Registration Data Access Protocol (RDAP): what’s behind the Whois alternative

There are various reasons why someone might want a domain owner's contact details. For example, they allow a user to get in touch with a website operator about a technical issue. They also give judges and prosecutors a point of contact if third-party rights have been violated. Someone may also need the contact details because they intend to purchase the domain in question.

Until now, the holder of a domain could be found with the help of Whois services, which are based on the protocol of the same name. However, in 2015, the IETF and ICANN established the first RFC of the RDAP (Registration Data Access Protocol). If it were up to the top domain issuing agency alone, RDAP would already be the main successor to Whois.

What is the Registration Data Access Protocol (RDAP)?

The concept of the Registration Data Access Protocol (RDAP) came from a working group of the Internet Engineering Task Force (IETF). After a project phase of nearly four years, the first version of the protocol profile (1.0) appeared on 26 July 2016. Its characteristics and applications are outlined in various Requests for Comments (RFC 7480-7484 and RFC 8056). RDAP makes it possible to access further information on basic internet resources, including

  • Domain names
  • IP addresses
  • Autonomous System Numbers (ASNs)

as well as other related items. The Whois alternative thus provides the basis for sending queries to the various domain registries. Such queries return, for example, contact details for the domain owner, contact details for any administrative contact (Admin C), or the address of the name server being used, including that of its administrator.

Why was RDAP developed?

Back in 1982, the IETF published the Whois protocol as a query service for what was then called ARPANET. The fact that it is still in use a quarter of a century later, now for online queries, has long been a thorn in the side of many experts. Nowadays, the main criticism directed at Whois is that it no longer meets the technical requirements of the internet.

One of the main problems is that the Whois protocol cannot work with character encodings and therefore offers no support for non-Latin text. Another major downside is that access to the domain data does not take place over a secure connection and is unregulated. Even anonymous users get full access and can obtain e-mail and postal addresses.

Projects like the Whois++ extension or the IRIS (Internet Registry Information Service) Denic Protocol delivered some improvements, but failed to establish themselves as a solid alternative to Whois. After lengthy discussions within the ICANN community about the need for further development, the Security and Stability Advisory Committee (SSAC) gave the decisive push in September 2011 with its SAC 501 security report, which brought the RDAP working group to life.

What makes the Registration Data Access Protocol different?

In many ways, RDAP has turned out to be an improved version of Whois. The IETF working group concentrated on the old protocol's weaknesses and therefore focused heavily on security, structuring, and internationalization for the new query protocol. As a result, several new features emerged, including:

  • Structured request and answer semantics (including standardized error messages)
  • Secure access to the requested contact details (e.g. via HTTPS)
  • Expandability (e.g. addition of output elements)
  • ‘Bootstrapping’ mechanism (supported by the search for a suitable authoritative DNS server)
  • Web-based (HTTP) and REST compliant
  • Uncomplicated translation of output data
  • Possibility of granting differentiated access to contact details

In many respects, the Registration Data Access Protocol has proven to be much more flexible than its predecessor. While Whois, as a text-based protocol, is tied to TCP and a specific port (43), RDAP uses the web standard HTTP, or HTTPS. All data is delivered in a standardized, machine-readable JSON format. On the one hand, this gives RDAP more freedom when it comes to data queries; on the other, it makes it easier to program query services that communicate with the various registration authorities and output the requested data in different languages.

RDAP | Whois
HTTP-based | Text-based
Standardized JSON format | No encoding scheme
Output data is machine-readable and can be translated easily | Output data is plain text and therefore cannot be further processed automatically
Responses are automatically forwarded to other registries | Responses contain no follow-on registry information
Possible to define access rights for different groups | Different types of access to data not possible
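
The structured responses and standardized error messages described above can be consumed directly by a program. The following Python sketch is an added example, not code from the original article: it reduces a domain response to the fields a Whois lookup was typically used for and turns the error body into an exception. The field names follow the JSON layout of RFC 7483; both sample responses are constructed and contain no real registry data.

```python
import json

# Constructed sample responses (not real registry data), shaped per RFC 7483.
SAMPLE_DOMAIN = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.test",
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.test"},
                  {"objectClassName": "nameserver", "ldhName": "ns2.example.test"}],
  "events": [{"eventAction": "registration", "eventDate": "2016-07-26T00:00:00Z"}],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Owner"],
                              ["email", {}, "text", "owner@example.test"]]]},
    {"objectClassName": "entity", "roles": ["administrative"], "handle": "ADM-1"}
  ]
}
""")
SAMPLE_ERROR = json.loads(
    '{"errorCode": 404, "title": "Not Found", "description": ["No such domain"]}')


class RdapError(Exception):
    """Raised for the standardized RDAP error body (errorCode/title/description)."""


def jcard_fields(entity):
    """Flatten an entity's jCard into {property: value}; a missing jCard gives {}."""
    props = (entity.get("vcardArray") or ["vcard", []])[1]
    return {p[0]: p[3] for p in props if len(p) >= 4 and p[0] != "version"}


def summarize(resp):
    """Reduce an RDAP domain response to owner, contacts, name servers and events."""
    if "errorCode" in resp:
        detail = "; ".join(resp.get("description", []))
        raise RdapError(f'{resp["errorCode"]} {resp.get("title", "")}: {detail}')
    contacts = {}
    for ent in resp.get("entities", []):
        for role in ent.get("roles", []):
            # An entity without contact data still shows up, with an empty dict.
            contacts[role] = jcard_fields(ent)
    return {
        "domain": resp.get("ldhName"),
        "nameservers": [ns["ldhName"] for ns in resp.get("nameservers", [])],
        "events": {e["eventAction"]: e["eventDate"] for e in resp.get("events", [])},
        "contacts": contacts,
    }
```

An entity that arrives without a `vcardArray`, as the administrative contact does here, is what a client sees when the server withholds contact details, so the parser treats it as a normal case rather than an error.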

Option for different types of access – still a topic for discussion

Without a doubt, one of the most important new functions implemented in the Registration Data Access Protocol is the ability to define different access rights for individual user groups. This allows the registrar to regulate in detail who gets to see what information: anonymous users can be given only limited access, while authorized users can view the entire data set. This is an aspect where many people see a crucial need for clarification:

One of the questions it raises, among others, is what to do about criminal prosecutors who wish to remain anonymous while simultaneously enjoying full access rights. Furthermore, there are no guidelines on whether, in such a case, access to the domain data may also be granted to those outside of a country's borders. Above all, the priority is the protection of user data and, with it, the trust of the website operator who registers the domain. In no way should this trust be compromised by the new RDAP request technology. At the end of 2016, a number of registries appealed against the implementation period imposed by ICANN, and as a result the organization decided to establish contracts for RDAP with registrars and domain providers.
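
The differentiated access described in this section comes down to a server-side filter applied before a response is sent. The following Python sketch is an added example, not part of the original article or of any registry's implementation: the tier names, the role policy and the sample response are assumptions made for illustration, and the remark type is the one RFC 7483 registers for objects that omit data for lack of authorization.

```python
import copy

# Hypothetical tiers: the page speaks of anonymous and authorized users only
# in general terms, so this role policy is an assumption for illustration.
POLICY = {
    "anonymous": set(),
    "authorized": {"registrant", "administrative", "technical"},
}
# Remark type registered for responses that omit data for lack of authorization.
WITHHELD = {"title": "Data withheld",
            "type": "object truncated due to authorization",
            "description": ["Contact details require authorized access."]}

# Constructed sample response (not real registry data).
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "example.test",
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.test"}],
    "entities": [{
        "objectClassName": "entity", "handle": "REG-1", "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Owner"]]],
    }],
}


def filter_for(resp, tier):
    """Return a copy of an RDAP response reduced to what `tier` may see.
    Unknown tiers and entities without roles get the anonymous view (fail closed)."""
    allowed = POLICY.get(tier, POLICY["anonymous"])
    out = copy.deepcopy(resp)  # never mutate the stored registry record
    withheld = False
    for ent in out.get("entities", []):
        roles = set(ent.get("roles", []))
        if roles and roles <= allowed:
            continue  # caller may see this contact in full
        # Keep objectClassName and roles so clients can still parse the entity.
        for key in ("vcardArray", "handle", "entities"):
            withheld |= ent.pop(key, None) is not None
    if withheld:
        out.setdefault("remarks", []).append(dict(WITHHELD))
    return out
```

The filter decides only what a tier may see; how a caller proves membership of a tier is a separate question, and it is the one the discussion above leaves open.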