26 Whois

Prototypical answer:

gTLDFull Legal NameE-mail suffixDetail
.artDadotart, Inc.deviantart.comView

Q26 - Whois

1. Overview

The CORE Registration System used by CORE Internet Council of Registrars to operate the .ART TLD will offer Registration Data Directory Services (RDDS) in compliance with Specification 4 of the Registry Agreement, consisting of a Whois Service, Zone File Access and Bulk Registration Data Access.

2. Whois Service

2.1 Interfaces

2.1.1 Port 43 Whois Service

Whois data for .ART will be accessible via an interface on TCP port 43 at whois.nic.ART, using the ʺWhoisʺ protocol (as defined in RFC 3912).

While the interface is publicly available, general use is rate limited to prevent data mining and mitigate denial of service attacks. Registrars may request to be exempted from the rate limiting measures by specifying IP addresses or address ranges to be put on a whitelist. Clients sending Whois requests from whitelisted IP addresses have unlimited access to the service. Input Format

The input sent by Whois clients to the port 43 Whois server consists of two parts: the query options (starting with a hyphen character) and the query itself.

By default, the port 43 Whois service searches for domain names and name server names matching the query string. By the following keywords, the search type can be specified explicitly:

* ʺdomainʺ: Search for domains with matching names or IDs.
* ʺnameserverʺ: Search for name servers with matching names, IDs or IP addresses.
* ʺcontactʺ: Search for contacts with matching IDs.
* ʺregistrarʺ: Search for registrars with matching IDs or organisation names.

The remaining tokens in the input are taken as the search parameter. It may contain the percent sign (‘%’) as a wildcard for any number (including zero) of characters or the underscore character (‘_’) for a single character. For data mining prevention and resource protection, the number of objects returned for wildcard searches is limited to 50.

Evidently, the query format resulting from this input format specification is fully compliant with Specification 4, since it allows querying

* domains via: whois example.ART,
* registrars via: whois ʺregistrar Example Registrar, Inc.ʺ,
* name servers via: whois ʺns1.example.ARTʺ and
* name servers via: whois ʺnameserver (IP Address)ʺ. Output Format

The Whois implementation used by CORE follows a template-based approach for its output to achieve maximum flexibility with regard to the desired format. Key-value output templates containing well-defined placeholders (e.g., for domain name, registrar name, name servers, or contact fields) for variable data allow customising the output for each response type to meet ICANNʹs demands. To supply values for the placeholders in the templates, the local Whois database is fed with all properties of registrars, domains, contacts and name servers that need to be present in the Whois output. Metadata such as the ʺlast Whois updateʺ date, is also available for use in templates. Thanks to this template mechanism, adjustments for changing requirements over time may be implemented easily.

Additionally, the Whois implementation supports internationalised output. If a contact uses ʺlocalisedʺ address fields in addition to ʺinternationalisedʺ data (as supported by RFC 5733), some data fields may contain non-US-ASCII characters. Also, internationalised domain names (IDN) allow the use of non-US-ASCII characters.

The results of a Whois query are encoded using either the US-ASCII character set, or, if a valid character set has been specified via the -C query option, the selected character set. If the output contains characters for which no encoding exists in the selected character set, they are replaced with a question mark, and a warning comment is added to the beginning of the output. Please see the answer to question 44 for more information about IDN support.

The format for values such as dates, times and phone⁄fax numbers in the Whois output conforms to the mappings specified in the EPP RFCs 5730-5734, since the SRS enforces compliant values for requests from registrars, stores them as received and feeds them to the Whois instances unmodified.

Overall, this means that the response formats for domains, registrars, and name servers, as described in ICANNʹs Specification 4 of the Registry Agreement, are fully supported by the Whois implementation used by CORE.

2.1.2 Web-based Whois Service

The web Whois service operated at whois.nic.ART shares the same functionality as the port 43 service, but receives query input via an HTML form. The output format is the same as for the port 43 service.

To prevent the Web interface from being abused for data mining, a CAPTCHA test (ʺCompletely Automated Public Turing test to tell Computers and Humans Apartʺ) must be passed upon each web Whois query before any response data is displayed.

2.2 Searchable Whois

COREʹs Whois implementation offers search capabilities in accordance with Specification 2, Section 1.8. They allow complex searches for Whois database records based on the content of various data fields, thereby considerably exceeding common Whois query functionality.

This provides powerful means of information retrieval, such as finding all domain names registered by a certain person or company. When made available to unauthorised parties, this data may be abused for undesirable activities such as data mining (e.g. for advertising purposes) or social profiling. Restrictions must be imposed to prevent such abuse.

Consequently, this feature is offered exclusively on the web-based Whois interface (not the port 43 Whois), and is only available to authenticated users after they logged in by supplying proper credentials (i.e., user name and password). The .ART Registry will issue such credentials exclusively to eligible users and institutions that supply sufficient proof of their legitimate interest in extended Whois searches, like e.g. law enforcement agencies. Authorisation policies and procedures are established in close collaboration with ICANN, and in compliance with any privacy laws and policies that may apply.

The search capabilities offered meet and exceed the requirements of Specification 2:

* Searches using the wildcards ʹ%ʹ and ʹ_ʹ (with semantics as described above) are possible on the following fields (thus allowing partial matches):
** domain name
** contact data (across all contact types, including the registrant):
*** name
*** organisation
*** address fields (street, city, state⁄province, postal code, country code)
* Exact match searches are possible on the following fields:
** registrar ID
** name server name
** name server IPv4 or IPv6 address (if stored in the registry for glue records)
* Multiple such search criteria may be joined by the logical operators (listed in descending precedence):
** NOT
** AND
** OR

The web interface offers a graphical editor for convenient creation of complex searches, allowing to group sets of search criteria in order to override the defined precedence of operators (thus providing the equivalent of parentheses in classic boolean expressions).

The search results are presented as a list of domain names matching the criteria. If more than 50 results are found, only the first 50 matches are presented on the initial result page, along with an indication of the total number of matches. Links allow the user to navigate through pages of search results.

2.3 Whois Data Distribution

The Whois implementation used by CORE is written as an autonomous system component running in its own server instance, i.e. it is not part of the server running the SRS component. Multiple Whois instances, all serving the same SRS data, are run in parallel; these instances may be located in diverse locations (both geographically and in terms of network topology).

All instances of the Whois service operate on their own databases. This ensures a load decoupling between the SRS and the Whois servers - high request rates on the Whois servers will not affect the main registry systemʹs performance, and vice versa.

The database of a Whois server is continuously synchronised with the registryʹs database via a VPN connection. A special communication protocol (ʺWhois feedʺ) is used to supply information about objects that have been created, modified or deleted in the SRS to all connected Whois servers.

As soon as changes to the registryʹs database have been made persistent, these changes are forwarded to all Whois servers. The Whois servers update their own databases with the data and publish the new information. This way, changes to the registry will become visible on the Whois server typically in less than a minute, resulting in an RDDS update time well under the 60 minutes permitted by Specification 10.

The Whois feed protocol has been carefully designed to allow a graceful recovery from temporary SRS⁄Whois disconnections. In case of a communication problem or a maintenance of the Whois instance, changes that occurred since the last successful update are automatically identified and transferred.

2.4 Network Structure

The Whois network structure (for queries and the feed) is depicted in Figure Q26-F1.

The green path shows how a Whois instance is continuously fed with data from the SRS. To obtain updates, a Whois server instance (D) in the Demilitarised Zone (DMZ) maintains a TCP connection to the EPP backend (B) in the Trust zone through a firewall (C) which separates the two zones. The EPP backend fetches the required data from the primary SRS database (A) and sends a corresponding feed data stream to the Whois instance.

The yellow path illustrates the data flow of Whois queries. A port 43⁄web query coming in from the Internet enters the Untrust zone via a network router (1) and passes a firewall (2) into the DMZ. A load balancer (3) dispatches the request to one of the available Whois instances (4), which processes the requests and sends the response back to the Whois client or web browser.

As the server hardware and network setup planned for the Whois subsystem is part of the overall registry infrastructure, it shares its design principles and implementation. Please see the answers to Questions 31 and 32 for further details.

2.5 Inner Workings of a Whois Server Instance

The inner structure of a Whois server instance is depicted in Figure Q26-F2. It shows how incoming port 43 or web traffic from a load balancer (at the top) is processed internally.

Port 43 queries are handled by the RFC 3912 protocol implementation. A rate limiter component ensures that query limits are enforced for connections not originating from whitelisted IP addresses. Non-blocked requests are passed on to a query evaluator component, which parses the request, fetches required data from the instanceʹs local database engine and prepares the response based on the configured output templates. A separate statistics collector module gathers query statistics (such as query type and response time) in dedicated database tables; this data is used to create monthly ICANN reports.

Web-based queries are handled in a similar fashion. Clients connect to the Whois web frontend; if both the CAPTCHA and the rate limiter component are passed, the query from the web form is processed and answered (as well as included in statistics) just like port 43 requests. For this purpose, the web application container hosting the web Whois has direct access to the local database engine, i.e. it does not utilise the port 43 implementation, but processes requests autonomously. In contrast to the port 43 server, the web Whois also contains an LDAP authentication component; it is used to validate the credentials of users logging in for accessing the extended search features described above.

The bottom of the diagram shows the Whois feed client component, which is responsible for maintaining a connection to the Whois feed service of the EPP backend, processing the feed data and updating the local Whois database.

2.6 Whois Data Privacy Measures

The Whois server implementation used by CORE is designed to support various levels of privacy regarding the content of query responses.

2.6.1 Consideration of EPP Data Disclosure Preferences

The EPP 1.0 standard, particularly its contact mapping as described in RFC 5733, provides means for registrars to specify their preferences concerning the handling of contact data submitted to the registry. Using optional <contact:disclose> elements when creating or modifying contacts, the registrar is able to identify contact fields that require special handling regarding their disclosure to third parties.

The Whois service is designed to respect the data disclosure preferences specified by registrars using these mechanisms. Unless registry policy dictates otherwise, contact fields will be included in or excluded from the Whois output according to the respective disclosure setting. The governing registry policy will be carefully tuned to be in line with applicable data protection laws.

2.6.2 Web Whois

The Whois serverʹs web interface uses the same output restrictions as the port 43 interface.

The CAPTCHA mechanism used to let only humans (as opposed to machines) access the Web whois provides protection against Whois data abuses like data mining or spam. As an additional guard against spam, any e-mail addresses within the Whois output can optionally be displayed as images only (instead of HTML text).

2.7 Support for Emerging Technologies

CORE is aware of the shortcomings in todayʹs RDDS technology. The Whois protocol, as defined in RFC 3912, only defines the basic exchange between client and server, without any specification of input and output formats. This has led to a large number of different output formats among registries, posing problems for automated Whois clients.

In September 2011, ICANN’s Security and Stability Advisory Committee (SSAC) published SAC 051, a Report on Domain Name Whois Terminology and Structure. It contains recommendations for a domain name registration data access protocol suitable for replacing the current Whois technology. In February 2012, ICANN published a draft roadmap for the implementation of these recommendations. CORE is committed to participate in this process, and to comply with and fully support any future RDDS technologies (such as an XML-based, RESTful Whois) emerging from it.

2.8 Whois Resiliency and Performance

Thanks to the Whois subsystemʹs intrinsic ability to run an arbitrary number of Whois instances in geographically diverse locations (all fed from the same data source in a near-realtime fashion), it offers considerable resiliency. In such a setup, the outage of a single Whois instance will not disrupt Whois services for Internet users.

The same feature also guarantees a high level of scalability and performance. Should the monitoring system operated by CORE suggest an increased demand for Whois queries for names in the .ART TLD, additional Whois servers can quickly be added to the existing setup. The decoupling of SRS and Whois services described above ensures that bursts in Whois usage will not impact SRS performance. Using such scaling measures if need be, even unusual peak volumes can be handled.

Please see the answer to question 34 (Geographic Diversity) for details about the locations planned for .ART Whois instances.

In the initial setup, each Whois instance is capable of handling up to 500 queries per second. It is assumed that the average load will be at most 100 queries per second, so there is sufficient headroom for future load increases and bursts.

2.9 Compliance with Specification 10 of the Registry Agreement

The technical features described above ensure that the RDDS (Whois) implementation provided by the CORE Registration System for .ART will be in full compliance with Specification 10 of the Registry Agreement. RDDS availability, query round trip time (RTT) and update time will be maintained well within the permissible limits.

Due to the unpredictable complexity of searches conducted using wildcards or boolean operators, it is assumed that they are not used in queries for measuring RDDS availability and query RTT. Also, the service levels for these two metrics are only guaranteed for queries returning a maximum of 10 results.

3. Zone File Access

CORE will enter into standardised agreement with Internet users seeking access to .ART zone file data by following the procedures laid out in Specification 2, Section 2. For this purpose, the SRS prepares a .ART zone data file compliant with the specified File Format Standard, which is made available at the ICANN-specified and managed URL (i.e. ftp:⁄⁄ART.zda.icann.org). Through facilitation of the CZDA provider, users presenting sufficient credentials will be granted access to this data. Full cooperation and assistance will be provided to ICANN and the CZDA provider in this context.

In addition, bulk access to the zone files for .ART will also be provided to ICANN or its designee, as well as to the Emergency Operators on a continuous basis.

4. Bulk Registration Data Access

As described in the answer to question 38 (Data Escrow), the Escrow module of the CORE Registration System is capable of creating files containing Thin Registration Data, as well as Thick Registration Data restricted to the domain names of a single registrar. Using this facility, CORE will grant ICANN periodic access to Thin Registration Data, as well as exceptional access to a failing registrarʹs Thick Registration Data, in a format and on a schedule fully compliant with Specification 2, Section 3.

5. Experience in providing ICANN-compliant Whois services

CORE has been operating Shared Registry Systems (SRS) since 1997, which all require a connected port 43 Whois server. In its role as the registry backend operator for .cat and .museum, CORE has continuously provided (and still provides) reliable Whois services for these registries, being in full compliance with RFC 3912 and ICANN registry agreements.

The experience gathered from these previous Whois related activities enables CORE to develop and operate a Whois subsystem for the .ART Registry that is fully compliant with all ICANN requirements.

6. Resourcing Plans

The CORE Registration System already supports the Whois services as described above at the time of writing. Since the system is designed to be highly configurable, the realisation of different privacy policies merely requires changing the respective settings within the system configuration.

This means that no development resources will be needed for the Whois service during the initial setup of the system. However, the staff on duty at CORE will need to define the related policies and configure the system accordingly.

6.1 Initial implementation

For the initial setup, the following resources are allotted:

* Registry Policy Officer: finalising policies, creating documentation: 1.5 man days
* System Administrator: configuring system for policies: 4 man hours
* First Level Support: training: 2 man hours per person

6.2 Ongoing maintenance

For the ongoing system maintenance, the following resources are allotted:

* System Administrator: system maintenance: 0.5 man days per month
* First Level Support: support: 6 man hours per month
* Second Level Support: access authorisation: 5 man hours per month

Employees already working for CORE Internet Council of Registrars will be handling these tasks. The numbers above were determined by averaging the effort required for comparable tasks conducted by CORE in the past over the course of 12 months.

Similar gTLD applications: (33)

gTLDFull Legal NameE-mail suffixzDetail
.scotDot Scot Registry Limitedcorenic.org-4.1Compare
.mangoPUNTO FA S.L.ubilibet.com-4.1Compare
.онлайнCORE Associationaxone.ch-4.1Compare
.сайтCORE Associationaxone.ch-4.1Compare
.quebecPointQuébec Incpointquebec.org-4.1Compare
.bcnMunicipi de Barcelonajosoc.cat-4.1Compare
.barcelonaMunicipi de Barcelonajosoc.cat-4.1Compare
.seatSEAT, S.A. (Sociedad Unipersonal)abril.cat-4.1Compare
.eusPuntueus Fundazioapuntueus.org-4.1Compare
.movistarTelefónica S.A.interdomain.org-4.1Compare
.galAsociación puntoGALpuntogal.org-4.1Compare
.eurovisionEuropean Broadcasting Union (EBU)ebu.ch-4.1Compare
.terraTelefónica S.A.interdomain.org-4.1Compare
.telefonicaTelefónica S.A.interdomain.org-4.1Compare
.erniERNI Group Holding AGerni.ch-4.09Compare
.cataloniaGeneralitat de Catalunyadomini.cat-4.09Compare
.radioEuropean Broadcasting Union (EBU)ebu.ch-4.09Compare
.swissSwiss Confederationbakom.admin.ch-4.09Compare
.madridComunidad de Madridmadrid.org-4.07Compare
.بازارCORE Associationaxone.ch-4.03Compare
.SAPSAP AGknipp.de-3.97Compare
.manMAN SEknipp.de-3.97Compare
.payDOTPAY SAsedari.com-3.96Compare
.ifmifm electronic gmbhknipp.de-3.96Compare
.koelnNetCologne Gesellschaft für Telekommunikation mbHnetcologne.de-3.96Compare
.cologneNetCologne Gesellschaft für Telekommunikation mbHnetcologne.de-3.96Compare
.bauhausWerkhaus GmbHknipp.de-3.96Compare
.nrwMinds + Machines GmbHgmail.com-3.96Compare
.gmx1&1 Mail & Media GmbH1und1.de-3.96Compare
.mail1&1 Mail & Media GmbH1und1.de-3.96Compare
.ruhrregiodot GmbH & Co. KGdotzon.com-3.93Compare