At ICANN69's virtual TechDay, Alex Mayrhofer of nic.at speaks about the current state of .at's RDAP server prototype. The primary goal of the prototype is to provide the local CERT with in-depth information about .at domain names. The prototype is also used to develop and test-drive a few advanced RDAP features and to pave the way to a potential public service.
RDAP @ .at
ICANN69 vTechDay · Status public · www.nic.at
2020-10-19 · Alex Mayrhofer · Head of R&D · alexander.mayrhofer@nic.at
Agenda
• RDAP: Brief overview
• RDAP @ .at: Project reasoning & goals
• High-level Architecture
• Implementation details
• Current features
• Future plans
Registration Data Access Protocol
• WHOIS (RFC 954, 1985)
Very simple / old protocol
No encryption
Non-ASCII text is hard
No data format
„Command line“ protocol
• RDAP (RFC 7482, 2015!)
New! Shiny!
Web-based (encryption, UTF-8, clients)!
Data in structured JSON!
Project Reasoning
• The CERT angle
Austrian CERT is an in-house department of the ccTLD
CERT requires access to domain registration details.
Let's use RDAP!
• The ccTLD angle
RDAP will likely replace WHOIS at some point
Create a prototype-level implementation
Gain experience for potential public service
Project Goals
• Create an RDAP server to provide domain registration details to CERT
• Integrate with the available data sources
• Test-drive „advanced“ RDAP topics
Authentication (OpenID Connect / JWT)
Differentiated Access
Searches
Architecture – Data Sources
(Diagram: RDAP core, Additional Contacts)
• RDAP „core“
Provides full (unredacted) domain and entity data
• Supplemental contacts
Provides additional entities
• Data Warehouse
Searches
• How to combine these?
Architecture – Frontend
(Diagram: RDAP core → Frontend (RDAP Web App), with Caching (Redis) and OpenID Authentication)
• Faces the RDAP Clients
• Collects data from sources
• Assembles responses
• Performs authentication / authorization
Differentiated Access
Data Filtering
Access Controls (Search!)
Rate Limiting
Logging / Auditing
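The data-filtering and access-control step of the frontend, as an added example that is not part of the original deck (written in Python rather than the project's Laravel/PHP; the sample core response, the caller roles and the policy table are all constructed):

```python
import copy

# Constructed sample of what the RDAP core source returns: a full, unredacted
# domain object. Names, handles and addresses are invented.
CORE_RESPONSE = {
    "objectClassName": "domain",
    "ldhName": "example.at",
    "status": ["active"],
    "entities": [
        {"objectClassName": "entity", "handle": "REG-1", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar GmbH"],
                                  ["email", {}, "text", "office@registrar.example"]]]},
        {"objectClassName": "entity", "handle": "CONT-1", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Jane Holder"],
                                  ["email", {}, "text", "jane@holder.example"],
                                  ["tel", {"type": "voice"}, "uri", "tel:+43-1-000000"]]]},
    ],
}

# Access policy (constructed): which entity roles a caller may see unredacted.
# A caller with no policy entry matches nothing, so the default is to redact everything.
POLICY = {
    "cert": {"registrar", "registrant", "administrative", "technical"},
    "public": {"registrar"},
}
KEEP_ALWAYS = {"version", "kind"}  # non-personal vCard properties that survive redaction


def redact_entity(entity):
    """Copy an entity, drop personal vCard properties and say why (RDAP remarks)."""
    ent = copy.deepcopy(entity)
    props = ent.get("vcardArray", ["vcard", []])[1]
    ent["vcardArray"] = ["vcard", [p for p in props if p[0] in KEEP_ALWAYS]]
    ent["remarks"] = [{"title": "REDACTED FOR PRIVACY",
                       "description": ["Contact data is not shown at this access level."]}]
    return ent


def filter_response(core, caller_role):
    """Apply the caller's policy to a full core response; the core object is not mutated."""
    allowed = POLICY.get(caller_role, set())
    out = copy.deepcopy(core)
    out["entities"] = [e if set(e.get("roles", [])) & allowed else redact_entity(e)
                       for e in core.get("entities", [])]
    return out
```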
Implementation RDAP core
• RDAP data provided directly from the Registry database
PostgreSQL database procedures
Directly produces JSON
(same strategy for existing WHOIS server)
• Always provides the full (unredacted) data
Doesn't care about users, roles, rate limiting
(„Additional contacts“: PostgreSQL database, accessed via SQL)
Implementation „Frontend“
• „RDAP is a web service“
• Therefore, let's use a web framework!
• Laravel (PHP)
Extensive Knowledge available in-house
Model/View/Controller pattern
Tons of features, flexible, but steep learning curve
Current Features
• „Pipe-through“ of RDAP data from RDAP core source
• „Enrich“ registrar information with supplemental contact information
• Authentication / Authorization
Currently via nic.at internal authentication infrastructure
Who's asking?
A few details…
• Authentication / Authorization
OpenID Connect
Identity Provider: Keycloak
Existing infrastructure @ nic.at
• jCard Handling
This is … tiring.
Sabre vObject PHP library to the rescue
• Rate Limiting
Laravel „Middleware“
https://www.keycloak.org/
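What makes jCard tiring is that every property is a positional array. An added Python example (not from the deck and not the Sabre vObject library) that flattens an RDAP entity's jCard into a dict keyed by property name and rebuilds it; the sample jCard and its addresses are constructed.

```python
# Constructed jCard (RFC 7095) as it appears in an RDAP entity's "vcardArray";
# every name, address and mailbox is invented.
SAMPLE_JCARD = ["vcard", [
    ["version", {}, "text", "4.0"],
    ["fn", {}, "text", "Example Registrar GmbH"],
    ["adr", {"type": "work"}, "text",
     ["", "", "Example Street 1", "Vienna", "", "1010", "AT"]],
    ["email", {}, "text", "office@registrar.example"],
    ["email", {"pref": "1"}, "text", "abuse@registrar.example"],
]]

# Component order of a vCard ADR value (RFC 6350, section 6.3.1).
ADR_FIELDS = ("pobox", "ext", "street", "locality", "region", "code", "country")


def jcard_to_dict(jcard):
    """Flatten a jCard into {property: [{params, type, value}, ...]}, keeping order.
    Each property is [name, params, type, value, ...]; several values stay a list."""
    if not (isinstance(jcard, list) and len(jcard) == 2 and jcard[0] == "vcard"
            and isinstance(jcard[1], list)):
        raise ValueError("not a jCard")
    out = {}
    for prop in jcard[1]:
        if not (isinstance(prop, list) and len(prop) >= 4 and isinstance(prop[1], dict)):
            raise ValueError(f"malformed property: {prop!r}")
        name, params, vtype, *values = prop
        value = values[0] if len(values) == 1 else values
        if name.lower() == "adr" and isinstance(value, list):
            value = dict(zip(ADR_FIELDS, value))  # structured address -> named parts
        out.setdefault(name.lower(), []).append({"params": params, "type": vtype, "value": value})
    return out


def dict_to_jcard(props):
    """Inverse of jcard_to_dict; the version property is written first, as vCard 4.0 requires."""
    names = ["version"] + [n for n in props if n != "version"]
    entries = []
    for name in names:
        for item in props.get(name, []):
            value = item["value"]
            if name == "adr" and isinstance(value, dict):
                value = [value.get(f, "") for f in ADR_FIELDS]
            entries.append([name, item["params"], item["type"], value])
    return ["vcard", entries]
```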
Frontend Infrastructure
• Docker-based, currently 3 containers
Web-Server (nginx)
Scripting-Engine (PHP-FPM) -> Laravel
Caching Layer (Redis)
(Frontend only; data sources are outside of that Docker host)
Challenges
• jCard is hard to parse / create
Use of Sabre vObject PHP library
• Validation / Testing
RDAP has a decently complex structure – are we doing the right thing?
First „validation“ steps with openrdap client
Server is internal, so web-based validation services do not work
• Laravel is very flexible and mighty
Some tasks require just a single line of code!
But it also has 4822 buttons to press…
Next steps
• Machine-to-machine authentication / API Tokens
Probably moving to long-lived JWTs
Addition of a web interface to manage those tokens
• Differentiated Access
Goal: Have a „script language“ for filtering + templates
Looking at jq / libjq and respective PHP bindings
• Searches
Addition of new data source „Data Ware House“
Conflict between requirements and currently existing RDAP search specifications – custom extension?
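A validation routine for the long-lived machine-to-machine JWTs mentioned above, as an added Python example (not the project's code; it assumes HS256 with a shared key, and the issuer, audience and subject names are invented). The security-relevant points are that the algorithm is pinned rather than taken from the header, the signature is compared in constant time, and a token without an expiry is rejected even though the tokens are meant to be long-lived.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT. Only here to build test tokens; in the deployment the
    issuer would be the planned token management UI or Keycloak."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims of a valid token, otherwise raise ValueError.
    The algorithm is pinned: the header's "alg" is compared to HS256, never used to
    choose a verifier, so "none" and algorithm-confusion tokens fail before any crypto."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(_unb64url(h)), json.loads(_unb64url(b)), _unb64url(s)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    # Long-lived machine tokens still need an expiry; reject a missing or past exp.
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims
```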
Summary / Questions?
• We've created an internal RDAP server to expose the .at registration details to the local in-house CERT in a standardized way
• This also serves as a prototype to explore the path to a future public service.
• The server uses multiple data sources as backends (RDAP core, supplemental contacts DB, data warehouse – searches!)
• The RDAP Frontend interacts with the client, assembles/filters responses, and is based on the Laravel PHP framework
• Authentication / Authorization is done with OpenID Connect
nic.at GmbH
Jakob-Haringer-Str. 8/V · 5020 Salzburg · Austria
T +43 662 4669 - 34 · F -29
alexander.mayrhofer@nic.at · www.nic.at