JSON Responses for the Registration Data Access Protocol (RDAP)
draft-ietf-regext-rfc7483bis-05
Yes: Barry Leiba
No Objection: Alvaro Retana, Deborah Brungard, Magnus Westerlund
Note: This ballot was opened for revision 04 and is now closed.
Erik Kline
No Objection
Comment
(2021-02-15 for -04)
Sent
[[ comments ]]

[ section 5.4 ]

* <picorant> It seems a shame that the startAddress/endAddress keys are used with IPv6 prefixes. I do wish there could be some cidrBlock key instead. Oh well. </picorant>

[[ questions ]]

[ section 4.5 ]

* Is there a formal constraint on the format of string values of "eventDate"? If so, is it called out somewhere? All the examples are of a very obvious, specific format...but is that required?
Murray Kucherawy
No Objection
Comment
(2021-02-18 for -04)
Sent
I concur with Alissa's observation. This is a "bis" document, after all.

Thanks for Section 11.

Section 10.1 is an update to an existing media type registration, not a new one. Therefore:

* Shouldn't this become the referenced document? Or is RFC 7483 still controlling for this registration?
* If the latter, should this section be deleted?
* If the former, should the registration still mention WEIRDS, or should it be updated to REGEXT?
Roman Danyliw
No Objection
Comment
(2021-02-14 for -04)
Sent
Thank you to Rich Salz for the SECDIR review, and the discussion around it is appreciated.

** Section 3. handle. Per “This value is a simple string”, is this making a statement about the JSON data type? I didn’t follow what this clarification added on top of the original text in RFC7483.

** Section 3. Editorial.

OLD
The "fn" member is required and MUST NOT be null according to [RFC6350], where an empty "fn" member MAY be used when the contact name does not exist or is redacted.

NEW
The "fn" member is required and MUST NOT be null according to [RFC6350]. An empty "fn" member MAY be used when the contact name does not exist or is redacted.
Warren Kumari
No Objection
Comment
(2021-02-17 for -04)
Not sent
In a shocking turn of events, and which will likely come as a complete surprise at this point, this should list that it Obsoletes RFC 7483 :-)
Éric Vyncke
No Objection
Comment
(2021-02-18 for -04)
Sent
Thank you for the work put into this document.

Due to lack of time, I only quickly browsed through this document but I appreciate the use of many IPv6 examples.

Please find below some non-blocking COMMENT points (but replies would be appreciated).

I hope that this helps to improve the document,

Regards,

-éric

== COMMENTS ==

-- Section 1.1 --
As noticed by others, please use BCP14 template.

-- Section 5.4 --
Please do not use a non-example network as in "https://example.net/ip/2001:c00::/23" but rather "https://example.net/ip/2001:db8::/32"
Barry Leiba Former IESG member
Yes
Yes
(for -04)
Unknown
Alissa Cooper Former IESG member
No Objection
No Objection
(2021-02-16 for -04)
Sent
The fact that this document obsoletes RFC 7483 should be indicated in the header, abstract, and introduction.
Alvaro Retana Former IESG member
No Objection
No Objection
(for -04)
Not sent
Benjamin Kaduk Former IESG member
No Objection
No Objection
(2021-02-16 for -04)
Sent
Should the errata against RFC 7483 in state "reported" be verified or otherwise processed before this document gets approved?

My understanding (based on the draft name and shepherd writeup) is that this document is intended to Obsolete: RFC 7483. If so, that should be indicated in the header, abstract, and introduction, as (in my understanding) the Gen-ART reviewer pointed out.

Thank you for keeping the diff from RFC 7483 minimal -- that made things very easy to read! (FWIW, I do consider converting all the links to the "https" scheme worth the churn; thank you for that as well.)

Some of the examples have gone stale, though (or were inaccurate from the start), particularly with respect to the cryptographic digests and algorithms used for DNSSEC. I do not think that we can in good conscience publish, in 2021, an Internet Standard that shows RSA/MD5 signatures as an example! (Specifics in the editorial section-by-section remarks.)

Also, for Section 1.1, RFC 8174 has an updated BCP 14 boilerplate text to use.

It's probably worth making a pass through the examples to check for cases where the handle "XXXX" is being used for distinct entities within a single example (as that's not really self-consistent).

It may be worth noting in the security considerations that, while these RDAP responses allow for retrieval of DNSSEC (key) related information, (AFAICT) the RRSIG DS from the parent zone is not conveyed alongside it. This means that the DNSSEC keys retrieved by RDAP are disconnected from their containing PKI, and as such are not generally expected to be trusted without additional information. In particular, just the HTTPS channel protecting the RDAP connection is not expected to be authorized to certify the validity of the DNSSEC keys.

The rest of my remarks are basically editorial or nit level, and I don't expect specific responses to them.

Section 3

   Contact information is defined using jCards as described in [RFC7095].
   The "fn" member is required and MUST NOT be null according to [RFC6350], where an empty "fn" member MAY be used when the contact name does not exist or is redacted.

(editorial) The way the last sentence is written suggests that [use of empty "fn" when the name does not exist or is redacted] is a behavior specified in RFC 6350, but based on text searches in RFC 6350 I suspect that this statement is actually a clarification new to this document about how the jCard format is being used.

Section 4.1

Going from 7483 to this document we now say that "rdapConformance" MUST appear in the topmost JSON object of a response (vs "appears only" in it). Is the intent to forbid "rdapConformance" from appearing anywhere else in addition to the topmost JSON object? If so, the current text seems insufficient to me.

Section 4.2

   The following is an example of the link structure:

   {
     "value" : "https://example.com/context_uri",
     "rel" : "self",
     "href" : "https://example.com/target_uri",

I am prone to confusing myself about RFC 8288 links, but it surprised me that "href" differed from "value" for a relation of type "self".

   The JSON name/values of "rel", "href", "hreflang", "title", "media", and "type" correspond to values found in Section 3 of [RFC8288]. The "value" JSON value is the context URI as described by [RFC8288]. The "value", "rel" and "href" JSON values MUST be specified. [...]

Looking just at the diff from RFC 7483 makes it seem that we gain a MUST-level requirement for the "rel" value to be specified, which would not normally be allowed in a transition to Internet Standard. However, it seems that RFC 8288 itself requires the presence of "rel", so this is not in practice a new requirement, and thus safe.

Section 4.5

I think it's vCard that has a LANGUAGE property; in jCard that would be the "language" key.

Section 5.1

[I did not attempt to validate that the jCards contained in any of the examples conform to RFC 7095.]

   and names of organizations and individuals. Many of the types of information that can be represented with jCard have no use in RDAP, such as birthdays, anniversaries, and gender.

(nit) I suggest s/no use/little or no use/, just on my instinct of avoiding absolutes when not needed. ("Only a Sith deals in absolutes", right?)

   The following is an elided example of an entity with embedded entities.

(nit) I'd suggest "abbreviated" or "condensed" instead of "elided", which as written would seem to imply that the entire example is omitted. This applies to more than one instance, but I will only mention it once.

Section 5.3

   - idnTable -- the name of the Internationalized Domain Name (IDN) table of codepoints, such as one listed with the IANA (see IDN tables [IANA_IDNTABLES]).

(nit) the definite article "the" in "the [IDN] table of codepoints" implies that the context should indicate which one we are referring to (perhaps the one used in the variant names?), but I am failing to tell from context which table is being indicated.

   "keyTag": 12345,
   "algorithm": 3,
   "digestType": 1,
   "digest": "49FD46E6C4B45C55D4AC"

Could we maybe use SHA-256 for the example instead of the no-longer-safe-for-general-use SHA-1 (so, digest type 2 instead of 1, and corresponding digest length)? [Hmm, the existing SHA-1 example is 20 hex digits, which is only 80 bits, not the full 160-bit SHA-1 output...] Likewise for the signature algorithm (algorithm 3 is DSA/SHA-1, and there are lots of stronger alternatives listed at https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml)

   "flags": 257,
   "protocol": 3,
   "algorithm": 1,
   "publicKey": "AQPJ////4Q==",

Similarly, the key data here indicates the algorithm 1, or RSA/MD5 which is deprecated. (The public key is also a laughably small 40-bit modulus when decoded. A nice strong Ed25519 key, algorithm 15, would not expand the example unreasonably in my opinion.)

   "eventAction" : "expiration",
   "eventDate" : "2016-12-31T23:59:59Z",
   "eventActor" : "joe@example.com"

(side note) Perhaps an expiration in the future is more useful as an example, though it is clearly not wrong to list the expiration event even when it is in the past.

Section 5.5

   The following is an example of a JSON object representing an autnum.

   {
     "objectClassName" : "autnum",
     "handle" : "XXXX-RIR",
     "startAutnum" : 10,
     "endAutnum" : 15,

IIUC AS numbers 10 through 15 are assigned by ARIN, including AS 11 that is assigned to Harvard University (last updated 2019-08-12) and appears to be in current use. Perhaps the reserved ASN 0 would make for a safer example?

   [...]
   "links" : [
     {
       "value" : "https://example.net/autnum/xxxx",
       "rel" : "self",
       "href" : "https://example.net/autnum/xxxx",
       "type" : "application/rdap+json"

Hmm, my reading of 7482bis suggests that the bit after /autnum/ should be an actual AS number, not a handle. But it doesn't seem to give much guidance on how to represent a block of AS numbers as opposed to a single one within a block...

   * type -- a string containing an RIR-specific classification of the autnum

(nit) is this the RIR's classification of the number itself, or the allocation/registration?

Section 10

I think that sometimes we see "-bis" documents that just say "IANA has updated the registrations made by RFCXXXX to refer to this document", but I don't particularly mind repeating the registration information in the now-primary reference document.

Section 10.1

   Published specification: RFC 7483

Presumably we want this updated to the rfc-to-be?

Section 10.2.4

   Description: The entity object instance represents a third party through which the registration was conducted (i.e. not the registry or registrar).

(nit/side-note) I am pretty sure the RFC Editor is going to add the comma back after "i.e." (but expect that leaving it for them to do will cause the right thing to happen). Perhaps we should ask IANA and the RFC Editor to get on the same page...

Section 13.1

   The default text encoding for JSON responses in RDAP is UTF-8 [RFC3629], and all servers and clients MUST support UTF-8.

(I note that UTF-8 preference is one of the things that changed from RFC 7159 to RFC 8259, so this may be redundant now. I didn't think about it very hard and don't expect anyone else to, as there's no harm in leaving it alone.)

Section A.1

   The following is an elided example of a registrant with information changed to reflect that of a third party.

   {
     ...
     "entities" : [
       {
         "objectClassName" : "entity",
         "handle" : "XXXX",
         ...
         "roles" : [ "registrant", "administrative" ],
         "status" : [ "proxy", "private", "obscured" ]

(editorial) it might be nice to show a little more, so that we can contrast "Joe User" with "Anonymizing Proxy Service" (or whatever).

Section A.1

   ["email", { "type":"work" }, "text", "joes_fish_chips_and_domains@example.com"

I wonder if the 'example' TLD might be more apropos for this case (e.g., support@joes-fish-chips-domains.example). (The link might be altered similarly as well.)

Section D

   DNSSEC provides data integrity for DNS through the digital signing of resource records. [...]

It also provides source authenticity, which is equally important.
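The DNSSEC remarks in the review above (DSA and RSA/MD5 algorithm numbers, a SHA-1 digest that is too short, a 40-bit RSA modulus) are the kind of thing a client consuming RDAP secureDNS data can check mechanically. The following is an added example, not code from the draft or from any RDAP implementation; the secureDNS fragment is constructed from the values quoted in the review, the function names are my own, and the 2048-bit RSA floor is an assumed policy threshold.

```python
import base64

# Constructed secureDNS fragment mirroring the dsData/keyData values quoted
# in the review above (not taken from a live RDAP server).
SECURE_DNS = {
    "dsData": [{"keyTag": 12345, "algorithm": 3, "digestType": 1,
                "digest": "49FD46E6C4B45C55D4AC"}],
    "keyData": [{"flags": 257, "protocol": 3, "algorithm": 1,
                 "publicKey": "AQPJ////4Q=="}],
}

# DNSSEC algorithm numbers that RFC 8624 lists as MUST NOT use for signing,
# DS digest lengths in bytes per digest type, and the RSA-based algorithms.
DEPRECATED_ALGS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
DIGEST_LEN = {1: 20, 2: 32, 4: 48}  # SHA-1, SHA-256, SHA-384
RSA_ALGS = {1, 5, 7, 8, 10}

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 DNSKEY public key (exponent length,
    exponent, modulus)."""
    # First byte is the exponent length; 0 means a two-byte length follows.
    if key[0]:
        exp_len, off = key[0], 1
    else:
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    return (len(key) - off - exp_len) * 8

def audit_secure_dns(secure_dns: dict) -> list:
    """Return human-readable findings for weak or malformed DS/DNSKEY data."""
    findings = []
    for ds in secure_dns.get("dsData", []):
        tag, alg, dtype = ds["keyTag"], ds["algorithm"], ds["digestType"]
        if alg in DEPRECATED_ALGS:
            findings.append(f"ds keyTag {tag}: deprecated algorithm {DEPRECATED_ALGS[alg]}")
        want, got = DIGEST_LEN.get(dtype), len(bytes.fromhex(ds["digest"]))
        if want is None:
            findings.append(f"ds keyTag {tag}: unknown digestType {dtype}")
        elif got != want:
            findings.append(f"ds keyTag {tag}: digestType {dtype} needs {want} bytes, got {got}")
    for k in secure_dns.get("keyData", []):
        alg = k["algorithm"]
        if alg in DEPRECATED_ALGS:
            findings.append(f"dnskey: deprecated algorithm {DEPRECATED_ALGS[alg]}")
        if alg in RSA_ALGS:
            bits = rsa_modulus_bits(base64.b64decode(k["publicKey"]))
            if bits < 2048:  # assumed policy floor
                findings.append(f"dnskey: RSA modulus only {bits} bits")
    return findings
```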
Deborah Brungard Former IESG member
No Objection
No Objection
(for -04)
Not sent
Magnus Westerlund Former IESG member
No Objection
No Objection
(for -04)
Not sent
Robert Wilton Former IESG member
No Objection
No Objection
(2021-02-15 for -04)
Sent
Hi,

Thank you for this update to RFC 7483. A couple of minor comments:

In section 5.2. The Nameserver Object Class: It might be helpful to warn the reader that some lines have been wrapped for display purposes. E.g. the link value and href. Alternatively, the approach/tooling from RFC 8792 could be used.

It also wasn't clear to me whether the Appendix "Changes from RFC 7483" was going to be kept - there is no RFC editor note to suggest that it be removed. Generally, I think that having a short section explaining how an RFC has changed from a previously published version is helpful. But if this is kept, then I would try and condense this text down to just the list of important changes from RFC 7483.

Regards,
Rob