Registration Data Access Protocol (RDAP): what’s behind the Whois alternative

Back in 1982 the IETF published the Whois protocol with the aim of having a request service for what at that time was called ARPANET. The fact that it is still in use a quarter of a century later, now for online queries, is something that has been a thorn in the side of many experts. Nowadays the main criticism directed at Whois is that it no longer meets the technical requirements of the internet. 

One of the main problems is that the Whois protocol is incapable of working with coding, and therefore offers no support for non-Latin text. Another major downside is that access to the domain data does not take place via a secure connection and is unregulated. Even anonymous users get full access and can get their hands on e-mail and postal addresses.

Projects like the Whois++ extension or the IRIS (Internet Registry Information Service) Denic Protocol managed to deliver some improvements, however failed to establish themselves as a solid alternative to Whois. After a long time and many discussions within the ICANN community later on the necessity of further development, in September 2011 the Security and Stability Advisory Committee (SSAC) with its SAC 501 security report gave the decisive push to bring the RDAP working group to life.

In many ways, the RDAP has turned out to be an improved version of Whois. The IEFT working group has concentrated on the old protocol’s weaknesses, meaning that it has focused heavily on the likes of security, structuring, and internationalization for the new query protocol. As a result, several new features emerged, including:

• Structured request and answer semantics (including standardized error messages)
• Secure access to the requested contact details (e.g. via HTTPS)
• Expandability (e.g. addition of output elements)
• ‘Bootstrapping’ mechanism (supported by the search for a suitable authoritative DNS server)
• Web-based (HTTP) and REST compliant
• Uncomplicated translation of output data
• Possibility of granting differentiated access to contact details

In many aspects, the Registration Data Access Protocol has proven itself to be much more flexible than its predecessor. While Whois, as a text-based protocol is linked to TCP and the specific port (43), RDAP uses the web standard HTTP, or even HTTPS. This means that all data is delivered in a standardized, machine-readable JSON format. This means that on the one hand, the RDAP allows for more freedom when it comes to data queries, while also making it easier to program query services that can communicate with the various registration authorities, while outputting the requested data in different languages.

Without a doubt one of the most important new functions that was implemented in the Registration Data Access Protocol is the possibility to come up with different access rights for individual user groups. This allows the registrar to regulate in detail who gets to see what information. This allows anonymous users to only enjoy limited access, while authorized users can view the entire data set. This is an aspect where many people see a need for crucial clarification requirements:

One of the questions it raises, among others, is what to do about criminal prosecutors, who wish to remain anonymous while simultaneously enjoying full access rights. Furthermore, there are no guidelines regarding whether in such a case access to the domain data may also be granted to those outside of a country’s borders. Above all, the priority is the protection of user data and the trust in the website operator who registers the domain that comes with this. And in no way should this trust be compromised by the new RDAP request technology. At the end of 2016, a number of registries appealed against the implementation period imposed by the ICANN, and this has meant that the organization has decided to establish contracts for RDAP with registrars and domain providers.