1// Package rdap is a basic client for checking the age of domains through RDAP.

2package rdap

3

4import (

5 "context"

6 "encoding/json"

7 "errors"

8 "fmt"

9 "io"

10 "net/http"

11 "sort"

12 "strings"

13 "time"

14

15 "github.com/mjl-/mox/dns"

16)

17

18var ErrNoRegistration = errors.New("registration date not found")

19var ErrNoRDAP = errors.New("rdap not available for top-level domain")

20var ErrNoDomain = errors.New("domain not found in registry")

21var ErrSyntax = errors.New("bad rdap response syntax")

22

23// https://www.iana.org/assignments/rdap-dns/rdap-dns.xhtml

24// ../rfc/9224:115

25const rdapBoostrapDNSURL = "https://data.iana.org/rdap/dns.json"

26

27// Example data: ../rfc/9224:192

28

29// Bootstrap data, parsed from JSON at the IANA DNS bootstrap URL.

30type Bootstrap struct {

31 Version string `json:"version"` // Should be "1.0".

32 Description string `json:"description"`

33 Publication time.Time `json:"publication"` // RFC3339

34

35 // Each entry has two elements: First a list of TLDs, then a list of RDAP service

36 // base URLs ending with a slash.

37 Services [][2][]string `json:"services"`

38}

39

40// todo: when using this more regularly in the admin web interface, store the iana bootstrap response in a database file, including cache-controle results (max-age it seems) and the etag, and do conditional requests when asking for a new version. same for lookups of domains at registries.

41

42// LookupLastDomainRegistration looks up the most recent (re)registration of a

43// domain through RDAP.

44//

45// Not all TLDs have RDAP services yet at the time of writing.

46func LookupLastDomainRegistration(ctx context.Context, dom dns.Domain) (time.Time, error) {

47 // ../rfc/9224:434 Against advice, we do not cache the bootstrap data. This is

48 // currently used by the quickstart, which is run once, or run from the cli without

49 // a place to keep state.

50 req, err := http.NewRequestWithContext(ctx, "GET", rdapBoostrapDNSURL, nil)

51 if err != nil {

52 return time.Time{}, fmt.Errorf("new request for iana dns bootstrap data: %v", err)

53 }

54 // ../rfc/9224:588

55 req.Header.Add("Accept", "application/json")

56 resp, err := http.DefaultClient.Do(req)

57 if err != nil {

58 return time.Time{}, fmt.Errorf("http get of iana dns bootstrap data: %v", err)

59 }

60 defer resp.Body.Close()

61 if resp.StatusCode/100 != 2 {

62 return time.Time{}, fmt.Errorf("http get resulted in status %q, expected 200 ok", resp.Status)

63 }

64 var bootstrap Bootstrap

65 if err := json.NewDecoder(resp.Body).Decode(&bootstrap); err != nil {

66 return time.Time{}, fmt.Errorf("%w: parsing iana dns bootstrap data: %v", ErrSyntax, err)

67 }

68

69 // Note: We don't verify version numbers. If the format change incompatibly,

70 // decoding above would have failed. We'll try to work with what we got.

71

72 // ../rfc/9224:184 The bootstrap JSON has A-labels we must match against.

73 // ../rfc/9224:188 Names are lower-case, like our dns.Domain.

74 var urls []string

75 var tldmatch string

76 for _, svc := range bootstrap.Services {

77 for _, s := range svc[0] {

78 // ../rfc/9224:225 We match the longest domain suffix. In practice, there are

79 // currently only single labels, top level domains, in the bootstrap database.

80 if len(s) > len(tldmatch) && (s == dom.ASCII || strings.HasSuffix(dom.ASCII, "."+s)) {

81 urls = svc[1]

82 tldmatch = s

83 }

84 }

85 }

86 // ../rfc/9224:428

87 if len(urls) == 0 {

88 return time.Time{}, ErrNoRDAP

89 }

90 // ../rfc/9224:172 We must try secure transports before insecure (https before http). In practice, there is just a single https URL.

91 sort.Slice(urls, func(i, j int) bool {

92 return strings.HasPrefix(urls[i], "https://")

93 })

94 var lastErr error

95 for _, u := range urls {

96 var reg time.Time

97 reg, lastErr = rdapDomainRequest(ctx, u, dom)

98 if lastErr == nil {

99 return reg, nil

100 }

101 }

102 return time.Time{}, lastErr

103}

104

105// ../rfc/9083:284 We must match json fields case-sensitively, so explicitly.

106// Example domain object: ../rfc/9083:945

107

108// Domain is the RDAP response for a domain request.

109//

110// More fields are available in RDAP responses, we only parse the one(s) a few.

111type Domain struct {

112 // ../rfc/9083:1172

113

114 RDAPConformance []string `json:"rdapConformance"` // E.g. "rdap_level_0"

115 LDHName string `json:"ldhName"` // Domain.

116 Events []Event `json:"events"`

117}

118

119// Event is a historic or future change to the domain.

120type Event struct {

121 // ../rfc/9083:573

122

123 EventAction string `json:"eventAction"` // Required. See https://www.iana.org/assignments/rdap-json-values/rdap-json-values.xhtml.

124 EventDate time.Time `json:"eventDate"` // Required. RFC3339. May be in the future, e.g. date of expiry.

125}

126

127// rdapDomainRequest looks up a the most recent registration time of a at an RDAP

128// service base URL.

129func rdapDomainRequest(ctx context.Context, rdapURL string, dom dns.Domain) (time.Time, error) {

130 // ../rfc/9082:316

131 // ../rfc/9224:177 base URLs have a trailing slash.

132 rdapURL += "domain/" + dom.ASCII

133 req, err := http.NewRequestWithContext(ctx, "GET", rdapURL, nil)

134 if err != nil {

135 return time.Time{}, fmt.Errorf("making http request for rdap service: %v", err)

136 }

137 // ../rfc/9083:2372 ../rfc/7480:273

138 req.Header.Add("Accept", "application/rdap+json")

139 // ../rfc/7480:319 Redirects are handled by net/http.

140 resp, err := http.DefaultClient.Do(req)

141 if err != nil {

142 return time.Time{}, fmt.Errorf("http domain rdap get request: %v", err)

143 }

144 defer resp.Body.Close()

145

146 switch {

147 case resp.StatusCode == http.StatusNotFound:

148 // ../rfc/7480:189 ../rfc/7480:359

149 return time.Time{}, ErrNoDomain

150

151 case resp.StatusCode/100 != 2:

152 // We try to read an error message, perhaps a bit too hard, but we may still

153 // truncate utf-8 in the middle of a rune...

154 var msg string

155 var response struct {

156 // For errors, optional fields.

157 Title string `json:"title"`

158 Description []string `json:"description"`

159 // ../rfc/9083:2123

160 }

161 buf, err := io.ReadAll(io.LimitReader(resp.Body, 100*1024))

162 if err != nil {

163 msg = fmt.Sprintf("(error reading response: %v)", err)

164 } else if err := json.Unmarshal(buf, &response); err == nil && (response.Title != "" || len(response.Description) > 0) {

165 s := response.Title

166 if s != "" && len(response.Description) > 0 {

167 s += "; "

168 }

169 s += strings.Join(response.Description, " ")

170 if len(s) > 200 {

171 s = s[:150] + "..."

172 }

173 msg = fmt.Sprintf("message from remote: %q", s)

174 } else {

175 var s string

176 if len(buf) > 200 {

177 s = string(buf[:150]) + "..."

178 } else {

179 s = string(buf)

180 }

181 msg = fmt.Sprintf("raw response: %q", s)

182 }

183 return time.Time{}, fmt.Errorf("status %q, expected 200 ok: %s", resp.Status, msg)

184 }

185

186 var domain Domain

187 if err := json.NewDecoder(resp.Body).Decode(&domain); err != nil {

188 return time.Time{}, fmt.Errorf("parse domain rdap response: %v", err)

189 }

190

191 sort.Slice(domain.Events, func(i, j int) bool {

192 return domain.Events[i].EventDate.Before(domain.Events[j].EventDate)

193 })

194

195 now := time.Now()

196 for i := len(domain.Events) - 1; i >= 0; i-- {

197 ev := domain.Events[i]

198 if ev.EventDate.After(now) {

199 continue

200 }

201 switch ev.EventAction {

202 // ../rfc/9083:2690

203 case "registration", "reregistration", "reinstantiation":

204 return ev.EventDate, nil

205 }

206 }

207 return time.Time{}, ErrNoRegistration

208}

209