will have no need for
   any type of authentication.  A server operator with policies on
   differentiated access will have to construct an authorization scheme
   and will need to follow the specified authentication requirements.

Hollenbeck & Kong            Standards Track                    [Page 3]



RFC 7481                 RDAP Security Services               March 2015

   WHOIS does not provide features to identify and authenticate clients.
   As noted in Section 3.1.4.2 of "Cross Registry Internet Service
   Protocol (CRISP) Requirements" [RFC3707], there is utility in
   allowing server operators to offer "varying degrees of access
   depending on policy and need."  Clients have to be identified and
   authenticated to provide that utility.

   RDAP's authentication framework needs to accommodate anonymous access
   as well as verification of identities using a range of authentication
   methods and credential services.  To that end, RDAP clients and
   servers MUST implement the authentication framework specified in
   "Hypertext Transfer Protocol (HTTP/1.1): Authentication" [RFC7235].
   The "basic" scheme can be used to send a client's user name and
   password to a server in plaintext, base64-encoded form.  The "digest"
   scheme can be used to authenticate a client without exposing the
   client's plaintext password.  If the "basic" scheme is used, HTTP
   over TLS [RFC2818] MUST be used to protect the client's credentials
   from disclosure while in transit (see Section 3.5).

   Servers MUST support either Basic or Digest authentication; they are
   not required to support both.  Clients MUST support both to
   interoperate with servers that support one or the other.  Servers may
   provide a login page that triggers HTTP authentication.  Clients
   should continue sending the HTTP authentication header once they
   receive an initial 401 (Unauthorized) response from the HTTP server
   as long as the scheme portion of the URL doesn't change.

   The Transport Layer Security protocol [RFC5246] includes an optional
   feature to identify and authenticate clients who possess and present
   a valid X.509 digital certificate [RFC5280].  Support for this
   feature is OPTIONAL.

   RDAP does not impose any unique server authentication requirements.
   The server authentication provided by TLS fully addresses the needs
   of RDAP.  In general, transports for RDAP must either provide a
   TLS-protected transport (e.g., HTTPS) or a mechanism that provides an
   equivalent level of server authentication.

   Work on HTTP authentication methods continues.  RDAP is designed to
   be agile enough to support additional methods as they are defined.

3.2.1.  Federated Authentication

   The traditional client-server authentication model requires clients
   to maintain distinct credentials for every RDAP server.  This
   situation can become unwieldy as the number of RDAP servers
   increases.  Federated authentication mechanisms allow clients to use
   one credential to access multiple RDAP servers and reduce client

Hollenbeck & Kong            Standards Track                    [Page 4]



RFC 7481                 RDAP Security Services               March 2015

   credential management complexity.  RDAP MAY include a federated
   authentication mechanism that permits a client to access multiple
   RDAP servers in the same federation with one credential.

   Federated authentication mechanisms used by RDAP MUST be fully
   supported by HTTP.  OAuth, OpenID, Security Assertion Markup Language
   (SAML), and mechanisms based on Certification Authority (CA) are all
   possible approaches to provide federated authentication.  At the time
   of this document's publication, negotiation or advertisement of
   federated authentication services is still an undefined mechanism by
   the noted federated authentication protocols.  Developing this
   mechanism is beyond the scope of this document.

   The OAuth authorization framework [RFC6749] describes a method for
   users to access protected web resources without having to hand out
   their credentials.  Instead, clients are issued access tokens by
   authorization servers with the permission of the resource owners.
   Using OAuth, multiple RDAP servers can form a federation, and the
   clients can access any server in the same federation by providing one
   credential registered in any server in that federation.  The OAuth
   authorization framework is designed for use with HTTP and thus can be
   used with RDAP.

   OpenID [OpenID] is a decentralized single sign-on authentication
   system that allows users to log in at multiple web sites with one ID
   instead of having to create multiple unique accounts.  An end user
   can freely choose which OpenID provider to use and can preserve their
   Identifier if they switch OpenID providers.

   Note that OAuth and OpenID do not consistently require data
   confidentiality services to protect interactions between providers
   and consumers.  HTTP over TLS [RFC2818] can be used as needed to
   provide protection against man-in-the-middle attacks.

   SAML 2.0 [SAML] is an XML-based protocol that can be used to
   implement web-based authentication and authorization services,
   including single sign on.  It uses security tokens containing
   assertions to exchange information about an end user between an
   identity provider and a service provider.

   The Transport Layer Security protocol describes the specification of
   a client certificate in Section 7.4.6 of [RFC5246].  Clients who
   possess and present a valid X.509 digital certificate, issued by a
   CA, could be identified and authenticated by a server who trusts the
   corresponding CA.  A certificate authentication method can be used to
   achieve federated authentication in which multiple RDAP servers all
   trust the same CAs, and then any client with a certificate issued by
   a trusted CA can access any RDAP server in the federation.  This

Hollenbeck & Kong            Standards Track                    [Page 5]



RFC 7481                 RDAP Security Services               March 2015

   certificate-based mechanism is supported by HTTPS and can be used
   with RDAP.

3.3.  Authorization

   WHOIS does not provide services to grant different levels of access
   to clients based on a client's authenticated identity.  As noted in
   Section 3.1.4.2 of "Cross Registry Internet Service Protocol (CRISP)
   Requirements" [RFC3707], there is utility in allowing server
   operators to offer "varying degrees of access depending on policy and
   need."  Access control decisions can be made once a client's identity
   has been established and authenticated (see Section 3.2).

   Server operators MAY offer varying degrees of access depending on
   policy and need in conjunction with the authentication methods
   described in Section 3.2.  If such varying degrees of access are
   supported, an RDAP server MUST provide granular access controls (that
   is, per registration data object) in order to implement authorization
   policies.  Some examples:

   -  Clients will be allowed access only to data for which they have a
      relationship.

   -  Unauthenticated or anonymous access status may not yield any
      contact information.

   -  Full access may be granted to a special group of authenticated
      clients.

   The type of access allowed by a server will most likely vary from one
   operator to the next.  A description of the response privacy
   considerations associated with different levels of authorization can
   be found in Section 13 of [RFC7483].

3.4.  Availability

   An RDAP service has to be available to be useful.  There are no RDAP-
   unique requirements to provide availability, but as a general
   security consideration, a service operator needs to be aware of the
   issues associated with denial of service.  A thorough reading of
   "Internet Denial-of-Service Considerations" [RFC4732] is advised.

   An RDAP service MAY use an HTTP throttling mechanism to limit the
   number of queries that a single client can send in a given period of
   time.  If used, the server SHOULD return an HTTP 429 (Too Many
   Requests) response code as described in "Additional HTTP Status
   Codes" [RFC6585].  A client that receives a 429 response SHOULD
   decrease its query rate and honor the Retry-After header field if one

Hollenbeck & Kong            Standards Track                    [Page 6]



RFC 7481                 RDAP Security Services               March 2015

   is present.  Note that this is not a defense against
   denial-of-service attacks, since a malicious client could ignore the
   code and continue to send queries at a high rate.  A server might use
   another response code if it did not wish to reveal to a client that
   rate limiting is the reason for the denial of a reply.

3.5.  Data Confidentiality

   WHOIS does not provide the ability to protect data from inadvertent
   disclosure while in transit.  RDAP uses HTTP over TLS [RFC2818] to
   provide that protection by encrypting all traffic sent on the
   connection between client and server.  HTTP over TLS MUST be used to
   protect all client-server exchanges unless operational constraints
   make it impossible to meet this requirement.  It is also possible to
   encrypt discrete objects (such as command path segments and JSON-
   encoded response objects) at one endpoint, send them to the other
   endpoint via an unprotected transport protocol, and decrypt the
   object on receipt.  Encryption algorithms as described in "Internet
   Security Glossary, Version 2" [RFC4949] are commonly used to provide
   data confidentiality at the object level.

   There are no current requirements for object-level data
   confidentiality using encryption.  Support for this feature could be
   added to RDAP in the future.

   As noted in Section 3.2, the HTTP "basic" authentication scheme can
   be used to authenticate a client.  When this scheme is used, HTTP
   over TLS MUST be used to protect the client's credentials from
   disclosure while in transit.  If the policy of the server operator
   requires encryption to protect client-server data exchanges (such as
   to protect non-public data that cannot be accessed without client
   identification and authentication), HTTP over TLS MUST be used to
   protect those exchanges.

   A description of privacy threats that can be addressed with
   confidentiality services can be found in Section 4.  Section 10.2.2
   of [RFC7483] describes status values that can be used to describe
   operator actions used to protect response data from disclosure to
   unauthorized clients.

3.6.  Data Integrity

   WHOIS does not provide the ability to protect data from modification
   while in transit.  Web services such as RDAP commonly use HTTP over
   TLS [RFC2818] to provide that protection by using a keyed Message
   Authentication Code (MAC) to detect modifications.  It is also
   possible to sign discrete objects (such as command path segments and
   JSON-encoded response objects) at one endpoint, send them to the

Hollenbeck & Kong            Standards Track                    [Page 7]



RFC 7481                 RDAP Security Services               March 2015

   other endpoint via a transport protocol, and validate the signature
   of the object on receipt.  Digital signature algorithms as described
   in "Internet Security Glossary, Version 2" [RFC4949] are commonly
   used to provide data integrity at the object level.

   There are no current requirements for object-level data integrity
   using digital signatures.  Support for this feature could be added to
   RDAP in the future.

   The most specific need for this service is to provide assurance that
   HTTP 30x redirection hints [RFC7231] and response elements returned
   from the server are not modified while in transit.  If the policy of
   the server operator requires message integrity for client-server data
   exchanges, HTTP over TLS MUST be used to protect those exchanges.

4.  Privacy Threats Associated with Registration Data

   Registration data has historically included personal data about
   registrants.  WHOIS services have historically made this information
   available to the public, creating a privacy risk by revealing the
   personal details of registrants.  WHOIS services have not had the
   benefit of authentication or access control mechanisms to gate access
   to registration data.  As a result of this, proxy and privacy
   services have arisen to shield the identities of registrants.

   The standardization of RDAP does not change or impact the data that
   operators may require to be collected from registrants, but it
   provides support for a number of mechanisms that may be used to
   mitigate privacy threats to registrants should operators choose to
   use them.

   RDAP includes mechanisms that can be used to authenticate clients,
   allowing servers to support tiered access based on local policy.
   This means that all registration data need no longer be public, and
   personal data or data that may be considered more sensitive can have
   its access restricted to specifically privileged clients.

   RDAP data structures allow servers to indicate via status values when
   data returned to clients has been made private, redacted, obscured,
   or registered by a proxy.  "Private" means that the data is not
   designated for public consumption.  "Redacted" means that some
   registration data fields are not being made available.  "Obscured"
   means that data has been altered for the purposes of not readily
   revealing the actual registration information.  One option that
   operators have available to them to reduce privacy risks to
   registrants is to adopt policies that make use of these status values
   to restrict the registrant data shared with any or all clients

Hollenbeck & Kong            Standards Track                    [Page 8]



RFC 7481                 RDAP Security Services               March 2015

   according to the sensitivity of the data, the privileges of the
   clients, or some other heuristics.

   RDAP uses the jCard [RFC7095] standard format for entity
   representation.  Operators may find that many of the jCard fields are
   irrelevant for registry operation purposes or that they have no
   reason to collect information from registrants that would correspond
   to certain fields.  Operators wishing to reduce privacy risks for
   registrants may restrict which information they collect and/or which
   fields they populate in responses.

   In addition to privacy risks to registrants, there are also potential
   privacy risks for those who query registration data.  For example,
   the fact that a registry employee performs a particular query may
   reveal information about the employee's activities that he or she
   would have preferred to keep private.  RDAP supports the use of HTTP
   over TLS to provide privacy protection for those querying registrant
   data as well as registrants, unless operational constraints make it
   impossible to meet this requirement.

5.  Security Considerations

   One of the goals of RDAP is to provide security services that do not
   exist in the WHOIS protocol.  This document describes the security
   services provided by RDAP and associated protocol layers, including
   authentication, authorization, availability, data confidentiality,
   and data integrity.  Non-repudiation services were also considered
   and ultimately rejected due to a lack of requirements.  There are,
   however, currently deployed WHOIS servers that can return signed
   responses that provide non-repudiation with proof of origin.  RDAP
   might need to be extended to provide this service in the future.

   As an HTTP-based protocol, RDAP is susceptible to code injection
   attacks.  Code injection refers to adding code into a computer system
   or program to alter the course of execution.  There are many types of
   code injection, including SQL injection, dynamic variable or function
   injection, include-file injection, shell injection, and HTML-script
   injection, among others.  Data confidentiality and integrity services
   provide a measure of defense against man-in-the-middle injection
   attacks, but vulnerabilities in both client- and server-side software
   make it possible for injection attacks to succeed.  Consistently
   checking and validating server credentials can help detect
   man-in-the-middle attacks.

   As noted in Section 3.2.1, digital certificates can be used to
   implement federated authentication.  There is a risk of too
   promiscuous, or even rogue, CAs being included in the list of
   acceptable CAs that the TLS server sends the client as part of the

Hollenbeck & Kong            Standards Track                    [Page 9]



RFC 7481                 RDAP Security Services               March 2015

   TLS client-authentication handshake and lending the appearance of
   trust to certificates signed by those CAs.  Periodic monitoring of
   the list of CAs that RDAP servers trust for client authentication can
   help reduce this risk.

   The Transport Layer Security protocol [RFC5246] includes a null
   cipher suite that does not encrypt data and thus does not provide
   data confidentiality.  This option MUST NOT be used when data
   confidentiality services are needed.  Additional considerations for
   secure use of TLS are described in [SECURE-TLS-DTLS].

   Data integrity services are sometimes mistakenly associated with
   directory service operational policy requirements focused on data
   accuracy.  "Accuracy" refers to the truthful association of data
   elements (such as names, addresses, and telephone numbers) in the
   context of a particular directory object (such as a domain name).
   Accuracy requirements are out of scope for this protocol.

   Additional security considerations are described in the
   specifications for HTTP [RFC7231], HTTP Basic and Digest access
   authentication [RFC7235], HTTP over TLS [RFC2818], and additional
   HTTP status codes [RFC6585].  Security considerations for federated
   authentication systems can be found in the OAuth [RFC6749] and OpenID
   [OpenID] specifications.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000,
              <http://www.rfc-editor.org/info/rfc2818>.

   [RFC6585]  Nottingham, M. and R. Fielding, "Additional HTTP Status
              Codes", RFC 6585, April 2012,
              <http://www.rfc-editor.org/info/rfc6585>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              June 2014, <http://www.rfc-editor.org/info/rfc7231>.

   [RFC7235]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Authentication", RFC 7235, June 2014,
              <http://www.rfc-editor.org/info/rfc7235>.

Hollenbeck & Kong            Standards Track                   [Page 10]



RFC 7481                 RDAP Security Services               March 2015

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", RFC 7480, March
              2015, <http://www.rfc-editor.org/info/rfc7480>.

   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
              Protocol (RDAP) Query Format", RFC 7482, March 2015,
              <http://www.rfc-editor.org/info/rfc7482>.

   [RFC7483]  Newton, A. and S. Hollenbeck, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", RFC 7483, March
              2015, <http://www.rfc-editor.org/info/rfc7483>.

6.2.  Informative References

   [OpenID]   OpenID Foundation, "OpenID Authentication 2.0 - Final",
              December 2007, <http://specs.openid.net/auth/2.0>.

   [RFC3707]  Newton, A., "Cross Registry Internet Service Protocol
              (CRISP) Requirements", RFC 3707, February 2004,
              <http://www.rfc-editor.org/info/rfc3707>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              September 2004, <http://www.rfc-editor.org/info/rfc3912>.

   [RFC4732]  Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet
              Denial-of-Service Considerations", RFC 4732, December
              2006, <http://www.rfc-editor.org/info/rfc4732>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", FYI
              36, RFC 4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008,
              <http://www.rfc-editor.org/info/rfc5246>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, October 2012,
              <http://www.rfc-editor.org/info/rfc6749>.

   [RFC7095]  Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095,
              January 2014, <http://www.rfc-editor.org/info/rfc7095>.

Hollenbeck & Kong            Standards Track                   [Page 11]



RFC 7481                 RDAP Security Services               March 2015

   [SAML]     OASIS, "Security Assertion Markup Language (SAML) v2.0",
              March 2005, <https://www.oasis-open.org/
              standards#samlv2.0>.

   [SECURE-TLS-DTLS]
              Sheffer, Y., Holz, R., and P. Saint-Andre,
              "Recommendations for Secure Use of TLS and DTLS", Work in
              Progress, draft-ietf-uta-tls-bcp-09, February 2015.

Hollenbeck & Kong            Standards Track                   [Page 12]



RFC 7481                 RDAP Security Services               March 2015

Acknowledgements

   The authors would like to acknowledge the following individuals for
   their contributions to this document: Richard Barnes, Marc Blanchet,
   Alissa Cooper, Ernie Dainow, Spencer Dawkins, Jean-Philippe Dionne,
   Byron Ellacott, Stephen Farrell, Tony Hansen, Peter Koch, Murray
   Kucherawy, Barry Leiba, Andrew Newton, and Linlin Zhou.

Authors' Addresses

   Scott Hollenbeck
   Verisign Labs
   12061 Bluemont Way
   Reston, VA  20190
   United States

   EMail: shollenbeck@verisign.com
   URI:   http://www.verisignlabs.com/

   Ning Kong
   China Internet Network Information Center
   4 South 4th Street, Zhongguancun, Haidian District
   Beijing  100190
   China

   Phone: +86 10 5881 3147
   EMail: nkong@cnnic.cn

Hollenbeck & Kong            Standards Track                   [Page 13]




=========================================================================

Internet Engineering Task Force (IETF)                     S. Hollenbeck
Request for Comments: 9082                                 Verisign Labs
STD: 95                                                        A. Newton
Obsoletes: 7482                                                      AWS
Category: Standards Track                                      June 2021
ISSN: 2070-1721

         Registration Data Access Protocol (RDAP) Query Format

Abstract

   This document describes uniform patterns to construct HTTP URLs that
   may be used to retrieve registration information from registries
   (including both Regional Internet Registries (RIRs) and Domain Name
   Registries (DNRs)) using "RESTful" web access patterns.  These
   uniform patterns define the query syntax for the Registration Data
   Access Protocol (RDAP).  This document obsoletes RFC 7482.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9082.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
     2.1.  Acronyms and Abbreviations
   3.  Path Segment Specification
     3.1.  Lookup Path Segment Specification
       3.1.1.  IP Network Path Segment Specification
       3.1.2.  Autonomous System Path Segment Specification
       3.1.3.  Domain Path Segment Specification
       3.1.4.  Nameserver Path Segment Specification
       3.1.5.  Entity Path Segment Specification
       3.1.6.  Help Path Segment Specification
     3.2.  Search Path Segment Specification
       3.2.1.  Domain Search
       3.2.2.  Nameserver Search
       3.2.3.  Entity Search
   4.  Query Processing
     4.1.  Partial String Searching
     4.2.  Associated Records
   5.  Extensibility
   6.  Internationalization Considerations
     6.1.  Character Encoding Considerations
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Changes from RFC 7482
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document describes a specification for querying registration
   data using a RESTful web service and uniform query patterns.  The
   service is implemented using the Hypertext Transfer Protocol (HTTP)
   [RFC7230] and the conventions described in [RFC7480].  These uniform
   patterns define the query syntax for the Registration Data Access
   Protocol (RDAP).  This document obsoletes RFC 7482.

   The protocol described in this specification is intended to address
   deficiencies with the WHOIS protocol [RFC3912] that have been
   identified over time, including:

   *  lack of standardized command structures;

   *  lack of standardized output and error structures;

   *  lack of support for internationalization and localization; and

   *  lack of support for user identification, authentication, and
      access control.

   The patterns described in this document purposefully do not encompass
   all of the methods employed in the WHOIS and other RESTful web
   services used by the RIRs and DNRs.  The intent of the patterns
   described here is to enable queries of:

   *  networks by IP address;

   *  Autonomous System (AS) numbers by number;

   *  reverse DNS metadata by domain;

   *  nameservers by name; and

   *  entities (such as registrars and contacts) by identifier.

   Server implementations are free to support only a subset of these
   features depending on local requirements.  Servers MUST return an
   HTTP 501 (Not Implemented) [RFC7231] response to inform clients of
   unsupported query types.  It is also envisioned that each registry
   will continue to maintain WHOIS and/or other RESTful web services
   specific to their needs and those of their constituencies, and the
   information retrieved through the patterns described here may
   reference such services.

   Likewise, future IETF specifications may add additional patterns for
   additional query types.  A simple pattern namespacing scheme is
   described in Section 5 to accommodate custom extensions that will not
   interfere with the patterns defined in this document or patterns
   defined in future IETF specifications.

   WHOIS services, in general, are read-only services.  Accordingly, URL
   [RFC3986] patterns specified in this document are only applicable to
   the HTTP [RFC7231] GET and HEAD methods.

   This document does not describe the results or entities returned from
   issuing the described URLs with an HTTP GET.  The specification of
   these entities is described in [RFC9083].

   Additionally, resource management, provisioning, and update functions
   are out of scope for this document.  Registries have various and
   divergent methods covering these functions, and it is unlikely a
   uniform approach is needed for interoperability.

   HTTP contains mechanisms for servers to authenticate clients and for
   clients to authenticate servers (from which authorization schemes may
   be built), so such mechanisms are not described in this document.
   Policy, provisioning, and processing of authentication and
   authorization are out of scope for this document as deployments will
   have to make choices based on local criteria.  Supported
   authentication mechanisms are described in [RFC7481].

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.1.  Acronyms and Abbreviations

   IDN:  Internationalized Domain Name, a fully-qualified domain name
      containing one or more labels that are intended to include one or
      more Unicode code points outside the ASCII range (cf. "domain
      name", "fully-qualified domain name", and "internationalized
      domain name" in RFC 8499 [RFC8499]).

   IDNA:  Internationalized Domain Names in Applications, a protocol for
      the handling of IDNs.  In this document, "IDNA" refers
      specifically to the version of those specifications known as
      "IDNA2008" [RFC5890].

   DNR:  Domain Name Registry or Domain Name Registrar

   NFC:  Unicode Normalization Form C [Unicode-UAX15]

   NFKC:  Unicode Normalization Form KC [Unicode-UAX15]

   RDAP:  Registration Data Access Protocol

   REST:  Representational State Transfer.  The term was first described
      in a doctoral dissertation [REST].

   RESTful:  An adjective that describes a service using HTTP and the
      principles of REST.

   RIR:  Regional Internet Registry

3.  Path Segment Specification

   The base URLs used to construct RDAP queries are maintained in an
   IANA registry (the "bootstrap registry") described in [RFC7484].
   Queries are formed by retrieving an appropriate base URL from the
   registry and appending a path segment specified in either Sections
   3.1 or 3.2.  Generally, a registry or other service provider will
   provide a base URL that identifies the protocol, host, and port, and
   this will be used as a base URL that the complete URL is resolved
   against, as per Section 5 of RFC 3986 [RFC3986].  For example, if the
   base URL is "https://example.com/rdap/", all RDAP query URLs will
   begin with "https://example.com/rdap/".

   The bootstrap registry does not contain information for query objects
   that are not part of a global namespace, including entities and help.
   A base URL for an associated object is required to construct a
   complete query.  This limitation can be overcome for entities by
   using the practice described in RFC 8521 [RFC8521].

   For entities, a base URL is retrieved for the service (domain,
   address, etc.) associated with a given entity.  The query URL is
   constructed by concatenating the base URL with the entity path
   segment specified in either Sections 3.1.5 or 3.2.3.

   For help, a base URL is retrieved for any service (domain, address,
   etc.) for which additional information is required.  The query URL is
   constructed by concatenating the base URL with the help path segment
   specified in Section 3.1.6.

3.1.  Lookup Path Segment Specification

   A simple lookup to determine if an object exists (or not) without
   returning RDAP-encoded results can be performed using the HTTP HEAD
   method as described in Section 4.1 of [RFC7480].

   The resource type path segments for exact match lookup are:

   'ip':  Used to identify IP networks and associated data referenced
      using either an IPv4 or IPv6 address.

   'autnum':  Used to identify Autonomous System number registrations
      and associated data referenced using an asplain Autonomous System
      number.

   'domain':  Used to identify reverse DNS (RIR) or domain name (DNR)
      information and associated data referenced using a fully qualified
      domain name.

   'nameserver':  Used to identify a nameserver information query using
      a host name.

   'entity':  Used to identify an entity information query using a
      string identifier.

3.1.1.  IP Network Path Segment Specification

   Syntax:  ip/<IP address> or ip/<CIDR prefix>/<CIDR length>

   Queries for information about IP networks are of the form /ip/XXX or
   /ip/XXX/YY where the path segment following 'ip' is either an IPv4
   dotted decimal or IPv6 [RFC5952] address (i.e., XXX) or an IPv4 or
   IPv6 Classless Inter-domain Routing (CIDR) [RFC4632] notation address
   block (i.e., XXX/YY).  Semantically, the simpler form using the
   address can be thought of as a CIDR block with a prefix length of 32
   for IPv4 and a prefix length of 128 for IPv6.  A given specific
   address or CIDR may fall within multiple IP networks in a hierarchy
   of networks; therefore, this query targets the "most-specific" or
   smallest IP network that completely encompasses it in a hierarchy of
   IP networks.

   The IPv4 and IPv6 address formats supported in this query are
   described in Section 3.2.2 of RFC 3986 [RFC3986] as IPv4address and
   IPv6address ABNF definitions.  Any valid IPv6 text address format
   [RFC4291] can be used.  This includes IPv6 addresses written using
   with or without compressed zeros and IPv6 addresses containing
   embedded IPv4 addresses.  The rules to write a text representation of
   an IPv6 address [RFC5952] are RECOMMENDED.  However, the zone_id
   [RFC4007] is not appropriate in this context; therefore, the
   corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT be
   used, and servers SHOULD ignore it.

   For example, the following URL would be used to find information for
   the most specific network containing 192.0.2.0:

   https://example.com/rdap/ip/192.0.2.0

   The following URL would be used to find information for the most
   specific network containing 192.0.2.0/24:

   https://example.com/rdap/ip/192.0.2.0/24

   The following URL would be used to find information for the most
   specific network containing 2001:db8::

   https://example.com/rdap/ip/2001:db8::

3.1.2.  Autonomous System Path Segment Specification

   Syntax:  autnum/<autonomous system number>

   Queries for information regarding Autonomous System number
   registrations are of the form /autnum/XXX where XXX is an asplain
   Autonomous System number [RFC5396].  In some registries, registration
   of Autonomous System numbers is done on an individual number basis,
   while other registries may register blocks of Autonomous System
   numbers.  The semantics of this query are such that if a number falls
   within a range of registered blocks, the target of the query is the
   block registration and that individual number registrations are
   considered a block of numbers with a size of 1.

   For example, the following URL would be used to find information
   describing Autonomous System number 12 (a number within a range of
   registered blocks):

   https://example.com/rdap/autnum/12

   The following URL would be used to find information describing 4-byte
   Autonomous System number 65538:

   https://example.com/rdap/autnum/65538

3.1.3.  Domain Path Segment Specification

   Syntax:  domain/<domain name>

   Queries for domain information are of the form /domain/XXXX, where
   XXXX is a fully qualified (relative to the root) domain name (as
   specified in [RFC952] and [RFC1123]) in either the in-addr.arpa or
   ip6.arpa zones (for RIRs) or a fully qualified domain name in a zone
   administered by the server operator (for DNRs).  Internationalized
   Domain Names (IDNs) represented in either A-label or U-label format
   [RFC5890] are also valid domain names.  See Section 6.1 for
   information on character encoding for the U-label format.

   IDNs SHOULD NOT be represented as a mixture of A-labels and U-labels;
   that is, internationalized labels in an IDN SHOULD be either all
   A-labels or all U-labels.  It is possible for an RDAP client to
   assemble a query string from multiple independent data sources.  Such
   a client might not be able to perform conversions between A-labels
   and U-labels.  An RDAP server that receives a query string with a
   mixture of A-labels and U-labels MAY convert all the U-labels to
   A-labels, perform IDNA processing, and proceed with exact-match
   lookup.  In such cases, the response to be returned to the query
   source may not match the input from the query source.  Alternatively,
   the server MAY refuse to process the query.

   The server MAY perform the match using either the A-label or U-label
   form.  Using one consistent form for matching every label is likely
   to be more reliable.

   The following URL would be used to find information describing the
   zone serving the network 192.0.2/24:

   https://example.com/rdap/domain/2.0.192.in-addr.arpa

   The following URL would be used to find information describing the
   zone serving the network 2001:db8:1::/48:

   https://example.com/rdap/domain/1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa

   The following URL would be used to find information for the
   blah.example.com domain name:

   https://example.com/rdap/domain/blah.example.com

   The following URL would be used to find information for the
   xn--fo-5ja.example IDN:

   https://example.com/rdap/domain/xn--fo-5ja.example

3.1.4.  Nameserver Path Segment Specification

   Syntax:  nameserver/<nameserver name>

   The <nameserver name> parameter represents a fully qualified host
   name as specified in [RFC952] and [RFC1123].  Internationalized
   names represented in either A-label or U-label format [RFC5890] are
   also valid nameserver names.  IDN processing for nameserver names
   uses the domain name processing instructions specified in
   Section 3.1.3.  See Section 6.1 for information on character encoding
   for the U-label format.

   The following URL would be used to find information for the
   ns1.example.com nameserver:

   https://example.com/rdap/nameserver/ns1.example.com

   The following URL would be used to find information for the
   ns1.xn--fo-5ja.example nameserver:

   https://example.com/rdap/nameserver/ns1.xn--fo-5ja.example

3.1.5.  Entity Path Segment Specification

   Syntax:  entity/<handle>

   The <handle> parameter represents an entity (such as a contact,
   registrant, or registrar) identifier whose syntax is specific to the
   registration provider.  For example, for some DNRs, contact
   identifiers are specified in [RFC5730] and [RFC5733].

   The following URL would be used to find information for the entity
   associated with handle XXXX:

   https://example.com/rdap/entity/XXXX

3.1.6.  Help Path Segment Specification

   Syntax:  help

   The help path segment can be used to request helpful information
   (command syntax, terms of service, privacy policy, rate-limiting
   policy, supported authentication methods, supported extensions,
   technical support contact, etc.) from an RDAP server.  The response
   to "help" should provide basic information that a client needs to
   successfully use the service.  The following URL would be used to
   return "help" information:

   https://example.com/rdap/help

3.2.  Search Path Segment Specification

   Pattern matching semantics are described in Section 4.1.  The
   resource type path segments for search are:

   'domains':  Used to identify a domain name information search using a
      pattern to match a fully qualified domain name.

   'nameservers':  Used to identify a nameserver information search
      using a pattern to match a host name.

   'entities':  Used to identify an entity information search using a
      pattern to match a string identifier.

   RDAP search path segments are formed using a concatenation of the
   plural form of the object being searched for and an HTTP query
   string.  The HTTP query string is formed using a concatenation of the
   question mark character ('?', US-ASCII value 0x003F), a noun
   representing the JSON object property associated with the object
   being searched for, the equal sign character ('=', US-ASCII value
   0x003D), and the search pattern (this is in contrast to the more
   generic HTTP query string that allows multiple simultaneous
   parameters).  Search pattern query processing is described more fully
   in Section 4.  For the domain, nameserver, and entity objects
   described in this document, the plural object forms are "domains",
   "nameservers", and "entities".

   Detailed results can be retrieved using the HTTP GET method and the
   path segments specified here.

3.2.1.  Domain Search

   Syntax:  domains?name=<domain search pattern>

   Syntax:  domains?nsLdhName=<nameserver search pattern>

   Syntax:  domains?nsIp=<nameserver IP address>

   Searches for domain information by name are specified using this
   form:

   domains?name=XXXX

   XXXX is a search pattern representing a domain name in "letters,
   digits, hyphen" (LDH) format [RFC5890].  The following URL would be
   used to find DNR information for domain names matching the
   "example*.com" pattern:

   https://example.com/rdap/domains?name=example*.com

   IDNs in U-label format [RFC5890] can also be used as search patterns
   (see Section 4).  Searches for these names are of the form
   /domains?name=XXXX, where XXXX is a search pattern representing a
   domain name in U-label format [RFC5890].  See Section 6.1 for
   information on character encoding for the U-label format.

   Searches for domain information by nameserver name are specified
   using this form:

   domains?nsLdhName=YYYY

   YYYY is a search pattern representing a host name in "letters,
   digits, hyphen" format [RFC5890].  The following URL would be used to
   search for domains delegated to nameservers matching the
   "ns1.example*.com" pattern:

   https://example.com/rdap/domains?nsLdhName=ns1.example*.com

   Searches for domain information by nameserver IP address are
   specified using this form:

   domains?nsIp=ZZZZ

   ZZZZ is an IPv4 [RFC1166] or IPv6 [RFC5952] address.  The following
   URL would be used to search for domains that have been delegated to
   nameservers that resolve to the "192.0.2.0" address:

   https://example.com/rdap/domains?nsIp=192.0.2.0

3.2.2.  Nameserver Search

   Syntax:  nameservers?name=<nameserver search pattern>

   Syntax:  nameservers?ip=<nameserver IP address>

   Searches for nameserver information by nameserver name are specified
   using this form:

   nameservers?name=XXXX

   XXXX is a search pattern representing a host name in "letters,
   digits, hyphen" format [RFC5890].  The following URL would be used to
   find information for nameserver names matching the "ns1.example*.com"
   pattern:

   https://example.com/rdap/nameservers?name=ns1.example*.com

   Internationalized nameserver names in U-label format [RFC5890] can
   also be used as search patterns (see Section 4).  Searches for these
   names are of the form /nameservers?name=XXXX, where XXXX is a search
   pattern representing a nameserver name in U-label format [RFC5890].
   See Section 6.1 for information on character encoding for the U-label
   format.

   Searches for nameserver information by nameserver IP address are
   specified using this form:

   nameservers?ip=YYYY

   YYYY is an IPv4 [RFC1166] or IPv6 [RFC5952] address.  The following
   URL would be used to search for nameserver names that resolve to the
   "192.0.2.0" address:

   https://example.com/rdap/nameservers?ip=192.0.2.0

3.2.3.  Entity Search

   Syntax:  entities?fn=<entity name search pattern>

   Syntax:  entities?handle=<entity handle search pattern>

   Searches for entity information by name are specified using this
   form:

   entities?fn=XXXX

   XXXX is a search pattern representing the "fn" property of an entity
   (such as a contact, registrant, or registrar) name as described in
   Section 5.1 of [RFC9083].  The following URL would be used to find
   information for entity names matching the "Bobby Joe*" pattern:

   https://example.com/rdap/entities?fn=Bobby%20Joe*

   Searches for entity information by handle are specified using this
   form:

   entities?handle=XXXX

   XXXX is a search pattern representing an entity (such as a contact,
   registrant, or registrar) identifier whose syntax is specific to the
   registration provider.  The following URL would be used to find
   information for entity handles matching the "CID-40*" pattern:

   https://example.com/rdap/entities?handle=CID-40*

   URLs MUST be properly encoded according to the rules of [RFC3986].
   In the example above, "Bobby Joe*" is encoded to "Bobby%20Joe*".

4.  Query Processing

   Servers indicate the success or failure of query processing by
   returning an appropriate HTTP response code to the client.  Response
   codes not specifically identified in this document are described in
   [RFC7480].

4.1.  Partial String Searching

   Partial string searching uses the asterisk ('*', US-ASCII value 0x2A)
   character to match zero or more trailing characters.  A character
   string representing a domain label suffix MAY be concatenated to the
   end of the search pattern to limit the scope of the search.  For
   example, the search pattern "exam*" will match "example.com" and
   "example.net".  The search pattern "exam*.com" will match
   "example.com".  If an asterisk appears in a search string, any label
   that contains the non-asterisk characters in sequence plus zero or
   more characters in sequence in place of the asterisk would match.  A
   partial string search MUST NOT include more than one asterisk.
   Additional pattern matching processing is beyond the scope of this
   specification.

   If a server receives a search request but cannot process the request
   because it does not support a particular style of partial match
   searching, it SHOULD return an HTTP 422 (Unprocessable Entity)
   [RFC4918] response (unless another response code is more appropriate
   based on a server's policy settings) to note that search
   functionality is supported, but this particular query cannot be
   processed.  When returning a 422 error, the server MAY also return an
   error response body as specified in Section 6 of [RFC9083] if the
   requested media type is one that is specified in [RFC7480].

   Partial matching is not feasible across combinations of Unicode
   characters because Unicode characters can be combined with each
   other.  Servers SHOULD NOT partially match combinations of Unicode
   characters where a legal combination is possible.  It should be
   noted, though, that it may not always be possible to detect cases
   where a character could have been combined with another character,
   but was not, because characters can be combined in many different
   ways.

   Clients SHOULD NOT submit a partial match search of Unicode
   characters where a Unicode character may be legally combined with
   another Unicode character or characters.  Partial match searches with
   incomplete combinations of characters where a character must be
   combined with another character or characters are invalid.  Partial
   match searches with characters that may be combined with another
   character or characters are to be considered non-combined characters
   (that is, if character x may be combined with character y but
   character y is not submitted in the search string, then character x
   is a complete character and no combinations of character x are to be
   searched).

4.2.  Associated Records

   Conceptually, any query-matching record in a server's database might
   be a member of a set of related records, related in some fashion as
   defined by the server -- for example, variants of an IDN.  The entire
   set ought to be considered as candidates for inclusion when
   constructing the response.  However, the construction of the final
   response needs to be mindful of privacy and other data-releasing
   policies when assembling the RDAP response set.

   Note too that due to the nature of searching, there may be a list of
   query-matching records.  Each one of those is subject to being a
   member of a set as described in the previous paragraph.  What is
   ultimately returned in a response will be the union of all the sets
   that has been filtered by whatever policies are in place.

   Note that this model includes arrangements for associated names,
   including those that are linked by policy mechanisms and names bound
   together for some other purposes.  Note also that returning
   information that was not explicitly selected by an exact-match
   lookup, including additional names that match a relatively fuzzy
   search as well as lists of names that are linked together, may cause
   privacy issues.

   Note that there might not be a single, static information return
   policy that applies to all clients equally.  Client identity and
   associated authorizations can be a relevant factor in determining how
   broad the response set will be for any particular query.

5.  Extensibility

   This document describes path segment specifications for a limited
   number of objects commonly registered in both RIRs and DNRs.  It does
   not attempt to describe path segments for all of the objects
   registered in all registries.  Custom path segments can be created
   for objects not specified here using the process described in
   Section 6 of "HTTP Usage in the Registration Data Access Protocol
   (RDAP)" [RFC7480].

   Custom path segments can be created by prefixing the segment with a
   unique identifier followed by an underscore character (0x5F).  For
   example, a custom entity path segment could be created by prefixing
   "entity" with "custom_", producing "custom_entity".  Servers MUST
   return an appropriate failure status code for a request with an
   unrecognized path segment.

6.  Internationalization Considerations

   There is value in supporting the ability to submit either a U-label
   (Unicode form of an IDN label) or an A-label (US-ASCII form of an IDN
   label) as a query argument to an RDAP service.  Clients capable of
   processing non-US-ASCII characters may prefer a U-label since this is
   more visually recognizable and familiar than A-label strings, but
   clients using programmatic interfaces might find it easier to submit
   and display A-labels if they are unable to input U-labels with their
   keyboard configuration.  Both query forms are acceptable.

   Internationalized domain and nameserver names can contain character
   variants and variant labels as described in [RFC4290].  Clients that
   support queries for internationalized domain and nameserver names
   MUST accept service provider responses that describe variants as
   specified in "JSON Responses for the Registration Data Access
   Protocol (RDAP)" [RFC9083].

6.1.  Character Encoding Considerations

   Servers can expect to receive search patterns from clients that
   contain character strings encoded in different forms supported by
   HTTP.  It is entirely possible to apply filters and normalization
   rules to search patterns prior to making character comparisons, but
   this type of processing is more typically needed to determine the
   validity of registered strings than to match patterns.

   An RDAP client submitting a query string containing non-US-ASCII
   characters converts such strings into Unicode in UTF-8 encoding.  It
   then performs any local case mapping deemed necessary.  Strings are
   normalized using Normalization Form C (NFC) [Unicode-UAX15]; note
   that clients might not be able to do this reliably.  UTF-8 encoded
   strings are then appropriately percent-encoded [RFC3986] in the query
   URL.

   After parsing any percent-encoding, an RDAP server treats each query
   string as Unicode in UTF-8 encoding.  If a string is not valid UTF-8,
   the server can immediately stop processing the query and return an
   HTTP 400 (Bad Request) response.

   When processing queries, there is a difference in handling DNS names,
   including those with putative U-labels, and everything else.  DNS
   names are treated according to the DNS matching rules as described in
   Section 3.1 of RFC 1035 [RFC1035] for Non-Reserved LDH (NR-LDH)
   labels and the matching rules described in Section 5.4 of RFC 5891
   [RFC5891] for U-labels.  Matching of DNS names proceeds one label at
   a time because it is possible for a combination of U-labels and NR-
   LDH labels to be found in a single domain or host name.  The
   determination of whether a label is a U-label or an NR-LDH label is
   based on whether the label contains any characters outside of the US-
   ASCII letters, digits, or hyphen (the so-called LDH rule).

   For everything else, servers map fullwidth and halfwidth characters
   to their decomposition equivalents.  Servers convert strings to the
   same coded character set of the target data that is to be looked up
   or searched, and each string is normalized using the same
   normalization that was used on the target data.  In general, storage
   of strings as Unicode is RECOMMENDED.  For the purposes of
   comparison, Normalization Form KC (NFKC) [Unicode-UAX15] with case
   folding is used to maximize predictability and the number of matches.
   Note the use of case-folded NFKC as opposed to NFC in this case.

7.  IANA Considerations

   This document has no IANA actions.

8.  Security Considerations

   Security services for the operations specified in this document are
   described in "Security Services for the Registration Data Access
   Protocol (RDAP)" [RFC7481].

   Search functionality typically requires more server resources (such
   as memory, CPU cycles, and network bandwidth) when compared to basic
   lookup functionality.  This increases the risk of server resource
   exhaustion and subsequent denial of service due to abuse.  This risk
   can be mitigated by developing and implementing controls to restrict
   search functionality to identified and authorized clients.  If those
   clients behave badly, their search privileges can be suspended or
   revoked.  Rate limiting as described in Section 5.5 of "HTTP Usage in
   the Registration Data Access Protocol (RDAP)" [RFC7480] can also be
   used to control the rate of received search requests.  Server
   operators can also reduce their risk by restricting the amount of
   information returned in response to a search request.

   Search functionality also increases the privacy risk of disclosing
   object relationships that might not otherwise be obvious.  For
   example, a search that returns IDN variants [RFC6927] that do not
   explicitly match a client-provided search pattern can disclose
   information about registered domain names that might not be otherwise
   available.  Implementers need to consider the policy and privacy
   implications of returning information that was not explicitly
   requested.

   Note that there might not be a single, static information return
   policy that applies to all clients equally.  Client identity and
   associated authorizations can be a relevant factor in determining how
   broad the response set will be for any particular query.

9.  References

9.1.  Normative References

   [RFC952]  Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet
              host table specification", RFC 952, DOI 10.17487/RFC952,
              October 1985, <https://www.rfc-editor.org/info/rfc952>.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <https://www.rfc-editor.org/info/rfc1035>.

   [RFC1123]  Braden, R., Ed., "Requirements for Internet Hosts -
              Application and Support", STD 3, RFC 1123,
              DOI 10.17487/RFC1123, October 1989,
              <https://www.rfc-editor.org/info/rfc1123>.

   [RFC1166]  Kirkpatrick, S., Stahl, M., and M. Recker, "Internet
              numbers", RFC 1166, DOI 10.17487/RFC1166, July 1990,
              <https://www.rfc-editor.org/info/rfc1166>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <https://www.rfc-editor.org/info/rfc4291>.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
              2006, <https://www.rfc-editor.org/info/rfc4632>.

   [RFC4918]  Dusseault, L., Ed., "HTTP Extensions for Web Distributed
              Authoring and Versioning (WebDAV)", RFC 4918,
              DOI 10.17487/RFC4918, June 2007,
              <https://www.rfc-editor.org/info/rfc4918>.

   [RFC5396]  Huston, G. and G. Michaelson, "Textual Representation of
              Autonomous System (AS) Numbers", RFC 5396,
              DOI 10.17487/RFC5396, December 2008,
              <https://www.rfc-editor.org/info/rfc5396>.

   [RFC5730]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
              STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
              <https://www.rfc-editor.org/info/rfc5730>.

   [RFC5733]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
              Contact Mapping", STD 69, RFC 5733, DOI 10.17487/RFC5733,
              August 2009, <https://www.rfc-editor.org/info/rfc5733>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891,
              DOI 10.17487/RFC5891, August 2010,
              <https://www.rfc-editor.org/info/rfc5891>.

   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
              Address Text Representation", RFC 5952,
              DOI 10.17487/RFC5952, August 2010,
              <https://www.rfc-editor.org/info/rfc5952>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <https://www.rfc-editor.org/info/rfc7230>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7480, DOI 10.17487/RFC7480, March 2015,
              <https://www.rfc-editor.org/info/rfc7480>.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7481, DOI 10.17487/RFC7481, March 2015,
              <https://www.rfc-editor.org/info/rfc7481>.

   [RFC7484]  Blanchet, M., "Finding the Authoritative Registration Data
              (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
              2015, <https://www.rfc-editor.org/info/rfc7484>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8499]  Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
              Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
              January 2019, <https://www.rfc-editor.org/info/rfc8499>.

   [RFC9083]  Hollenbeck, S. and A. Newton, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 9083, DOI 10.17487/RFC9083, June 2021,
              <https://www.rfc-editor.org/info/rfc9083>.

   [Unicode-UAX15]
              The Unicode Consortium, "Unicode Standard Annex #15:
              Unicode Normalization Forms", September 2013,
              <https://www.unicode.org/reports/tr15/>.

9.2.  Informative References

   [REST]     Fielding, R., "Architectural Styles and the Design of
              Network-based Software Architectures", Ph.D.
              Dissertation, University of California, Irvine, 2000,
              <https://www.ics.uci.edu/~fielding/pubs/dissertation/
              fielding_dissertation.pdf>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              DOI 10.17487/RFC3912, September 2004,
              <https://www.rfc-editor.org/info/rfc3912>.

   [RFC4007]  Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
              B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
              DOI 10.17487/RFC4007, March 2005,
              <https://www.rfc-editor.org/info/rfc4007>.

   [RFC4290]  Klensin, J., "Suggested Practices for Registration of
              Internationalized Domain Names (IDN)", RFC 4290,
              DOI 10.17487/RFC4290, December 2005,
              <https://www.rfc-editor.org/info/rfc4290>.

   [RFC6874]  Carpenter, B., Cheshire, S., and R. Hinden, "Representing
              IPv6 Zone Identifiers in Address Literals and Uniform
              Resource Identifiers", RFC 6874, DOI 10.17487/RFC6874,
              February 2013, <https://www.rfc-editor.org/info/rfc6874>.

   [RFC6927]  Levine, J. and P. Hoffman, "Variants in Second-Level Names
              Registered in Top-Level Domains", RFC 6927,
              DOI 10.17487/RFC6927, May 2013,
              <https://www.rfc-editor.org/info/rfc6927>.

   [RFC8521]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
              DOI 10.17487/RFC8521, November 2018,
              <https://www.rfc-editor.org/info/rfc8521>.

Appendix A.  Changes from RFC 7482

   *  Addressed known errata.

   *  Addressed other reported clarifications and corrections: IDN,
      IDNA, and DNR definitions.  Noted that registrars are entities.
      Added a reference to RFC 8521 to address the bootstrap registry
      limitation.  Removed extraneous "...".  Clarified HTTP query
      string, search pattern, name server search, domain label suffix,
      and asterisk search.

   *  Addressed "The HTTP query string" clarification.

   *  Modified coauthor address.

   *  Updated references to RFC 7483 to RFC 9083.

   *  Added an IANA Considerations section.  Changed references to use
      HTTPS for targets.

   *  Changed "XXXX is a search pattern representing the "FN" property
      of an entity (such as a contact, registrant, or registrar) name as
      specified in Section 5.1" to "Changed "XXXX is a search pattern
      representing the "fn" property of an entity (such as a contact,
      registrant, or registrar) name as described in Section 5.1".

   *  Added acknowledgments.

   *  Changed "The intent of the patterns described here are to enable
      queries" to "The intent of the patterns described here is to
      enable queries".

   *  Changed "the corresponding syntax extension in RFC 6874 [RFC6874]
      MUST NOT be used, and servers are to ignore it if possible" to
      "the corresponding syntax extension in RFC 6874 [RFC6874] MUST NOT
      be used, and servers SHOULD ignore it".

   *  Changed "Only a single asterisk is allowed for a partial string
      search" to "A partial string search MUST NOT include more than one
      asterisk".

   *  Changed "Clients should avoid submitting a partial match search of
      Unicode characters where a Unicode character may be legally
      combined with another Unicode character or characters" to "Clients
      SHOULD NOT submit a partial match search of Unicode characters
      where a Unicode character may be legally combined with another
      Unicode character or characters".

   *  Changed description of nameserver IP address "search pattern" in
      Sections 3.2.1 and 3.2.2.

   *  IESG review feedback: Added "obsoletes 7482" to the headers,
      Abstract, and Introduction.  Changed "IETF standards" to "IETF
      specifications" and "Therefore" to "Accordingly" in Section 1.
      Updated the BCP 14 boilerplate.  Added definition of "bootstrap
      registry" and changed "concatenating ... to" to "concatenating ...
      with" in Section 3.  Changed "bitmask length" to "prefix length"
      and "2001:db8::0" to "2001:db8::" in Section 3.1.1.  Added "in
      contrast to the more generic HTTP query string that admits
      multiple simultaneous parameters" in Section 3.2.  Changed
      "0x002A" to "0x2A" in Section 4.1.  Clarified use of HTTP 422
      SHOULD in Section 4.1.

Acknowledgments

   This document is derived from original work on RIR query formats
   developed by Byron J. Ellacott of APNIC, Arturo L. Servin of LACNIC,
   Kaveh Ranjbar of the RIPE NCC, and Andrew L. Newton of ARIN.
   Additionally, this document incorporates DNR query formats originally
   described by Francisco Arias and Steve Sheng of ICANN and Scott
   Hollenbeck of Verisign Labs.

   The authors would like to acknowledge the following individuals for
   their contributions to this document: Francisco Arias, Marc Blanchet,
   Ernie Dainow, Jean-Philippe Dionne, Byron J. Ellacott, Behnam
   Esfahbod, John Klensin, John Levine, Edward Lewis, Mario Loffredo,
   Patrick Mevzek, Mark Nottingham, Kaveh Ranjbar, Arturo L. Servin,
   Steve Sheng, Jasdip Singh, and Andrew Sullivan.

Authors' Addresses

   Scott Hollenbeck
   Verisign Labs
   12061 Bluemont Way
   Reston, VA 20190
   United States of America

   Email: shollenbeck@verisign.com
   URI:   https://www.verisignlabs.com/

   Andy Newton
   Amazon Web Services, Inc.
   13200 Woodland Park Road
   Herndon, VA 20171
   United States of America

   Email: andy@hxr.us

=========================================================================

Internet Engineering Task Force (IETF)                     S. Hollenbeck
Request for Comments: 9083                                 Verisign Labs
STD: 95                                                        A. Newton
Obsoletes: 7483                                                      AWS
Category: Standards Track                                      June 2021
ISSN: 2070-1721

    JSON Responses for the Registration Data Access Protocol (RDAP)

Abstract

   This document describes JSON data structures representing
   registration information maintained by Regional Internet Registries
   (RIRs) and Domain Name Registries (DNRs).  These data structures are
   used to form Registration Data Access Protocol (RDAP) query
   responses.  This document obsoletes RFC 7483.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9083.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology and Definitions
     1.2.  Data Model
   2.  Use of JSON
     2.1.  Naming
   3.  Common Data Types
   4.  Common Data Structures
     4.1.  RDAP Conformance
     4.2.  Links
     4.3.  Notices and Remarks
     4.4.  Language Identifier
     4.5.  Events
     4.6.  Status
     4.7.  Port 43 WHOIS Server
     4.8.  Public IDs
     4.9.  Object Class Name
     4.10. An Example
   5.  Object Classes
     5.1.  The Entity Object Class
     5.2.  The Nameserver Object Class
     5.3.  The Domain Object Class
     5.4.  The IP Network Object Class
     5.5.  The Autonomous System Number Object Class
   6.  Error Response Body
   7.  Responding to Help Queries
   8.  Responding To Searches
   9.  Indicating Truncated Responses
   10. IANA Considerations
     10.1.  RDAP JSON Media Type Registration
     10.2.  JSON Values Registry
       10.2.1.  Notice and Remark Types
       10.2.2.  Status
       10.2.3.  Event Actions
       10.2.4.  Roles
       10.2.5.  Variant Relations
   11. Security Considerations
   12. Internationalization Considerations
     12.1.  Character Encoding
     12.2.  URIs and IRIs
     12.3.  Language Tags
     12.4.  Internationalized Domain Names
   13. Privacy Considerations
   14. References
     14.1.  Normative References
     14.2.  Informative References
   Appendix A.  Suggested Data Modeling with the Entity Object Class
     A.1.  Registrants and Contacts
     A.2.  Registrars
   Appendix B.  Modeling Events
   Appendix C.  Structured vs. Unstructured Addresses
   Appendix D.  Secure DNS
   Appendix E.  Motivations for Using JSON
   Appendix F.  Changes from RFC 7483
   Acknowledgments
   Authors' Addresses

1.  Introduction

   This document describes responses in the JSON [RFC8259] format for
   the queries as defined by the Registration Data Access Protocol Query
   Format [RFC9082].  A communication protocol for exchanging queries
   and responses is described in [RFC7480].  This document obsoletes RFC
   7483.

1.1.  Terminology and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following list describes terminology and definitions used
   throughout this document:

   DNR:  Domain Name Registry or Domain Name Registrar

   LDH:  letters, digits, hyphen

   member:  data found within an object as defined by JSON [RFC8259]

   object:  a data structure as defined by JSON [RFC8259]

   object class:  the definition of members that may be found in JSON
    objects described in this document

   object instance:  an instantiation or specific instance of an object
    class

   RDAP:  Registration Data Access Protocol

   RIR:  Regional Internet Registry

1.2.  Data Model

   The data model for JSON responses is specified in five sections:

   1.  simple data types conveyed in JSON primitive types (strings,
       numbers, booleans, and null)

   2.  data structures specified as JSON arrays or objects that are used
       repeatedly when building up larger objects

   3.  object classes representing structured data corresponding to a
       lookup of a single object

   4.  arrays of objects representing structured data corresponding to a
       search for multiple objects

   5.  the response to an error

   The object classes represent responses for two major categories of
   data: responses returned by RIRs for registration data related to IP
   addresses, reverse DNS names, and Autonomous System numbers and
   responses returned by DNRs for registration data related to forward
   DNS names.  The following object classes are returned by both RIRs
   and DNRs:

   1.  domains

   2.  nameservers

   3.  entities

   The information served by both RIRs and DNRs for these object classes
   overlap extensively and are given in this document as a unified model
   for both classes of service.

   In addition to the object classes listed above, RIRs also serve the
   following object classes:

   1.  IP networks

   2.  Autonomous System numbers

   Object classes defined in this document represent a minimal set of
   what a compliant client/server needs to understand to function
   correctly; however, some deployments may want to include additional
   object classes to suit individual needs.  Anticipating this need for
   extension, Section 2.1 of this document defines a mechanism for
   extending the JSON objects that are described in this document.

   Positive responses take two forms.  A response to a lookup of a
   single object in the registration system yields a JSON object, which
   is the subject of the lookup.  A response to a search for multiple
   objects yields a JSON object that contains an array of JSON objects
   that are the subject of the search.  In each type of response, other
   data structures are present within the topmost JSON object.

2.  Use of JSON

2.1.  Naming

   Clients of these JSON responses SHOULD ignore unrecognized JSON
   members in responses.  Servers can insert members into the JSON
   responses, which are not specified in this document, but that does
   not constitute an error in the response.  Servers that insert such
   unspecified members into JSON responses SHOULD have member names
   prefixed with a short identifier followed by an underscore followed
   by a meaningful name.  It has been observed that these short
   identifiers aid software implementers with identifying the
   specification of the JSON member, and failure to use one could cause
   an implementer to assume the server is erroneously using a name from
   this specification.  This allowance does not apply to jCard [RFC7095]
   objects.  The full JSON name (the prefix plus the underscore plus the
   meaningful name) SHOULD adhere to the character and name limitations
   of the prefix registry described in [RFC7480].  Failure to use these
   limitations could result in slower adoption as these limitations have
   been observed to aid some client programming models.

   Consider the following JSON response with JSON members, all of which
   are specified in this document.

   {
     "handle" : "ABC123",
     "remarks" :
     [
       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ]
   }

                                  Figure 1

   If The Registry of the Moon desires to express information not found
   in this specification, it might select "lunarNIC" as its identifying
   prefix and insert, as an example, the member named
   "lunarNIC_beforeOneSmallStep" to signify registrations occurring
   before the first moon landing and the member named
   "lunarNIC_harshMistressNotes" that contains other descriptive text.

   Consider the following JSON response with JSON names, some of which
   should be ignored by clients without knowledge of their meaning.

   {
     "handle" : "ABC123",
     "lunarNIC_beforeOneSmallStep" : "TRUE THAT!",
     "remarks" :
     [
       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "lunarNIC_harshMistressNotes" :
     [
       "In space,",
       "nobody can hear you scream."
     ]
   }

                                  Figure 2

   Insertion of unrecognized members ignored by clients may also be used
   for future revisions to this specification.

   Clients processing JSON responses need to be prepared for members
   representing registration data specified in this document to be
   absent from a response.  In other words, servers are free to omit
   unrequired/optional JSON members containing registration data based
   on their own policies.

   Finally, all JSON names specified in this document are case
   sensitive.  Both servers and clients MUST transmit and process them
   using the specified character case.

3.  Common Data Types

   JSON [RFC8259] defines the data types of a number, character string,
   boolean, array, object, and null.  This section describes the
   semantics and/or syntax reference for common, JSON character strings
   used in this document.

   handle:           DNRs and RIRs have registry-unique identifiers that
                     may be used to specifically reference an object
                     instance.  The semantics of this data type as found
                     in this document are to be a registry-unique
                     reference to the closest enclosing object where the
                     value is found.  The data type names "registryId",
                     "roid", "nic-handle", "registrationNo", etc., are
                     terms often synonymous with this data type.  In
                     this document, the term "handle" is used.  The term
                     exposed to users by clients is a presentation issue
                     beyond the scope of this document.  This value is a
                     simple character string.

   IPv4 addresses:   The representation of IPv4 addresses in this
                     document uses the dotted-decimal notation.  An
                     example of this textual representation is
                     "192.0.2.0".

   IPv6 addresses:   The representation of IPv6 addresses in this
                     document follow the forms outlined in [RFC5952].
                     An example of this textual representation is
                     "2001:db8::1:0:0:1".

   country codes:    Where the identity of a geopolitical nation or
                     country is needed, these identities are represented
                     with the alpha-2 or two-character country code
                     designation as defined in [ISO.3166.2020].  The
                     alpha-2 representation is used because it is freely
                     available, whereas the alpha-3 and numeric-3
                     standards are not.

   LDH names:        Textual representations of DNS names where the
                     labels of the domain are all "letters, digits,
                     hyphen" labels as described by [RFC5890].  Trailing
                     periods are optional.

   Unicode names:    Textual representations of DNS names where one or
                     more of the labels are U-labels as described by
                     [RFC5890].  Trailing periods are optional.

   dates and times:  The syntax for values denoting dates and times is
                     defined in [RFC3339].

   URIs:             The syntax for values denoting a Uniform Resource
                     Identifier (URI) is defined by [RFC3986].

   Contact information is defined using jCards as described in
   [RFC7095].  The "fn" member is required and MUST NOT be null
   according to [RFC6350].  An empty "fn" member MAY be used when the
   contact name does not exist or is redacted.

4.  Common Data Structures

   This section defines common data structures used in responses and
   object classes.

4.1.  RDAP Conformance

   The data structure named "rdapConformance" is an array of strings,
   each providing a hint as to the specifications used in the
   construction of the response.  This data structure MUST appear in the
   topmost JSON object of a response and MUST NOT appear anywhere else.
   A response to a "help" request will include identifiers for all of
   the specifications supported by the server.  A response to any other
   request will include only identifiers for the specifications used in
   the construction of the response.  The set of returned identifiers
   MAY vary depending on the authorization level of the client.

   An example rdapConformance data structure:

   "rdapConformance" :
   [
     "rdap_level_0"
   ]

                                  Figure 3

   The string literal "rdap_level_0" signifies conformance with this
   specification.  When custom JSON values are inserted into responses,
   conformance to those custom specifications MUST be indicated by
   including a unique string literal value registered in the IANA RDAP
   Extensions registry specified in [RFC7480].  For example, if the
   fictional Registry of the Moon wants to signify that their JSON
   responses are conformant with their registered extensions, the string
   used might be "lunarNIC_level_0".  These registered values aid the
   identification of specifications for software implementers, and
   failure to use them could result in slower adoption of extensions.

   Example rdapConformance structure with custom extensions noted:

   "rdapConformance" :
   [
     "rdap_level_0",
     "lunarNIC_level_0"
   ]

                                  Figure 4

4.2.  Links

   The "links" array is found in data structures to signify links to
   other resources on the Internet.  The relationship of these links is
   defined by the IANA registry described by [RFC8288].

   The following is an example of the link structure:

       {
         "value" : "https://example.com/context_uri",
         "rel" : "self",
         "href" : "https://example.com/target_uri",
         "hreflang" : [ "en", "ch" ],
         "title" : "title",
         "media" : "screen",
         "type" : "application/json"
       }

                                  Figure 5

   The JSON name/values of "rel", "href", "hreflang", "title", "media",
   and "type" correspond to values found in Section 3 of [RFC8288].  The
   "value" JSON value is the context URI as described by [RFC8288].  The
   "value", "rel", and "href" JSON values MUST be specified.  All other
   JSON values are OPTIONAL.  A "related" link relation MUST NOT include
   an "href" URI that is the same as the "self" link relation "href" URI
   to reduce the risk of infinite client processing loops.
   Internationalized Domain Names (IDNs) returned in URIs SHOULD be
   consistently returned in LDH name format to allow clients to process
   these IDNs according to their capabilities.

   This is an example of the "links" array as it might be found in an
   object class:

       "links" :
       [
           {
             "value" : "https://example.com/ip/2001:db8::123",
             "rel" : "self",
             "href" : "https://example.com/ip/2001:db8::123",
             "type" : "application/rdap+json"
           },
           {
             "value" : "https://example.com/ip/2001:db8::123",
             "rel" : "up",
             "href" : "https://example.com/ip/2001:db8::/48",
             "type" : "application/rdap+json"
           }

       ]

                                  Figure 6

4.3.  Notices and Remarks

   The "notices" and "remarks" data structures take the same form.  The
   notices structure denotes information about the service providing
   RDAP information and/or information about the entire response,
   whereas the remarks structure denotes information about the object
   class that contains it (see Section 5 regarding object classes).

   Both are arrays of objects.  Each object contains a "title" string
   representing the title of the object, a "type" string denoting a
   registered type of remark or notice (see Section 10.2.1), an array of
   strings named "description" for the purposes of conveying any
   descriptive text, and a "links" array as described in Section 4.2.
   The "description" array MUST be included.  All other JSON values are
   OPTIONAL.

   An example of the notices data structure:

   "notices" :
   [
     {
       "title" : "Terms of Use",
       "description" :
       [
         "Service subject to The Registry of the Moon's TOS.",
         "Copyright (c) 2020 LunarNIC"
       ],
       "links" :
       [
         {
           "value" : "https://example.net/entity/XXXX",
           "rel" : "alternate",
           "type" : "text/html",
           "href" : "https://www.example.com/terms_of_use.html"
         }
       ]
     }
   ]

                                  Figure 7

   It is the job of the clients to determine line breaks, spacing, and
   display issues for sentences within the character strings of the
   "description" array.  Each string in the "description" array contains
   a single complete division of human-readable text indicating to
   clients where there are semantic breaks.

   An example of the remarks data structure:

   "remarks" :
   [
     {
       "description" :
       [
         "She sells sea shells down by the sea shore.",
         "Originally written by Terry Sullivan."
       ]
     }
   ]

                                  Figure 8

   Note that objects in the "remarks" array may also have a "links"
   array.

   While the "title" and "description" fields are intended primarily for
   human consumption, the "type" string contains a well-known value to
   be registered with IANA (see Section 10.2.1) for programmatic use.

   An example of the remarks data structure:

   "remarks" :
   [
     {
       "type" : "object truncated due to authorization",
       "description" :
       [
         "Some registration data may not have been given.",
         "Use proper authorization credentials to see all of it."
       ]
     }
   ]

                                  Figure 9

   While the "remarks" array will appear in many object classes in a
   response, the "notices" array appears only in the topmost object of a
   response.

4.4.  Language Identifier

   This data structure consists solely of a name/value pair, where the
   name is "lang" and the value is a string containing a language
   identifier as described in [RFC5646].

   "lang" : "mn-Cyrl-MN"

                                 Figure 10

   The "lang" attribute as defined in this section MAY appear anywhere
   in an object class or data structure, except for in jCard objects.
   vCard supports similar functionality by way of the LANGUAGE property
   parameter (see Section 5.1 of RFC 6350 [RFC6350]).

4.5.  Events

   This data structure represents events that have occurred on an
   instance of an object class (see Section 5 regarding object classes).

   This is an example of an "events" array.

   "events" :
   [
     {
       "eventAction" : "registration",
       "eventActor" : "SOMEID-LUNARNIC",
       "eventDate" : "1990-12-31T23:59:59Z"
     },
     {
       "eventAction" : "last changed",
       "eventActor" : "OTHERID-LUNARNIC",
       "eventDate" : "1991-12-31T23:59:59Z"
     }
   ]

                                 Figure 11

   The "events" array consists of objects, each with the following
   members:

   *  "eventAction" -- a REQUIRED string denoting the reason for the
      event

   *  "eventActor" -- an OPTIONAL identifier denoting the actor
      responsible for the event

   *  "eventDate" -- a REQUIRED string containing the time and date the
      event occurred

   *  "links" -- OPTIONAL; see Section 4.2

   Events can be future dated.  One use case for future dating of events
   is to denote when an object expires from a registry.

   The "links" array in this data structure is provided for references
   to the event actor.  In order to reference an RDAP entity, a "rel" of
   "related" and a "type" of "application/rdap+json" is used in the link
   reference.

   See Section 10.2.3 for a list of values for the "eventAction" string.
   See Appendix B regarding the various ways events can be modeled.

4.6.  Status

   This data structure, named "status", is an array of strings
   indicating the state of a registered object (see Section 10.2.2 for a
   list of values).

4.7.  Port 43 WHOIS Server

   This data structure, a member named "port43", is a simple character
   string containing the fully qualified host name or IP address of the
   WHOIS [RFC3912] server where the containing object instance may be
   found.  Note that this is not a URI, as there is no WHOIS URI scheme.

4.8.  Public IDs

   This data structure maps a public identifier to an object class.  It
   is named "publicIds" and is an array of objects, with each object
   containing the following REQUIRED members:

   *  type -- a string denoting the type of public identifier

   *  identifier -- a string denoting a public identifier of the type
      related to "type"

   The following is an example of a publicIds structure.

   "publicIds":
   [
     {
       "type":"IANA Registrar ID",
       "identifier":"1"
     }
   ]

                                 Figure 12

4.9.  Object Class Name

   This data structure, a member named "objectClassName", gives the
   object class name of a particular object as a string.  This
   identifies the type of object being processed.  An objectClassName is
   REQUIRED in all RDAP response objects so that the type of the object
   can be interpreted.

4.10.  An Example

   This is an example response with both rdapConformance and notices
   embedded:

   {
     "rdapConformance" :
     [
       "rdap_level_0"
     ],
     "notices" :
     [
       {
         "title" : "Content Removed",
         "description" :
         [
           "Without full authorization, content has been removed.",
           "Sorry, dude!"
         ],
         "links" :
         [
           {
             "value" : "https://example.net/ip/192.0.2.0/24",
             "rel" : "alternate",
             "type" : "text/html",
             "href" : "https://www.example.com/redaction_policy.html"
           }
         ]
       }
     ],
     "lang" : "en",
     "objectClassName" : "ip network",
     "startAddress" : "192.0.2.0",
     "endAddress" : "192.0.2.255",
     "handle" : "XXXX-RIR",
     "ipVersion" : "v4",
     "name": "NET-RTR-1",
     "parentHandle" : "YYYY-RIR",
     "remarks" :
     [

       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ]
   }

                                 Figure 13

5.  Object Classes

   Object classes represent structures appropriate for a response from
   the queries specified in [RFC9082].

   Each object class contains a "links" array as specified in
   Section 4.2.  For every object class instance in a response, whether
   the object class instance is directly representing the response to a
   query or is embedded in other object class instances or is an item in
   a search result set, servers SHOULD provide a link representing a URI
   for that object class instance using the "self" relationship as
   described in the IANA registry specified by [RFC8288].  As explained
   in Section 5.2, this may be not always be possible for nameserver
   data.  Clients MUST be able to process object instances without a
   self link.  When present, clients can use the self link for caching
   data.  Servers MAY provide more than one self link for any given
   object instance.  Failure to provide any self link by a server may
   result in clients being unable to cache object class instances.

   Clients using self links for caching SHOULD NOT cache any object
   class instances where the authority of the self link is different
   than the authority of the server returning the data.  Failing to do
   so might result in cache poisoning.

   Self links MUST contain a "type" element containing the "application/
   rdap+json" media type when referencing RDAP object instances as
   defined by this document.

   This is an example of the "links" array with a self link to an object
   class:

       "links" :
       [
           {
             "value" : "https://example.com/ip/2001:db8::123",
             "rel" : "self",
             "href" : "https://example.com/ip/2001:db8::123",
             "type" : "application/rdap+json"
           }
       ]

                                 Figure 14

5.1.  The Entity Object Class

   The entity object class appears throughout this document and is an
   appropriate response for the /entity/XXXX query defined in
   "Registration Data Access Protocol (RDAP) Query Format" [RFC9082].
   This object class represents the information of organizations,
   corporations, governments, non-profits, clubs, individual persons,
   and informal groups of people.  All of these representations are so
   similar that it is best to represent them in JSON [RFC8259] with one
   construct, the entity object class, to aid in the reuse of code by
   implementers.

   The entity object class uses jCard [RFC7095] to represent contact
   information, such as postal addresses, email addresses, phone numbers
   and names of organizations and individuals.  Many of the types of
   information that can be represented with jCard have little or no use
   in RDAP, such as birthdays, anniversaries, and gender.

   The entity object is served by both RIRs and DNRs.  The following is
   an example of an entity that might be served by an RIR.

   {
     "objectClassName" : "entity",
     "handle":"XXXX",
     "vcardArray":[
       "vcard",
       [
         ["version", {}, "text", "4.0"],
         ["fn", {}, "text", "Joe User"],
         ["n", {}, "text",
           ["User", "Joe", "", "", ["ing. jr", "M.Sc."]]
         ],
         ["kind", {}, "text", "individual"],
         ["lang", {
           "pref":"1"
         }, "language-tag", "fr"],
         ["lang", {
           "pref":"2"
         }, "language-tag", "en"],
         ["org", {
           "type":"work"
         }, "text", "Example"],
         ["title", {}, "text", "Research Scientist"],
         ["role", {}, "text", "Project Lead"],
         ["adr",
           { "type":"work" },
           "text",
           [
             "",
             "Suite 1234",
             "4321 Rue Somewhere",
             "Quebec",
             "QC",
             "G1V 2M2",
             "Canada"
           ]
         ],
         ["adr",
           {
             "type":"home",
             "label":"123 Maple Ave\nSuite 90001\nVancouver\nBC\n1239\n"
           },
           "text",
           [
             "", "", "", "", "", "", ""
           ]
         ],
         ["tel",
           {
             "type":["work", "voice"],
             "pref":"1"
           },
           "uri",
           "tel:+1-555-555-1234;ext=102"
         ],
         ["tel",
           { "type":["work", "cell", "voice", "video", "text"] },
           "uri",
           "tel:+1-555-555-4321"
         ],
         ["email",
           { "type":"work" },
           "text",
           "joe.user@example.com"
         ],
         ["geo", {
           "type":"work"
         }, "uri", "geo:46.772673,-71.282945"],
         ["key",
           { "type":"work" },
           "uri",
           "https://www.example.com/joe.user/joe.asc"
         ],
         ["tz", {},
           "utc-offset", "-05:00"],
         ["url", { "type":"home" },
           "uri", "https://example.org"]
       ]
     ],
     "roles":[ "registrar" ],
     "publicIds":[
       {
         "type":"IANA Registrar ID",
         "identifier":"1"
       }
     ],
     "remarks":[
       {
         "description":[
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "links":[
       {
         "value":"https://example.com/entity/XXXX",
         "rel":"self",
         "href":"https://example.com/entity/XXXX",
         "type" : "application/rdap+json"
       }
     ],
     "events":[
       {
         "eventAction":"registration",
         "eventDate":"1990-12-31T23:59:59Z"
       }
     ],
     "asEventActor":[

       {
         "eventAction":"last changed",
         "eventDate":"1991-12-31T23:59:59Z"
       }
     ]
   }

                                 Figure 15

   The entity object class can contain the following members:

   *  objectClassName -- the string "entity"

   *  handle -- a string representing a registry-unique identifier of
      the entity

   *  vcardArray -- a jCard with the entity's contact information

   *  roles -- an array of strings, each signifying the relationship an
      object would have with its closest containing object (see
      Section 10.2.4 for a list of values)

   *  publicIds -- see Section 4.8

   *  entities -- an array of entity objects as defined by this section

   *  remarks -- see Section 4.3

   *  links -- see Section 4.2

   *  events -- see Section 4.5

   *  asEventActor -- this data structure takes the same form as the
      events data structure (see Section 4.5), but each object in the
      array MUST NOT have an "eventActor" member.  These objects denote
      that the entity is an event actor for the given events.  See
      Appendix B regarding the various ways events can be modeled.

   *  status -- see Section 4.6

   *  port43 -- see Section 4.7

   *  networks -- an array of IP network objects as defined in
      Section 5.4

   *  autnums -- an array of autnum objects as defined in Section 5.5

   Entities may also have other entities embedded with them in an array.
   This can be used to model an organization with specific individuals
   fulfilling designated roles of responsibility.

   The following is an elided example of an entity with embedded
   entities.

   {
     "objectClassName" : "entity",
     "handle" : "ANENTITY",
     "roles" : [ "registrar" ],
     ...
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle": "ANEMBEDDEDENTITY",
         "roles" : [ "technical" ],
         ...
       },
       ...
     ],
     ...
   }

                                 Figure 16

   The following is an example of an entity that might be served by a
   DNR.

   {
     "objectClassName" : "entity",
     "handle":"XXXX",
     "vcardArray":[
       "vcard",
       [
         ["version", {}, "text", "4.0"],
         ["fn", {}, "text", "Joe User"],
         ["kind", {}, "text", "individual"],
         ["lang", {
           "pref":"1"
         }, "language-tag", "fr"],
         ["lang", {
           "pref":"2"
         }, "language-tag", "en"],
         ["org", {
           "type":"work"
         }, "text", "Example"],
         ["title", {}, "text", "Research Scientist"],
         ["role", {}, "text", "Project Lead"],
         ["adr",
           { "type":"work" },
           "text",
           [
             "",
             "Suite 1234",
             "4321 Rue Somewhere",
             "Quebec",
             "QC",
             "G1V 2M2",
             "Canada"
           ]
         ],
         ["tel",
           { "type":["work", "voice"], "pref":"1" },
           "uri", "tel:+1-555-555-1234;ext=102"
         ],
         ["email",
           { "type":"work" },
           "text", "joe.user@example.com"
         ]
       ]
     ],
     "status":[ "validated", "locked" ],
     "remarks":[
       {
         "description":[
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "links":[
       {
         "value":"https://example.com/entity/XXXX",
         "rel":"self",
         "href":"https://example.com/entity/XXXX",
         "type":"application/rdap+json"
       }
     ],
     "port43":"whois.example.net",
     "events":[
       {
         "eventAction":"registration",
         "eventDate":"1990-12-31T23:59:59Z"
       },
       {
         "eventAction":"last changed",
         "eventDate":"1991-12-31T23:59:59Z",
         "eventActor":"joe@example.com"
       }
     ]
   }

                                 Figure 17

   See Appendix A for use of the entity object class to model various
   types of entities found in both RIRs and DNRs.  See Appendix C
   regarding structured vs.  unstructured postal addresses in entities.

5.2.  The Nameserver Object Class

   The nameserver object class represents information regarding DNS
   nameservers used in both forward and reverse DNS.  RIRs and some DNRs
   register or expose nameserver information as an attribute of a domain
   name, while other DNRs model nameservers as "first class objects".
   Please note that some of the examples in this section include lines
   that have been wrapped for reading clarity.

   The nameserver object class accommodates both models and degrees of
   variation in between.

   The following is an example of a nameserver object.

     {
       "objectClassName" : "nameserver",
       "handle" : "XXXX",
       "ldhName" : "ns1.xn--fo-5ja.example",
       "unicodeName" : "ns.fóo.example",
       "status" : [ "active" ],
       "ipAddresses" :
       {
         "v4": [ "192.0.2.1", "192.0.2.2" ],
         "v6": [ "2001:db8::123" ]
       },
       "remarks" :
       [
         {
           "description" :
           [
             "She sells sea shells down by the sea shore.",
             "Originally written by Terry Sullivan."
           ]
         }
       ],
       "links" :
       [
         {
           "value" : "https://example.net/nameserver/
                      ns1.xn--fo-5ja.example",
           "rel" : "self",
           "href" : "https://example.net/nameserver/
                     ns1.xn--fo-5ja.example",
           "type" : "application/rdap+json"
         }
       ],
       "port43" : "whois.example.net",
       "events" :
       [
         {
           "eventAction" : "registration",
           "eventDate" : "1990-12-31T23:59:59Z"
         },
         {
           "eventAction" : "last changed",
           "eventDate" : "1991-12-31T23:59:59Z",
           "eventActor" : "joe@example.com"
         }
       ]
     }

                                 Figure 18

   Figure 18 is an example of a nameserver object with all appropriate
   values given.  Registries using a first-class nameserver data model
   would embed this in domain objects as well as allowing references to
   it with the "/nameserver" query type (all depending on the registry
   operators policy).  Other registries may pare back the information as
   needed.  Figure 19 is an example of a nameserver object as would be
   found in RIRs and some DNRs, while Figure 20 is an example of a
   nameserver object as would be found in other DNRs.

   The following is an example of the simplest nameserver object:

     {
       "objectClassName" : "nameserver",
       "ldhName" : "ns1.example.com"
     }

                                 Figure 19

   The following is an example of a simple nameserver object that might
   be commonly used by DNRs:

     {
       "objectClassName" : "nameserver",
       "ldhName" : "ns1.example.com",
       "ipAddresses" : { "v6" : [ "2001:db8::123", "2001:db8::124" ] }
     }

                                 Figure 20

   As nameservers can be modeled by some registries to be first-class
   objects, they may also have an array of entities (Section 5.1)
   embedded to signify parties responsible for the maintenance,
   registrations, etc., of the nameservers.

   The following is an elided example of a nameserver with embedded
   entities.

   {
     "objectClassName" : "nameserver",
     "handle" : "XXXX",
     "ldhName" : "ns.xn--fo-5ja.example",
     ...
     "entities" :
     [
       ...
     ],
     ...
   }

                                 Figure 21

   The nameserver object class can contain the following members:

   *  objectClassName -- the string "nameserver"

   *  handle -- a string representing a registry-unique identifier of
      the nameserver

   *  ldhName -- a string containing the LDH name of the nameserver (see
      Section 3)

   *  unicodeName -- a string containing a DNS Unicode name of the
      nameserver (see Section 3)

   *  ipAddresses -- an object containing the following members:

      -  v6 -- an array of strings containing IPv6 addresses of the
         nameserver

      -  v4 -- an array of strings containing IPv4 addresses of the
         nameserver

   *  entities -- an array of entity objects as defined by Section 5.1

   *  status -- see Section 4.6

   *  remarks -- see Section 4.3

   *  links -- see Section 4.2

   *  port43 -- see Section 4.7

   *  events -- see Section 4.5

5.3.  The Domain Object Class

   The domain object class represents a DNS name and point of
   delegation.  For RIRs, these delegation points are in the reverse DNS
   tree, whereas for DNRs, these delegation points are in the forward
   DNS tree.

   In both cases, the high-level structure of the domain object class
   consists of information about the domain registration, nameserver
   information related to the domain name, and entities related to the
   domain name (e.g., registrant information, contacts, etc.).

   The following is an elided example of the domain object showing the
   high-level structure:

   {
     "objectClassName" : "domain",
     "handle" : "XXX",
     "ldhName" : "blah.example.com",
     ...
     "nameservers" :
     [
       ...
     ],
     ...
     "entities" :
     [
       ...
     ]
   }

                                 Figure 22

   The domain object class can contain the following members:

   *  objectClassName -- the string "domain"

   *  handle -- a string representing a registry-unique identifier of
      the domain object instance

   *  ldhName -- a string describing a domain name in LDH form as
      described in Section 3

   *  unicodeName -- a string containing a domain name with U-labels as
      described in Section 3

   *  variants -- an array of objects, each containing the following
      values:

      -  relation -- an array of strings, with each string denoting the
         relationship between the variants and the containing domain
         object (see Section 10.2.5 for a list of suggested variant
         relations).

      -  idnTable -- the character string literal that represents the
         Internationalized Domain Name (IDN) table that has been
         registered in the IANA Repository of IDN Practices
         [IANA_IDNTABLES].

      -  variantNames -- an array of objects, with each object
         containing an "ldhName" member and a "unicodeName" member (see
         Section 3).

   *  nameservers -- an array of nameserver objects as defined by
      Section 5.2

   *  secureDNS -- an object with the following members:

      -  zoneSigned -- boolean true if the zone has been signed, false
         otherwise.

      -  delegationSigned -- boolean true if there are DS records in the
         parent, false otherwise.

      -  maxSigLife -- an integer representing the signature lifetime in
         seconds to be used when creating the RRSIG DS record in the
         parent zone [RFC5910].

      -  dsData -- an array of objects, each with the following members:

         o  keyTag -- an integer as specified by the key tag field of a
            DNS DS record as specified by [RFC4034] in presentation
            format

         o  algorithm -- an integer as specified by the algorithm field
            of a DNS DS record as described by RFC 4034 in presentation
            format

         o  digest -- a string as specified by the digest field of a DNS
            DS record as specified by RFC 4034 in presentation format

         o  digestType -- an integer as specified by the digest type
            field of a DNS DS record as specified by RFC 4034 in
            presentation format

         o  events -- see Section 4.5

         o  links -- see Section 4.2

      -  keyData -- an array of objects, each with the following
         members:

         o  flags -- an integer representing the flags field value in
            the DNSKEY record [RFC4034] in presentation format

         o  protocol -- an integer representation of the protocol field
            value of the DNSKEY record [RFC4034] in presentation format

         o  publicKey -- a string representation of the public key in
            the DNSKEY record [RFC4034] in presentation format

         o  algorithm -- an integer as specified by the algorithm field
            of a DNSKEY record as specified by [RFC4034] in presentation
            format

         o  events -- see Section 4.5

         o  links -- see Section 4.2

            See Appendix D for background information on these objects.

   *  entities -- an array of entity objects as defined by Section 5.1

   *  status -- see Section 4.6

   *  publicIds -- see Section 4.8

   *  remarks -- see Section 4.3

   *  links -- see Section 4.2

   *  port43 -- see Section 4.7

   *  events -- see Section 4.5

   *  network -- represents the IP network for which a reverse DNS
      domain is referenced; see Section 5.4

   The following is an example of a JSON domain object representing a
   reverse DNS delegation point that might be served by an RIR (note
   that the dsData digest value has been modified to fit on one line).

   {
     "objectClassName" : "domain",
     "handle" : "XXXX",
     "ldhName" : "0.2.192.in-addr.arpa",
     "nameservers" :
     [
       {
         "objectClassName" : "nameserver",
         "ldhName" : "ns1.rir.example"
       },
       {
         "objectClassName" : "nameserver",
         "ldhName" : "ns2.rir.example"
       }
     ],
     "secureDNS":
     {
       "delegationSigned": true,
       "dsData":
       [
         {
           "keyTag": 25345,
           "algorithm": 8,
           "digestType": 2,
           "digest": "2788970E18EA14...C890C85B8205B94"
         }
       ]
     },
     "remarks" :
     [
       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "links" :
     [
       {
         "value": "https://example.net/domain/0.2.192.in-addr.arpa",
         "rel" : "self",
         "href" : "https://example.net/domain/0.2.192.in-addr.arpa",
         "type" : "application/rdap+json"

       }
     ],
     "events" :
     [
       {
         "eventAction" : "registration",
         "eventDate" : "1990-12-31T23:59:59Z"
       },
       {
         "eventAction" : "last changed",
         "eventDate" : "1991-12-31T23:59:59Z",
         "eventActor" : "joe@example.com"
       }
     ],
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         "vcardArray":[
           "vcard",
           [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Joe User"],
             ["kind", {}, "text", "individual"],
             ["lang", {
               "pref":"1"
             }, "language-tag", "fr"],
             ["lang", {
               "pref":"2"
             }, "language-tag", "en"],
             ["org", {
               "type":"work"
             }, "text", "Example"],
             ["title", {}, "text", "Research Scientist"],
             ["role", {}, "text", "Project Lead"],
             ["adr",
               { "type":"work" },
               "text",
               [
                 "",
                 "Suite 1234",
                 "4321 Rue Somewhere",
                 "Quebec",
                 "QC",
                 "G1V 2M2",
                 "Canada"
               ]

             ],
             ["tel",
               { "type":["work", "voice"], "pref":"1" },
               "uri", "tel:+1-555-555-1234;ext=102"
             ],
             ["email",
               { "type":"work" },
               "text", "joe.user@example.com"
             ]
           ]
         ],
         "roles" : [ "registrant" ],
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links" :
         [
           {
             "value": "https://example.net/entity/XXXX",
             "rel" : "self",
             "href" : "https://example.net/entity/XXXX",
             "type" : "application/rdap+json"
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"
           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z",
             "eventActor" : "joe@example.com"
           }
         ]
       }
     ],
     "network" :
     {
       "objectClassName" : "ip network",
       "handle" : "XXXX-RIR",
       "startAddress" : "192.0.2.0",
       "endAddress" : "192.0.2.255",
       "ipVersion" : "v4",
       "name": "NET-RTR-1",
       "type" : "DIRECT ALLOCATION",
       "country" : "AU",
       "parentHandle" : "YYYY-RIR",
       "status" : [ "active" ]
     }
   }

                                 Figure 23

   The following is an example of a JSON domain object representing a
   forward DNS delegation point that might be served by a DNR.  Note
   that the secureDNS keyData publicKey value has been modified to fit
   on a single line.

   {
     "objectClassName" : "domain",
     "handle" : "XXXX",
     "ldhName" : "xn--fo-5ja.example",
     "unicodeName" : "fóo.example",
     "variants" :
     [
       {
         "relation" : [ "registered", "conjoined" ],
         "variantNames" :
         [
           {
             "ldhName" : "xn--fo-cka.example",
             "unicodeName" : "fõo.example"
           },
           {
             "ldhName" : "xn--fo-fka.example",
             "unicodeName" : "föo.example"
           }
         ]
       },
       {
         "relation" : [ "unregistered", "registration restricted" ],
         "idnTable": ".EXAMPLE Swedish",
         "variantNames" :
         [
           {
             "ldhName": "xn--fo-8ja.example",
             "unicodeName" : "fôo.example"
           }
         ]

       }
     ],
     "status" : [ "locked", "transfer prohibited" ],
     "publicIds":[
       {
         "type":"ENS_Auth ID",
         "identifier":"1234567890"
       }
     ],
     "nameservers" :
     [
       {
         "objectClassName" : "nameserver",
         "handle" : "XXXX",
         "ldhName" : "ns1.example.com",
         "status" : [ "active" ],
         "ipAddresses" :
         {
           "v6": [ "2001:db8::123", "2001:db8::124" ],
           "v4": [ "192.0.2.1", "192.0.2.2" ]
         },
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links" :
         [
           {
             "value" : "https://example.net/nameserver/ns1.example.com",
             "rel" : "self",
             "href" : "https://example.net/nameserver/ns1.example.com",
             "type" : "application/rdap+json"
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"
           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z"
           }
         ]
       },
       {
         "objectClassName" : "nameserver",
         "handle" : "XXXX",
         "ldhName" : "ns2.example.com",
         "status" : [ "active" ],
         "ipAddresses" :
         {
           "v6" : [ "2001:db8::125", "2001:db8::126" ],
           "v4" : [ "192.0.2.3", "192.0.2.4" ]
         },
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links" :
         [
           {
             "value" : "https://example.net/nameserver/ns2.example.com",
             "rel" : "self",
             "href" : "https://example.net/nameserver/ns2.example.com",
             "type" : "application/rdap+json"
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"
           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z"
           }
         ]
       }
     ],
     "secureDNS":
     {

        "zoneSigned": true,
        "delegationSigned": true,
        "maxSigLife": 604800,
        "keyData":
        [
          {
            "flags": 257,
            "protocol": 3,
            "algorithm": 8,
            "publicKey": "AwEAAa6eDzronzjEDbT...Jg1M5N rBSPkuXpdFE=",
            "events":
            [
              {
                "eventAction": "last changed",
                "eventDate": "2012-07-23T05:15:47Z"
              }
            ]
          }
        ]
     },
     "remarks" :
     [
       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "links" :
     [
       {
         "value": "https://example.net/domain/xn--fo-5ja.example",
         "rel" : "self",
         "href" : "https://example.net/domain/xn--fo-5ja.example",
         "type" : "application/rdap+json"
       }
     ],
     "port43" : "whois.example.net",
     "events" :
     [
       {
         "eventAction" : "registration",
         "eventDate" : "1990-12-31T23:59:59Z"
       },
       {
         "eventAction" : "last changed",
         "eventDate" : "1991-12-31T23:59:59Z",
         "eventActor" : "joe@example.com"
       },
       {
         "eventAction" : "transfer",
         "eventDate" : "1991-12-31T23:59:59Z",
         "eventActor" : "joe@example.com"
       },
       {
         "eventAction" : "expiration",
         "eventDate" : "2016-12-31T23:59:59Z",
         "eventActor" : "joe@example.com"
       }
     ],
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         "vcardArray":[
           "vcard",
           [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Joe User"],
             ["kind", {}, "text", "individual"],
             ["lang", {
               "pref":"1"
             }, "language-tag", "fr"],
             ["lang", {
               "pref":"2"
             }, "language-tag", "en"],
             ["org", {
               "type":"work"
             }, "text", "Example"],
             ["title", {}, "text", "Research Scientist"],
             ["role", {}, "text", "Project Lead"],
             ["adr",
               { "type":"work" },
               "text",
               [
                 "",
                 "Suite 1234",
                 "4321 Rue Somewhere",
                 "Quebec",
                 "QC",
                 "G1V 2M2",
                 "Canada"
               ]

             ],
             ["tel",
               { "type":["work", "voice"], "pref":"1" },
               "uri", "tel:+1-555-555-1234;ext=102"
             ],
             ["email",
               { "type":"work" },
               "text", "joe.user@example.com"
             ]
           ]
         ],
         "status" : [ "validated", "locked" ],
         "roles" : [ "registrant" ],
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links" :
         [
           {
             "value" : "https://example.net/entity/XXXX",
             "rel" : "self",
             "href" : "https://example.net/entity/XXXX",
             "type" : "application/rdap+json"
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"
           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z"
           }
         ]
       }
     ]
   }

                                 Figure 24

5.4.  The IP Network Object Class

   The IP network object class models IP network registrations found in
   RIRs and is the expected response for the "/ip" query as defined by
   [RFC9082].  There is no equivalent object class for DNRs.  The high-
   level structure of the IP network object class consists of
   information about the network registration and entities related to
   the IP network (e.g., registrant information, contacts, etc.).

   The following is an elided example of the IP network object type
   showing the high-level structure:

   {
     "objectClassName" : "ip network",
     "handle" : "XXX",
     ...
     "entities" :
     [
       ...
     ]
   }

                                 Figure 25

   The following is an example of the JSON object for the network
   registration information.

   {
     "objectClassName" : "ip network",
     "handle" : "XXXX-RIR",
     "startAddress" : "2001:db8::",
     "endAddress" : "2001:db8:0:ffff:ffff:ffff:ffff:ffff",
     "ipVersion" : "v6",
     "name": "NET-RTR-1",
     "type" : "DIRECT ALLOCATION",
     "country" : "AU",
     "parentHandle" : "YYYY-RIR",
     "status" : [ "active" ],
     "remarks" :
     [
       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "links" :
     [
       {
         "value" : "https://example.net/ip/2001:db8::/48",
         "rel" : "self",
         "href" : "https://example.net/ip/2001:db8::/48",
         "type" : "application/rdap+json"
       },
       {
         "value" : "https://example.net/ip/2001:db8::/48",
         "rel" : "up",
         "href" : "https://example.net/ip/2001:db8::/32",
         "type" : "application/rdap+json"
       }
     ],
     "events" :
     [
       {
         "eventAction" : "registration",
         "eventDate" : "1990-12-31T23:59:59Z"
       },
       {
         "eventAction" : "last changed",
         "eventDate" : "1991-12-31T23:59:59Z"
       }
     ],
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         "vcardArray":[
           "vcard",
           [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Joe User"],
             ["kind", {}, "text", "individual"],
             ["lang", {
               "pref":"1"
             }, "language-tag", "fr"],
             ["lang", {
               "pref":"2"
             }, "language-tag", "en"],
             ["org", {
               "type":"work"
             }, "text", "Example"],
             ["title", {}, "text", "Research Scientist"],
             ["role", {}, "text", "Project Lead"],
             ["adr",
               { "type":"work" },
               "text",
               [
                 "",
                 "Suite 1234",
                 "4321 Rue Somewhere",
                 "Quebec",
                 "QC",
                 "G1V 2M2",
                 "Canada"
               ]
             ],
             ["tel",
               { "type":["work", "voice"], "pref":"1" },
               "uri", "tel:+1-555-555-1234;ext=102"
             ],
             ["email",
               { "type":"work" },
               "text", "joe.user@example.com"
             ]
           ]
         ],
         "roles" : [ "registrant" ],
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links" :
         [
           {
             "value" : "https://example.net/entity/xxxx",
             "rel" : "self",
             "href" : "https://example.net/entity/xxxx",
             "type" : "application/rdap+json"
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"

           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z"
           }
         ]
       }
     ]
   }

                                 Figure 26

   The IP network object class can contain the following members:

   *  objectClassName -- the string "ip network"

   *  handle -- a string representing the RIR-unique identifier of the
      network registration

   *  startAddress -- a string representing the starting IP address of
      the network, either IPv4 or IPv6

   *  endAddress -- a string representing the ending IP address of the
      network, either IPv4 or IPv6

   *  ipVersion -- a string signifying the IP protocol version of the
      network: "v4" signifies an IPv4 network, and "v6" signifies an
      IPv6 network

   *  name -- a string representing an identifier assigned to the
      network registration by the registration holder

   *  type -- a string containing an RIR-specific classification of the
      network per that RIR's registration model

   *  country -- a string containing the two-character country code of
      the network

   *  parentHandle -- a string containing an RIR-unique identifier of
      the parent network of this network registration

   *  status -- an array of strings indicating the state of the IP
      network as defined by Section 4.6

   *  entities -- an array of entity objects as defined by Section 5.1

   *  remarks -- see Section 4.3

   *  links -- see Section 4.2

   *  port43 -- see Section 4.7

   *  events -- see Section 4.5

5.5.  The Autonomous System Number Object Class

   The Autonomous System number (autnum) object class models Autonomous
   System number registrations found in RIRs and represents the expected
   response to an "/autnum" query as defined by [RFC9082].  There is no
   equivalent object class for DNRs.  The high-level structure of the
   autnum object class consists of information about the Autonomous
   System number registration and entities related to the autnum
   registration (e.g., registrant information, contacts, etc.) and is
   similar to the IP network object class.

   The following is an example of a JSON object representing an autnum.

   {
     "objectClassName" : "autnum",
     "handle" : "XXXX-RIR",
     "startAutnum" : 65536,
     "endAutnum" : 65541,
     "name": "AS-RTR-1",
     "type" : "DIRECT ALLOCATION",
     "status" : [ "active" ],
     "country": "AU",
     "remarks" :
     [
       {
         "description" :
         [
           "She sells sea shells down by the sea shore.",
           "Originally written by Terry Sullivan."
         ]
       }
     ],
     "links" :
     [
       {
         "value" : "https://example.net/autnum/65537",
         "rel" : "self",
         "href" : "https://example.net/autnum/65537",
         "type" : "application/rdap+json"
       }
     ],
     "events" :

     [
       {
         "eventAction" : "registration",
         "eventDate" : "1990-12-31T23:59:59Z"
       },
       {
         "eventAction" : "last changed",
         "eventDate" : "1991-12-31T23:59:59Z"
       }
     ],
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         "vcardArray":[
           "vcard",
           [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Joe User"],
             ["kind", {}, "text", "individual"],
             ["lang", {
               "pref":"1"
             }, "language-tag", "fr"],
             ["lang", {
               "pref":"2"
             }, "language-tag", "en"],
             ["org", {
               "type":"work"
             }, "text", "Example"],
             ["title", {}, "text", "Research Scientist"],
             ["role", {}, "text", "Project Lead"],
             ["adr",
               { "type":"work" },
               "text",
               [
                 "",
                 "Suite 1234",
                 "4321 Rue Somewhere",
                 "Quebec",
                 "QC",
                 "G1V 2M2",
                 "Canada"
               ]
             ],
             ["tel",
               { "type":["work", "voice"], "pref":"1" },
               "uri", "tel:+1-555-555-1234;ext=102"
             ],
             ["email",
               { "type":"work" },
               "text", "joe.user@example.com"
             ]
           ]
         ],
         "roles" : [ "registrant" ],
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links" :
         [
           {
             "value" : "https://example.net/entity/XXXX",
             "rel" : "self",
             "href" : "https://example.net/entity/XXXX",
             "type" : "application/rdap+json"
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"
           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z"
           }
         ]
       }
     ]
   }

                                 Figure 27

   The Autonomous System number object class can contain the following
   members:

   *  objectClassName -- the string "autnum"

   *  handle -- a string representing the RIR-unique identifier of the
      autnum registration

   *  startAutnum -- an unsigned 32-bit integer representing the
      starting number [RFC5396] in the block of Autonomous System
      numbers

   *  endAutnum -- an unsigned 32-bit integer representing the ending
      number [RFC5396] in the block of Autonomous System numbers

   *  name -- a string representing an identifier assigned to the autnum
      registration by the registration holder

   *  type -- a string containing an RIR-specific classification of the
      autnum per that RIR's registration model

   *  status -- an array of strings indicating the state of the autnum
      as defined by Section 4.6

   *  country -- a string containing the two-character country code of
      the autnum

   *  entities -- an array of entity objects as defined by Section 5.1

   *  remarks -- see Section 4.3

   *  links -- see Section 4.2

   *  port43 -- see Section 4.7

   *  events -- see Section 4.5

6.  Error Response Body

   Some non-answer responses MAY return entity bodies with information
   that could be more descriptive.

   The basic structure of that response is an object class containing a
   REQUIRED error code number (corresponding to the HTTP response code)
   followed by an OPTIONAL string named "title" and an OPTIONAL array of
   strings named "description".

   This is an example of the common response body.

   {
     "errorCode": 418,
     "title": "Your Beverage Choice is Not Available",
     "description":
     [
       "I know coffee has more ummppphhh.",
       "Sorry, dude!"
     ]
   }

                                 Figure 28

   This is an example of the common response body with an
   rdapConformance and notices data structures:

   {
     "rdapConformance" :
     [
       "rdap_level_0"
     ],
     "notices" :
     [
       {
         "title" : "Beverage Policy",
         "description" :
         [
           "Beverages with caffeine for keeping horses awake."
         ],
         "links" :
         [
           {
             "value" : "https://example.net/ip/192.0.2.0/24",
             "rel" : "alternate",
             "type" : "text/html",
             "href" : "https://www.example.com/redaction_policy.html"
           }
         ]
       }
     ],
     "lang" : "en",
     "errorCode": 418,
     "title": "Your beverage choice is not available",
     "description":
     [
       "I know coffee has more ummppphhh.",
       "Sorry, dude!"
     ]
   }

                                 Figure 29

7.  Responding to Help Queries

   The appropriate response to /help queries as defined by [RFC9082] is
   to use the notices structure as defined in Section 4.3.

   This is an example of a response to a /help query including the
   rdapConformance data structure.

   {
     "rdapConformance" :
     [
       "rdap_level_0"
     ],
     "notices" :
     [
       {
         "title" : "Authentication Policy",
         "description" :
         [
           "Access to sensitive data for users with proper credentials."
         ],
         "links" :
         [
           {
             "value" : "https://example.net/help",
             "rel" : "alternate",
             "type" : "text/html",
             "href" : "https://www.example.com/auth_policy.html"
           }
         ]
       }
     ]
   }

                                 Figure 30

8.  Responding To Searches

   [RFC9082] specifies three types of searches: domains, nameservers,
   and entities.  Responses to these searches take the form of an array
   of object instances where each instance is an appropriate object
   class for the search (i.e., a search for /domains yields an array of
   domain object instances).  These arrays are contained within the
   response object.

   The names of the arrays are as follows:

   *  for /domains searches, the array is "domainSearchResults"

   *  for /nameservers searches, the array is "nameserverSearchResults"

   *  for /entities searches, the array is "entitySearchResults"

   The following is an elided example of a response to a /domains
   search.

   {
     "rdapConformance" :
     [
       "rdap_level_0"
     ],
     ...
     "domainSearchResults" :
     [
       {
         "objectClassName" : "domain",
         "handle" : "1-XXXX",
         "ldhName" : "1.example.com",
         ...
       },
       {
         "objectClassName" : "domain",
         "handle" : "2-XXXX",
         "ldhName" : "2.example.com",
         ...
       }
     ]
   }

                                 Figure 31

9.  Indicating Truncated Responses

   In cases where the data of a response needs to be limited or parts of
   the data need to be omitted, the response is considered "truncated".
   A truncated response is still valid JSON, but some of the results in
   a search set or some of the data in an object are not provided by the
   server.  A server may indicate this by including a typed notice in
   the response object.

   The following is an elided example of a search response that has been
   truncated.

   {
     "rdapConformance" :
     [
       "rdap_level_0"
     ],
     "notices" :
     [
       {
         "title" : "Search Policy",
         "type" : "result set truncated due to authorization",
         "description" :
         [
           "Search results are limited to 25 per day per querying IP."
         ],
         "links" :
         [
           {
             "value" : "https://example.net/help",
             "rel" : "alternate",
             "type" : "text/html",
             "href" : "https://www.example.com/search_policy.html"
           }
         ]
       }
     ],
     "domainSearchResults" :
     [
       ...
     ]
   }

                                 Figure 32

   A similar technique can be used with a typed remark where a single
   object has been returned and data in that object has been truncated.
   Such an example might be an entity object with only a partial set of
   the IP networks associated with it.

   The following is an elided example of an entity truncated data.

   {
     "objectClassName" : "entity",
     "handle" : "ANENTITY",
     "roles" : [ "registrant" ],
     ...
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle": "ANEMBEDDEDENTITY",
         "roles" : [ "technical" ],
         ...
       },
       ...
     ],
     "networks" :
     [
       ...
     ],
     ...
     "remarks" :
     [
       {
         "title" : "Data Policy",
         "type" : "object truncated due to unexplainable reason",
         "description" :
         [
           "Some of the data in this object has been removed."
         ],
         "links" :
         [
           {
             "value" : "https://example.net/help",
             "rel" : "alternate",
             "type" : "text/html",
             "href" : "https://www.example.com/data_policy.html"
           }
         ]
       }
     ]
   }

                                 Figure 33

10.  IANA Considerations

   IANA has updated the description of the "transfer" event action as
   described in Section 10.2.3.

10.1.  RDAP JSON Media Type Registration

   IANA has updated the media type registration as described below.

   This specification registers the "application/rdap+json" media type.

   Type name:  application

   Subtype name:  rdap+json

   Required parameters:  n/a

   Encoding considerations:  See Section 3.1 of [RFC6839].

   Security considerations:  The media represented by this identifier
      does not have security considerations beyond that found in
      Section 12 of [RFC8259].

   Interoperability considerations:  There are no known interoperability
      problems regarding this media format.

   Published specification:  RFC 9083

   Applications that use this media type:  Implementations of the
      Registration Data Access Protocol (RDAP).

   Additional information:  This media type is a product of the IETF
      REGEXT Working Group.  The REGEXT charter, information on the
      REGEXT mailing list, and other documents produced by the REGEXT
      Working Group can be found at https://datatracker.ietf.org/wg/
      regext/.

   Person & email address to contact for further information:
      IESG <iesg@ietf.org>

   Intended usage:  COMMON

   Restrictions on usage:  none

   Author:  Andy Newton

   Change controller:  IETF

   Provisional Registration:  No

10.2.  JSON Values Registry

   IANA has created a category in the protocol registries labeled
   "Registration Data Access Protocol (RDAP)", and within that category,
   IANA has established a URL-referenceable, stand-alone registry
   labeled "RDAP JSON Values".  This new registry is for use in the
   notices and remarks (Section 4.3), status (Section 4.6), role
   (Section 5.1), event action (Section 4.5), and domain variant
   relation (Section 5.3) fields specified in RDAP.

   Each entry in the registry contains the following fields:

   1.  Value -- the string value being registered.

   2.  Type -- the type of value being registered.  It should be one of
       the following:

       *  "notice or remark type" -- denotes a type of notice or remark.

       *  "status" -- denotes a value for the "status" object member as
          defined by Section 4.6.

       *  "role" -- denotes a value for the "role" array as defined in
          Section 5.1.

       *  "event action" -- denotes a value for an event action as
          defined in Section 4.5.

       *  "domain variant relation" -- denotes a relationship between a
          domain and a domain variant as defined in Section 5.3.

   3.  Description -- a one- or two-sentence description regarding the
       meaning of the value, how it might be used, and/or how it should
       be interpreted by clients.

   4.  Registrant Name -- the name of the person registering the value.

   5.  Registrant Contact Information -- an email address, postal
       address, or some other information to be used to contact the
       registrant.

   This registry is operated under the "Expert Review" policy defined in
   [RFC8126].

   Review of registrations into this registry by the designated
   expert(s) should be narrowly judged on the following criteria:

   1.  Values in need of being placed into multiple types must be
       assigned a separate registration for each type.

   2.  Values must be strings.  They should be multiple words separated
       by single space characters.  Every character should be
       lowercased.  If possible, every word should be given in English
       and each character should be US-ASCII.

   3.  Registrations should not duplicate the meaning of any existing
       registration.  That is, if a request for a registration is
       significantly similar in nature to an existing registration, the
       request should be denied.  For example, the terms "maintainer"
       and "registrant" are significantly similar in nature as they both
       denote a holder of a domain name or Internet number resource.  In
       cases where it may be reasonably argued that machine
       interpretation of two similar values may alter the operation of
       client software, designated experts should not judge the values
       to be of significant similarity.

   4.  Registrations should be relevant to the common usages of RDAP.
       Designated experts may rely upon the serving of the value by a
       DNR or RIR to make this determination.

   The following sections provide initial registrations into this
   registry.

10.2.1.  Notice and Remark Types

   The following values have been registered in the "RDAP JSON Values"
   registry:

   Value:  result set truncated due to authorization
   Type:  notice and remark type
   Description:  The list of results does not contain all results due to
      lack of authorization.  This may indicate to some clients that
      proper authorization will yield a longer result set.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  result set truncated due to excessive load
   Type:  notice and remark type
   Description:  The list of results does not contain all results due to
      an excessively heavy load on the server.  This may indicate to
      some clients that requerying at a later time will yield a longer
      result set.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  result set truncated due to unexplainable reasons
   Type:  notice and remark type
   Description:  The list of results does not contain all results for an
      unexplainable reason.  This may indicate to some clients that
      requerying for any reason will not yield a longer result set.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  object truncated due to authorization
   Type:  notice and remark type
   Description:  The object does not contain all data due to lack of
      authorization.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  object truncated due to excessive load
   Type:  notice and remark type
   Description:  The object does not contain all data due to an
      excessively heavy load on the server.  This may indicate to some
      clients that requerying at a later time will yield all data of the
      object.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  object truncated due to unexplainable reasons
   Type:  notice and remark type
   Description:  The object does not contain all data for an
      unexplainable reason.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

10.2.2.  Status

   The following values have been registered in the "RDAP JSON Values"
   registry:

   Value:  validated
   Type:  status
   Description:  Signifies that the data of the object instance has been
      found to be accurate.  This type of status is usually found on
      entity object instances to note the validity of identifying
      contact information.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  renew prohibited
   Type:  status
   Description:  Renewal or reregistration of the object instance is
      forbidden.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  update prohibited
   Type:  status
   Description:  Updates to the object instance are forbidden.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  transfer prohibited
   Type:  status
   Description:  Transfers of the registration from one registrar to
      another are forbidden.  This type of status normally applies to
      DNR domain names.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  delete prohibited
   Type:  status
   Description:  Deletion of the registration of the object instance is
      forbidden.  This type of status normally applies to DNR domain
      names.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  proxy
   Type:  status
   Description:  The registration of the object instance has been
      performed by a third party.  This is most commonly applied to
      entities.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  private
   Type:  status
   Description:  The information of the object instance is not
      designated for public consumption.  This is most commonly applied
      to entities.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  removed
   Type:  status
   Description:  Some of the information of the object instance has not
      been made available and has been removed.  This is most commonly
      applied to entities.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  obscured
   Type:  status
   Description:  Some of the information of the object instance has been
      altered for the purposes of not readily revealing the actual
      information of the object instance.  This is most commonly applied
      to entities.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  associated
   Type:  status
   Description:  The object instance is associated with other object
      instances in the registry.  This is most commonly used to signify
      that a nameserver is associated with a domain or that an entity is
      associated with a network resource or domain.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  active
   Type:  status
   Description:  The object instance is in use.  For domain names, it
      signifies that the domain name is published in DNS.  For network
      and autnum registrations, it signifies that they are allocated or
      assigned for use in operational networks.  This maps to the "OK"
      status of the Extensible Provisioning Protocol (EPP) [RFC5730].
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  inactive
   Type:  status
   Description:  The object instance is not in use.  See "active".
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  locked
   Type:  status
   Description:  Changes to the object instance cannot be made,
      including the association of other object instances.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  pending create
   Type:  status
   Description:  A request has been received for the creation of the
      object instance, but this action is not yet complete.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  pending renew
   Type:  status
   Description:  A request has been received for the renewal of the
      object instance, but this action is not yet complete.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  pending transfer
   Type:  status
   Description:  A request has been received for the transfer of the
      object instance, but this action is not yet complete.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  pending update
   Type:  status
   Description:  A request has been received for the update or
      modification of the object instance, but this action is not yet
      complete.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  pending delete
   Type:  status
   Description:  A request has been received for the deletion or removal
      of the object instance, but this action is not yet complete.  For
      domains, this might mean that the name is no longer published in
      DNS but has not yet been purged from the registry database.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

10.2.3.  Event Actions

   The following values have been registered in the "RDAP JSON Values"
   registry:

   Value:  registration
   Type:  event action
   Description:  The object instance was initially registered.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  reregistration
   Type:  event action
   Description:  The object instance was registered subsequently to
      initial registration.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  last changed
   Type:  event action
   Description:  An action noting when the information in the object
      instance was last changed.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  expiration
   Type:  event action
   Description:  The object instance has been removed or will be removed
      at a predetermined date and time from the registry.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  deletion
   Type:  event action
   Description:  The object instance was removed from the registry at a
      point in time that was not predetermined.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  reinstantiation
   Type:  event action
   Description:  The object instance was reregistered after having been
      removed from the registry.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  transfer
   Type:  event action
   Description:  The object instance was transferred from one registrar
      to another.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  locked
   Type:  event action
   Description:  The object instance was locked (see the "locked"
      status).
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  unlocked
   Type:  event action
   Description:  The object instance was unlocked (see the "locked"
      status).
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

10.2.4.  Roles

   The following values have been registered in the "RDAP JSON Values"
   registry:

   Value:  registrant
   Type:  role
   Description:  The entity object instance is the registrant of the
      registration.  In some registries, this is known as a maintainer.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  technical
   Type:  role
   Description:  The entity object instance is a technical contact for
      the registration.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  administrative
   Type:  role
   Description:  The entity object instance is an administrative contact
      for the registration.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  abuse
   Type:  role
   Description:  The entity object instance handles network abuse issues
      on behalf of the registrant of the registration.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  billing
   Type:  role
   Description:  The entity object instance handles payment and billing
      issues on behalf of the registrant of the registration.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  registrar
   Type:  role
   Description:  The entity object instance represents the authority
      responsible for the registration in the registry.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  reseller
   Type:  role
   Description:  The entity object instance represents a third party
      through which the registration was conducted (i.e., not the
      registry or registrar).
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  sponsor
   Type:  role
   Description:  The entity object instance represents a domain policy
      sponsor, such as an ICANN-approved sponsor.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  proxy
   Type:  role
   Description:  The entity object instance represents a proxy for
      another entity object, such as a registrant.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  notifications
   Type:  role
   Description:  An entity object instance designated to receive
      notifications about association object instances.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  noc
   Type:  role
   Description:  The entity object instance handles communications
      related to a network operations center (NOC).
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

10.2.5.  Variant Relations

   The following values have been registered in the "RDAP JSON Values"
   registry:

   Value:  registered
   Type:  domain variant relation
   Description:  The variant names are registered in the registry.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  unregistered
   Type:  domain variant relation
   Description:  The variant names are not found in the registry.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  registration restricted
   Type:  domain variant relation
   Description:  Registration of the variant names is restricted to
      certain parties or within certain rules.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  open registration
   Type:  domain variant relation
   Description:  Registration of the variant names is available to
      generally qualified registrants.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

   Value:  conjoined
   Type:  domain variant relation
   Description:  Registration of the variant names occurs automatically
      with the registration of the containing domain registration.
   Registrant Name:  IESG
   Registrant Contact Information:  iesg@ietf.org

11.  Security Considerations

   This specification models information serialized in JSON format.  As
   JSON is a subset of JavaScript, implementations are advised to follow
   the security considerations outlined in Section 12 of [RFC8259] to
   prevent code injection.

   Though not specific to JSON, RDAP implementers should be aware of the
   security considerations specified in [RFC7480] and the security
   requirements and considerations in [RFC7481].

   RDAP responses allow for retrieval of DNSSEC (key) related
   information, but the RRSIG DS from the parent zone is not conveyed
   alongside it.  This means that the DNSSEC keys retrieved by RDAP are
   disconnected from their containing PKI, and as such are not generally
   expected to be trusted without additional information.  In
   particular, the HTTPS channel protecting the RDAP connection is not
   expected to be authorized to certify the validity of the DNSSEC keys.

   Clients caching data, especially clients using RDAP-specific caches
   (instead of HTTP-layer caches), should have safeguards to prevent
   cache poisoning.  See Section 5 for advice on using the self links
   for caching.

   Finally, service operators should be aware of the privacy mechanisms
   noted in Section 13.

12.  Internationalization Considerations

12.1.  Character Encoding

   The default text encoding for JSON responses in RDAP is UTF-8
   [RFC3629], and all servers and clients MUST support UTF-8.

12.2.  URIs and IRIs

   [RFC7480] defines the use of URIs and IRIs in RDAP.

12.3.  Language Tags

   Section 4.4 defines the use of language tags in the JSON responses
   defined in this document.

12.4.  Internationalized Domain Names

   IDNs are denoted in this specification by the separation of DNS names
   in LDH form and Unicode form (see Section 3).  Representation of IDNs
   in registries is described by the "variants" object in Section 5.3
   and the suggested values listed in Section 10.2.5.

13.  Privacy Considerations

   This specification suggests status values to denote contact and
   registrant information that has been marked as private and/or has
   been removed or obscured.  See Section 10.2.2 for the complete list
   of status values.  A few of the status values indicate that there are
   privacy concerns associated with the object instance.  The following
   status codes SHOULD be used to describe data elements of a response
   when appropriate:

   *  private -- The object is not be shared in query responses, unless
      the user is authorized to view this information.

   *  removed -- Data elements within the object have been collected but
      have been omitted from the response.  This option can be used to
      prevent unauthorized access to associated object instances without
      the need to mark them as private.

   *  obscured -- Data elements within the object have been collected,
      but the response value has been altered so that values are not
      easily discernible.  A value changed from "1212" to "XXXX" is an
      example of obscured data.  This option may reveal privacy
      sensitive information and should only be used when data
      sensitivity does not require a more protective option like
      "private" or "removed".

   See Appendix A.1 for an example of applying those values to contacts
   and registrants.

14.  References

14.1.  Normative References

   [ISO.3166.2020]
              International Organization for Standardization, "Codes for
              the representation of names of countries and their
              subdivisions", Fourth edition, ISO Standard 3166, August
              2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
              <https://www.rfc-editor.org/info/rfc3339>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005,
              <https://www.rfc-editor.org/info/rfc4034>.

   [RFC5396]  Huston, G. and G. Michaelson, "Textual Representation of
              Autonomous System (AS) Numbers", RFC 5396,
              DOI 10.17487/RFC5396, December 2008,
              <https://www.rfc-editor.org/info/rfc5396>.

   [RFC5646]  Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying
              Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646,
              September 2009, <https://www.rfc-editor.org/info/rfc5646>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
              Address Text Representation", RFC 5952,
              DOI 10.17487/RFC5952, August 2010,
              <https://www.rfc-editor.org/info/rfc5952>.

   [RFC7095]  Kewisch, P., "jCard: The JSON Format for vCard", RFC 7095,
              DOI 10.17487/RFC7095, January 2014,
              <https://www.rfc-editor.org/info/rfc7095>.

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7480, DOI 10.17487/RFC7480, March 2015,
              <https://www.rfc-editor.org/info/rfc7480>.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7481, DOI 10.17487/RFC7481, March 2015,
              <https://www.rfc-editor.org/info/rfc7481>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [RFC8288]  Nottingham, M., "Web Linking", RFC 8288,
              DOI 10.17487/RFC8288, October 2017,
              <https://www.rfc-editor.org/info/rfc8288>.

   [RFC9082]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Query Format", STD 95, RFC 9082,
              DOI 10.17487/RFC9082, June 2021,
              <https://www.rfc-editor.org/info/rfc9082>.

14.2.  Informative References

   [IANA_IDNTABLES]
              IANA, "Repository of IDN Practices",
              <https://www.iana.org/domains/idn-tables>.

   [JSON_ascendancy]
              MacVittie, L., "The Stealthy Ascendancy of JSON", April
              2011, <https://devcentral.f5.com/s/articles/the-stealthy-
              ascendancy-of-json>.

   [JSON_performance_study]
              Nurseitov, N., Paulson, M., Reynolds, R., and C. Izurieta,
              "Comparison of JSON and XML Data Interchange Formats: A
              Case Study", 2009,
              <https://www.cs.montana.edu/izurieta/pubs/caine2009.pdf>.

   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
              DOI 10.17487/RFC3912, September 2004,
              <https://www.rfc-editor.org/info/rfc3912>.

   [RFC5730]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
              STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009,
              <https://www.rfc-editor.org/info/rfc5730>.

   [RFC5910]  Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
              Security Extensions Mapping for the Extensible
              Provisioning Protocol (EPP)", RFC 5910,
              DOI 10.17487/RFC5910, May 2010,
              <https://www.rfc-editor.org/info/rfc5910>.

   [RFC6350]  Perreault, S., "vCard Format Specification", RFC 6350,
              DOI 10.17487/RFC6350, August 2011,
              <https://www.rfc-editor.org/info/rfc6350>.

   [RFC6839]  Hansen, T. and A. Melnikov, "Additional Media Type
              Structured Syntax Suffixes", RFC 6839,
              DOI 10.17487/RFC6839, January 2013,
              <https://www.rfc-editor.org/info/rfc6839>.

Appendix A.  Suggested Data Modeling with the Entity Object Class

A.1.  Registrants and Contacts

   This document does not provide specific object classes for
   registrants and contacts.  Instead, the entity object class may be
   used to represent a registrant or contact.  When the entity object is
   embedded inside a containing object such as a domain name or IP
   network, the "roles" string array can be used to signify the
   relationship.  It is recommended that the values from Section 10.2.4
   be used.

   The following is an example of an elided containing object with an
   embedded entity that is both a registrant and administrative contact:

   {
     ...
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         "vcardArray":[
           "vcard",
           [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Joe User"],
             ["kind", {}, "text", "individual"],
             ["lang", {
               "pref":"1"
             }, "language-tag", "fr"],
             ["lang", {
               "pref":"2"
             }, "language-tag", "en"],
             ["org", {
               "type":"work"
             }, "text", "Example"],
             ["title", {}, "text", "Research Scientist"],
             ["role", {}, "text", "Project Lead"],
             ["adr",
               { "type":"work" },
               "text",
               [
                 "",
                 "Suite 1234",
                 "4321 Rue Somewhere",
                 "Quebec",
                 "QC",
                 "G1V 2M2",
                 "Canada"
               ]
             ],
             ["tel",
               { "type":["work", "voice"], "pref":"1" },
               "uri", "tel:+1-555-555-1234;ext=102"
             ],
             ["email",
               { "type":"work" },
               "text", "joe.user@example.com"
             ]
           ]
         ],
         "roles" : [ "registrant", "administrative" ],
         "remarks" :
         [
           {
             "description" :
             [
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "events" :
         [
           {
             "eventAction" : "registration",
             "eventDate" : "1990-12-31T23:59:59Z"
           },
           {
             "eventAction" : "last changed",
             "eventDate" : "1991-12-31T23:59:59Z"
           }
         ]
       }
     ]
   }

                                 Figure 34

   In many use cases, it is necessary to hide or obscure the information
   of a registrant or contact due to policy or other operational
   matters.  Registries can denote these situations with "status" values
   (see Section 10.2.2).

   The following is an elided example of a registrant with information
   changed to reflect that of a third party.

   {
     ...
     "entities" :
     [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         ...
         "roles" : [ "registrant", "administrative" ],
         "status" : [ "proxy", "private", "obscured" ]
       }
     ]
   }

                                 Figure 35

A.2.  Registrars

   This document does not provide a specific object class for
   registrars, but like registrants and contacts (see Appendix A.1), the
   "roles" string array maybe used.  Additionally, many registrars have
   publicly assigned identifiers.  The publicIds structure (Section 4.8)
   represents that information.

   The following is an example of an elided containing object with an
   embedded entity that is a registrar:

   {
     ...
     "entities":[
       {
         "objectClassName" : "entity",
         "handle":"XXXX",
         "vcardArray":[
           "vcard",
           [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "Joe's Fish, Chips, and Domains"],
             ["kind", {}, "text", "org"],
             ["lang", {
               "pref":"1"
             }, "language-tag", "fr"],
             ["lang", {
               "pref":"2"
             }, "language-tag", "en"],
             ["org", {
               "type":"work"
             }, "text", "Example"],
             ["adr",
               { "type":"work" },
               "text",
               [
                 "",
                 "Suite 1234",
                 "4321 Rue Somewhere",
                 "Quebec",
                 "QC",
                 "G1V 2M2",
                 "Canada"
               ]
             ],
             ["tel",
               {
                 "type":["work", "voice"],
                 "pref":"1"
               },
               "uri", "tel:+1-555-555-1234;ext=102"
             ],
             ["email",
               { "type":"work" },
               "text", "joes_fish_chips_and_domains@example.com"
             ]
           ]
         ],
         "roles":[ "registrar" ],
         "publicIds":[
           {
             "type":"IANA Registrar ID",
             "identifier":"1"
           }
         ],
         "remarks":[
           {
             "description":[
               "She sells sea shells down by the sea shore.",
               "Originally written by Terry Sullivan."
             ]
           }
         ],
         "links":[
           {
             "value":"https://example.net/entity/XXXX",
             "rel":"alternate",
             "type":"text/html",
             "href":"https://www.example.com"
           }
         ]
       }
     ]
   }

                                 Figure 36

Appendix B.  Modeling Events

   Events represent actions that have taken place against a registered
   object at a certain date and time.  Events have three properties: the
   action, the actor, and the date and time of the event (which is
   sometimes in the future).  In some cases, the identity of the actor
   is not captured.

   Events can be modeled in three ways:

   1.  events with no designated actor

   2.  events where the actor is only designated by an identifier

   3.  events where the actor can be modeled as an entity

   For the first use case, the events data structure (Section 4.5) is
   used without the "eventActor" object member.

   This is an example of an "events" array without the "eventActor".

   "events" :
   [
     {
       "eventAction" : "registration",
       "eventDate" : "1990-12-31T23:59:59Z"
     }
   ]

                                 Figure 37

   For the second use case, the events data structure (Section 4.5) is
   used with the "eventActor" object member.

   This is an example of an "events" array with the "eventActor".

   "events" :
   [
     {
       "eventAction" : "registration",
       "eventActor" : "XYZ-NIC",
       "eventDate" : "1990-12-31T23:59:59Z"
     }
   ]

                                 Figure 38

   For the third use case, the "asEventActor" array is used when an
   entity (Section 5.1) is embedded into another object class.  The
   "asEventActor" array follows the same structure as the "events" array
   but does not have "eventActor" attributes.

   The following is an elided example of a domain object with an entity
   as an event actor.

   {
     "objectClassName" : "domain",
     "handle" : "XXXX",
     "ldhName" : "foo.example",
     "status" : [ "locked", "transfer prohibited" ],
     ...
     "entities" :
     [
       {
         "handle" : "XXXX",
         ...
         "asEventActor" :
         [
           {
             "eventAction" : "last changed",
             "eventDate" : "1990-12-31T23:59:59Z"
           }
         ]
       }
     ]
   }

                                 Figure 39

Appendix C.  Structured vs. Unstructured Addresses

   The entity (Section 5.1) object class uses jCard [RFC7095] to
   represent contact information, including postal addresses. jCard has
   the ability to represent multiple language preferences, multiple
   email address and phone numbers, and multiple postal addresses in
   both a structured and unstructured format.  This section describes
   the use of jCard for representing structured and unstructured
   addresses.

   The following is an example of a jCard.

   {
     "vcardArray":[
       "vcard",
       [
         ["version", {}, "text", "4.0"],
         ["fn", {}, "text", "Joe User"],
         ["n", {}, "text",
           ["User", "Joe", "", "", ["ing. jr", "M.Sc."]]
         ],
         ["kind", {}, "text", "individual"],
         ["lang", {
           "pref":"1"
         }, "language-tag", "fr"],
         ["lang", {
           "pref":"2"
         }, "language-tag", "en"],
         ["org", {
           "type":"work"
         }, "text", "Example"],
         ["title", {}, "text", "Research Scientist"],
         ["role", {}, "text", "Project Lead"],
         ["adr",
           { "type":"work" },
           "text",
           [
             "",
             "Suite 1234",
             "4321 Rue Somewhere",
             "Quebec",
             "QC",
             "G1V 2M2",
             "Canada"
           ]
         ],
         ["adr",
           {

             "type":"home",
             "label":"123 Maple Ave\nSuite 90001\nVancouver\nBC\n1239\n"
           },
           "text",
           [
             "", "", "", "", "", "", ""
           ]
         ],
         ["tel",
           { "type":["work", "voice"], "pref":"1" },
           "uri", "tel:+1-555-555-1234;ext=102"
         ],
         ["tel",
           {
             "type":["work", "cell", "voice", "video", "text"]
           },
           "uri",
           "tel:+1-555-555-1234"
         ],
         ["email",
           { "type":"work" },
           "text", "joe.user@example.com"
         ],
         ["geo", {
           "type":"work"
         }, "uri", "geo:46.772673,-71.282945"],
         ["key",
           { "type":"work" },
           "uri", "https://www.example.com/joe.user/joe.asc"
         ],
         ["tz", {},
           "utc-offset", "-05:00"],
         ["url", { "type":"home" },
           "uri", "https://example.org"]
       ]
     ]
   }

                                 Figure 40

   The arrays in Figure 40 with the first member of "adr" represent
   postal addresses.  In the first example, the postal address is given
   as an array of strings and constitutes a structured address.  For
   components of the structured address that are not applicable, an
   empty string is given.  Each member of that array aligns with the
   positions of a vCard as given in [RFC6350].  In this example, the
   following data corresponds to the following positional meanings:

   1.  post office box -- not applicable; empty string

   2.  extended address (e.g., apartment or suite number) -- Suite 1234

   3.  street address -- 4321 Rue Somewhere

   4.  locality (e.g., city) -- Quebec

   5.  region (e.g., state or province) -- QC

   6.  postal code -- G1V 2M2

   7.  country name (full name) -- Canada

   The second example is an unstructured address.  It uses the "label"
   attribute, which is a string containing a newline (\n) character to
   separate address components in an unordered, unspecified manner.
   Note that in this example, the structured address array is still
   given but that each string is an empty string.

Appendix D.  Secure DNS

   Section 5.3 defines the "secureDNS" member to represent secure DNS
   information about domain names.

   DNSSEC provides data integrity for DNS through the digital signing of
   resource records.  To enable DNSSEC, the zone is signed by one or
   more private keys and the signatures are stored as RRSIG records.  To
   complete the chain of trust in the DNS zone hierarchy, a digest of
   each DNSKEY record (which contains the public key) must be loaded
   into the parent zone, stored as DS records, and signed by the
   parent's private key (RRSIG DS record), as indicated in "Resource
   Records for the DNS Security Extensions" [RFC4034].  Creating the DS
   records in the parent zone can be done by the registration authority
   "Domain Name System (DNS) Security Extensions Mapping for the
   Extensible Provisioning Protocol (EPP)" [RFC5910].

   Only DS-related information is provided by RDAP, since other
   information is not generally stored in the registration database.
   Other DNSSEC-related information can be retrieved with other DNS
   tools such as dig.

   The domain object class (Section 5.3) can represent this information
   using either the "dsData" or "keyData" object arrays.  Client
   implementers should be aware that some registries do not collect or
   do not publish all of the secure DNS meta-information.

Appendix E.  Motivations for Using JSON

   This section addresses a common question regarding the use of JSON
   over other data formats, most notably XML.

   It is often pointed out that many DNRs and one RIR support the EPP
   [RFC5730] standard, which is an XML serialized protocol.  The logic
   is that since EPP is a common protocol in the industry, it follows
   that XML would be a more natural choice.  While EPP does influence
   this specification quite a bit, EPP serves a different purpose, which
   is the provisioning of Internet resources between registries and
   accredited registrars and serving a much narrower audience than that
   envisioned for RDAP.

   By contrast, RDAP has a broader audience and is designed for public
   consumption of data.  Experience from RIRs with first generation
   RESTful web services for WHOIS indicate that a large percentage of
   clients operate within browsers and other platforms where full-blown
   XML stacks are not readily available and where JSON is a better fit.

   Additionally, while EPP is used in much of the DNR community it is
   not a universal constant in that industry.  And finally, EPP's use of
   XML predates the specification of JSON.  If EPP had been defined
   today, it may very well have used JSON instead of XML.

   Beyond the specific DNR and RIR communities, the trend in the broader
   Internet industry is also switching to JSON over XML, especially in
   the area of RESTful web services (see [JSON_ascendancy]).  Studies
   have also found that JSON is generally less bulky and consequently
   faster to parse (see [JSON_performance_study]).

Appendix F.  Changes from RFC 7483

   *  Addressed known errata.

   *  Updated references to 7482 to RFC 9082.  Adjusted case of "xxxx"
      used in examples where "XXXX" was previously used, and removed an
      "X" from "XXXXX".  Changed IPv6 address example using "C00" to
      "c00".  Added "a string representing" to the definitions of
      startAddress and endAddress.  Removed "entity" from "Autonomous
      System Number Entity Object Class".  Added "an unsigned 32-bit
      integer" to the definition of startAutnum and endAutnum.  Added "a
      string representing" to the definition of name in the IP network
      and ASN object classes.  Clarified rdapConformance identifier
      registration expectations in Section 4.1.  Changed
      "lunarNic_level_0" to "lunarNIC_level_0".

   *  Clarified that the "value", "rel" and "href" JSON values MUST be
      specified in the "links" array.

   *  Clarified that the "description" array is required in the Notices
      and Remarks data structures and other values are OPTIONAL.

   *  Noted that all members of the "events" and "Public IDs" arrays are
      REQUIRED.

   *  Fix "self" link values in examples.  Changed "http" to "https"
      link values in examples.  Noted that Figure 18 is an example of a
      nameserver object with all "appropriate" values given.  In
      Appendix C, quoted the word "label" in "label attribute".  Added
      reference to "status" definition in the descriptions for IP
      networks and autnums.  Fixed a 404 for the informative reference
      to "The Stealthy Ascendancy of JSON".  Added "boolean" to the
      definition of zoneSigned.

   *  Clarified REQUIRED and OPTIONAL members of the "events" array.

   *  Changed "SHOULD not" to "SHOULD NOT" in Section 5.

   *  Updated normative references (RFC 5226 to RFC 8126, RFC 5988 to
      RFC 8288, RFC 7159 to RFC 8259).  Changed examples using "ns1.xn--
      fo-5ja.example" to split URLs to avoid long lines.

   *  Added acknowledgments.

   *  Changed "The "lang" attribute may appear anywhere in an object
      class or data structure except for in jCard objects" to "The
      "lang" attribute as defined in this section MAY appear anywhere in
      an object class or data structure, except for in jCard objects.
      jCard supports similar functionality by way of the LANGUAGE
      property parameter (see Section 5.1 of RFC 6350 [RFC6350]".

   *  Changed "simple data types conveyed in JSON strings" to "simple
      data types conveyed in JSON primitive types (strings, numbers,
      booleans, and null)".  Changed "In other words, servers are free
      to not include JSON members containing registration data based on
      their own policies" to "In other words, servers are free to omit
      unrequired/optional JSON members containing registration data
      based on their own policies".

   *  Changed "This data structure appears only in the topmost JSON
      object of a response" to "This data structure MUST appear in the
      topmost JSON object of a response".

   *  Changed "Some non-answer responses may return entity bodies with
      information that could be more descriptive" to "Some non-answer
      responses MAY return entity bodies with information that could be
      more descriptive".

   *  Changed "The basic structure of that response is an object class
      containing an error code number (corresponding to the HTTP
      response code) followed by a string named "title" and an array of
      strings named "description"" to "The basic structure of that
      response is an object class containing a REQUIRED error code
      number (corresponding to the HTTP response code) followed by an
      OPTIONAL string named "title" and an OPTIONAL array of strings
      named "description"".

   *  Changed the "Autonomous System Number Object Class" section title
      to "The Autonomous System Number Object Class" for consistency
      with other section titles.  Removed trailing periods in the
      "Terminology and Definitions" section for consistency.  Changed
      instances of "lunarNic" to "lunarNIC" for consistency.  Removed an
      extraneous trailing period after the eventDate description.
      Changed a "." to ";" in the description of the "network" member of
      the domain object class.  Changed "The high-level structure of the
      autnum object class consists of information about the network
      registration" to "The high-level structure of the autnum object
      class consists of information about the Autonomous System number
      registration".  Changed "registry unique" to "registry-unique".

   *  Changed "registrant" to "registrar" in the description of the
      "transfer" event action to address erratum 6158.  Added IANA
      instructions to correct the description of the value in the
      registry.

   *  Added text to Section 4.2 to note that "self" and "related" "href"
      URIs MUST NOT be the same.

   *  Added text to Section 4.2 to describe return of IDNs in LDH name
      format.

   *  Added text to note that the "fn" member of a contact object MAY be
      empty in Section 3.

   *  Added text to clarify rdapConformance requirements in Section 4.1.

   *  Added "obsoletes 7483" to the headers, Abstract, and Introduction.
      Updated BCP 14 boilerplate.  Updated IANA Considerations to note
      that this RFC (a product of the REGEXT Working Group) replaces RFC
      7483.  Changed "simple string" to "simple character string" in
      Sections 3 and 4.7.  Clarified requirement for the "fn" member in
      Section 3.  Modified the requirement for rdapConformance placement
      in Section 4.1.  Changed "jCard" to "vCard" LANGUAGE property
      reference in Section 4.4.  Changed "no use" to "little or no use"
      in Section 5.1.  Added example line wrap note in Section 5.2.
      Modified the definition of "idnTable" in Section 5.3.  Modified
      the dsData and keyData examples in Section 5.3.  Changed
      "2001:c00::/23" to "2001:db8::/32" in Section 5.4.  Expanded the
      definition of "type" in Sections 5.4 and 5.5.  Modified example
      autnums in Section 5.5.  Added text to the Security Considerations
      section to note that DNSSEC information returned in a response
      cannot be trusted directly.

Acknowledgments

   This document is derived from original work on RIR responses in JSON
   by Byron J. Ellacott, Arturo L. Servin, Kaveh Ranjbar, and Andrew L. 
   Newton.  Additionally, this document incorporates work on DNR
   responses in JSON by Ning Kong, Linlin Zhou, Jiagui Xie, and Sean
   Shen.

   The components of the DNR object classes are derived from a
   categorization of WHOIS response formats created by Ning Kong, Linlin
   Zhou, Guangqing Deng, Steve Sheng, Francisco Arias, Ray Bellis, and
   Frederico Neves.

   Tom Harrison, Murray Kucherawy, Ed Lewis, Audric Schiltknecht, Naoki
   Kambe, Maarten Bosteels, Mario Loffredo, and Jasdip Singh contributed
   significant review comments and provided clarifying text.  James
   Mitchell provided text regarding the processing of unknown JSON
   attributes and identified issues leading to the remodeling of events.
   Ernie Dainow and Francisco Obispo provided concrete suggestions that
   led to a better variant model for domain names.

   Ernie Dainow provided the background information on the secure DNS
   attributes and objects for domains, informative text on DNSSEC, and
   many other attributes that appear throughout the object classes of
   this document.

   The switch to and incorporation of jCard was performed by Simon
   Perreault.

   Olaf Kolkman and Murray Kucherawy chaired the IETF's WEIRDS Working
   Group from which this document was originally created.  James Galvin
   and Antoin Verschuren chaired the REGEXT Working Group that worked on
   this document.

Authors' Addresses

   Scott Hollenbeck
   Verisign Labs
   12061 Bluemont Way
   Reston, VA 20190
   United States of America

   Email: shollenbeck@verisign.com
   URI:   https://www.verisignlabs.com/

   Andy Newton
   Amazon Web Services, Inc.
   13200 Woodland Park Road
   Herndon, VA 20171
   United States of America

   Email: andy@hxr.us

=========================================================================

Internet Engineering Task Force (IETF)                       M. Blanchet
Request for Comments: 9224                                      Viagenie
STD: 95                                                       March 2022
Obsoletes: 7484                                                         
Category: Standards Track                                               
ISSN: 2070-1721

   Finding the Authoritative Registration Data Access Protocol (RDAP)
                                Service

Abstract

   This document specifies a method to find which Registration Data
   Access Protocol (RDAP) server is authoritative to answer queries for
   a requested scope, such as domain names, IP addresses, or Autonomous
   System numbers.  This document obsoletes RFC 7484.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9224.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Structure of the RDAP Bootstrap Service Registries
   4.  Bootstrap Service Registry for Domain Name Space
   5.  Bootstrap Service Registries for Internet Numbers
     5.1.  Bootstrap Service Registry for IPv4 Address Space
     5.2.  Bootstrap Service Registry for IPv6 Address Space
     5.3.  Bootstrap Service Registry for AS Number Space
   6.  Entity
   7.  Non-existent Entries or RDAP URL Values
   8.  Deployment and Implementation Considerations
   9.  Limitations
   10. Formal Definition
     10.1.  Imported JSON Terms
     10.2.  Registry Syntax
   11. Security Considerations
   12. IANA Considerations
     12.1.  Bootstrap Service Registry for IPv4 Address Space
     12.2.  Bootstrap Service Registry for IPv6 Address Space
     12.3.  Bootstrap Service Registry for AS Number Space
     12.4.  Bootstrap Service Registry for Domain Name Space
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Appendix A.  Changes since RFC 7484
   Acknowledgements
   Author's Address

1.  Introduction

   Querying and retrieving registration data from registries are defined
   in the Registration Data Access Protocol (RDAP) [RFC7480] [RFC7481]
   [RFC9082] [RFC9083].  These documents do not specify where to send
   the queries.  This document specifies a method to find which server
   is authoritative to answer queries for the requested scope.

   Top-Level Domains (TLDs), Autonomous System (AS) numbers, and network
   blocks are delegated by IANA to Internet registries such as TLD
   registries and Regional Internet Registries (RIRs) that then issue
   further delegations and maintain information about them.  Thus, the
   bootstrap information needed by RDAP clients is best generated from
   data and processes already maintained by IANA; the relevant
   registries already exist at [ipv4reg], [ipv6reg], [asreg], and
   [domainreg].  This document obsoletes [RFC7484].

   Per this document, IANA has created new registries based on a JSON
   format specified in this document, herein named RDAP Bootstrap
   Service Registries.  These new registries are based on the existing
   entries of the above-mentioned registries.  An RDAP client fetches
   the RDAP Bootstrap Service Registries, extracts the data, and then
   performs a match with the query data to find the authoritative
   registration data server and appropriate query base URL.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Structure of the RDAP Bootstrap Service Registries

   The RDAP Bootstrap Service Registries, as specified in Section 12
   below, have been made available as JSON [RFC8259] objects, which can
   be retrieved via HTTP from locations specified by IANA.  The JSON
   object for each registry contains a series of members containing
   metadata about the registry such as a version identifier, a timestamp
   of the publication date of the registry, and a description.
   Additionally, a "services" member contains the registry items
   themselves, as an array.  Each item of the array contains a second-
   level array, with two elements, each of them being a third-level
   array.

   Each element of the Services Array is a second-level array with two
   elements: in order, an Entry Array and a Service URL Array.

   The Entry Array contains all entries that have the same set of base
   RDAP URLs.  The Service URL Array contains the list of base RDAP URLs
   usable for the entries found in the Entry Array.  Elements within
   these two arrays are not ordered in any way.

   An example structure of the JSON output of an RDAP Bootstrap Service
   Registry is illustrated:

   {
       "version": "1.0",
       "publication": "YYYY-MM-DDTHH:MM:SSZ",
       "description": "Some text",
       "services": [
         [
           ["entry1", "entry2", "entry3"],
           [
             "https://registry.example.com/myrdap/",
             "http://registry.example.com/myrdap/"
           ]
         ],
         [
           ["entry4"],
           [
             "https://example.org/"
           ]
         ]
       ]
   }

   The formal syntax is described in Section 10.

   The "version" corresponds to the format version of the registry.
   This specification defines version "1.0".

   The syntax of the "publication" value conforms to the Internet date/
   time format [RFC3339].  The value is the latest update date of the
   registry by IANA.

   The optional "description" string can contain a comment regarding the
   content of the bootstrap object.

   Per [RFC7258], in each array of base RDAP URLs, the secure versions
   of the transport protocol SHOULD be preferred and tried first.  For
   example, if the base RDAP URLs array contains both HTTPS and HTTP
   URLs, the bootstrap client SHOULD try the HTTPS version first.

   Base RDAP URLs MUST have a trailing "/" character because they are
   concatenated to the various segments defined in [RFC9082].

   JSON names MUST follow the format recommendations of Section 6 of
   [RFC7480].  Any unrecognized JSON object properties or values MUST be
   ignored by implementations.

   Internationalized Domain Name labels used as entries or base RDAP
   URLs in the registries defined in this document MUST be only
   represented using their A-label form as defined in [RFC5890].

   All Domain Name labels used as entries or base RDAP URLs in the
   registries defined in this document MUST be only represented in
   lowercase.

4.  Bootstrap Service Registry for Domain Name Space

   The JSON output of this registry contains domain label entries
   attached to the root, grouped by base RDAP URLs, as shown in this
   example.

   {
       "version": "1.0",
       "publication": "2024-01-07T10:11:12Z",
       "description": "Some text",
       "services": [
         [
           ["net", "com"],
           [
             "https://registry.example.com/myrdap/"
           ]
         ],
         [
           ["org", "mytld"],
           [
             "https://example.org/"
           ]
         ],
         [
           ["xn--zckzah"],
           [
             "https://example.net/rdap/xn--zckzah/",
             "http://example.net/rdap/xn--zckzah/"
           ]
         ]
       ]
   }

   The domain name's authoritative registration data service is found by
   doing the label-wise longest match of the target domain name with the
   domain values in the Entry Arrays in the IANA "Bootstrap Service
   Registry for Domain Name Space".  The match is done per label, from
   right to left.  If the longest match results in multiple entries,
   then those entries are considered equivalent.  The values contained
   in the Service URL Array of the matching second-level array are the
   valid base RDAP URLs as described in [RFC9082].

   For example, a domain RDAP query for a.b.example.com matches the com
   entry in one of the arrays of the registry.  The base RDAP URL for
   this query is then taken from the second element of the array, which
   is an array of base RDAP URLs valid for this entry.  The client
   chooses one of the base URLs from this array; in this example, it
   chooses the only one available, "https://registry.example.com/
   myrdap/".  The segment specified in [RFC9082] is then appended to the
   base URL to complete the query.  The complete query is then
   "https://registry.example.com/myrdap/domain/a.b.example.com".

   If a domain RDAP query for a.b.example.com matches both com and
   example.com entries in the registry, then the longest match applies
   and the example.com entry is used by the client.

   If the registry contains entries such as com and goodexample.com,
   then a domain RDAP query for example.com only matches the com entry
   because matching is done on a per-label basis.

   The entry for the root of the domain name space is specified as "".

5.  Bootstrap Service Registries for Internet Numbers

   This section discusses IPv4 and IPv6 address space and Autonomous
   System numbers.

   For IP address space, the authoritative registration data service is
   found by doing a longest match of the target address with the values
   of the arrays in the corresponding RDAP Bootstrap Service Registry
   for Address Space.  The longest match is done the same way as in
   packet forwarding: the addresses are converted in binary form and
   then the binary strings are compared to find the longest match up to
   the specified prefix length.  The values contained in the second
   element of the array are the base RDAP URLs as described in
   [RFC9082].  The longest match method enables covering prefixes of a
   larger address space pointing to one base RDAP URL while more
   specific prefixes within the covering prefix are being served by
   another base RDAP URL.

5.1.  Bootstrap Service Registry for IPv4 Address Space

   The JSON output of this registry contains IPv4 prefix entries,
   specified in Classless Inter-domain Routing (CIDR) format [RFC4632]
   and grouped by RDAP URLs, as shown in this example.

   {
       "version": "1.0",
       "publication": "2024-01-07T10:11:12Z",
       "description": "RDAP Bootstrap file for example registries.",
       "services": [
         [
           ["198.51.100.0/24", "192.0.0.0/8"],
           [
             "https://rir1.example.com/myrdap/"
           ]
         ],
         [
           ["203.0.113.0/24", "192.0.2.0/24"],
           [
             "https://example.org/"
           ]
         ],
         [
           ["203.0.113.0/28"],
           [
             "https://example.net/rdaprir2/",
             "http://example.net/rdaprir2/"
           ]
         ]
       ]
   }

   For example, a query for "192.0.2.1/25" matches the "192.0.0.0/8"
   entry and the "192.0.2.0/24" entry in the example registry above.
   The latter is chosen by the client because it is the longest match.
   The base RDAP URL for this query is then taken from the second
   element of the array, which is an array of base RDAP URLs valid for
   this entry.  The client chooses one of the base URLs from this array;
   in this example, it chooses the only one available,
   "https://example.org/".  The {resource} specified in [RFC9082] is
   then appended to the base URL to complete the query.  The complete
   query is then "https://example.org/ip/192.0.2.1/25".

5.2.  Bootstrap Service Registry for IPv6 Address Space

   The JSON output of this registry contains IPv6 prefix entries, using
   [RFC5952] text representation of the address prefixes format, grouped
   by base RDAP URLs, as shown in this example.

   {
       "version": "1.0",
       "publication": "2024-01-07T10:11:12Z",
       "description": "RDAP Bootstrap file for example registries.",
       "services": [
         [
           ["2001:db8::/34"],
           [
             "https://rir2.example.com/myrdap/"
           ]
         ],
         [
           ["2001:db8:4000::/36", "2001:db8:ffff::/48"],
           [
             "https://example.org/"
           ]
         ],
         [
           ["2001:db8:1000::/36"],
           [
             "https://example.net/rdaprir2/",
             "http://example.net/rdaprir2/"
           ]
         ]
       ]
   }

   For example, a query for "2001:db8:1000::/48" matches the
   "2001:db8::/34" entry and the "2001:db8:1000::/36" entry in the
   example registry above.  The latter is chosen by the client because
   it is the longest match.  The base RDAP URL for this query is then
   taken from the second element of the array, which is an array of base
   RDAP URLs valid for this entry.  The client chooses one of the base
   URLs from this array; in this example, it chooses
   "https://example.net/rdaprir2/" because it's the secure version of
   the protocol.  The segment specified in [RFC9082] is then appended to
   the base URL to complete the query.  The complete query is therefore
   "https://example.net/rdaprir2/ip/2001:db8:1000::/48".  If the target
   RDAP server does not answer, the client can then use another URL
   prefix from the array.

5.3.  Bootstrap Service Registry for AS Number Space

   The JSON output of this registry contains entries for AS number
   ranges, grouped by base RDAP URLs, as shown in this example.  The
   Entry Array is an array containing the list of AS number ranges
   served by the base RDAP URLs found in the second element.  Each
   element of the array contains two AS numbers represented in decimal
   format, separated by a hyphen, that represents the range of AS
   numbers between the two AS numbers (inclusive), where values are in
   increasing order (e.g., 100-200, not 200-100).  A single AS number is
   represented as a range of two identical AS numbers.  AS numbers are
   represented as 'asplain' as defined in [RFC5396].  Ranges MUST NOT
   overlap.

   {
       "version": "1.0",
       "publication": "2024-01-07T10:11:12Z",
       "description": "RDAP Bootstrap file for example registries.",
       "services": [
         [
           ["64496-64496"],
           [
             "https://rir3.example.com/myrdap/"
           ]
         ],
         [
           ["64497-64510", "65536-65551"],
           [
             "https://example.org/"
           ]
         ],
         [
           ["64512-65534"],
           [
             "http://example.net/rdaprir2/",
             "https://example.net/rdaprir2/"
           ]
         ]
       ]
   }

   For example, a query for AS 65411 matches the 64512-65534 entry in
   the example registry above.  The base RDAP URL for this query is then
   taken from the second element of the array, which is an array of base
   RDAP URLs valid for this entry.  The client chooses one of the base
   URLs from this array; in this example, it chooses
   "https://example.net/rdaprir2/".  The segment specified in [RFC9082]
   is then appended to the base URL to complete the query.  The complete
   query is, therefore, "https://example.net/rdaprir2/autnum/65411".  If
   the server does not answer, the client can then use another URL
   prefix from the array.

6.  Entity

   Entities (such as contacts, registrants, or registrars) can be
   queried by handle as described in [RFC9082].  Since there is no
   global name space for entities, this document does not describe how
   to find the authoritative RDAP server for entities.  However, it is
   possible that, if the entity identifier was received from a previous
   query, the same RDAP server could be queried for that entity, or the
   entity identifier itself is a fully qualified URL that can be
   queried.  The mechanism described in [RFC8521] MAY also be used.

7.  Non-existent Entries or RDAP URL Values

   The registries may not contain the requested value.  In these cases,
   there is no known RDAP server for that requested value, and the
   client SHOULD provide an appropriate error message to the user.

8.  Deployment and Implementation Considerations

   This method relies on the fact that RDAP clients are fetching the
   IANA registries to then find the servers locally.  Clients SHOULD NOT
   fetch the registry on every RDAP request.  Clients SHOULD cache the
   registry, but use underlying protocol signaling, such as the HTTP
   Expires header field [RFC7234], to identify when it is time to
   refresh the cached registry.

   Some authorities of registration data may work together on sharing
   their information for a common service, including mutual redirection
   [REDIRECT-RDAP].

   When a new object is allocated, such as a new AS range, a new TLD, or
   a new IP address range, there is no guarantee that this new object
   will have an entry in the corresponding bootstrap RDAP registry,
   since the setup of the RDAP server for this new entry may become live
   and registered later.  Therefore, the clients should expect that even
   if an object, such as TLD, IP address range, or AS range is
   allocated, the existence of the entry in the corresponding bootstrap
   registry is not guaranteed.

9.  Limitations

   This method does not provide a direct way to find authoritative RDAP
   servers for any other objects than the ones described in this
   document.  In particular, the following objects are not bootstrapped
   with the method described in this document:

   *  entities

   *  queries using search patterns that do not contain a terminating
      string that matches some entries in the registries

   *  nameservers

   *  help

10.  Formal Definition

   This section is the formal definition of the registries.  The
   structure of JSON objects and arrays using a set of primitive
   elements is defined in [RFC8259].  Those elements are used to
   describe the JSON structure of the registries.

10.1.  Imported JSON Terms

   OBJECT:  a JSON object, defined in Section 4 of [RFC8259]

   MEMBER:  a member of a JSON object, defined in Section 4 of [RFC8259]

   MEMBER-NAME:  the name of a MEMBER, defined as a "string" in
      Section 4 of [RFC8259]

   MEMBER-VALUE:  the value of a MEMBER, defined as a "value" in
      Section 4 of [RFC8259]

   ARRAY:  an array, defined in Section 5 of [RFC8259]

   ARRAY-VALUE:  an element of an ARRAY, defined in Section 5 of
      [RFC8259]

   STRING:  a "string", as defined in Section 7 of [RFC8259]

10.2.  Registry Syntax

   Using the above terms for the JSON structures, the syntax of a
   registry is defined as follows:

   rdap-bootstrap-registry:  an OBJECT containing a MEMBER version and a
      MEMBER publication, an optional MEMBER description, and a MEMBER
      services-list

   version:  a MEMBER with MEMBER-NAME "version" and MEMBER-VALUE a
      STRING

   publication:  a MEMBER with MEMBER-NAME "publication" and MEMBER-
      VALUE a STRING

   description:  a MEMBER with MEMBER-NAME "description" and MEMBER-
      VALUE a STRING

   services-list:  a MEMBER with MEMBER-NAME "services" and MEMBER-VALUE
      a services-array

   services-array:  an ARRAY, where each ARRAY-VALUE is a service

   service:  an ARRAY of 2 elements, where the first ARRAY-VALUE is an
      entry-list and the second ARRAY-VALUE is a service-uri-list

   entry-list:  an ARRAY, where each ARRAY-VALUE is an entry

   entry:  a STRING

   service-uri-list:  an ARRAY, where each ARRAY-VALUE is a service-uri

   service-uri:  a STRING

11.  Security Considerations

   By providing a bootstrap method to find RDAP servers, this document
   helps to ensure that the end users will get the RDAP data from an
   authoritative source instead of from rogue sources.  The method has
   the same security properties as the RDAP protocols themselves.  The
   transport used to access the registries uses TLS [RFC8446].

   Additional considerations on using RDAP are described in [RFC7481].

12.  IANA Considerations

   IANA has created the RDAP Bootstrap Services Registries listed below
   and made them available as JSON objects.  The contents of these
   registries are described in Sections 3, 4, and 5, with the formal
   syntax specified in Section 10.  The registries MUST be accessible
   only through HTTPS (TLS [RFC8446]) transport.

   The process for adding or updating entries in these registries
   differs from the normal IANA registry processes: these registries are
   generated from the data, processes, and policies maintained by IANA
   in their allocation registries ([ipv4reg], [ipv6reg], [asreg], and
   [domainreg]), with the addition of new RDAP server information.

   IANA updates RDAP Bootstrap Services Registries entries from the
   allocation registries as those registries are updated.

   This document does not change any policies related to the allocation
   registries; IANA has provided a mechanism for collecting the RDAP
   server information.

   IANA has created a new top-level category on the Protocol Registries
   page: <https://www.iana.org/protocols>.  The group is called
   "Registration Data Access Protocol (RDAP)".  Each of the RDAP
   Bootstrap Services Registries has been made available for on-demand
   download in the JSON format by the general public, and that
   registry's URI is listed directly on the Protocol Registries page.

   Other normal registries will be added to this group by other
   documents, but the reason the URIs for these registries are clearly
   listed on the main page is to make those URIs obvious to implementers
   -- these are registries that will be accessed by software, as well as
   by humans using them for reference information.

   Because these registries will be accessed by software, the download
   demand for the RDAP Bootstrap Services Registries may be unusually
   high compared to normal IANA registries.  The technical
   infrastructure by which registries are published has been put in
   place by IANA to support the load.  Since the publication of
   [RFC7484], no issues have been reported regarding the load or the
   service.

   As discussed in Section 8, software that accesses these registries
   will depend on the HTTP Expires header field to limit their query
   rate.  It is, therefore, important for that header field to be
   properly set to provide timely information as the registries change,
   while maintaining a reasonable load on the IANA servers.

   The HTTP Content-Type returned to clients accessing these JSON-
   formatted registries MUST be "application/json", as defined in
   [RFC8259].

   Because of how information in the RDAP Bootstrap Services Registries
   is grouped and formatted, the registry entries may not be sortable.
   It is, therefore, not required or expected that the entries be
   ordered in any way.

12.1.  Bootstrap Service Registry for IPv4 Address Space

   Entries in this registry contain at least the following:

   *  a CIDR [RFC4632] specification of the network block being
      registered

   *  one or more URLs that provide the RDAP service regarding this
      registration

12.2.  Bootstrap Service Registry for IPv6 Address Space

   Entries in this registry contain at least the following:

   *  an IPv6 prefix [RFC5952] specification of the network block being
      registered

   *  one or more URLs that provide the RDAP service regarding this
      registration

12.3.  Bootstrap Service Registry for AS Number Space

   Entries in this registry contain at least the following:

   *  a range of Autonomous System numbers being registered

   *  one or more URLs that provide the RDAP service regarding this
      registration

12.4.  Bootstrap Service Registry for Domain Name Space

   Entries in this registry contain at least the following:

   *  a domain name attached to the root being registered

   *  one or more URLs that provide the RDAP service regarding this
      registration

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
              <https://www.rfc-editor.org/info/rfc3339>.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
              2006, <https://www.rfc-editor.org/info/rfc4632>.

   [RFC5396]  Huston, G. and G. Michaelson, "Textual Representation of
              Autonomous System (AS) Numbers", RFC 5396,
              DOI 10.17487/RFC5396, December 2008,
              <https://www.rfc-editor.org/info/rfc5396>.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, DOI 10.17487/RFC5890, August 2010,
              <https://www.rfc-editor.org/info/rfc5890>.

   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
              Address Text Representation", RFC 5952,
              DOI 10.17487/RFC5952, August 2010,
              <https://www.rfc-editor.org/info/rfc5952>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <https://www.rfc-editor.org/info/rfc7258>.

   [RFC7480]  Newton, A., Ellacott, B., and N. Kong, "HTTP Usage in the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7480, DOI 10.17487/RFC7480, March 2015,
              <https://www.rfc-editor.org/info/rfc7480>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

13.2.  Informative References

   [asreg]    IANA, "Autonomous System (AS) Numbers",
              <https://www.iana.org/assignments/as-numbers>.

   [domainreg]
              IANA, "Root Zone Database",
              <https://www.iana.org/domains/root/db>.

   [ipv4reg]  IANA, "IANA IPv4 Address Space Registry",
              <https://www.iana.org/assignments/ipv4-address-space>.

   [ipv6reg]  IANA, "IPv6 Global Unicast Address Assignments",
              <https://www.iana.org/assignments/ipv6-unicast-address-
              assignments>.

   [REDIRECT-RDAP]
              Martinez, C.M., Ed., Zhou, L., Ed., and G. Rada,
              "Redirection Service for Registration Data Access
              Protocol", Work in Progress, Internet-Draft, draft-ietf-
              weirds-redirects-04, July 2014,
              <https://datatracker.ietf.org/doc/html/draft-ietf-weirds-
              redirects-04>.

   [RFC7071]  Borenstein, N. and M. Kucherawy, "A Media Type for
              Reputation Interchange", RFC 7071, DOI 10.17487/RFC7071,
              November 2013, <https://www.rfc-editor.org/info/rfc7071>.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014,
              <https://www.rfc-editor.org/info/rfc7234>.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7481, DOI 10.17487/RFC7481, March 2015,
              <https://www.rfc-editor.org/info/rfc7481>.

   [RFC7484]  Blanchet, M., "Finding the Authoritative Registration Data
              (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March
              2015, <https://www.rfc-editor.org/info/rfc7484>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8521]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Object Tagging", BCP 221, RFC 8521,
              DOI 10.17487/RFC8521, November 2018,
              <https://www.rfc-editor.org/info/rfc8521>.

   [RFC9082]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Query Format", STD 95, RFC 9082,
              DOI 10.17487/RFC9082, June 2021,
              <https://www.rfc-editor.org/info/rfc9082>.

   [RFC9083]  Hollenbeck, S. and A. Newton, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 9083, DOI 10.17487/RFC9083, June 2021,
              <https://www.rfc-editor.org/info/rfc9083>.

Appendix A.  Changes since RFC 7484

   There are no substantive changes except for minor clarifications.
   This update is primarily to meet the requirements for moving to an
   Internet Standard.

Acknowledgements

   The WEIRDS Working Group had multiple discussions on this topic,
   including a session during IETF 84, where various methods such as in-
   DNS and others were debated.  The idea of using IANA registries was
   discovered by the author during discussions with his colleagues as
   well as by a comment from Andy Newton.  All the people involved in
   these discussions are herein acknowledged.  Linlin Zhou, Jean-
   Philippe Dionne, John Levine, Kim Davies, Ernie Dainow, Scott
   Hollenbeck, Arturo Servin, Andy Newton, Murray Kucherawy, Tom
   Harrison, Naoki Kambe, Alexander Mayrhofer, Edward Lewis, Pete
   Resnick, Alessandro Vesely, Bert Greevenbosch, Barry Leiba, Jari
   Arkko, Kathleen Moriaty, Stephen Farrell, Richard Barnes, and Jean-
   Francois Tremblay provided input and suggestions to the first version
   of this document.

   Guillaume Leclanche was a coauthor of this document for some
   revisions; his support is therein acknowledged and greatly
   appreciated.  The section on formal definition was inspired by
   Section 6.2 of [RFC7071].  This new version [This document] received
   comments and suggestions from Gavin Brown, Patrick Mevzek, John
   Levine, Jasdip Singh, George Michaelson, Scott Hollenbeck, Russ
   Housley, Joel Halpern, Lars Eggert, Benjamin Kaduk, Scott Kelly, Éric
   Vyncke, John Scudder, Erik Kline, and Robert Wilton.  Errata for RFC
   7484 were submitted by Pieter Vandepitte and were applied to this
   document.

Author's Address

   Marc Blanchet
   Viagenie
   246 Aberdeen
   Quebec QC G1R 2E1
   Canada
   Email: Marc.Blanchet@viagenie.ca
   URI:   https://viagenie.ca