The WHOIS Problem and Why RDAP Exists
WHOIS has been the standard protocol for querying domain registration and IP address information for decades. However, WHOIS has significant limitations that have become increasingly problematic as the internet has grown. The protocol is inconsistent across registrars and registries, doesn't properly handle internationalization, provides limited security features, and offers no standardized data structure or querying mechanisms.
RDAP (Registration Data Access Protocol) is designed to be the modern replacement for WHOIS. Developed by ICANN and standardized by the Internet Engineering Task Force (IETF), RDAP addresses many of WHOIS's limitations while providing a more secure, structured, and consistent way to query domain and IP address registration information.
Key Differences Between WHOIS and RDAP
Protocol Technology:
- WHOIS: Simple text-based protocol using port 43, dating back to the 1980s
- RDAP: REST API using standard HTTPS (port 443), modern architecture
WHOIS connections are unencrypted and unauthenticated. Anyone can connect to a WHOIS server and pull all data without authentication. RDAP uses HTTPS, which provides encryption and can support authentication.
Data Structure:
- WHOIS: Unstructured text responses that vary by registry/registrar
- RDAP: Structured JSON responses with consistent formatting
With WHOIS, parsing response data requires custom logic for each registrar because formats differ significantly. RDAP provides consistent JSON that can be processed programmatically.
WHOIS Response (unstructured):
Domain Name: EXAMPLE.COM
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.verisign-grs.com
Updated Date: 2024-01-15T12:00:00Z
Creation Date: 1995-03-17T05:00:00Z
RDAP Response (structured JSON):
{
  "objectClassName": "domain",
  "handle": "example.com",
  "ldhName": "example.com",
  "links": [...],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "1995-03-17T05:00:00Z"
    },
    {
      "eventAction": "last update of RDAP database",
      "eventDate": "2024-01-15T12:00:00Z"
    }
  ]
}
Query Syntax:
- WHOIS: Non-standard commands that vary by server (some accept domain.com, others require domain domain.com)
- RDAP: Standardized URL-based queries
WHOIS:
whois domain.com
(format varies by server)
RDAP:
https://rdap.icann.org/domain/example.com
https://rdap.arin.net/rest/ip/192.0.2.0
Data Consistency:
- WHOIS: Highly inconsistent formatting across registries and registrars
- RDAP: Standardized field names and structure across all registries
Privacy and Access Control:
- WHOIS: Limited privacy features, full public access to all data
- RDAP: Supports privacy protections through redaction and access control
RDAP allows registries and registrars to implement privacy controls at a technical level, rather than relying on registrant-side privacy services as WHOIS does.
Internationalization (i18n):
- WHOIS: Limited support for non-ASCII characters
- RDAP: Full internationalization support with proper handling of non-Latin scripts
Authentication and Rate Limiting:
- WHOIS: No authentication; rate limiting is inconsistent and often absent
- RDAP: Supports authentication and standard HTTP rate limiting through status codes
How RDAP Works
Bootstrapping: RDAP uses a bootstrapping mechanism to discover which RDAP server to query for a given domain or IP address. You query the ICANN bootstrap service, which tells you which RDAP server has authoritative data.
Query: What RDAP server has data for example.com?
Response: https://rdap.verisign.com/
Query: What RDAP server has data for 192.0.2.0?
Response: https://rdap.arin.net/
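The lookup described above, as an added example (not code from the original page): a resolver over a small constructed registry laid out in the RFC 9224 bootstrap file format, using the base URLs that appear on this page. The `.example` and `198.*` entries and all function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample data in the RFC 9224 bootstrap layout: each service is
# [[entries...], [base URLs...]]. The .com and 192/8 URLs mirror this page;
# the .example and 198.* entries are hypothetical.
DNS_BOOTSTRAP = {"services": [
    [["com", "net"], ["https://rdap.verisign.com/com/v1/"]],
    [["example"], ["http://rdap.registry.example/", "https://rdap.registry.example/"]],
]}
IPV4_BOOTSTRAP = {"services": [
    [["192.0.0.0/8"], ["https://rdap.arin.net/rest/"]],
    [["198.0.0.0/8"], ["https://rdap.coarse.example/"]],
    [["198.51.100.0/24"], ["https://rdap.specific.example/"]],
]}


def _pick_url(urls):
    """Return the first HTTPS base URL; plaintext-only services are refused."""
    for url in urls or []:
        if url.lower().startswith("https://"):
            return url if url.endswith("/") else url + "/"
    return None


def domain_query_url(name, registry=DNS_BOOTSTRAP):
    """Longest label-wise suffix match of `name` (ASCII/A-label form) against entries."""
    labels = name.lower().rstrip(".").split(".")
    best_len, best_urls = 0, None
    for entries, urls in registry["services"]:
        for entry in entries:
            suffix = entry.lower().split(".")
            if labels[-len(suffix):] == suffix and len(suffix) > best_len:
                best_len, best_urls = len(suffix), urls
    base = _pick_url(best_urls)
    return f"{base}domain/{'.'.join(labels)}" if base else None


def ip_query_url(address, registry=IPV4_BOOTSTRAP):
    """Longest-prefix match of an IP address against the registry's CIDR entries."""
    ip = ipaddress.ip_address(address)
    best_net, best_urls = None, None
    for entries, urls in registry["services"]:
        for entry in entries:
            net = ipaddress.ip_network(entry)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_urls = net, urls
    base = _pick_url(best_urls)
    return f"{base}ip/{ip}" if base else None
```

A `None` result means no service covers the name or address, or the only listed service is plaintext HTTP; callers should treat both as "do not query".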
Domain Queries:
https://rdap.verisign.com/com/v1/domain/example.com
Returns:
{
  "rdapConformance": ["rdap_level_0"],
  "objectClassName": "domain",
  "handle": "example.com",
  "ldhName": "example.com",
  "punycodeName": "example.com",
  "links": [
    {
      "value": "https://rdap.verisign.com/com/v1/domain/example.com",
      "rel": "self",
      "href": "https://rdap.verisign.com/com/v1/domain/example.com",
      "type": "application/rdap+json"
    }
  ],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "1995-03-17T05:00:00Z"
    }
  ],
  "status": ["active"],
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "vrsn-57936",
      "roles": ["registrar"]
    }
  ]
}
IP Address Queries:
https://rdap.arin.net/rest/ip/192.0.2.0
Search Capabilities: RDAP supports structured searching (domains, registrars, entities) with specific query parameters:
https://rdap.icann.org/domain?name=example*
https://rdap.icann.org/domain?nsLdhName=ns.example.com
https://rdap.icann.org/entity?fn=John*
Current State of RDAP Adoption
Adoption Status: As of 2024, RDAP adoption is increasing but incomplete. Most major domain registries have implemented RDAP:
- VeriSign (.com, .net): Full RDAP support
- ARIN (North American IP addresses): Full RDAP support
- APNIC (Asia-Pacific IP addresses): Full RDAP support
- RIPE NCC (European IP addresses): Full RDAP support
- Most new registries: RDAP support required
However, some registrars still provide better WHOIS support than RDAP support. This is changing, but WHOIS remains necessary for complete coverage.
Sunset of WHOIS: ICANN has signaled plans to eventually sunset WHOIS in favor of RDAP. The timeline is still being finalized, but the direction is clear. Organizations should plan to transition to RDAP.
Practical Advantages of RDAP
For Security Researchers:
- Structured data is easier to parse and analyze
- Standard field names enable automated analysis across multiple domains
- HTTPS encryption protects queries from eavesdropping
- Better search capabilities for investigating campaigns
For Developers:
- Standardized JSON responses simplify integration
- No need for custom parsers for different registrars
- Consistent error handling
- Programmatic discovery of RDAP endpoints
For Compliance:
- RDAP supports privacy controls and data redaction
- Audit trails for access to sensitive data
- Authentication support for regulated data access
- Better separation of public vs. confidential information
For Organizations:
- More secure queries (HTTPS)
- Less infrastructure overhead (no need to query dozens of different WHOIS servers)
- Standardized data for better analysis
- Future-proof (WHOIS will eventually be deprecated)
Privacy Implications of RDAP
RDAP provides better privacy protections than WHOIS:
Privacy Objects: Registrars can mark certain fields as private, redacting them from public RDAP queries:
{
  "objectClassName": "domain",
  "handle": "example.com",
  "registrant": {
    "handle": "REDACTED FOR PRIVACY",
    "objectClassName": "entity"
  },
  "adminContact": {
    "handle": "REDACTED FOR PRIVACY",
    "objectClassName": "entity"
  }
}
Access Control: RDAP can require authentication for accessing sensitive data, with proper authorization checks.
Comparing WHOIS and RDAP Queries
Finding Domain Registrar:
WHOIS: whois example.com | grep -i registrar
RDAP: curl https://rdap.icann.org/domain/example.com | jq '.entities[] | select(.roles[] | contains("registrar"))'
Finding Domain Creation Date:
WHOIS: whois example.com | grep -i "creation\|created"
RDAP: curl https://rdap.icann.org/domain/example.com | jq '.events[] | select(.eventAction == "registration")'
Finding IP Address Block Details:
WHOIS: whois 192.0.2.0
RDAP: curl https://rdap.arin.net/rest/ip/192.0.2.0
Challenges and Limitations of RDAP
Coverage Gaps: Not all registries and registrars have fully implemented RDAP. Some still have better WHOIS coverage.
Privacy vs Transparency Trade-off: RDAP's better privacy controls mean some data that was previously public (under WHOIS) is now redacted. This affects security researchers and domain investigators.
Adoption Lag: Many tools still use WHOIS because it's more widely available. Transitioning all tools to RDAP is a gradual process.
Complexity: While RDAP is more structured, it's more complex than simple WHOIS text responses. This requires more sophisticated client implementations.
Tools and Services for RDAP
Command-Line Tools:
- rdap (Python library and CLI)
- curl with JSON parsing for direct API queries
- jq for processing JSON responses
Web Interfaces:
- ICANN RDAP web interface
- Individual registry/registrar RDAP interfaces
Libraries:
- Python: rdappy, rdap-python
- JavaScript/Node.js: rdap npm package
- Java: JDAP library
Transitioning from WHOIS to RDAP
For organizations currently using WHOIS:
- Assess your tools: Identify which tools rely on WHOIS queries
- Plan migration: Determine which tools can be updated to use RDAP
- Test in parallel: Use both WHOIS and RDAP initially to verify data consistency
- Update scripts: Rewrite shell scripts and automated tools to use RDAP
- Train staff: Ensure your team understands RDAP query syntax and advantages
- Monitor sunset: Stay aware of ICANN's WHOIS sunset timeline
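For the "Test in parallel" step, and the WHOIS/RDAP query comparison earlier on this page, an added example (not from the original page) that normalises one WHOIS response and one RDAP response and reports the fields that disagree. The inputs are the page's sample records; the function names and the extra `Created...` label spelling are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed inputs: the WHOIS text and RDAP JSON samples shown on this page.
WHOIS_TEXT = """\
Domain Name: EXAMPLE.COM
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.verisign-grs.com
Updated Date: 2024-01-15T12:00:00Z
Creation Date: 1995-03-17T05:00:00Z
"""
RDAP_JSON = json.dumps({
    "objectClassName": "domain", "ldhName": "example.com", "status": ["active"],
    "events": [{"eventAction": "registration", "eventDate": "1995-03-17T05:00:00Z"}],
    "entities": [{"objectClassName": "entity", "handle": "vrsn-57936", "roles": ["registrar"]}],
})

# WHOIS labels vary by server; "Created..." is an assumed variant spelling.
WHOIS_NAME = re.compile(r"^\s*Domain Name:\s*(\S+)", re.I | re.M)
WHOIS_CREATED = re.compile(r"^\s*(?:Creation Date|Created[^:\n]*):\s*(\S+)", re.I | re.M)


def _ts(value):
    """Parse ISO 8601 into an aware datetime so equal instants compare equal."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def from_whois(text):
    name, created = WHOIS_NAME.search(text), WHOIS_CREATED.search(text)
    return {"name": name.group(1).lower() if name else None,
            "created": _ts(created.group(1)) if created else None}


def from_rdap(raw):
    doc = json.loads(raw)
    created = next((e.get("eventDate") for e in doc.get("events", [])
                    if e.get("eventAction") == "registration"), None)
    registrar = next((e.get("handle") for e in doc.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    return {"name": (doc.get("ldhName") or "").lower() or None,
            "created": _ts(created), "registrar": registrar}


def mismatches(whois_rec, rdap_rec):
    """Names of fields present in both records whose values disagree."""
    return sorted(k for k in whois_rec.keys() & rdap_rec.keys()
                  if None not in (whois_rec[k], rdap_rec[k])
                  and whois_rec[k] != rdap_rec[k])
```

Fields that one source redacts or omits come back as `None` and are skipped rather than flagged, so only real disagreements are reported.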
Conclusion
RDAP represents a significant modernization of how registration data is queried and accessed. With structured JSON responses, HTTPS encryption, standardized data formats, and better privacy controls, RDAP is superior to WHOIS in almost every technical dimension. While WHOIS adoption remains necessary today due to incomplete RDAP coverage, organizations should plan for RDAP adoption as it becomes more widely available. The transition from WHOIS to RDAP represents an opportunity to modernize your domain and IP address investigation processes, enabling better automation, security, and compliance with evolving data privacy requirements.

