ICANN/GNSO GNSO Email List Archives

[council]



[council] Whois Access - from RAPWG Final Report

  • To: "council@xxxxxxxxxxxxxx" <council@xxxxxxxxxxxxxx>
  • Subject: [council] Whois Access - from RAPWG Final Report
  • From: Marika Konings <marika.konings@xxxxxxxxx>
  • Date: Sat, 23 Jun 2012 06:00:00 -0700
  • Accept-language: en-US
  • List-id: council@xxxxxxxxxxxxxx
  • Sender: owner-council@xxxxxxxxxxxxxx
  • Thread-index: Ac1RQBy7gMQr/twYQfewN+tCNFKZzA==
  • Thread-topic: Whois Access - from RAPWG Final Report
  • User-agent: Microsoft-MacOutlook/14.2.2.120421

Dear All,

To provide some further context in relation to the discussion on Whois Access, 
please find below an excerpt from the RAP WG Final Report regarding Whois 
Access.

With best regards,

Marika

7.        WHOIS Access

7.1           Issue / Definition

The RAPWG found that the basic accessibility of WHOIS has an inherent 
relationship to domain registration process abuses, and is a key issue related 
to the malicious use of domain names. It appears that WHOIS data is not always 
accessible on a guaranteed or enforceable basis, is not always provided by 
registrars in a reliable, consistent, or predictable fashion, and that users 
sometimes receive different WHOIS results depending on where or how they 
perform the lookup. These issues interfere with registration processes, 
registrant decision-making, and with the ability of parties across the Internet 
to solve a variety of problems.

WHOIS is an area within GNSO policy-making scope and has had a long history of 
discussion.  Below, the RAPWG comments on the basic availability of and access 
to WHOIS data, and not the accuracy of contact data or the use of proxy contact 
services. To avoid duplication of effort and charter scope problems, the RAPWG 
decided to identify when WHOIS is seen to be a contributing factor in other 
problems, and not to discuss WHOIS issues for which the GNSO has already 
commissioned studies. (Those are: WHOIS contact data accuracy, the use of proxy 
contact and privacy services, implications of non-ASCII registration data in 
WHOIS records, and technical requirements for the WHOIS service itself – 
including potential replacements. For background, please see: 
http://gnso.icann.org/issues/whois/).

WHOIS data availability problems have been discussed in other GNSO working 
groups, for example:

 *   The Post-Expiration Domain Name Recovery Working Group (PEDNR-WG) 
discussed how access to WHOIS data is essential for parties to determine if 
contact data has been updated upon the expiration of a domain name, and to 
check domain name expiration dates. A majority of the registrars polled may 
make substantial updates to WHOIS data upon expiration.[1]
 *   The Inter-Registrar Transfer Policy Part A PDP Working Group (IRTP-WG)[2] 
noted in its final report that gaining registrars sometimes have difficulty 
accessing WHOIS data, and therefore Administrative Contact e-mail addresses.
 *   The Fast-Flux PDP Working Group (FFWG) discussed how responders must 
access WHOIS data when mitigating illicit uses of domain names.


Published WHOIS data for domain names involved in malicious conduct is an 
irreplaceable part of the investigation and mitigation processes used by 
registrars, registry operators, registrants, security companies, brand owners, 
victims, and law enforcement.

 *   The national law enforcement agencies of the United States, the United 
Kingdom, Australia, Canada, and New Zealand have recommended that “ICANN should 
require Registrars to have a Service Level Agreement for their Port 43 
servers.” These authorities consider that this is required in order “to aid the 
prevention and disruption of efforts to exploit domain registration procedures 
by criminal groups for criminal purposes.”[3]
 *   The Anti-Phishing Working Group’s DNS Policy Committee has stated that 
published WHOIS is “an invaluable resource, in fact, without which most of the 
cited cases would not have been successful. For cases in which legitimate 
machines or services have been hacked or defrauded, published domain name WHOIS 
information is an important tool used to quickly locate and communicate with 
site owners and service providers. For cases where domain names are 
fraudulently registered, the published domain name WHOIS information can often 
be tied to other bogus registrations or proven false to allow for quick 
shutdown.”[4]

7.2           Background

ICANN’s current registry contracts require registry operators to adhere to port 
43 WHOIS Service Level Agreements (SLAs). These SLAs require that port 43 WHOIS 
service be highly accessible and fast. For example, the .ORG contract requires 
that WHOIS service be functional at least 99.31% of the time per month (with 
exceptions for scheduled maintenance), and that responses be provided in less 
than 800 milliseconds. Failures of registries to meet these SLAs have been very 
rare according to monthly registry reports.[5]

The majority of gTLD registries are “thick” registries, in which all 
authoritative WHOIS data—including contact data—is maintained at the registry. 
The .COM and .NET registries are “thin,” and contact data is located only at 
each domain name’s sponsoring registrar. Registrars are therefore responsible 
for providing WHOIS service for .COM/.NET names so that contact data may be 
retrieved. The .COM/.NET registry contains approximately 85% of the gTLD 
domains in existence,[6] so registrar WHOIS accessibility is very important. 
When displaying WHOIS data for thick TLD domain names—especially on their Web 
sites—registrars often query the registry’s WHOIS, and display that output to 
users.

The Registrar Accreditation Agreements (RAAs)[7] require that registrars 
provide:

 *   port 43 WHOIS access
 *   a Web-based WHOIS
 *   a listed set of information (WHOIS data fields), including:
    *   identity of the registrar
    *   domain name’s expiration date
    *   nameservers associated to the domain; and
    *   specified fields of data for the Registrant Contact, Administrative 
Contact, and Technical Contact.

There are no service levels (SLAs) in the Registrar Accreditation Agreements 
(RAAs). A registrar-provided WHOIS service is not required to be online for any 
particular amount of time, nor provided with any particular response speed.

Port 43 is designed for use with automated and machine queries. It can also be 
queried manually by users who know how to perform telnet sessions and the 
“whois” command in Linux/Unix/Mac OS X shell. The percentage of Internet users 
who are technically fluent enough to perform these types of queries (or even 
know about port 43 at all) is small. Thus, it is required that registrars have 
a Web-based WHOIS query on their sites.

A sub-team of RAPWG members performed some basic research by querying the 
Web-based and port 43 servers of 50 registrars. This set included the top 20 
registrars by gTLD market share, 15 randomly-chosen mid-sized registrars, and 
15 randomly-chosen small registrars. When a registrar’s site was in a language 
other than English, the assistance of a native speaker was obtained. In 
addition to manual checks, automated queries of port 43 were performed to test 
availability over time.

The sub-team members found WHOIS accessibility situations with 19 of the 50 
registrars sampled. Four registrars may have been in violation of their 
contractual WHOIS access requirements:

 *   Two did not provide a functional Web-based WHOIS.
 *   One registrar's WHOIS listed a sponsoring registrar different from that 
provided by the .COM/.NET registry WHOIS. The registrar’s port 43 server 
provided an expiration date different from that listed in the registry. The 
registrar’s Web WHOIS provided two different expiration dates for the same 
domain name.
 *   One registrar did not identify the sponsoring registrar of its domains. 
The registrar does not operate its port 43 server on the domain indicated by 
the .COM/.NET registry WHOIS; the registrar’s WHOIS service is evidently 
subcontracted to a second registrar on that registrar’s domain; and the 
sponsoring registrar’s Web WHOIS is provided on a third domain not branded as 
the sponsoring registrar.

In addition, one registrar provided facially invalid registrant contact data 
for its own .COM name -- including a registrant contact e-mail address on the 
domain “icann.org”.  This appears to be a violation of the RAA.

Fifteen other registrars presented these situations:

 *   Three registrars had port 43 servers that did not return replies for a 
notable number of queries. One was offline/nonresponsive 21% of the time, one 
was offline/nonresponsive 20% of the time, and one was offline/nonresponsive 
14% of the time. (Based on 100 queries per registrar, spread out over several 
weeks).
 *   Ten provided different WHOIS data on their port 43 servers than they did 
via their Web WHOIS.
    *   Four provided only thin contact data via their Web WHOIS, while 
providing thick contact data only on port 43.
    *   In two cases, registrars provided two different expiration dates for 
each domain name via the Web WHOISes. One of the two expiration dates did not 
match the expiration date provided by the .COM/.NET registry.
    *   Two sometimes provided full contact data on their Port 43 servers, and 
sometimes provided just Registrant contact data (and no Admin or Tech contact 
data) on their port 43 servers.  It is unknown if this was due to a 
rate-limiting activity.
    *   One registrar did not provide registrant contact data via port 43, and 
did not provide Admin or Tech contact data via its Web WHOIS.
    *   One registrar provided a required data field (Tech and Admin contact 
phone numbers) on port 43 but not via its Web WHOIS.
 *   Four cut off telnet sessions to port 43 very quickly--effectively 
disallowing manual queries via that method.

These results indicate that:

 1.  Some registrars appear to be in violation of their contractual WHOIS 
accessibility obligations;
 2.  Users are occasionally unable to obtain contact data due to WHOIS 
availability problems.
 3.  Registrars occasionally provide registration data that differs from that 
provided by the registry.
 4.  Users are sometimes given different registration data depending on the 
method they use to access the sponsoring registrar’s WHOIS.
 5.  Users are sometimes given different registration data depending upon who 
they are; perhaps depending upon whether they are being rate-limited.

These issues were distributed across a notable number of registrars, with 
different sizes, business models, and locations around the world.

The reasons why registrars provide different data on port 43 versus their Web 
sites require further investigation. Some might be attempts to prevent 
automated data mining by spammers, competitors, and other parties. The RAPWG 
notes that reasonable rate-limiting WHOIS can be a valid, prudent practice – 
for example it can prevent spammers from mining WHOIS information[8], and can 
prevent WHOIS servers from being overwhelmed by excessive queries. During 
Web-based WHOIS sampling, the RAPWG members observed that only some registrars 
employ CAPTCHAs on their Web-based WHOIS services as a protection against 
automated queries.

In addition to the research conducted by working-group members, the RAPWG 
requested information from the ICANN Compliance Department about how it 
monitors registrar WHOIS access. The ICANN Compliance Department noted: "ICANN 
has developed a Whois server audit tool which monitors access to registrars’ 
Whois servers over a Port 43 connection. The script developed for this task 
retrieves data for 4 registered domain names for each accredited registrar…. 
The purpose of the audit is to flag Whois servers that are down for an amount 
of time that is suspect and probably not just a manifestation of periodic 
server maintenance or scheduled update. … What is the “reasonable amount of 
time” for a server to be down? Probably no more than an hour or so per day, 
although these are ICANN internal, ‘soft metrics’, not agreed-upon timeframes 
with registrars. The script records the results and flags registrars that 
prevent access to data on registered names. Transient network problems are less 
of a concern, so ICANN focuses on long-term behavior, i.e., registrars which 
ICANN is unable to communicate with for several days in a row. …. ICANN also 
reaches out to registrars that provide access to data on registered names but 
provide ‘thin’, not ‘thick’, Whois data. The former does not provide details on 
the registered name holder and additional contacts, which is required by the 
RAA.”[9]

Over the last three years, ICANN’s Compliance Department has sent seven 
escalated compliance notices (e.g. notices of breach, termination, or RAA 
non-renewal) to seven registrars for failure to comply with WHOIS access 
requirements of the Registrar Accreditation Agreement:

 *   One registrar did not have its contract renewed solely for failure to 
provide WHOIS access. (South America Domains dba NameFrog.com, which had less 
than 300 gTLD names under sponsorship at the time.)
 *   The other six registrars were cited for both WHOIS access breaches AND 
at least one other contract violation, such as failure to pay ICANN fees, 
failure to escrow data, and/or failure to respond to WHOIS accuracy complaints.

ICANN’s Compliance Department is in contact with registrars to resolve issues 
before escalated compliance notices become necessary. The Compliance staff 
noted to the RAPWG that “some registrars block incoming WHOIS queries traffic 
by IP address, and Compliance works with the registrars to get them unblocked 
when there may be a misunderstanding.” and, “Aside from metrics on informal 
outreach to resolve blocked Whois servers and incomplete, or ‘thin’, Whois data 
with registrars, which have been more than two dozen in the past 6-8 months, 
Compliance could provide bi-weekly statistics to the WG from here on out on the 
number of registrars that showed a pattern of restricting access to their Whois 
server over a Port 43 connection. These statistics have not been published 
before.”

So, it appears that some contractual violations are cured in an amicable 
manner, and that public breach letters have apparently been used as a tool of 
last resort. It is unknown how many WHOIS accessibility issues have been 
discovered but not resolved.

The last time that ICANN published WHOIS access compliance data was 2007.[10] 
That year, ICANN’s Compliance Department examined every ICANN-Accredited 
Registrar’s Web site, and did not examine port 43 access. [11]

The Compliance Department numbers indicate that WHOIS access problems are found 
regularly. Above and beyond those, the RAPWG research indicates that a notable 
percentage of registrars might not make WHOIS data available in a reliable, 
consistent, or predictable fashion.

7.3           Recommendations

Recommendation 1:

The GNSO should determine what additional research and processes may be needed 
to ensure that WHOIS data is accessible in an appropriately reliable, 
enforceable, and consistent fashion.

The GNSO Council should consider how such might be related to other WHOIS 
efforts, such as the upcoming review of WHOIS policy and implementation 
required by ICANN’s new Affirmation of Commitments.  The Affirmation of 
Commitments says: “ICANN additionally commits to enforcing its existing policy 
relating to WHOIS, subject to applicable laws. Such existing policy requires 
that ICANN implement measures to maintain timely, unrestricted and public 
access to accurate and complete WHOIS information, including registrant, 
technical, billing, and administrative contact information. One year from the 
effective date of this document [30 September 2009] and then no less frequently 
than every three years thereafter, ICANN will organize a review of WHOIS policy 
and its implementation to assess the extent to which WHOIS policy is effective 
and its implementation meets the legitimate needs of law enforcement and 
promotes consumer trust.”[12]

The WG achieved unanimous consensus on the above recommendation. In favour 
(14): Aaron (RySG), Amadoz (RySG), Bladel (RrSG), Cobb (CBUC), Felman 
(MarkMonitor), Neuman (RySG), O’Connor (CBUC), Queern (CBUC), Rasmussen 
(Internet Identity), Rodenbaugh (CBUC), Seltzer (NCSG), Shah 
(MarkMonitor), Sutton (CBUC), Young (RySG). Against, or alternate views: none.


Recommendation 2:

The GNSO should request that the ICANN Compliance Department publish more data 
about WHOIS accessibility, on at least an annual basis. This data should 
include a) the number of registrars that show a pattern of unreasonable 
restriction of access to their port 43 WHOIS servers, and b) the results of an 
annual compliance audit of compliance with all contractual WHOIS access 
obligations.

The WG achieved unanimous consensus on the above recommendation. In favour 
(13): Aaron (RySG), Amadoz (RySG), Bladel (RrSG), Cobb (CBUC), Felman 
(MarkMonitor), Neuman (RySG), O’Connor (CBUC), Queern (CBUC), Rasmussen 
(Internet Identity), Rodenbaugh (CBUC), Shah (MarkMonitor), Sutton (CBUC), 
Young (RySG). Abstentions (1): Seltzer (NCSG). Against, or alternate views: none.

________________________________

[1] “Draft Initial Report on the Post-Expiration Domain Name Recovery Policy 
Development Process”: 
https://st.icann.org/data/workspaces/post-expiration-dn-recovery-wg/attachments/post_expiration_domain_name_recovery_wg:20100112125658-0-27743/original/Draft%20Initial%20Report%20-%20PEDNR%20PDP%20-%2012%20January%202010.doc

[2] “Draft Final Report on the Inter-Registrar Transfers Policy - Part A Policy 
Development Process”: 
https://st.icann.org/data/workspaces/irtp_jun08_pdp-wg/attachments/irtp_part_a_pdp_wg_pdp_jun08:20090318145458-1-14319/original/Draft%20Final%20Report%20-%20IRTP%20Part%20A%20-%2018%20March%202009.doc%20%5BCompatibility%20Mode%5D.pdf

[3] “Law Enforcement Recommended RAA Amendments and ICANN Due Diligence”, 
November 2009, 
https://st.icann.org/raa-related/index.cgi/LawEnforcementRAArecommendations%20(2).doc?action=attachments_download;page_name=05_january_2010;id=20091118185109-0-21002

[4] “Issues in Using DNS Whois Data for Phishing Site Take Down,” 
http://www.antiphishing.org/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

[5] http://www.icann.org/en/tlds/monthly-reports/

[6] “VeriSign Domain Name Industry Brief,” September 2009, 
http://www.verisign.com/domain-name-services/domain-information-center/domain-name-resources/domain-name-report-dec09.pdf

[7] http://www.icann.org/en/registrars/agreements.html

[8] See: “SAC 023: Is the WHOIS Service a Source for Email Addresses for 
Spammers?”: 
http://www.icann.org/en/committees/security/sac023.pdf

[9] http://forum.icann.org/lists/gnso-rap-dt/msg00454.html

[10] http://forum.icann.org/lists/gnso-rap-dt/msg00454.html

[11] 
http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-18oct07.pdf

[12] http://www.icann.org/en/announcements/announcement-30sep09-en.htm
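
The port 43 monitoring described in section 7.2 (several names probed per registrar, transient failures tolerated, multi-day outages and "thin" output flagged), sketched as an added example that is not ICANN's audit script and not part of the report. The three-day threshold, the label heuristic for thin versus thick output, and the registrar names and probe data are assumptions constructed for illustration.

```python
import socket
from collections import defaultdict
from datetime import date

def whois_query(server, domain, timeout=10.0):
    """RFC 3912 exchange: send the name plus CRLF to TCP port 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        reply = b"".join(iter(lambda: sock.recv(4096), b""))
    return reply.decode("utf-8", errors="replace")

def classify(reply):
    """Heuristic (assumption): thick output labels registrant, admin and tech contacts."""
    if not reply.strip():
        return "down"  # an empty reply is treated the same as no reply
    labels = [ln.split(":")[0].lower() for ln in reply.splitlines() if ":" in ln]
    wanted = ("registrant", "admin", "tech")
    return "thick" if all(any(w in lab for lab in labels) for w in wanted) else "thin"

def probe(server, domain):
    """One live check; connection errors and timeouts are recorded as 'down'."""
    try:
        return classify(whois_query(server, domain))
    except OSError:
        return "down"

def audit(probes, min_days=3):
    """probes: (registrar, date, status) tuples; min_days is an assumed threshold."""
    days = defaultdict(lambda: defaultdict(list))
    for registrar, day, status in probes:
        days[registrar][day].append(status)
    report = {}
    for registrar, per_day in days.items():
        statuses = [s for v in per_day.values() for s in v]
        run, longest, prev = 0, 0, None
        for day in sorted(per_day):
            # Only a day on which every probe failed extends an outage run.
            if all(s == "down" for s in per_day[day]):
                run = run + 1 if prev is not None and (day - prev).days == 1 else 1
                longest, prev = max(longest, run), day
            else:
                run, prev = 0, None
        report[registrar] = {
            "down_pct": round(100 * statuses.count("down") / len(statuses), 1),
            "longest_outage_days": longest,
            "flag_outage": longest >= min_days,
            "flag_thin": "thin" in statuses,
        }
    return report

def sample_probes():
    """Constructed data: 4 probes per registrar per day over 5 days."""
    rows = []
    for i in range(5):
        day = date(2012, 6, 1 + i)
        rows += [("registrar-a.example", day, "down" if 1 <= i <= 3 else "thick")] * 4
        rows += [("registrar-b.example", day, s) for s in ("down", "thick", "thick", "thick")]
        rows += [("registrar-c.example", day, "thin")] * 4
    return rows
```

On the constructed data, `audit(sample_probes())` flags registrar-a for a three-day outage and registrar-c for thin output, while registrar-b's scattered failures (25% of probes) raise no outage flag.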

