Latest news of the domain name industry

Recent Posts

ICANN’s private Whois data request service goes live

Kevin Murphy, November 28, 2023, Domain Registrars

ICANN has this evening gone live with its service that enables anyone to request private Whois data on any gTLD domain.

The Registration Data Request Service lets people request contact information on registrants that would otherwise be redacted in the public Whois due to laws such as the GDPR.

The press release announcing the launch seems to have come out an hour or two before the service actually became accessible, but it’s definitely live now and I’ve tried it out.

The system is defined largely by what it isn’t. It isn’t an automated way to get access to private data. It isn’t guaranteed to result in private data being released. It isn’t an easy workaround to post-GDPR privacy restrictions.

It is a way to request an unredacted Whois record knowing only the domain and not having to faff around figuring out who the registrar is and what their mechanisms and policies are for requesting the data.

After scaling back the extremely complex and expensive original community recommendations for a post-GDPR Whois service, ICANN based the RDRS on its now decade-old Centralized Zone Data Service, which acts as an intermediary between registries and people like myself who enjoy sniffing around in zone files.

The RDRS merely connects Whois data requestors — the default settings in the interface suggest that ICANN thinks they’ll mostly be people with court orders — with the registrars in charge of the domains they are interested in.

Anyone who has used CZDS will recognize the interface, but the requesting process is longer, more complex, and requires accepting more disclaimers and Ts&Cs. That said, it’s not particularly confusing.

At first glance, it looks fine. Slick, even. I’ve used it to submit a test request with GoDaddy for my own Whois data, specifying that whoever deals with the request is free to ignore it. Let’s see what happens.

ICANN signs Whois’ death warrant in new contracts

Kevin Murphy, May 3, 2023, Domain Policy

Whois as we have known it for decades will be phased out of gTLDs over the next couple of years, after ICANN approved changes to its contracts at the weekend.

The board of directors signed off on amendments to the base Registry Agreement and Registrar Accreditation Agreement after they were approved by the requisite majority of registries and registrars earlier this year.

The changes outline how registries and registrars must make the move away from Whois, the technical specification, toward the functionally similar RDAP, the Registration Data Access Protocol.

After the amendments go into effect, contracted parties will have about 18 months to make the migration. They’ll be allowed to run Whois services in parallel if they wish after the transition.

People will in all likelihood carry on referring to such services as “Whois”, regardless, rather than the official replacement term “Registration Data Directory Services” or RDDS.

The RAA amendment will also require registrars to provide full RDAP output, rather than relying on “thick” registries to do it for them.

None of the changes affect how much personal information is returned for domain ownership lookups.

New ICANN contracts chart the death throes of Whois

Kevin Murphy, September 12, 2022, Domain Policy

Whois is on its death bed, and new versions of ICANN’s standard contracts put a timeline to its demise.

The Org has posted proposed updates to its Registrar Accreditation Agreement and Registry Agreement, and most of the changes focus on the industry-wide transition from the Whois standard to the newer Registration Data Access Protocol.

We’re only talking about a change in the technical spec and terminology here. There’ll still be query services you can use to look up the owner of a domain and get a bunch of redactions in response. People will probably still even refer to it as “Whois”.

But when the new RAA goes into effect, likely next year, registrars and registries will have roughly 18 months to make the transition from Whois to RDAP.

Following the contract’s effective date there’ll be an “RDAP Ramp-up Period” during which registrars will not be bound by RDAP service-level agreements. That runs for 180 days.

After the end of that phase, registrars will only have to keep their Whois functioning for another 360 days, until the “WHOIS Services Sunset Date”. After that, they’ll be free to turn Whois off or keep it running (still regulated by ICANN) as they please.

ICANN’s CEO and the chair of the Registrars Stakeholder Group will be able to delay this sunset date if necessary.

Most registrars already run an RDAP server, following an order from ICANN in 2019. IANA publishes a list of the service URLs. One registrar has already lost its accreditation in part because it did not deploy one.

There’ll be implementation work for some registrars, particularly smaller ones, to come into compliance with the new RAA, no doubt.

There’ll also be changes needed for third-party software and services that leverage Whois in some way, such as in the security field or even basic query services. Anyone not keeping track of ICANN rules could be in for a sharp shock in a couple of years.

The contracted parties have been negotiating these changes behind closed doors for almost three years. It’s been almost a decade since the last RAA was agreed.

The contracts are open for public comment until October 24.

ICANN adds another six months to Whois reform roadmap

Kevin Murphy, November 4, 2021, Domain Policy

ICANN says that its preparatory work for possible Whois reforms will take another six months.

The Operational Design Phase for the System for Standardized Access and Disclosure will now conclude “by the end of February 2022”, ICANN said this week.

That’s after the Org missed its original September deadline after six months of work.

ICANN program manager Diana Middleton said at ICANN 72 last week that ODP had been delayed by various factors including surveys taking longer than expected and throwing up more questions than they answered.

A survey of Governmental Advisory Committee members due September 17 was extended until the end of October.

But she added that ICANN intends to throw its first draft of the output — an Operational Design Assessment — at its technical writers by the end of the month, with a document going before the board of directors in early February.

SSAD is the proposed system that would funnel requests for private Whois data through ICANN, with a new veneer of red tape for those wishing to access such data.

The ODP is ICANN’s brand-new process for deciding how it could be implemented, how much it would cost, and indeed whether it’s worthwhile implementing it at all.

It’s also being used to prepare for the next round of new gTLDs, with a 13-month initial deadline.

The longer the current ODP runs, the greater the cost to the eventual SSAD user.

Whois rule changes that nobody likes get approved anyway

Kevin Murphy, November 3, 2021, Domain Services

ICANN’s Generic Names Supporting Organization Council has approved a handful of changes to Whois policy, despite the fact that pretty much nobody was fully on-board with the proposals and how they were made.

The new recommendations call for a new field in Whois records to flag up whether the registrant is a private individual, whose privacy is protected by law, or a legal entity like a company, which have no privacy rights.

But the field will be optional, with no obligation for registries or registrars to use it in their Whois services, which has angered intellectual property interests, governments and others.

The working group that came up with the recommendations also declined to find that Whois records should come with an anonymized registrant email address as standard. This absence of change was also adopted by the Council, causing more disappointment.

In short, nothing much is happening to Whois records for the foreseeable future as a result of these policy changes.

But the process to arrive at this conclusion has highlighted not just the deep divisions in the ICANN community but also, some argue, deficiencies in the ICANN process itself.

The Expedited Policy Development Process working group that has since 2018 been looking at the interaction between Whois and privacy protection law, primarily the European Union’s General Data Protection Regulation, had been asked two final questions earlier this year, to wrap up its long-running work.

First, should registrars and registries be forced to distinguish between legal and natural persons when deciding what data to publish in Whois?

Second, should there be a registrant-based or registration-based anonymized email published in Whois to help people contact domain owners and/or correlate ownership across records?

The answer on both counts was that it’s up to the registry or registrar to decide.

On legal versus natural, the EPDP decided that ICANN should work with the technical community to create a new field in the Whois standard (RDAP), but that there should be no obligation for the industry to use it.

On anonymized email addresses, the working group recommendations were even hand-wavier — they merely refer the industry to some legal advice on how to implement such a system in a GDPR-compliant way.

While this phase of the EPDP’s work was super-fast by ICANN standards (taking about nine months) and piss-weak with its output, it nevertheless attracted a whole lot of dissent.

While its tasks appeared straightforward to outsiders, it nevertheless appears to have inherited the simmering tensions and entrenched positions of earlier phases and turned out to be one of the most divisive and fractious working groups in the modern ICANN period.

Almost every group involved in the work submitted a minority statement expressing either their displeasure with the outcome, or with the process used to arrive at it, or both. Even some of the largely positive statements reek of sarcasm and resentment.

EPDP chair Keith Drazek went to the extent of saying that the minority statements should be read as part and parcel of the group’s Final Report, saying “some groups felt that the work did not go as far as needed, or did not include sufficient detail, while other groups felt that certain recommendations were not appropriate or necessary”.

This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone.

The appears to be an understatement.

The Intellectual Property Constituency and Business Constituency were both the angriest, as you might expect. They wanted to be able to get more data on legal persons, and to be able to reverse-engineer domain portfolios using anonymous registrant-baed email addresses, and they won’t be able to do either.

The Governmental Advisory Committee and Security and Stability Advisory Committee both expressed positions in line with the IPC/BC, dismayed that no enforceable contract language will emerge from this process.

Councilor Marie Pattullo of the BC said during the GNSO Council vote last Wednesday that the work “exceeds what is necessary to protect registrant data” and that the EPDP failed to “preserve the WHOIS database to the greatest extent possible”.

The “optional differentiation between legal and natural persons is inadequate”, she said, resulting in “a significant number of records being needlessly redacted or otherwise being made unavailable”. The approved policies contain “no real policy and places no enforceable obligations on contracted parties”, she said.

IPC councilor John McElwaine called the EPDP “unfinished work” because the working group failed to reach a consensus on the legal/natural question. The IPC minority statement had said:

Requiring ICANN to coordinate the technical community in the creation of a data element which contracted parties are free to ignore altogether falls far short of “resolving” the legal vs. natural issue. And failing to require differentiation of personal and non-personal data fails to meet the overarching goal of the EPDP to “preserve the WHOIS database to the greatest extent possible” while complying with privacy law.

But McElwaine conceded that “a minority of IPC members did favor these outputs as being minor, incremental changes that are better than nothing”.

The BC and IPC both voted against the proposals, but that was not enough to kill them. They would have needed support from at least one councilor on the the other side of the GNSO’s Non-Contracted Parties House, the Non-Commercial Stakeholders Group, and that hand was not raised.

While the NCSG voted “aye”, and seemed generally fine with the outcome, it wasn’t happy with the process, and had some stern words for its opponents. It said in its minority statement:

The process for this EPDP has been unnecessarily long and painful, however, and does not reflect an appreciation for ICANN’s responsibility to comply with data protection law but rather the difficulty in getting many stakeholders to embrace the concept of respect for registrants’ rights…

With respect to the precise issues addressed in this report, we have stressed throughout this EPDP, and in a previous PDP on privacy proxy services, that the distinction between legal and natural is not a useful distinction to make, when deciding about the need to protect data in the RDS. It was, as we have reiterated many times, the wrong question to ask, because many workers employed by a legal person or company have privacy rights with respect to the disclosure of their personal information and contact data. The legal person does not have privacy rights, but people do.

While welcoming the result, the Registrars Stakeholder Group had similar concerns about the process, accusing its opponents of trying to impose additional legal risks on contracted parties. Its minority statement says:

it is disappointing that achieving this result was the product of significant struggle. Throughout the work on this Phase, the WG revisited issues repeatedly without adding anything substantially new to the discussion, and discussed topics which were out of scope. Perhaps most importantly, the WG was on many occasions uninterested in or unconcerned with the legal and financial risks that some proposed obligations would create for contracted parties in varying jurisdictions or of differing business models, or the risks to registrants themselves.

The Registries Stakeholder Group drilled down even more on the “out of scope” issue, saying the recommendation to create a new legal vs natural field in Whois went beyond what the working group had been tasked with.

They disagreed with, and indeed challenged, Drazek’s decision that the discussion was in-scope, but reluctantly went ahead and voted on the proposals in Council in order to finally draw a line under the whole issue.

The question of whether the legal vs natural question has been in fact been resolved seems to be an ongoing point of conflict, with the RySG, RrSG and NCSG saying it’s finally time to put the matter to bed and the IPC and BC insisting that consensus has not yet been reached.

The RySG wrote that it is “well past time to consider the issue closed” and that the EPDP had produced a “valuable and acceptable outcome”, adding:

The RySG is concerned that some have suggested this issue is not resolved. This question has been discussed in three separate phases of the EPDP and the result each time has been that Contracted Parties may differentiate but are not required to do so. This clearly demonstrates that this matter has been addressed appropriately and consistently. A perception that this work is somehow unresolved could be detrimental to the ICANN community and seen as undermining the effectiveness of the multistakeholder model.

Conversely, the BC said the report “represents an unfortunate failure of the multistakeholder process” adding that “we believe the record should state that consensus opinion did not and still does not exist”.

The IPC noted “a troubling trend in multistakeholder policy development”, saying in a clear swipe at the contracted parties that “little success is possible when some stakeholders are only willing to act exclusively in their own interests with little regard for compromise in the interest of the greater good.”

So, depending on who you believe, either the multistakeholder process is captured and controlled by intransigent contracted parties, or it’s unduly influenced by those who want to go ultra vires to interfere with the business of selling domains in order to violate registrant privacy.

And in either case the multistakeholder model is at risk — either “agree to disagree” counts as a consensus position, or it’s an invitation for an infinite series of future policy debates.

Business as usual at the GNSO, in other words.

DI Leaders Roundtable #2 — Should we kill off “Whois”?

Kevin Murphy, November 11, 2019, Domain Tech

Should we stop using the word “Whois” to describe registration data lookup services?
That’s the question I posed for the second DI Leaders Roundtable.
I’m sure you’re all very well aware that the Registration Data Access Protocol (RDAP) is the imminent replacement for the Whois protocol, as the technical method by which domain registrant contact information is stored, transmitted and displayed.
ICANN also regularly refers to Registration Data Directory Services (RDDS) as a protocol-independent blanket term covering the concept of looking up Whois or RDAP data.
You may also recall that ICANN, which is ostensibly a technical body, appears to bedeprecating the word “Whois” in favor of “Lookup” on its own web-based query service.
ICANN has a track record of introducing new acronyms to describe already well-understood functions. The IANA has technically been called “Public Technical Identifiers” for years, but does anyone actually call it “PTI”? No, everyone still talks about “IANA”.
So I wanted to know:

Should we continue to call it “Whois” after the technical transition to RDAP is complete? Will you continue to refer to “Whois”? Should we change to a different word or acronym? Should the industry standardardize its language one way or the other?

There seems to be a general consensus that “Whois” ain’t going anywhere.
The responses, in no particular order.
Jothan Frakes, Executive Director, Domain Name Association
Mugshot

The term WHOIS won’t quickly leave the zeitgeist due to the decades of its use as a description of the lookup process. Lookup is somewhat confusing, as there is DNS Query lookup that works across the resolution system, and WHOIS Lookup that works to find registrant info via the registration system. As far as the term “Lookup” as the label for the new normal that is poised to replace WHOIS? It is better than the acronym “RDDS”. The general public probably would not assume that RDDS is a way to find out about a domain owner or registration information, because it sounds like it involves dentistry (DDS) if one is not following the ICANN world as close as insiders. Despite the evolutionary path the basic function seems to be on, it is likely that WHOIS continues to be what the nickname for the lookup process called, regardless of the support technology layers below it not literally being WHOIS.

Frank Schilling, CEO, Uniregistry
Mugshot

WHOIS IS DEAD, LONG LIVE WHOIS.
The echo of “Whois” will live long after Whois is dead and gone. The very nature of its replacement word “Lookup” ensures that the information hungry public will expect more fulsome data than ICANN intends the word to provide. There will continue to be services who try to engineer a Whois hack and provide accurate underlying data for paying customers. Whois is going to outlive all of us. Even those who diet, exercise, and eat organic food.

Dave Piscitello, Partner, Interisle Consulting Group

MugshotJust as most of the world isn’t familiar with new TLDs, most have no appreciation for the differences between Whois and RDAP. The term “Whois” is convenient, memorable, and embedded. It also represents a service to most users, not a protocol, so if we do “standardize” we should use “RDS”. While we sort out the disastrous effects of ICANN’s Temp Spec policy on both investigators and victims of DNS abuse, most parties involved with educating policy makers and legislators should continue to use Whois for consistency’s sake.

Christa Taylor, CMO, MMX

MugshotAs the old adage goes, “Don’t fix what’s not broken.” While “Whois” may have lost some of its luster due to GDPR I prefer to retain the term — it’s simple, representative of the information it provides and avoids adding any confusion especially for people outside of ICANN. Employing standardized language is, of course, logical and after twenty years of using “Whois” it is the accepted term both inside and outside the industry.

Sandeep Ramchamdani, CEO, Radix Registry

MugshotFirst up, the transition to the RDAP system is much needed given the fundamental flaws of Whois.
It would help in placing some guardrails around customers’ privacy while still providing agencies such as law enforcement authenticated access that they need to do their work.
Whois is a major cause of spam and in the age where privacy is top currency, public, unauthenticated availability of personal data is unacceptable.
It should also smooth out inter-registrar transfers and lower customer frustration while moving out to a different service provider.
When it comes to its name, calling it “RDAP” or “Lookup” would be a branding error. It would cause some confusion and for those not intimately involved in the industry, who may find it hard to discover the new system.
In my mind, keeping the original nomenclature “Whois”, while making it clear that it’s a newer avatar of the same solution would be the way to go.
Can’t think of a better term than “Whois 2.0”.
Very easy to understand that it’s a newer, more advanced iteration of the same product.

Michele Neylon, CEO, Blacknight
Mugshot

Whois was originally a simple little protocol that allowed network operators to contact each other to address technical issues. It predates the usage of domain names or the “web”.
When domains were introduced the same concept was simply transposed over to the new identifiers.
However over the past 20 plus years the way that people viewed Whois has morphed dramatically. The first time I spoke at an ICANN meeting 12 years ago was on the subject of Whois!
Now the term is used both to talk about the technical protocol, which is being replaced in the gTLD space and the data that it is used to store and possibly display. We talk about “Thin Whois”, “Thick Whois” and so many other services and issues linked back to it.
Whois as a protocol is far from perfect, which is why replacing the technical side of it makes a lot of sense.
So with the world slowly moving towards a new technical method for processing domain registration data then maybe we should come up with another word for it. However I’m not sure if there’s much to be gained by doing that.
We are all used to the floppy disk icon to save a document, even if floppy disks are no longer used. With the term “Whois” being part of people’s vocabulary for the nearly a quarter of a century. it’d be pretty hard to find a simple replacement and have people adopt it widely. Sure, in the more technical conversations it makes sense to use more accurate terms like “RDAP”, but the average punter just wants to be able to use a term that they can understand.
Those of us who work with domains and internet technology in our day jobs might care about the “correct” terminology, but we’re in a minority. We all get excited when the mainstream media picks up on a story involving domain names or the DNS and even gets half of it right! If we conjure up some new term that we think is accurate it’ll take years before anyone outside our bubble is comfortable with it. So I don’t think we should.
We should simply accept that “Whois” is a term used to refer to domain registration data no matter what technology under the hood is used to handle it.

Rick Schwartz, domain investor

MugshotHate to give the same basic answer to two questions in a row, but who cares?
Really!! Who cares? Nobody!
This is inside baseball that doesn’t affect anyone on the entire planet except for a handful of domain investors and ICANN etc.
Call it whatever you like just make sure it’s public info.

ICANN enters talks to kill off Whois for good

Kevin Murphy, October 23, 2019, Domain Tech

Whois’ days are numbered.
ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.
It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.
In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.
The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.
When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.
The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.
The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.
Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.
We could be looking at the death of Whois within a year.

Whois killer deadline has passed. Did most registrars miss it?

Kevin Murphy, August 28, 2019, Domain Registrars

The deadline for registrars to implement the new Whois-killer RDAP protocol passed yesterday, but it’s possible most registrars did not hit the target.
ICANN told registrars in February (pdf) that they had six months to start making RDAP (Registration Data Access Protocol) services available.
RDAP is the replacement for the age-old Whois protocol, and provides virtually the same experience for the end user, enabling them to query domain ownership records.
It’s a bit more structured and flexible, however, enabling future services such as tiered, authenticated access.
Despite the August 26 deadline coming and going, ICANN records suggest that as many as three quarter of accredited registrars have not yet implemented RDAP.
The IANA department started publishing the base URLs for registrar RDAP servers recent.
According to this list, there are 2,454 currently accredited registrars, of which only 615 (about 25%) have an RDAP server.
But I’m not convinced this number is particularly useful.
First, just because a registrar’s RDAP server is not listed, does not mean it does not have one.
For example, the two largest registrars, Tucows and GoDaddy, do not have servers on the list, but both are known to have been working on RDAP services for a long time through public pilots or live services. Similarly, some CentralNic registrars have servers listed while others do not.
Second, of the 1,839 accreditations without servers, at least 1,200 are DropCatch.com shells, which tips the scales towards non-compliance considerably.
Still, it seems likely that some registrars did in fact miss their deadline. How stringently ICANN chooses to enforce this remains to be seen.
ICANN itself replaced its “Whois” service with a “Lookup” service last month.
According to Michele Neylon of the registrar Blacknight, contracted parties can also discover RDAP URLs via ICANN’s closed RADAR registrar information portal.
RDAP and Whois will run concurrently for a while before Whois takes its final bow and disappears forever.

ICANN dumps the “Whois” in new Whois tool

Kevin Murphy, July 31, 2019, Domain Tech

Of all the jargon regularly deployed in the domain name industry and ICANN community, “Whois” is probably the one requiring the least explanation.
It’s self-explanatory, historically doing exactly what it says on the tin. But it’s on its way out, to be replaced by the far less user-friendly “RDAP”.
The latest piece of evidence of this transition: ICANN has pushed its old Whois query tool aside in favor of a new, primarily RDAP-based service that no longer uses the word “Whois”.
RDAP is the Registration Data Access Protocol, the IETF’s standardized Whois replacement to which gTLD registries and registrars are contractually obliged to migrate their registrant data.
Thankfully, ICANN isn’t branding the service on this rather opaque acronym. Rather, it’s using the word “Lookup” instead.
The longstanding whois.icann.org web site has been deprecated, replaced with lookup.icann.org. Visitors to the old page will be bounced to the new one.
The old site looked like this:
Whois
The new site looks like this:
Whois
It’s pretty much useless for most domains, if you want to find out who actually owns them.
If you query a .com or .net domain, you’ll only receive Verisign’s “thin” output. This does not included any registrant information.
That’s unlike most commercial Whois services, which also ping the relevant registrar for the full thick record.
For non-Verisign gTLDs, ICANN will return the registry’s thick record, but it will be very likely be mostly redacted, as required under ICANN’s post-GDPR privacy policy.
While contracted parties are still transitioning away from Whois to RDAP, the ICANN tool will fail over to the old Whois output if it receives no RDAP data.
Under current ICANN Whois policy, registries and registrars have until August 26 to deploy RDAP services to run alongside their existing Whois services.

Registrars given six months to deploy Whois killer

Kevin Murphy, March 1, 2019, Domain Policy

ICANN has started the clock ticking on the mandatory industry-wide deployment of RDAP.
gTLD registries and registrars have until August 26 this year to roll out RDAP services, which will one day replace the age-old Whois spec, ICANN said this week.
Registration Data Access Protocol fulfills the same function as Whois, but it’s got better support for internationalization and, importantly given imminent work on Whois privacy, tiered access to data.
ICANN’s RDAP profile was created in conjunction with contracted parties and public comments. The registries and registrars knew it was coming and told ICANN this week that they’re happy for the 180-day implementation deadline to come into effect.
The profile basically specs out what registrars and registries have to show in their responses to Whois (or RDAP, if you’re being pedantic) queries.
It’s based on the current Temporary Specification for Whois, and will presumably have to be updated around May this year, when it is expected that the Temp Spec will be replaced by the spec created by the Whois EPDP.