RDAP @ .at
- 1. 1 · www.nic.at ICANN69 vTechDay · Status public RDAP @ .at ICANN69 vTechday ICANN69 vTechDay · Status public 2020-10-19 · Alex Mayrhofer · Head of R&D · alexander.mayrhofer@nic.at
- 2. 2 · www.nic.at ICANN69 vTechDay · Status public Agenda • RDAP: Brief overview • RDAP @ .at: Project reasoning & goals • High-level Architecture • Implementation details • Current features • Future plans
- 3. 3 · www.nic.at ICANN69 vTechDay · Status public Registration Data Access Protocol • WHOIS (RFC 954, 1985) Very simple / old protocol No encryption non-ASCII text is hard No data format „command line“ protocol • RDAP (RFC 7482, 2015!) New! Shiny! Web-based (Encryption, UTF8, Clients)! Data in structured JSON!
- 4. 4 · www.nic.at ICANN69 vTechDay · Status public Project Reasoning • The CERT angle Austrian CERT is an in-house department of the ccTLD CERT requires access to domain registration details.. Let‘s use RDAP! • The ccTLD angle RDAP will likely replace WHOIS at some point Create a prototype-level implementation Gain experience for potential public service
- 5. 5 · www.nic.at ICANN69 vTechDay · Status public Project Goals • Create an RDAP server to provide domain registration details to CERT • Integrate with the available data sources • Test-drive „advanced“ RDAP topics Authentication (OpenID Connect / JWT) Differentiated Access Searches
- 6. 6 · www.nic.at ICANN69 vTechDay · Status public Architecture – Data Sources RDAP core Additional Contacts • RDAP „core“ Provides full (unredacted) domain and entity data • Supplemental contacts Provides additional entities • Data Warehouse Searches • How to combine these?
- 7. 7 · www.nic.at ICANN69 vTechDay · Status public Architecture - Frontend RDAP core Frontend (RDAP Web App) Caching (Redis) OpenID Authentication • Faces the RDAP Clients • Collects data from sources • Assembles responses • Performs authentication / authorization Differentiated Access Data Filtering Access Controls (Search!) Rate Limiting Logging / Auditing
- 8. 8 · www.nic.at ICANN69 vTechDay · Status public Implementation RDAP core • RDAP data provided directly from the Registry database PostgreSQL database procedures Directly produces JSON (same strategy for existing WHOIS server) • Always provides the full (unredacted) data • Doesn‘t care about users, roles, rate limiting („Additional contacts“: PostgreSQL database, accessed via SQL)
- 9. 9 · www.nic.at ICANN69 vTechDay · Status public Implementation „Frontend“ • „RDAP is a web service“ • Therefore, let‘s use a web framework! • Laravel (PHP) Extensive Knowledge available in-house Model/View/Controller pattern Tons of features, flexible, but steep learning curve
- 10. 10 · www.nic.at ICANN69 vTechDay · Status public Current Features • „Pipe-through“ of RDAP data from RDAP core source • „Enrich“ registrar information with supplemental contact information • Authentication / Authorization Currently via nic.at internal authentication infrastructure Who‘s asking?
- 11. 11 · www.nic.at ICANN69 vTechDay · Status public A few details… • Authentication / Authorization OpenID Connect Identity Provider: Keycloak Existing infrastructure @ nic.at • jCard Handling This is … tiring.. Sabre vObject PHP library to the rescue • Rate Limiting Laravel „Middleware“ https://www.keycloak.org/
- 12. 12 · www.nic.at ICANN69 vTechDay · Status public Frontend Infrastructure • Docker-based, currently 3 containers Web-Server (nginx) Scripting-Engine (PHP-FPM) -> Laravel Caching Layer (Redis) (Frontend only, data Sources are outside of that docker host)
- 13. 13 · www.nic.at ICANN69 vTechDay · Status public Challenges • jCard is hard to parse / create Use of Sabre vObject PHP library • Validation / Testing RDAP has a decently complex structure – are we doing the right thing? First „validation“ steps with openrdap client Server is internal, so web-based validation services do not work • Laravel is very flexible and mighty Some tasks require just a single line of code! But it also has 4822 buttons to press.. Photo by Leonel Fernandez on Unsplash
- 14. 14 · www.nic.at ICANN69 vTechDay · Status public Next steps • Machine-to-machine authentication / API Tokens Probably moving to long-lived JWTs Addition of a web interface to manage those tokens • Differentiated Access Goal: Have a „script language“ for filtering + templates Looking at jq / libjq and respective PHP bindings • Searches Addition of new data source „Data Ware House“ Conflict between requirements and currently existing RDAP search specifications – custom extension?
- 15. 15 · www.nic.at ICANN69 vTechDay · Status public Summary / Questions? • We‘ve created an internal RDAP server to expose the .at registration details to the local in-house CERT in a standardized way • This also serves as a prototype to explore the path to a future public service. • The server uses multiple data sources as backends (RDAP core, supplemental contacts DB, data warehouse – searches!) • The RDAP Frontend interacts with the client, assembles/filters responses, and is based on the Laravel PHP framework • Authentication / Authorization is done with OpenID Connect
- 16. 16 · www.nic.at ICANN69 vTechDay · Status public nic.at GmbH Jakob-Haringer-Str. 8/V · 5020 Salzburg · Austria T +43 662 4669 - 34 · F -29 alexander.mayrhofer@nic.at · www.nic.at