Nominet .uk RDAP

[webber]

What is RDAP?
The RDAP is the new standard that will eventually replace the plaintext Whois.
ICANN already mandates that all gTLDs must have this in place, and Nominet did so for the .wales and other gTLDs they manage. But it's up to each ccTLDs if they want to implement this standard or not.
The benefit of RDAP is that the data is JSON formatted and therefore machine readable, so there will be a single standard worldwide to query domain data.

So what about Nominet?
Nominet slipped this one through in a recent announcement and later confirmed it was a soft launch.
But the service is not yet officially launched since it's not listed at IANA.
The service can be accessed at https://rdap.nominet.uk/uk/domain/theukdomain.uk (you can replace the theukdomain.uk with any .uk domain)

Why is this important?
First of all, if you have a self-managed tag, this service is most likely leaking your personal phone number, email and home address. The Abuse contact, which you can change in the WDM, is set by default to use your personal data and is made public in this way despite no mention of that in the documentation.
In the Tag settings in WDM there is also the Public details section for each tag which includes
Address, Telephone, Email, and which up until now were not in fact public at all, but are now shared via the RDAP. You should definitely check what RDAP is showing for your domains!

RDAP is the only way to check the EPP status codes of a domain that is not on your tag.
For domains on your own tag you can use EPP <domain:info> to get the status codes. But for other domains <domain:info> does not work so you can only see these status codes via RDAP. The most important status code must be serverRenewProhibited which will tell you if a domain is definitely going to drop or if there is still a chance of it being renewed.
Once the new drop lists are implemented, a new status code pendingDelete will mean the domain can no longer be renewed.

You can see for the first time a few other bits of data which you couldn't access before in whois or DAC, things like the tag that first registered the domain, the time of registration, when nameservers were created, and the EPP status code.
There have been some interesting findings coming out of this new RDAP data:
https://twitter.com/carlheaton/status/1459485560599420931
https://twitter.com/carlheaton/status/1456013067737837577
https://twitter.com/carlheaton/status/1459506199079096323
https://twitter.com/carlheaton/status/1454100459111784452

 

[Siusaidh]

It is very poor that Nominet did not contact each member in advance to warn them that their private contact details were going to leak and be publically available via RDAP. Some of us have personal security reasons why they don't want their phone number leaked without consent and advance warning. If you've ever been stalked by an obsessive, you will know that this is not some minor matter. Release of personal info should always be done with explicit request and consent.

 

[Siusaidh]

I've just been checking some people on this forum, and the same thing - telephone numbers are viewable on RDAP. That's fine if you don't want them to be private, but I still think we should have been asked in advance. I've messaged one or two people. As Ciprian says, you can check for yourself:

The service can be accessed at https://rdap.nominet.uk/uk/domain/theukdomain.uk (you can replace the theukdomain.uk with any .uk domain)

 

[webber]

If you're looking at he RDAP results page and you think this is just a load of garbage, then please keep in mind this is JSON structured data.
You need an interpreter to view the data in a more human-readable way.
I've set up a quick RDAP client here: webber.biz/rdap/
Or use a browser plugin that beautifies the JSON: JSON Viewer - Chrome
Or something like jsoneditoronline.org

 

[jasman]

Surely this is a serious privacy breach. They effectively are publishing people's personal details online without consent. And since it is machine readable, who knows who could be building up a database of this. Ridiculous that they are publishing name, phone number, email etc when to stay on the safe side of GDPR they decided to remove name from many whois records!

 

[webber]

Surely this is a serious privacy breach.

I think so too, but Nominet doesn't agree.
I do recommend you write them an email to tell them what you think.

It is very poor that Nominet did not contact each member in advance to warn them that their private contact details were going to leak and be publically available via RDAP

Yeah, they'll bombard you with messages to vote against the EGM for example, but won't give you a heads up that they'll share your private details or that they'll block you from renewing domains

 

[webber]

Ever wanted a uk domain but was already taken?
No problem! With Nominet the same domain can be registered twice (case sensitive):
https://webber.biz/rdap/?type=domain&object=Stephenpage.me.uk
https://webber.biz/rdap/?type=domain&object=stephenpage.me.uk

Source: twitter.com/carlheaton/status/1460189257390243843?s=20

 

[Ben Thomas]

I wonder what the ICO would have to say about this? As it's clearly a privacy breach.

EDIT: TBF, probably nothing because they don't give a shit really.

 

[ian]

Shocking, yet not surprised!

 

[webber]

I've only scanned this but where do they take the information from? I assume it is associated with the tag rather than the specific domain because I see my phone number on there, yet I don't include the phone number on the specific domain contact.

Yes, it's tag specific and you can change these in WDM:
Tag Abuse contact: https://secure.nominet.org.uk/contacts/manage-contacts.html?currentGroupId=2
Tag Public details: https://secure.nominet.org.uk/tags/edit.html

 

[ukbackorder]

Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

 

[ian]

Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

Wish I had seen that first, just did that and now locked out!

 

[ukbackorder]

I'm sure they're busy working on it - probably why they're not free to answer any emails on the subject.

 

[Ben Thomas]

Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

I did that years ago, apparently changes the whole account email because they are (stupidly) linked and it changes all 4 of your email addresses.

Something to that effect.

 

[ELIFE-MZ]

Wish I had seen that first, just did that and now locked out!

Been there, got the shirt

You need to create a new contact instead of editing the contact. Then assign that as main contact for abuse.

 

[webber]

Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

Indeed, don't just update the email address on the Abuse contact since that will change it for all the roles that contact is assigned to and potentially be locked out of WDM as a result.
You should create a new dummy contact with some details in it which you are happy to have public (for example), then assign that contact to the Abuse role and make it primary;

 

[ian]

Phew, a few squeeky bum minutes and Katy (Katie) from Nominet managed to get the technical team to revert for me. They are aware of the issue, yet are allowing it to still happen. They recommended making the request via email to [email protected] instead! Think I'll leave for now!

 

[ian]

I've been off the radar for quite a while, so didn't know anything about this until now. Can I ask @webber how long you've been aware of the RDAP issue? Have you immediately disclosed this to members (via Acorn) or have Nominet effectively put a gag order on it for a period of time?

 

[webber]

The availability of the RDAP was shared by Nominet here around the 27 October as a response to questions on that webinar.
We've had discussions privately (including between ukrac members) and on Twitter about this and how best to disclose it.
Nominet was notified, confirmed it was a soft launch, but said sharing Abuse contact details is expected behaviour.

 

[ian]

The availability of the RDAP was shared by Nominet here around the 27 October as a response to questions on that webinar.
We've had discussions privately (including between ukrac members) and on Twitter about this and how best to disclose it.
Nominet was notified, confirmed it was a soft launch, but said sharing Abuse contact details is expected behaviour.

Thanks for that. It makes you wonder what else Nominet share that could be found and used to abuse the drop catch process!