Nominet .uk RDAP

webber · Nov 13, 2021

What is RDAP?
The RDAP is the new standard that will eventually replace the plaintext Whois.
ICANN already mandates that all gTLDs must have this in place, and Nominet did so for the .wales and other gTLDs they manage. But it's up to each ccTLDs if they want to implement this standard or not.
The benefit of RDAP is that the data is JSON formatted and therefore machine readable, so there will be a single standard worldwide to query domain data.

So what about Nominet?
Nominet slipped this one through in a recent announcement and later confirmed it was a soft launch.
But the service is not yet officially launched since it's not listed at IANA.
The service can be accessed at https://rdap.nominet.uk/uk/domain/theukdomain.uk (you can replace the theukdomain.uk with any .uk domain)

Why is this important?
First of all, if you have a self-managed tag, this service is most likely leaking your personal phone number, email and home address. The Abuse contact, which you can change in the WDM, is set by default to use your personal data and is made public in this way despite no mention of that in the documentation.
In the Tag settings in WDM there is also the Public details section for each tag which includes
Address, Telephone, Email, and which up until now were not in fact public at all, but are now shared via the RDAP. You should definitely check what RDAP is showing for your domains!

RDAP is the only way to check the EPP status codes of a domain that is not on your tag.
For domains on your own tag you can use EPP <domain:info> to get the status codes. But for other domains <domain:info> does not work so you can only see these status codes via RDAP. The most important status code must be serverRenewProhibited which will tell you if a domain is definitely going to drop or if there is still a chance of it being renewed.
Once the new drop lists are implemented, a new status code pendingDelete will mean the domain can no longer be renewed.

You can see for the first time a few other bits of data which you couldn't access before in whois or DAC, things like the tag that first registered the domain, the time of registration, when nameservers were created, and the EPP status code.
There have been some interesting findings coming out of this new RDAP data:
https://twitter.com/carlheaton/status/1459485560599420931
https://twitter.com/carlheaton/status/1456013067737837577
https://twitter.com/carlheaton/status/1459506199079096323
https://twitter.com/carlheaton/status/1454100459111784452

Siusaidh · Nov 14, 2021

It is very poor that Nominet did not contact each member in advance to warn them that their private contact details were going to leak and be publically available via RDAP. Some of us have personal security reasons why they don't want their phone number leaked without consent and advance warning. If you've ever been stalked by an obsessive, you will know that this is not some minor matter. Release of personal info should always be done with explicit request and consent.

Siusaidh · Nov 14, 2021

I've just been checking some people on this forum, and the same thing - telephone numbers are viewable on RDAP. That's fine if you don't want them to be private, but I still think we should have been asked in advance. I've messaged one or two people. As Ciprian says, you can check for yourself:

webber said:
The service can be accessed at https://rdap.nominet.uk/uk/domain/theukdomain.uk (you can replace the theukdomain.uk with any .uk domain)

webber · Nov 14, 2021

If you're looking at he RDAP results page and you think this is just a load of garbage, then please keep in mind this is JSON structured data.
You need an interpreter to view the data in a more human-readable way.
I've set up a quick RDAP client here: webber.biz/rdap/
Or use a browser plugin that beautifies the JSON: JSON Viewer - Chrome
Or something like jsoneditoronline.org

jasman · Nov 15, 2021

Surely this is a serious privacy breach. They effectively are publishing people's personal details online without consent. And since it is machine readable, who knows who could be building up a database of this. Ridiculous that they are publishing name, phone number, email etc when to stay on the safe side of GDPR they decided to remove name from many whois records!

webber · Nov 15, 2021

jasman said:
Surely this is a serious privacy breach.

I think so too, but Nominet doesn't agree.
I do recommend you write them an email to tell them what you think.

Siusaidh said:
It is very poor that Nominet did not contact each member in advance to warn them that their private contact details were going to leak and be publically available via RDAP

Yeah, they'll bombard you with messages to vote against the EGM for example, but won't give you a heads up that they'll share your private details or that they'll block you from renewing domains

webber · Nov 15, 2021

Ever wanted a uk domain but was already taken?
No problem! With Nominet the same domain can be registered twice (case sensitive):
https://webber.biz/rdap/?type=domain&object=Stephenpage.me.uk
https://webber.biz/rdap/?type=domain&object=stephenpage.me.uk

Source: twitter.com/carlheaton/status/1460189257390243843?s=20

ian · Nov 15, 2021

Shocking, yet not surprised!

webber · Nov 15, 2021

ian said:
I've only scanned this but where do they take the information from? I assume it is associated with the tag rather than the specific domain because I see my phone number on there, yet I don't include the phone number on the specific domain contact.

Yes, it's tag specific and you can change these in WDM:
Tag Abuse contact: https://secure.nominet.org.uk/contacts/manage-contacts.html?currentGroupId=2
Tag Public details: https://secure.nominet.org.uk/tags/edit.html

ukbackorder · Nov 15, 2021

Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

ian · Nov 15, 2021

sigh said:
Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

Wish I had seen that first, just did that and now locked out!

ukbackorder · Nov 15, 2021

I'm sure they're busy working on it - probably why they're not free to answer any emails on the subject.

ELIFE-MZ · Nov 15, 2021

ian said:
Wish I had seen that first, just did that and now locked out!

Been there, got the shirt

You need to create a new contact instead of editing the contact. Then assign that as main contact for abuse.

webber · Nov 15, 2021

sigh said:
Yeah don't change your email address for your abuse contact. I did that on Saturday and I've been unable to log into my tag ever since beyond a page with two menu options and an empty(broken) drop down box.

Indeed, don't just update the email address on the Abuse contact since that will change it for all the roles that contact is assigned to and potentially be locked out of WDM as a result.
You should create a new dummy contact with some details in it which you are happy to have public (for example), then assign that contact to the Abuse role and make it primary;

ian · Nov 15, 2021

Phew, a few squeeky bum minutes and Katy (Katie) from Nominet managed to get the technical team to revert for me. They are aware of the issue, yet are allowing it to still happen. They recommended making the request via email to [email protected] instead! Think I'll leave for now!

ian · Nov 15, 2021

I've been off the radar for quite a while, so didn't know anything about this until now. Can I ask @webber how long you've been aware of the RDAP issue? Have you immediately disclosed this to members (via Acorn) or have Nominet effectively put a gag order on it for a period of time?

webber · Nov 15, 2021

The availability of the RDAP was shared by Nominet here around the 27 October as a response to questions on that webinar.
We've had discussions privately (including between ukrac members) and on Twitter about this and how best to disclose it.
Nominet was notified, confirmed it was a soft launch, but said sharing Abuse contact details is expected behaviour.

ian · Nov 15, 2021

webber said:
The availability of the RDAP was shared by Nominet here around the 27 October as a response to questions on that webinar.
We've had discussions privately (including between ukrac members) and on Twitter about this and how best to disclose it.
Nominet was notified, confirmed it was a soft launch, but said sharing Abuse contact details is expected behaviour.

Thanks for that. It makes you wonder what else Nominet share that could be found and used to abuse the drop catch process!

ukbackorder · Nov 17, 2021

So I don't quite understand this.
Take iguk.co.uk which this morning had:
status":["server hold","server renew prohibited","server transfer prohibited","server update prohibited","inactive"]

Does the 'server renew prohibited' mean it can't be renewed?
Because not long ago the tag was changed from NOMINET to UKPHA and then shortly after the domain was renewed until 2023. It didn't drop.

webber · Nov 17, 2021

sigh said:
Does the 'server renew prohibited' mean it can't be renewed?

Yes, but this status code can be removed from the domain by a DB admin.
Officially you could request this by calling up Nominet only until 30 Oct, but they might still have some leniency considering how major their blunder was
See https://registrars.nominet.uk/system-announcements/21st-september-2021-renewal-change-notice/

Nominet .uk RDAP

webber

Siusaidh

Siusaidh

webber

jasman

webber

webber

ian

webber

ukbackorder

ian

ukbackorder

ELIFE-MZ

webber

ian

ian

webber

ian

ukbackorder

webber

Similar threads

The Rule #1

Members online

☆ Premium Listings

Sedo - it.com Premiums

Premium Members

Calendar events

Latest Comments

Spread the Word!

New Threads

Domain Forum Friends

Our Mods' Businesses

Settings Notifications

Options

We value your privacy