On Wed, Jul 6, 2016 at 11:13 PM, David Conrad <drc@virtualized.org> wrote:
Rubens,
On Jul 6, 2016, at 2:20 PM, Rubens Kuhl <rubensk@gmail.com> wrote:
Not sure the RPZ hammer has been brought out in force yet. I've seen a few recommendations on various mailing lists, but no concerted effort. Unfortunately, there is no easy/scalable way to determine who a registrar for a given name is, That is called RDAP,
I said "scalable".
Given RDAP is based on TCP and there is this concept known as "registration data lookup rate limiting", I'm somewhat skeptical RDAP is the appropriate choice for (e.g.,) a "DNS Block List"-like solution that would (say) dump email that came from domains registered via operator-specified registrars.
Fair enough. There are though non-standard UDP-based domain lookup implementations like isavail that could address both this use case and provide faster availability searches.
but ICANN currently blocks gTLD registries from offering RDAP.
Ignoring the above, and as I'm sure you're aware, the community has not determined the policies by which RDAP may be offered as an official registry service using production data, e.g., whether and how differentiated services will be permitted among other details. As such, it is more accurate to say that registries are not permitted to deploy new services because of contractual obligations the registries entered into that requires them to have new services evaluated to ensure those services don't impact DNS security, stability or competition, something the community required ICANN enforce as a result of the SiteFinder episode ages ago. Registries can, of course, request that evaluation and I'm told some have and are actually offering RDAP.
But I would agree it is much easier to simply blame ICANN.
RDAP is totally different from other possible registry services since it's already baked into registries contracts... https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved... specification 4. It's basically the same service already offered thru WHOIS, RDDS, over a different protocol. The contract already allows ICANN to trigger a requirement to support RDAP, but doesn't allow registries to support if before they are required. ICANN could have, and has been suggested to, allow it before it triggers the requirement in order to have willing registries support it, and hasn't done it. So in this particular case I don't have any problems blaming ICANN... and the great level of transparency of ICANN meetings being recorded and transcribed provides plenty of evidence in that regard. As for gTLD registries offering RDAP, I couldn't find any at https://www.icann.org/resources/pages/rsep-2014-02-19-en, the page where new registry services are described and published for comments... the only registries I know deploying RDAP are ccTLDs, which do not operate inside ICANN gTLD policy framework. https://rdap.registro.br/domain/icannsaopaulo.br https://rdap.nic.cz/domain/nic.cz Rubens