11. Security Considerations
This specification models information serialized in JSON format. Because JSON syntax is borrowed from JavaScript, a JSON text can be handed directly to a JavaScript interpreter (for example via eval()), which turns a malformed or hostile response into code execution. Implementations are therefore advised to follow the security considerations in Section 12 of [RFC8259], in particular to parse responses only with a JSON parser that accepts nothing but JSON, to prevent code injection.
Though not specific to JSON, RDAP implementers should be aware of the security considerations specified in [RFC7480] and the security requirements and considerations in [RFC7481].
RDAP responses allow for retrieval of DNSSEC key-related information (the domain object's secureDNS member), but the RRSIG covering the DS RRset in the parent zone is not conveyed alongside it. This means that the DNSSEC keys retrieved via RDAP are disconnected from the DNSSEC chain of trust, and as such are not generally expected to be trusted without additional information obtained independently of RDAP. In particular, the HTTPS channel protecting the RDAP connection authenticates the RDAP server; it is not expected to be authorized to certify the validity of the DNSSEC keys that server reports.
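What "additional information" looks like in practice is a DS RRset for the same owner name obtained from a DNSSEC-validating resolver, against which the keyData in the RDAP response can be checked. The following Python script is an added example and is not code from RFC 9083 or from any RDAP implementation. It rebuilds the DNSKEY RDATA from an RDAP keyData member, derives the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 Section 5.1.4), and reports which RDAP-supplied keys are anchored by the parent's DS records. The secureDNS fragment and the "validated" DS set are constructed inline so the script runs offline; the public key bytes are a placeholder chosen so the key tag can be checked by hand, not a real key, and obtaining the DS set from a validating resolver is left to the caller because that step, not the RDAP channel, is where the trust comes from.

```python
"""Cross-check DNSSEC key material from an RDAP secureDNS object against DS
records obtained independently from the parent zone.

Added example, not part of RFC 9083 or any RDAP implementation.  The
secureDNS fragment and the 'validated' DS set are constructed so the script
runs offline; in real use the DS set comes from a DNSSEC-validating resolver
(AD bit set), which is the trust the RDAP HTTPS channel cannot provide.
"""
import base64
import hashlib
import hmac
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 Section 6.2):
    lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA (flags, protocol, algorithm, public key) from an RDAP
    keyData member, whose publicKey is base64 as in the DNSKEY presentation format."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + \
        base64.b64decode(key["publicKey"])


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit word sum with carry fold).
    The algorithm-1 (RSA/MD5) special case is deliberately not implemented."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) is obsolete and not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_key(owner: str, key: dict, digest_type: int = 2) -> dict:
    """Derive the DS record the parent would publish for this DNSKEY:
    digest over canonical owner name || DNSKEY RDATA (RFC 4034 Section 5.1.4).
    Returned in the shape of an RDAP dsData member (digest as uppercase hex)."""
    rdata = dnskey_rdata(key)
    digest = _DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {"keyTag": key_tag(rdata), "algorithm": key["algorithm"],
            "digestType": digest_type, "digest": digest}


def keys_anchored_in_parent(owner: str, secure_dns: dict, validated_ds: list) -> list:
    """Return the key tags of RDAP keyData entries that match a DS record in
    the independently validated set.  Anything not returned is unverified
    data from the RDAP server, not a key the DNSSEC chain of trust vouches for."""
    if not secure_dns.get("delegationSigned"):
        return []
    anchored = []
    for key in secure_dns.get("keyData", []):
        for ds in validated_ds:
            if ds["digestType"] not in _DIGESTS:
                continue  # unknown digest type: cannot be checked, so it anchors nothing
            candidate = ds_from_key(owner, key, ds["digestType"])
            if (candidate["keyTag"] == ds["keyTag"]
                    and candidate["algorithm"] == ds["algorithm"]
                    and hmac.compare_digest(candidate["digest"], ds["digest"].upper())):
                anchored.append(candidate["keyTag"])
                break
    return anchored


# Constructed sample: a KSK (flags 257) with a 4-byte placeholder "public key"
# (not a real ECDSA P-256 key), chosen so the RFC 4034 key tag can be checked
# by hand: RDATA 01 01 03 0d 01 02 03 04 sums to 0x0814 = 2068.
SAMPLE_KEY = {"flags": 257, "protocol": 3, "algorithm": 13,
              "publicKey": base64.b64encode(b"\x01\x02\x03\x04").decode()}
SAMPLE_SECURE_DNS = {"delegationSigned": True, "keyData": [SAMPLE_KEY]}

if __name__ == "__main__":
    # Stand-in for the DS RRset a validating resolver returned for example.com.
    # It is derived here only to keep the example self-contained; in practice
    # it must come from DNS, or the check proves nothing.
    parent_ds = [ds_from_key("example.com", SAMPLE_KEY)]
    print("anchored key tags:", keys_anchored_in_parent("example.com", SAMPLE_SECURE_DNS, parent_ds))
    tampered = dict(parent_ds[0], digest="00" * 32)
    print("after tampering  :", keys_anchored_in_parent("example.com", SAMPLE_SECURE_DNS, [tampered]))
```

Comparing the derived digest rather than the key tag alone matters: the key tag is a 16-bit checksum with no cryptographic strength, so two different keys can share one, and only the digest match ties the RDAP key to what the parent actually signed.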
Clients caching data, especially clients using RDAP-specific caches (instead of HTTP-layer caches), should have safeguards to prevent cache poisoning. See Section 5 for advice on using the self links for caching.
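One concrete safeguard for an RDAP-specific cache is shown below as an added example; it is not code from RFC 9083 or from any RDAP client. The RFC only says to use "self" links for caching; the policy in this example is its own choice and should be read as an assumption: an object is stored under its "self" link, and only when that link is an https URL on the same origin as the server that returned the response. A server can then cache-poison only entries for URLs it serves itself, and embedded objects whose "self" link points elsewhere (for example an entity embedded in a domain response) are fetched from their own origin rather than trusted from the embedding response. The sample response and the `RdapCache` class are constructed for the example.

```python
"""Origin-checked RDAP cache keyed by "self" links.

Added example, not from RFC 9083 or any RDAP client.  Policy assumed here:
cache an object under its "self" link only if that link is https and on the
same origin as the server that returned the response.  The response below is
constructed; rdap.example.net and rdap.other.example are placeholders.
"""
import time
from typing import Optional
from urllib.parse import urlsplit


def self_href(obj: dict) -> Optional[str]:
    """Return the href of the object's "self" link, if it has one."""
    for link in obj.get("links", []):
        if link.get("rel") == "self" and link.get("href"):
            return link["href"]
    return None


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://h/x and https://h:443/x are the same origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (u.hostname or "").lower(), port


class RdapCache:
    def __init__(self, ttl: float = 300.0, now=time.monotonic):
        self._entries = {}
        self._ttl = ttl
        self._now = now  # injectable clock, so expiry can be tested

    def store(self, obj: dict, response_url: str) -> bool:
        """Cache obj under its "self" link.  Refused (returns False) when the
        object has no self link, the link is not https, or the link is on a
        different origin than the server that produced the response."""
        href = self_href(obj)
        if href is None or urlsplit(href).scheme.lower() != "https":
            return False
        if origin(href) != origin(response_url):
            return False
        self._entries[href] = (obj, self._now() + self._ttl)
        return True

    def lookup(self, href: str) -> Optional[dict]:
        entry = self._entries.get(href)
        if entry is None:
            return None
        obj, expires = entry
        if self._now() >= expires:
            del self._entries[href]
            return None
        return obj

    def store_response(self, response: dict, response_url: str) -> list:
        """Walk the top-level object and the objects embedded in it
        (entities, nameservers) and apply the origin check to each one
        separately.  Returns the hrefs that were accepted."""
        stored = []
        stack = [response]
        while stack:
            obj = stack.pop()
            if self.store(obj, response_url):
                stored.append(self_href(obj))
            for member in ("entities", "nameservers"):
                stack.extend(obj.get(member, []))
        return stored


# Constructed domain response: the domain's self link is on the responding
# server, but the embedded entity claims a self link on another server.
# Caching that entity from this response would let rdap.example.net plant a
# record for an object that rdap.other.example is authoritative for.
RESPONSE_URL = "https://rdap.example.net/domain/example.com"
SAMPLE_RESPONSE = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "links": [{"rel": "self", "href": "https://rdap.example.net/domain/example.com"}],
    "entities": [{
        "objectClassName": "entity",
        "handle": "REG-1",
        "links": [{"rel": "self", "href": "https://rdap.other.example/entity/REG-1"}],
    }],
}

if __name__ == "__main__":
    cache = RdapCache()
    print("accepted:", cache.store_response(SAMPLE_RESPONSE, RESPONSE_URL))
    print("foreign entity cached?", cache.lookup("https://rdap.other.example/entity/REG-1") is not None)
```

The TTL is a plain expiry and does not replace HTTP cache validation; an RDAP-specific cache that ignores the HTTP layer should still honour the server's cache-control headers, which this example does not model.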
Finally, service operators should be aware of the privacy mechanisms noted in Section 13.