RDAP in Iris Investigate
RDAP Background
Registration Data Access Protocol (RDAP) is a replacement for WHOIS. WHOIS has been in use for over 40 years and was never designed for the scale at which it is used today. While WHOIS is a text file, RDAP is a machine-readable JSON format. Major internet management organizations like ICANN and IANA are driving adoption of RDAP as the successor to WHOIS.
RDAP was initially standardized by the IETF in 2015. Its adoption was slow at first but has been gaining momentum, at global scale, particularly for registries and registrars in the "global TLDs" (gTLDs) administered by ICANN.
RDAP supports registration data for domains, IP addresses, and ASNs. Domain RDAP is the priority for DomainTools - that is what is in the Iris Investigate Beta available now.
For domains, RDAP supports all the same fields displayed in Pivot Engine, for example registrar, registrant, registrant organization, emails/contact information, Create and Expiration dates. Contact mailing addresses are present but structured in a less specific way than WHOIS. DomainTools parses contact addresses, but there will be differences between RDAP and WHOIS data due to the different structures.
In the majority of cases, data redacted in WHOIS is also being redacted in RDAP (and vice-versa). Anecdotal analysis shows that in some cases RDAP has more redacted data, and in other cases, WHOIS has more. As many registries/registrars are still maturing their RDAP tooling, it's likely the amount of privacy redacted data in RDAP will increase.
The main driver for domain RDAP adoption is ICANN. They aspire to fully migrate from WHOIS to RDAP for registries and registrars working the gTLDs they administer. Country Code TLDs (ccTLDs) are not administered by ICANN, so the registries and registrars there are not directly influenced by ICANN as they are in gTLDs. We have seen a few ccTLDs supporting RDAP, although many do not. As ccTLDs adopt RDAP, if their servers are added to IANA's bootstrapping process - which identifies RDAP servers that DomainTools can query - those ccTLDs' RDAP data will also be gathered by DomainTools.
In August of 2023, ICANN published a "Global Amendment to the Base gTLD Registry Agreement" that includes provisions for sunsetting the obligation to provide WHOIS for registries and registrars under their purview. Some registries and registrars have since discontinued WHOIS services. DomainTools supports both WHOIS and RDAP during this transition.
RDAP in Iris Investigate
Registration Data
A key assumption is that most customers don't care about WHOIS vs. RDAP; they typically just want domain registration data. A goal of the RDAP implementation in Iris Investigate is to remove the complexity of which protocol is being used.
The Iris dataset includes a new concept, "registration data", which is the default data sourced from either RDAP or WHOIS. The current logic for choosing registration data between RDAP and WHOIS is as follows:
- If both an RDAP and a WHOIS record are gathered for a domain within three days of each other, the record with data for more fields becomes the registration data.
- If there is a tie in the number of fields with data, RDAP is favored.
- If a record for either WHOIS or RDAP is received on a given day (but not for both) and the record for the other protocol is more than three days older than the newer record, the older record is not included in the comparison. The newer record wins regardless of the number of fields populated in each record.
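The three rules above can be written as a small decision function. This is an added sketch, not DomainTools' code: the `Record` type, the treatment of empty values as "no data", and the single-protocol fallback are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

WINDOW_DAYS = 3  # "within three days of each other"

@dataclass
class Record:
    protocol: str   # "rdap" or "whois"
    gathered: date  # day the record was collected
    fields: dict    # parsed field name -> value

    def populated(self) -> int:
        # Assumption: a field "has data" when its value is non-empty.
        return sum(1 for v in self.fields.values() if v not in (None, "", [], {}))

def choose_registration_data(rdap: Optional[Record],
                             whois: Optional[Record]) -> Optional[Record]:
    # Assumption: with only one protocol available, that record is used.
    if rdap is None or whois is None:
        return rdap if rdap is not None else whois
    gap = abs((rdap.gathered - whois.gathered).days)
    if gap > WINDOW_DAYS:
        # The stale counterpart is excluded; the newer record wins outright.
        return rdap if rdap.gathered > whois.gathered else whois
    # Both are fresh: more populated fields wins, RDAP wins a tie.
    return whois if whois.populated() > rdap.populated() else rdap

# Constructed sample: WHOIS is fuller but nine days older than RDAP.
rdap = Record("rdap", date(2024, 5, 10),
              {"registrar": "Example Registrar", "email": ""})
whois = Record("whois", date(2024, 5, 1),
               {"registrar": "Example Registrar", "email": "admin@example.test",
                "registrant_org": "Example Org"})

if __name__ == "__main__":
    print(choose_registration_data(rdap, whois).protocol)  # rdap
```

When comparing Iris output against your own enrichment, the age gap matters as much as completeness: a sparse but newer record replaces a fuller one once the gap exceeds three days.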
Iris Investigate Pivot Engine
Data displayed in Pivot Engine and the upper portion of the Domain Profile panel is the registration data - all the previously exclusive WHOIS fields.
Pivot Engine showing Registration data by default
When right-clicking on a registration data field, the operations menu pop-up window shows the count for the registration data. Below that is the data for each of RDAP and WHOIS. By default, either the RDAP or WHOIS value will appear normally, and the other will be dimmed. This signifies which protocol has been chosen for populating Registration data - the one that is not dimmed is what is used for Registration data.
The counts for guided pivots will similarly be based on registration data, not just WHOIS data. As RDAP data populates registration data (when the RDAP record is used over the WHOIS record) then RDAP data will be included in counts for guided pivots. That means data points like emails and contact information will have counts that bridge RDAP and WHOIS - making the transition from WHOIS to RDAP seamless in most cases.
Guided Pivot showing Registration counts, plus separate counts for RDAP and WHOIS
Viewing RDAP Records in Iris Investigate
In the Domain Profile tab, a new element at the bottom shows the most recent parsed RDAP record. You can alternatively toggle to view the WHOIS record. The raw RDAP record's JSON can be copied to the clipboard for viewing in a code editor of your choice. When the Parsed RDAP record uses data from both the registry and registrar, you can choose which record to copy to your clipboard. Approximately one-third of Parsed RDAP records include data from both the registry and registrar.
RDAP record displayed in Domain Profile
Searching RDAP Data
Searches by default will use registration data. From Advanced Search, there is a new "auto" mode that is used by default - it searches on the registration data for the given field. If you want to search specifically against RDAP or WHOIS, the "auto" value can be changed to the protocol-specific option.
Searching for Registration data via "Auto"
Searching for exclusively RDAP or WHOIS data
Registrar IANA Code: New Field From RDAP
A key new field parsed from RDAP is the Registrar IANA code. The main benefit of IANA codes is easier searching for domains associated with a registrar in cases where it's difficult to rely on the registrar name alone. There are two reasons why this can happen:
- Data from both RDAP and WHOIS can reference different versions of a registrar's name. For instance, Namesilo can be "Namesilo", "NameSilo", "Namsilo, LLC", "Namesilo Technologies Corp." and more. Searching on IANA can be easier than trying to track all the variants.
- Larger registrars can have multiple business affiliations that all operate under the same IANA but use different names. IANA helps tie registrars with different branding to the same business entity. Alternatively, some registrars have multiple IANA IDs and you may want to search on the specific ID. The full list is HERE.
IANA ID is only parsed from RDAP records. IANA ID is populated in Pivot Engine and is queryable from Advanced Search, including records where the registration data is based on WHOIS.
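For analysts working from copied raw RDAP JSON, the following added example (not DomainTools' parser) reads the registrar's IANA ID from the RFC 9083 `publicIds` member and groups registrar name variants under it. The sample records, domains and the IDs "99001"/"99002" are constructed placeholders, and the helper names are hypothetical.

```python
import json
from collections import defaultdict

def _sample(domain, registrar_name, iana_id):
    """Build a constructed, trimmed RDAP domain response as a JSON string."""
    entity = {
        "objectClassName": "entity",
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", registrar_name]]],
    }
    if iana_id is not None:
        entity["publicIds"] = [{"type": "IANA Registrar ID", "identifier": iana_id}]
    return json.dumps({"objectClassName": "domain", "ldhName": domain,
                       "entities": [entity]})

# Constructed samples: "99001"/"99002" are placeholder IDs, not real assignments.
SAMPLES = [
    _sample("alpha.example", "Namesilo", "99001"),
    _sample("bravo.example", "NameSilo", "99001"),
    _sample("charlie.example", "Namsilo, LLC", "99001"),
    _sample("delta.example", "Example Registrar Inc.", "99002"),
    _sample("echo.example", "Namesilo", None),  # record without publicIds
]

def registrar_of(raw):
    """Return (domain, iana_id, registrar_name) from one raw RDAP record."""
    doc = json.loads(raw)
    for ent in doc.get("entities", []):
        if "registrar" not in ent.get("roles", []):
            continue
        iana = next((p.get("identifier") for p in ent.get("publicIds", [])
                     if p.get("type") == "IANA Registrar ID"), None)
        props = (ent.get("vcardArray") or ["vcard", []])[1]
        name = next((p[3] for p in props if p[0] == "fn"), None)
        return doc.get("ldhName"), iana, name
    return doc.get("ldhName"), None, None

def names_by_iana(raw_records):
    """Map IANA ID -> registrar name variants; None collects records with no ID."""
    groups = defaultdict(set)
    for raw in raw_records:
        _, iana, name = registrar_of(raw)
        groups[iana].add(name)
    return dict(groups)
```

Records that land under the `None` key still need name-based matching, which is exactly the case the IANA ID is meant to avoid.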
Phone Numbers From RDAP
With RDAP, there is a change in how phone numbers are parsed compared to WHOIS. In WHOIS, non-numeric data is stripped out of the data stored in the Iris data set. As a result, a phone number that appears in WHOIS as +44.12345678 is stored as 4412345678. Phone number parsing has been updated to preserve the data as originally presented in the RDAP record, so an RDAP phone number will now appear as +44.12345678 or even tel:+44.12345678.
When right-clicking on a phone number in Pivot Engine (or Domain Profile), the Operations Menu pop-up will show three sets of values and counts:
- Registration data
- RDAP data
- WHOIS data
Phone numbers in both RDAP and WHOIS parsed formats
If a domain you are viewing shows the fully formatted phone number - with "+" and more - the operations menu helps you see how many other domains have the older WHOIS format with the special characters stripped out.
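The same bridging can be reproduced on exported data. This added example (not part of Iris) reduces each phone value to the digits-only form described above and groups domains by it, split by source protocol; the observations and function names are constructed for illustration.

```python
import re
from collections import defaultdict

def whois_style(phone):
    """Digits-only form, matching how the page says WHOIS numbers are stored."""
    return re.sub(r"\D", "", phone)

# Constructed observations: (domain, protocol, phone value as parsed).
OBSERVED = [
    ("alpha.example", "rdap", "tel:+44.12345678"),
    ("bravo.example", "rdap", "+44.12345678"),
    ("charlie.example", "whois", "4412345678"),
    ("delta.example", "rdap", "REDACTED FOR PRIVACY"),
    ("echo.example", "whois", ""),
]

def pivot_by_phone(observed):
    """Group domains by digits-only phone, split by source protocol."""
    index = defaultdict(lambda: {"rdap": [], "whois": []})
    for domain, protocol, phone in observed:
        key = whois_style(phone)
        if not key:
            # Redacted or empty values carry no digits; skip them so that
            # unrelated domains are not merged under one empty key.
            continue
        index[key][protocol].append(domain)
    return dict(index)

def whois_only_matches(observed, rdap_phone):
    """Domains that share rdap_phone but only in the stripped WHOIS format."""
    return pivot_by_phone(observed).get(whois_style(rdap_phone), {}).get("whois", [])
```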
RDAP Data in Domain History
Domain History supports RDAP changes and allows users to toggle between displaying WHOIS or RDAP. See the upper-right of the screenshot below.
Toggling RDAP vs. WHOIS in Domain History
Gathering RDAP Records
RDAP records are gathered whenever gathering a WHOIS record is attempted. That means that RDAP records are automatically gathered for newly discovered domains and then every 90 days thereafter. Manually triggering a domain refresh in the Iris Investigate application will cause an RDAP record to be re-gathered, along with a screenshot, web content, and SSL certificates.
RDAP and Iris Investigate and Enrich APIs
The Iris Investigate and Enrich APIs are backwards compatible, so customers need to take no action to continue receiving the same data they always have. The legacy WHOIS-related fields are automatically updated to include registration data.
Reverse queries in the Investigate API for fields like Registrar, Registrant and other fields previously from WHOIS will query registration data, which can now be either RDAP or WHOIS. There is an option to reverse query specifically for RDAP or WHOIS values.
Similarly, RDAP and WHOIS data can be received in the response if desired: by default, only registration data is included in the response, but a flag can be set to have the response also include RDAP and WHOIS values.