Re: New ICANN registrant change process

[Rubens Kuhl <rubensk () gmail com>]

On Wed, Jul 6, 2016 at 11:13 PM, David Conrad <drc () virtualized org> wrote:

> Rubens,
>
> On Jul 6, 2016, at 2:20 PM, Rubens Kuhl <rubensk () gmail com> wrote:
> > > Not sure the RPZ hammer has been brought out in force yet. I've seen a
> few recommendations on various mailing lists, but no concerted effort.
> Unfortunately, there is no easy/scalable way to determine who a registrar
> for a given name is,
> > That is called RDAP,
>
> I said "scalable".
>
> Given RDAP is based on TCP and there is this concept known as
> "registration data lookup rate limiting", I'm somewhat skeptical RDAP is
> the appropriate choice for (e.g.,) a "DNS Block List"-like solution that
> would (say) dump email that came from domains registered via
> operator-specified registrars.

Fair enough. There are though non-standard UDP-based domain lookup
implementations like isavail that could address both this use case and
provide faster availability searches.


> > but ICANN currently blocks gTLD registries from offering RDAP.
>
>
> Ignoring the above, and as I'm sure you're aware, the community has not
> determined the policies by which RDAP may be offered as an official
> registry service using production data, e.g., whether and how
> differentiated services will be permitted among other details.  As such, it
> is more accurate to say that registries are not permitted to deploy new
> services because of contractual obligations the registries entered into
> that requires them to have new services evaluated to ensure those services
> don't impact DNS security, stability or competition, something the
> community required ICANN enforce as a result of the SiteFinder episode ages
> ago. Registries can, of course, request that evaluation and I'm told some
> have and are actually offering RDAP.
>
> But I would agree it is much easier to simply blame ICANN.
RDAP is totally different from other possible registry services since it's
already baked into registries contracts...
https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-09jan14-en.htm
specification 4. It's basically the same service already offered thru
WHOIS, RDDS, over a different protocol.

The contract already allows ICANN to trigger a requirement to support RDAP,
but doesn't allow registries to support if before they are required. ICANN
could have, and has been suggested to, allow it before it triggers the
requirement in order to have willing registries support it, and hasn't done
it.

So in this particular case I don't have any problems blaming ICANN... and
the great level of transparency of ICANN meetings being recorded and
transcribed provides plenty of evidence in that regard.

As for gTLD registries offering RDAP, I couldn't find any at
https://www.icann.org/resources/pages/rsep-2014-02-19-en, the page where
new registry services are described and published for comments... the only
registries I know deploying RDAP are ccTLDs, which do not operate inside
ICANN gTLD policy framework.
https://rdap.registro.br/domain/icannsaopaulo.br
https://rdap.nic.cz/domain/nic.cz



Rubens