Page History

SSAC Report on

Domain Name WHOIS Terminology and Structure (R1)

Description:

Blocking or altering responses to Domain Name System (DNS) queries is increasingly prominent. Domain name or Internet Protocol (IP) address filtering (or otherwise preventing access to web content as a matter of security policy) may be viewed by some organizations as a natural extension of historical telephony controls that aimed to block people within an organizations from incurring toll charges.

Technical approaches to DNS blocking are intended to affect users within a given administrative domain, such as a privately or publicly operated network. Preventing resolution of the domain name into an IP address will prevent immediate connection to the named host, although circumvention techniques may enable connectivity to the intended system anyway (this includes simply accessing the site via IP address rather than via a Fully Qualified Domain Name (FQDN)). A DNS resolver or network operator could also rewrite a DNS response to contain an IP address mapping the operator chooses, whether rewriting a Non-Existent Domain (NXDOMAIN) response or rewriting the DNS response for an existing FQDN, with potentially harmful effects on DNS Security Extension (DNSSEC)-supporting name servers and their users. A particularly coarse-grained approach is for an operator to silently discard DNS responses, although this results in non-deterministic behavior and may itself be problematic. Regardless of the mechanism used, organizations that implement blocking should apply these principles:

1. The organization imposes a policy on a network and its users over which it exercises administrative control (i.e., it is the administrator of a policy domain).
2. The organization determines that the policy is beneficial to its objectives and/or the interests of its users.
3. The organization implements the policy using a technique that is least disruptive to its network operations and users, unless laws or regulations specify certain techniques.
4. The organization makes a concerted effort to do no harm to networks or users outside its policy domain as a consequence of implementing the policy.

Description:

The ICANN community should adopt the terminology outlined in this report in documents and discussions, in particular:

Domain Name Registration Data (DNRD). The data that domain name registrants provide when registering a domain name and that registrars or registries collects.

Domain Name Registration Data Access Protocol (DNRD-AP). The components of a (standard) communications exchange - queries and responses - that specify the access to DNRD.

Domain Name Registration Data Directory Service (DNRD-DS). The service(s) offered by domain name registries and registrars to implement the DNRD-AP and to provide access to DNRD-DSD.

Additional terminology includes "DNRDe," "DNRD Policy," "DNRD-DS Policy," "Internationalized DNRD," and "Localized DNRD." The term "WHOIS" should only be used when referring to the protocol as currently specified in RFC 3912.

STATUS UPDATES

STATUS UPDATES