[council] Whois Access - from RAPWG Final Report
- To: "council@xxxxxxxxxxxxxx" <council@xxxxxxxxxxxxxx>
- Subject: [council] Whois Access - from RAPWG Final Report
- From: Marika Konings <marika.konings@xxxxxxxxx>
- Date: Sat, 23 Jun 2012 06:00:00 -0700
- Accept-language: en-US
- List-id: council@xxxxxxxxxxxxxx
- Sender: owner-council@xxxxxxxxxxxxxx
- Thread-index: Ac1RQBy7gMQr/twYQfewN+tCNFKZzA==
- Thread-topic: Whois Access - from RAPWG Final Report
- User-agent: Microsoft-MacOutlook/14.2.2.120421
Dear All,
To provide some further context in relation to the discussion on Whois Access,
please find below an excerpt from the RAP WG Final Report regarding Whois
Access.
With best regards,
Marika
7. WHOIS Access
7.1 Issue / Definition
The RAPWG found that the basic accessibility of WHOIS has an inherent
relationship to domain registration process abuses, and is a key issue related
to the malicious use of domain names. It appears that WHOIS data is not always
accessible on a guaranteed or enforceable basis, is not always provided by
registrars in a reliable, consistent, or predictable fashion, and that users
sometimes receive different WHOIS results depending on where or how they
perform the lookup. These issues interfere with registration processes,
registrant decision-making, and with the ability of parties across the Internet
to solve a variety of problems.
WHOIS is an area within GNSO policy-making scope and has had a long history of
discussion. Below, the RAPWG comments on the basic availability of and access
to WHOIS data, and not the accuracy of contact data or the use of proxy contact
services. To avoid duplication of effort and charter scope problems, the RAPWG
decided to identify when WHOIS is seen to be a contributing factor in other
problems, and not to discuss WHOIS issues for which the GNSO has already
commissioned studies. (Those are: WHOIS contact data accuracy, the use of proxy
contact and privacy services, implications of non-ASCII registration data in
WHOIS records, and technical requirements for the WHOIS service itself –
including potential replacements. For background, please see:
http://gnso.icann.org/issues/whois/).
WHOIS data availability problems have been discussed in other GNSO working
groups, for example:
* The Post-Expiration Domain Name Recovery Working Group (PEDNR-WG)
discussed how access to WHOIS data is essential for parties to determine if
contact data has been updated upon the expiration of a domain name, and to
check domain name expiration dates. A majority of the registrars polled may
make substantial updates to WHOIS data upon expiration.[1]
* The Inter-Registrar Transfer Policy Part A PDP Working Group (IRTP-WG)[2]
noted in its final report that gaining registrars sometimes have difficulty
accessing WHOIS data, and therefore Administrative Contact e-mail addresses.
* The Fast-Flux PDP Working Group (FFWG) discussed how responders must
access WHOIS data when mitigating illicit uses of domain names.
Published WHOIS data for domain names involved in malicious conduct is an
irreplaceable part of the investigation and mitigation processes used by
registrars, registry operators, registrants, security companies, brand owners,
victims, and law enforcement.
* The national law enforcement agencies of the United States, the United
Kingdom, Australia, Canada, and New Zealand have recommended that “ICANN should
require Registrars to have a Service Level Agreement for their Port 43
servers.” These authorities consider that this is required in order “to aid the
prevention and disruption of efforts to exploit domain registration procedures
by criminal groups for criminal purposes.”[3]
* The Anti-Phishing Working Group’s DNS Policy Committee has stated that
published WHOIS is “an invaluable resource, in fact, without which most of the
cited cases would not have been successful. For cases in which legitimate
machines or services have been hacked or defrauded, published domain name WHOIS
information is an important tool used to quickly locate and communicate with
site owners and service providers. For cases where domain names are
fraudulently registered, the published domain name WHOIS information can often
be tied to other bogus registrations or proven false to allow for quick
shutdown.”[4]
7.2 Background
ICANN’s current registry contracts require registry operators to adhere to port
43 WHOIS Service Level Agreements (SLAs). These SLAs require that port 43 WHOIS
service be highly accessible and fast. For example, the .ORG contract requires
that WHOIS service be functional at least 99.31% of the time per month (with
exceptions for scheduled maintenance), and that responses be provided in less
than 800 milliseconds. Failures of registries to meet these SLAs have been very
rare according to monthly registry reports.[5]
The majority of gTLD registries are “thick” registries, in which all
authoritative WHOIS data—including contact data—is maintained at the registry.
The .COM and .NET registries are “thin,” and contact data is located only at
each domain name’s sponsoring registrar. Registrars are therefore responsible
for providing WHOIS service for .COM/.NET names so that contact data may be
retrieved. The .COM/.NET registry contains approximately 85% of the gTLD
domains in existence,[6] so registrar WHOIS accessibility is very important.
When displaying WHOIS data for thick TLD domain names—especially on their Web
sites—registrars often query the registry’s WHOIS, and display that output to
users.
The Registrar Accreditation Agreements (RAAs)[7] require that registrars
provide:
* port 43 WHOIS access
* a Web-based WHOIS
* a listed set of information (WHOIS data fields), including:
    * identity of the registrar
    * domain name’s expiration date
    * nameservers associated to the domain; and
    * specified fields of data for the Registrant Contact, Administrative
      Contact, and Technical Contact.
There are no service levels (SLAs) in the Registrar Accreditation Agreements
(RAAs). A registrar-provided WHOIS service is not required to be online for any
particular amount of time, nor provided with any particular response speed.
Port 43 is designed for use with automated and machine queries. It can also be
queried manually by users who know how to perform telnet sessions and the
“whois” command in Linux/Unix/Mac OS X shell. The percentage of Internet users
who are technically fluent enough to perform these types of queries (or even
know about port 43 at all) is small. Thus, it is required that registrars have
a Web-based WHOIS query on their sites.
A sub-team of RAPWG members performed some basic research by querying the
Web-based and port 43 servers of 50 registrars. This set included the top 20
registrars by gTLD market share, 15 randomly-chosen mid-sized registrars, and
15 randomly-chosen small registrars. When a registrar’s site was in a language
other than English, the assistance of a native speaker was obtained. In
addition to manual checks, automated queries of port 43 were performed to test
availability over time.
The sub-team members found WHOIS accessibility situations with 19 of the 50
registrars sampled. Four registrars may have been in violation of their
contractual WHOIS access requirements:
* Two did not provide a functional Web-based WHOIS.
* One registrar's WHOIS listed a sponsoring registrar different from that
provided by the .COM/.NET registry WHOIS. The registrar’s port 43 server
provided an expiration date different from that listed in the registry. The
registrar’s Web WHOIS provided two different expiration dates for the same
domain name.
* One registrar did not identify the sponsoring registrar of its domains.
The registrar does not operate its port 43 server on the domain indicated by
the .COM/.NET registry WHOIS; the registrar’s WHOIS service is evidently
subcontracted to a second registrar on that registrar’s domain; and the
sponsoring registrar’s Web WHOIS is provided on a third domain not branded as
the sponsoring registrar.
In addition, one registrar provided facially invalid registrant contact data
for its own .COM name -- including a registrant contact e-mail address on the
domain “icann.org”. This appears to be a violation of the RAA.
Fifteen other registrars presented these situations:
* Three registrars had port 43 servers that did not return replies for a
notable number of queries. One was offline/nonresponsive 21% of the time, one
was offline/nonresponsive 20% of the time, and one was offline/nonresponsive
14% of the time. (Based on 100 queries per registrar, spread out over several
weeks).
* Ten provided different WHOIS data on their port 43 servers than they did
via their Web WHOIS.
* Four provided only thin contact data via their Web WHOIS, while
providing thick contact data only on port 43.
* In two cases, registrars provided two different expiration dates for
each domain name via the Web WHOISes. One of the two expiration dates did not
match the expiration date provided by the .COM/.NET registry.
* Two sometimes provided full contact data on their Port 43 servers, and
sometimes provided just Registrant contact data (and no Admin or Tech contact
data) on their port 43 servers. It is unknown if this was due to a
rate-limiting activity.
* One registrar did not provide registrant contact data via port 43, and
did not provide Admin or Tech contact data via its Web WHOIS.
* One registrar provided a required data field (Tech and Admin contact
phone numbers) on port 43 but not via its Web WHOIS.
* Four cut off telnet sessions to port 43 very quickly--effectively
disallowing manual queries via that method.
These results indicate that:
1. Some registrars appear to be in violation of their contractual WHOIS
accessibility obligations;
2. Users are occasionally unable to obtain contact data due to WHOIS
availability problems.
3. Registrars occasionally provide registration data that differs from that
provided by the registry.
4. Users are sometimes given different registration data depending on the
method they use to access the sponsoring registrar’s WHOIS.
5. Users are sometimes given different registration data depending upon who
they are; perhaps depending upon whether they are being rate-limited.
These issues were distributed across a notable number of registrars, with
different sizes, business models, and locations around the world.
The reasons why registrars provide different data on port 43 versus their Web
sites require further investigation. Some might be attempts to prevent
automated data mining by spammers, competitors, and other parties. The RAPWG
notes that reasonable rate-limiting WHOIS can be a valid, prudent practice –
for example it can prevent spammers from mining WHOIS information[8], and can
prevent WHOIS servers from being overwhelmed by excessive queries. During
Web-based WHOIS sampling, the RAPWG members observed that only some registrars
employ CAPTCHAs on their Web-based WHOIS services as a protection against
automated queries.
In addition to the research conducted by working-group members, the RAPWG
requested information from the ICANN Compliance Department about how it
monitors registrar WHOIS access. The ICANN Compliance Department noted: "ICANN
has developed a Whois server audit tool which monitors access to registrars’
Whois servers over a Port 43 connection. The script developed for this task
retrieves data for 4 registered domain names for each accredited registrar….
The purpose of the audit is to flag Whois servers that are down for an amount
of time that is suspect and probably not just a manifestation of periodic
server maintenance or scheduled update. … What is the “reasonable amount of
time” for a server to be down? Probably no more than an hour or so per day,
although these are ICANN internal, ‘soft metrics’, not agreed-upon timeframes
with registrars. The script records the results and flags registrars that
prevent access to data on registered names. Transient network problems are less
of a concern, so ICANN focuses on long-term behavior, i.e., registrars which
ICANN is unable to communicate with for several days in a row. ….ICANN also
reaches out to registrars that provide access to data on registered names but
provide ‘thin’, not ‘thick’, Whois data. The former does not provide details on
the registered name holder and additional contacts, which is required by the
RAA.”[9]
Over the last three years, ICANN’s Compliance Department has sent seven
escalated compliance notices (e.g. notices of breach, termination, or RAA
non-renewal) to seven registrars for failure to comply with WHOIS access
requirements of the Registrar Accreditation Agreement:
* One registrar did not have its contract renewed solely for failure to
provide WHOIS access. (South America Domains dba NameFrog.com, which had less
than 300 gTLD names under sponsorship at the time.)
* The other six registrars were cited for both WHOIS access breaches AND
at least one other contract violation, such as failure to pay ICANN fees,
failure to escrow data, and/or failure to respond to WHOIS accuracy complaints.
ICANN’s Compliance Department is in contact with registrars to resolve issues
before escalated compliance notices become necessary. The Compliance staff
noted to the RAPWG that “some registrars block incoming WHOIS queries traffic
by IP address, and Compliance works with the registrars to get them unblocked
when there may be a misunderstanding.” and, “Aside from metrics on informal
outreach to resolve blocked Whois servers and incomplete, or ‘thin’, Whois data
with registrars, which have been more than two dozen in the past 6-8 months,
Compliance could provide bi-weekly statistics to the WG from here on out on the
number of registrars that showed a pattern of restricting access to their Whois
server over a Port 43 connection. These statistics have not been published
before.”
So, it appears that some contractual violations are cured in an amicable
manner, and that public breach letters have apparently been used as a tool of
last resort. It is unknown how many WHOIS accessibility issues have been
discovered but not resolved.
The last time that ICANN published WHOIS access compliance data was 2007.[10]
That year, ICANN’s Compliance Department examined every ICANN-Accredited
Registrar’s Web site, and did not examine port 43 access. [11]
The Compliance Department numbers indicate that WHOIS access problems are found
regularly. Above and beyond those, the RAPWG research indicates that a notable
percentage of registrars might not make WHOIS data available in a reliable,
consistent, or predictable fashion.
7.3 Recommendations
Recommendation 1:
The GNSO should determine what additional research and processes may be needed
to ensure that WHOIS data is accessible in an appropriately reliable,
enforceable, and consistent fashion.
The GNSO Council should consider how such might be related to other WHOIS
efforts, such as the upcoming review of WHOIS policy and implementation
required by ICANN’s new Affirmation of Commitments. The Affirmation of
Commitments says: “ICANN additionally commits to enforcing its existing policy
relating to WHOIS, subject to applicable laws. Such existing policy requires
that ICANN implement measures to maintain timely, unrestricted and public
access to accurate and complete WHOIS information, including registrant,
technical, billing, and administrative contact information. One year from the
effective date of this document [30 September 2009] and then no less frequently
than every three years thereafter, ICANN will organize a review of WHOIS policy
and its implementation to assess the extent to which WHOIS policy is effective
and its implementation meets the legitimate needs of law enforcement and
promotes consumer trust.”[12]
The WG achieved unanimous consensus on the above recommendation. In favour
(14): Aaron (RySG), Amadoz (RySG), Bladel (RrSG), Cobb (CBUC), Felman
(MarkMonitor), Neuman (RySG), O’Connor (CBUC), Queern (CBUC), Rasmussen
(Internet Identity), Rodenbaugh (CBUC), Seltzer (NCSG), Shah
(MarkMonitor), Sutton (CBUC), Young (RySG). Against, or alternate views: none.
Recommendation 2.
The GNSO should request that the ICANN Compliance Department publish more data
about WHOIS accessibility, on at least an annual basis. This data should
include a) the number of registrars that show a pattern of unreasonable
restriction of access to their port 43 WHOIS servers, and b) the results of an
annual compliance audit of compliance with all contractual WHOIS access
obligations.
The WG achieved unanimous consensus on the above recommendation. In favour
(13): Aaron (RySG), Amadoz (RySG), Bladel (RrSG), Cobb (CBUC), Felman
(MarkMonitor), Neuman (RySG), O’Connor (CBUC), Queern (CBUC), Rasmussen
(Internet Identity), Rodenbaugh (CBUC), Shah (MarkMonitor), Sutton (CBUC),
Young (RySG). Abstentions (1): Seltzer (NCSG). Against, or alternate views: none.
________________________________
[1] “Draft Initial Report on the Post-Expiration Domain Name Recovery Policy
Development Process”:
https://st.icann.org/data/workspaces/post-expiration-dn-recovery-wg/attachments/post_expiration_domain_name_recovery_wg:20100112125658-0-27743/original/Draft%20Initial%20Report%20-%20PEDNR%20PDP%20-%2012%20January%202010.doc
[2] “Draft Final Report on the Inter-Registrar Transfers Policy - Part A Policy
Development Process”:
https://st.icann.org/data/workspaces/irtp_jun08_pdp-wg/attachments/irtp_part_a_pdp_wg_pdp_jun08:20090318145458-1-14319/original/Draft%20Final%20Report%20-%20IRTP%20Part%20A%20-%2018%20March%202009.doc%20%5BCompatibility%20Mode%5D.pdf
[3] “Law Enforcement Recommended RAA Amendments and ICANN Due Diligence”,
November 2009,
https://st.icann.org/raa-related/index.cgi/LawEnforcementRAArecommendations%20(2).doc?action=attachments_download;page_name=05_january_2010;id=20091118185109-0-21002
[4] “Issues in Using DNS Whois Data for Phishing Site Take Down,”
http://www.antiphishing.org/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf
[5] http://www.icann.org/en/tlds/monthly-reports/
[6] “VeriSign Domain Name Industry Brief,” September 2009,
http://www.verisign.com/domain-name-services/domain-information-center/domain-name-resources/domain-name-report-dec09.pdf
[7] http://www.icann.org/en/registrars/agreements.html
[8] See: “SAC 023: Is the WHOIS Service a Source for
Email Addresses for Spammers?”:
http://www.icann.org/en/committees/security/sac023.pdf
[9] http://forum.icann.org/lists/gnso-rap-dt/msg00454.html
[10] http://forum.icann.org/lists/gnso-rap-dt/msg00454.html
[11]
http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-18oct07.pdf
[12] http://www.icann.org/en/announcements/announcement-30sep09-en.htm