Internet-Draft | Verifying Contacts in RDAP | July 2025
Loffredo, et al. | Expires 5 January 2026
This document describes an extension to the Registration Data Access Protocol (RDAP) that allows the inclusion of verification status information for contact fields such as email addresses and phone numbers. The goal is to improve data quality and trustworthiness of RDAP responses by indicating which pieces of contact data have been verified and how.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 January 2026.
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
The Registration Data Access Protocol (RDAP) provides access to registration data for domain names, IP addresses, and autonomous system numbers. However, RDAP responses do not currently include explicit information about whether contact information such as email addresses or phone numbers has been verified.
This document defines a simple extension that enables RDAP providers to include verification status for contact fields. This is useful in contexts where contact verification may be legally required or strongly recommended.
In particular, Article 28 of Directive (EU) 2022/2555 ([NIS2]) requires top-level domain (TLD) name registries and domain name registrars to collect and maintain accurate and complete domain name registration data. It also mandates them to verify, to the extent possible, the accuracy of such data. The extension defined in this document can support compliance with this obligation by enabling the inclusion of verification status for contact fields in RDAP responses.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
Servers implementing this extension MUST include the string "verifiedContacts" in the "rdapConformance" ([RFC9083]) array of all relevant RDAP responses. The registration of the "verifiedContacts" extension identifier is described in Section 6.
The verification information is conveyed via a new top-level object member named "verifiedContacts_data" within the entity objects.
    {
      "objectClassName": "entity",
      "handle": "ABC123-EXAMPLE",
      "rdapConformance": ["rdap_level_0", "verifiedContacts"],
      ...
      "verifiedContacts_data": {
        "email": {
          "verificationDate": "2025-03-15T12:00:00Z",
          "method": "email-verification"
        }
        ...
      }
    }
The "verifiedContacts_data" member is an object whose keys are contact details (e.g., "email", "phone", "address"). Each value is an object containing:
Instead of returning an object for each verified contact detail, a server MAY use the "all" key to signal that all data has been verified.
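A client-side reading of this member, as an added example that is not part of the draft: it honours "verifiedContacts_data" only when "verifiedContacts" is signalled in "rdapConformance" of the same object (as in the draft's example), and treats an unparseable or future-dated "verificationDate" as unverified. The function names, the fixed field list, the "example-method" value and the assumption that an "all" value has the same shape as a per-field value are illustrative and are not defined by the draft.

```python
import json
from datetime import datetime, timezone

EXT_ID = "verifiedContacts"        # extension identifier from the draft
MEMBER = "verifiedContacts_data"   # entity member name from the draft

# Constructed sample entity, modelled on the draft's example.
SAMPLE = json.loads("""
{"objectClassName": "entity", "handle": "ABC123-EXAMPLE",
 "rdapConformance": ["rdap_level_0", "verifiedContacts"],
 "verifiedContacts_data": {
   "email": {"verificationDate": "2025-03-15T12:00:00Z",
             "method": "email-verification"},
   "phone": {"verificationDate": "not-a-date", "method": "example-method"}}}
""")

def parse_date(value):
    """Return an aware datetime for a timestamp string, else None."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else None

def verification_status(entity, fields=("email", "phone", "address"), now=None):
    """Map each contact field to its verification record, or None."""
    now = now or datetime.now(timezone.utc)
    status = dict.fromkeys(fields)
    conformance = entity.get("rdapConformance")
    data = entity.get(MEMBER)
    # Ignore the member unless the server signals the extension.
    if not (isinstance(conformance, list) and EXT_ID in conformance):
        return status
    if not isinstance(data, dict):
        return status
    for field in fields:
        # Assumption: an "all" value has the same shape as a per-field value.
        record = data.get(field, data.get("all"))
        if not isinstance(record, dict):
            continue
        when = parse_date(record.get("verificationDate"))
        if when is None or when > now:  # unparseable or future-dated claim
            continue
        status[field] = {"verified_at": when, "method": record.get("method")}
    return status

if __name__ == "__main__":
    for field, record in verification_status(SAMPLE).items():
        print(field, record)
```

The result is the server's assertion about its own verification process; a consumer should weigh it according to how much it trusts the RDAP server that returned it.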
IANA is requested to register the following value in the RDAP Extensions Registry:
Contact verification data may have privacy implications. Servers MUST ensure that disclosure of this information complies with applicable data protection laws and policies.