It's pretty obvious Garth is referring to the Whois record maintained by Internet.bs. http://www.internetbs.net/en/domain-name-registrations/whois.html?domain=bankofswissltd.com You may notice that the above link is to internetbs.net, which internet.bs bounced me to. That appears to be new behavior.

...if one is using the WHOIS output from internet.bs, then it would seem that one has figured out the registrar already. The registry WHOIS for .com reliably identifies the registrar. Using a registrar's WHOIS to identify the registrar seems a bit odd.

Perhaps http://whois.domaintools.com/bankofswissltd.com would have been a better example. I can't remember the last time I had did a two-step Whois lookup on a .com domain.

Because of the disparate output formats of whois data from registrars, there are some WHOIS tools which do the two-step automatically. Win32Whois needs additional TLD support, but spits out the registry and registrar whois along with IP data.

The FULL port 43 whois includes the registrar name - as does any other port 43 whois record for any existing domain name even when the registrar's whois server is offline.

It depends on how you access it. The issue is inconsistency and specific misinformation placed in the record by a reseller with the authority of the Registrar. That's the problem, not the semantic distraction attempted here.

>That's the problem, not the semantic distraction attempted here. The the "issue" and "problem" is all the greedy folks that want their own personal copy of all registrant information. And want constant updates of that information. This then leads to whois metering AND many registrars "randomizing" field data so as to make it extremely hard t parse the data, thus discouraging everyone and their dog from continual harvesting of whois records. But please don't listen to a word I say, have a look at the .AU registry's statement about the problem: http://www.ausregistry.com.au/whois "To address user concerns about privacy and spam, and in line with international best practice, .au Domain Administration (auDA) has implemented Image Verification Check (IVC) for all email addresses on the web-based Whois service. The purpose of IVC is to prevent or hinder unauthorised access by automated data mining programs or scripts. For consistency, auDA has removed all email addresses from Port 43 Whois responses; users of Port 43 Whois will be referred to the web-based Whois service to access email addresses via IVC. Please note that there are restrictions in place on how many queries you can make. Your query limit is 20 per hour and 200 per day from the same IP address. If you exceed this you will be banned for 24 hours. " http://www.ausregistry.com.au/help/frequently-asked-questions/101-what-is-whois-blacklisting "What is WHOIS blacklisting? WHOIS blacklisting occurs when a person makes too many .au WHOIS Search enquiries (please see FAQ How do I find out if a Domain Name is available?). Blacklisting means that a person is banned from using the .au WHOIS Search service for a specified time period. The limit is 20 queries per hour from the same IP address. The ban lasts for 24 hours." This all said, and for the Registrars I represent, I personally would like to see Verisign move to the Thick Registry model. This would place the whois nightmare on the back of the registry, and it's response to these "issues" and "problems" will not so easily be misrepresented.

I personally would like to see Verisign move to the Thick Registry model.

Where can I sign a petition for that? ;-) This has been a request of many registrars for a long time.

I do not consider referencing a reseller as "registrar" to be a "false" record. It's an efficient way to handle something Whois did not foresee. High-Volume queries cause some registrars to make their whois UNPARSABLE and thus inconsistant. This then leads into your wanting this to be easy for people, and it's not because of a different issue. They are linked. So, back to COM/NET implementing a Thick Registry and having to deal with the query overhead problems and metering. This then gives a predicatable standard as well. As an aside, I setup our COM/NET whois server to mimic Afilias' thick registry whois thus harmonizing with .ORG/.INFO/.MOBI/etc standard. I also have NO metering on our whois. I made it as easy as possible for people to read, and to scrape, except I add a long response delay. But you never mentioned that in your report, and you still beat us up on other things you did not like .... I can't think of anybody else that makes their COM/NET records so easy to read .... No brownie points for me. :(

...then that person has already identified the registrar. However, a registrant or technical service provider who needs to make a change to the registration data is best given a clue as to the reseller, where they can resolve the problem. So, despite the inelegant use of the word "registrar", what you are finding deceptive in one context may be positively helpful in another context. I believe that Tucows output states something to the effect of "registration services provided by (reseller name)" to provide that kind of a pointer.

I *think* Tucows also have a system which lets you find the reseller by inputting the domain. In any case we, as a registrar, would be ultimately responsible for any domains on our accreditation.

Tucows was my first thought as well Michelle. For those not aware, Tucows is a "reseller" Registrar that was created to provide companies registry access for very low cost. And Tucows helped support individual branding, and scaling up to their OpenHRS system in which a reseller could move off the shared system (OpenSRS) and be a full ICANN registrar (including the high added costs). There are MANY THOUSANDS of hosting companies across the world running Tucows OpenSRS to provide domain registration services to their customers. Tucows has been extremely respected and was the founder of Afilias and original authors of Afilia's backend system. One might also point out GoDaddy's WildWest registrar was setup to address the needs of small businesses to have their own Branded registrar on a shared system. GoDaddy and others have followed the Tucows model and thus helped serve the ever growing need of small business, and increase competition for such services. And also as you said Michele, the idea that a reseller can run free in the wild is ridiculous. All requirements pass through to the reseller, by the shared registrar getting their creds yanked! The registrar is responsible for their domains not someone they call a reseller.

the idea that a reseller can run free in the wild is ridiculous.

>it's completely at the Registrar's discretion and no one else. No, it's on ICANN at that point. For example, I disagree with Whois metering. But I'm a small private registrar so I have more options. My loading is rounding error in GoDaddy's whois server bandwidth calculation. To reduce our Whois loading and since all our contacts are the same I just said: Registrant, Admin, Tech and Billing: And then listed one single contact after that line. Seems pretty clear to me. ICANN did not agree and I was forced to break out each field individually. Further proof, registrars can't just allow resellers to do anything they want. Furthermore I started on OpenSRS / Tucows, and so I now know full well their contract with resellers CLOSELY follow the contract we singed with ICANN. I don't know what part of a registrar being solely responsible for their registrations you do not understand. I guess you want to take the position that a registrar does not care about ICANN pulling it's creds? Ok, well that's a problem ICANN will take care of, a position that will not last very long.

No. For example Moniker and GoDaddy's recursive whois feature CLEARLY returns the internic records, and thus the authoritative sponsor: http://www.moniker.com/pub/Whois http://who.godaddy.com/whois.aspx?domain=bankofswissltd.com&prog_id=GoDaddy For GoDaddy click on "See Underlying Registry Data". The information is there, and registrars make it available via their HTTP whois lookups. Is the average internet user sufficiently educated to know this? Probably not. Is the average person with just a little experiance tracing down domain ownership aware of this? YES. The people most likely to go after domain registrations know how this all works. And those that want to learn can spend a few minutes on Google to find out how. On Google I searched: domain registrar lookup And the first link was Network Solutions which I click on and was on their recursive whois lookup page. Here is there result: http://www.networksolutions.com/whois-search/BANKOFSWISSLTD.COM The registrar is more than clear without any additional clicks.

>And this goes to the heart of "who is an authoritative source of >information". The authoritative source of information as to what >registrar is responsible for a domain name registration is the >registry and ONLY the registry. That needs to be on a t-shirt, poster, banner, and a movie ... Thanks John! :) >and there are some registrars which will maintain stale WHOIS >data for names that have been long transferred out of them. I know you know this John, but for others: There is no EPP command to see what domains a registrar has in its registry account. Now please go back and read that sentence again. Thus there is no ability for a registrar, at a given moment, to "sync" with the registry. There are weekly reports generated, but they are for a moment BEFORE they are posted. Synchronizing databases of two independent organizations is not fun, espically with no "sync command", nor is it possible at any given moment. There are always errors. For these and many other reasons, a registrar gets out of sync with the registry. How do you solve this as related to whois: Implement a THICK REGISTRY model. This takes away a nasty issue we can't solve. As John said we are NOT the authority.

The answer here is moving COM/NET to the thick registry model. This generally harmonizes whois, thus making it more likely that the most number of people know how to properly use it. Registrars will still using the fields to "misdirect" customers to reseller accounts, and Law Enforcement is still going to be confused. They will eventually figure it out, just as we all have. And if the problem is REALLY that bad, then perhaps you should have somebody build a site for you that you can direct them to to obtain the info they are looking for. This is after all fully automated now, otherwise the system would not work.

But since that output was obtained by the port 43 WHOIS mechanism, they must be sure.

John - exactly There is no way for ICANN, or anyone else, to serve up the WHOIS data for a .com without the registrar's whois server doing the work and without them actually contacting it .. which assumes knowledge of whose it is and where it is located

I used to look at those tourist maps displayed in various cities with the red dot labeled "You are here" and would wonder, "How do they know that?"

"Wherever you go, there you are"

It is absurd to assume the response to his complaint is all the complainant will see, simply because to make the complaint about the data in the first place, he would have had to look for the full (not thick, btw) data (and find a defect in that data) prior to making the complaint.

It's not "fake" registrar data. The authoritative registrar is avialable as already pointed out. If a reseller's business gets forced into the sponsoring registrar's support system, the entirety of the resellers business is destroyed. A domain registration generates perhaps $1 to $2 of revenue per year. The economics of that should be obvious. Any reseller support moved to the sponsor quickly racks up business losses for the sponsoring registrar. I'll give you all a hint, that very tiny markup tells you more about what drives this industry than anything else. When you look at these issues, and yes assuming the entities being discussed are honest, ponder how that low revenue would influence the situation and you'll likely on your own figure out what is really going on and why. If you have one domain at a registrar, and call up for support, when that support call ends how much do you think that call cost relative to what was made from your registration? That call likely resulted in total loss of revenue for your single registration. I have a very similar problem. We lease out or connections to other registrars as part of thier drop catch pools. From the ICANN perspective, their domain registrations are MY PROBLEM and NOBODY else. However, our lease relationship is that none of these registrants are mine. This can be very ugly if I lease to the wrong entity, they can literally kill my registrar and create huge liability - Which is why our lease roughly says "Do anything to threaten our registrar and I'll yank your access immediately!" However I have to setup those registrar websites in a way you claim is "fake". I must do this because I need their registrants to go to their website for support and domain administration. I'd lose money if their customers came to me. This is exactly the same as what you are talking about. Again, this is how the industry works Garth. In my case I have the liability of keeping a registrar up and running, and others have access to those connection on demand. They pay a little extract for this, just as a reseller pays the sponsor a little over registry reg fee. You are throwing the baby out with the bath water ....

I need to add one more thing to my above post. While it changes with time, you'll find that an enormous number of current ICANN registrars are NOT independent registrars, they are in fact part of registrar pools operating under a different name which itself is usually the primary registrar. Now that said, each of those registrars will be a seperate corporation, but there will be a corp they all operate under. In other words the entire "reseller abstraction" is mirrored in these registrar pools. So nothing I've said above is news to anybody that has involvement with registrars, but it's something that very few others are even aware of. At times I think the total number of freestanding registrars might have been as few as 1/3 of the total registrars. In other words maybe as many as 2/3's of the registrars were directly related in some way, via a much smaller number of groups. And yet the industry has thrived with this happening. At one time one catch pool had as many as 250 registrars working together as "one registrar". This again shows how "pushing" a registrant else where through whois is a necessary part of profitable operations, and why it's not intrinsically evil to do it. I need to say these things because, Garth, you create a huge problem for me and others by seeding such ideas in the mind of others. That it's wrong for us to use the whois to remind customers where there admin panel is located. For the most part few care, and if they do care then they know well how to transfer the domain where they want it. They just want to make sure they can manage their domains when they need to and it gets renewed when they pay renewal fees.

It's only stumbling in the sense that it wasn't the original objective of the research that found it. I regularly report to and coordinate with anti-phishing efforts.

...what other steps did you take to alert browser plug-in maintainers, security software updaters, etc. of this site. When I stumble across these sorts of things, I report them to aa419.org, which gets them into the bloodstream of numerous parties who can prevent the users of their software from similarly stumbling upon them. The response time of this network which, yes, includes registrars can be pretty quick, and a lot quicker than any legal mechanism such as a contract compliance action.

Ugh. Everyone of consequence from the ISP to the banks was notified. The issue here is the insertion of fake Registrar data. You're trying to change the subject. It's not just about this particular website, Internet.BS allows free reign to change the details of the WHOIS by its resellers.

Garth, I detailed this out for you. This is done to keep costs low and maximize efficiency of resellers sharing registrar accounts. The more people involved with domain names the better off we all are. That mean "clueless" registrants they need to be directed based on the terms they are aware of. The true sponsor is totally available.

Looking at the Whois information of fake sites is generally pointless.

In the context of the RAA negotiations, one of the points has been to verify the identity of a domain name registrant. One suggestion made was to obtain such information as driver's license, social security numbers, passport numbers, etc. However, this information is useless to a registrar who has no way to confirm that information. I can require someone to provide what they purport to be a driver's license number, but I'd love to know what it is I'm supposed to do with an N digit number, the veracity of which I have absolutely no way of determining. Accordingly, what we need to do is to work together in order to mandate that government bodies which issue identification documents must open up their databases to registrar verification of those identification documents. Then - problem solved. As a targeted alternative, though, what would be much more effective is to require criminals to register themselves and to be issued an official criminal identification document prior to registering domain names and engaging in crimes. Then, when a domain name is used in a crime, then it can be readily confirmed that the domain name was indeed acquired by a duly registered criminal. While there has been a focus on, for example, credit card information used to initially register a domain name, I figure it will be at least several months before those focusing on credit card information will begin to realize that there are several pathways to domain registration which do not involve a credit card transaction in the first place. When, for example, a domain name is registered for a term of several years, that domain name can change hands several times from that initial registration, without one dime going from the current registrant to any registrar. Various permutations of these scenarios figure prominently in any of several domain hi-jacking schemes. However, in a society in which a fair number of people still cannot figure out where the President of the United States was born, there is not going to be any authentication strategy which satisfies everyone.

The Certification Authority and web browser industry is addressing user validation right now. There was a break-in at DigiNotar, and the attackers were able to issue fake SSL certificates for major domains. The problem was dealt with harshly. The Mozilla Foundation (the organization behind Firefox) pulled DigiNotar's root certificate out of their browser. This immediately invalidated the SSL certs of all DigiNotar customers, legitimate or not, when seen in Firefox. Microsoft and Google followed suit. DigiNotar was bankrupt within two weeks. In the CA world, there are audits by external auditors. The rules for those are being tightened, as are the rules for verifying the identity of parties requesting SSL certificates. See "http://www.cabforum.org". The basic rules have been agreed on by CAs representing over 94% of the SSL certs in existence. CAs that don't get on board by July 12, 2012, will probably be locked out of major browsers. The new rules can be seen in section 11 of "http://www.cabforum.org/Baseline_Requirements_V1.pdf" The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 1. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition; 2. A third party database that is periodically updated, which the CA has evaluated in accordance with Section 11.6; 3. A site visit by the CA or a third party who is acting as an agent for the CA; or 4. An Attestation Letter. Databases for verifying business existence and ownership are available. Dun and Bradstreet's Public Record Service, for example, offers them. Domain registrars should require a similar form of validation. If a domain is purchased for a business, the registrar should verify the identity of the business at least by 1) checking that the business has a valid legal existence (corporation or D/B/A name), and 2) that paper mail sent to the address of the business reaches the registrant. It would be sufficient to mail a letter with a passcode to the WHOIS address; until the passcode is entered on line, the domain doesn't go into DNS. If a domain is purchased by an individual, the name and address data for the domain should be that associated with the credit card used to buy the domain. There's pressure on ICANN to clean up the registrars, especially since ICANN has to convince the Department of Commerce to renew their contract over the next few months.

>Domain registrars should require a similar form of validation. I hate "Show my your papers!" and guilty until privon innocent ... And watch the price of domain registrations EXPLODE, and for nobodies real benefit. For example I could create a business to register domains using your process and then transfer / push the domain to someone else. The internet is the success it is BECAUSE of low registration fees. Dramatically increase fees and internet freedom is over. Of course I know some would love to see just that.

What about requiring that registrants have a digital certificate as part of the transaction? This makes the cost of verification an external cost, borne by the consumer.

A neighbor down the street has a one man shop, his own garage. He put up his own website up, mostly a business card website. He's trying to keep his costs as low as possible. I was impressed, he did a nice job. He just kept at it over time making it look nicer. There is no way he's going to be able complete a certificate process himself, nor should he be burdened by a cert he does not need. You just placed a significant, and unacceptable, barrier in front of him and all like him. Why it is nobody thinks of small business anymore? Everybody thinks all businesses are ones loaded with geeks that can bit-bash boat loads of bits in their sleep. And what happens when a child does the lemonaid stand version of a website, perhaps using ebay and paypal? The kid's reward is having the family domain name yanked. What about other monetization, such as PPC? How about affiliate programs? What about people selling banners on their site? PLEASE stop treating everyone like criminals, that everybody is guilty until proven innocent. Thank you! Again, to advance our industry we need to make everyone as low in cost as possible, and as easy as possible. And yes, this gives bad guys a place to hide. Guess what? There will ALWAYS be places for them to hide, ALWAYS. Solutions must minimally affect the good folks, of which most registrants are.

As I've said in other threads, there are other options for privacy whois, such as Post Office Boxes or use of a lawyer's office.

>In the US, you can rent a P.O. Box and not have the ownership >disclosed without a subpoena. (That info used to be available >on request, but that's no longer the case.) Perfect. If I'm not doing anything wrong then go away and leave me alone. If you want to verify this address is associated with the domain, fine, do it. Thus you KNOW this is the POB box to get the subpoena and can prove it to get the subpoena. I want people to have privacy and I think today's society offers many ways of doing that, and allow you to verify my registration detials, while making sure you are not a psycho showing up on my doorstep. :) To flip this around, privacy whois also denies the registrant an internet fingerprint of control of the domain. In other words if you have a domain using privacy whois, and I steal it from you, but don't change the DNS, you will have no idea you lost control. If I can quickly transfer that domain to another registrar, one outside your country and not speaking your language, have fun getting it back as you can't even prove it was yours. This then leads into my desire for registries to offer a paid "WhoWas" service. For a fee you can pull the complete registration history of a domain name. The fee is the carrot for registries to implement such service, and I suspect it's use will generate FAR more revenue that the registrations themselves .... I just keep seeing evidence that privacy whois causes more problems than it solves and other solutions are available.

There's no need - I think there's already an ongoing issues report and possible PDP on the subject as a result of the IRTP-B final report.

Once again I'm being told not to talk about an issue and that everything will be fine. Fat chance.

Garth If you're responding to me then I'm really confused. I merely pointed out that the issue had already been raised and that there should be a PDP on the subject of thick whois I don't honestly see how that can be classed as telling you not to do anything. Regards Michele

>What do you think of the SOCA 5Cs whois validation model? >Garth, especially you - would love to hear your thoughts. > >http://news.dot-nxt.com/2012/03/12/five-cs-whois-validation-model Its a rather extreme example, since I am a registrar, but it's very much like consultants manageing domains and websites for customers. I'm been involved with a local not for profit going on 14 years. I sponsor their domain names in one of my registrars. The whois has little to do with me, and if I were not a registrar I'd set it up the same. Thus, I think, that whois would fail those tests. I've seen too many consultants screw customers over bu holding that customer's domain hostage when they want to use someone else to manage their site. So in effect, the whois matches the person "paying" for the domain but that person is not who *I* would consider the registrant. And yet all the whois if is "correct". Fearing the above, or something happening to me, I take the opposite approach and have all the contact records trace back to the organization. And yet that info is all "wrong" relative to me as I am the one paying (I never asked to be reimbursed) etc. I'd very common for domain whois info to be very different than who I would consider the true "enduser" or "registrant" of the domain. And in many cases that is good because the "right" person is so clueless they should not be on the contact list. These things come back to Professionalism, a word I hardly see used these days. Back to my feeling that we need to stop entertaining the cost burden of "Guilty Until Proven Innocent". If most people were bad, or even a lot of them were, then the internet would never have gotten where it has. We need a surgical knife for the bad guys. As best I've been able to come up with that is "out of channel" whois verification (which your link shows) AND no more privacy whois. The lack of privacy whois does create a regretable cost burden on some registrants, but I've not been able to think of a solution to that. They need to get a POB or use a lawyer, etc. Bottom line if you put a letter in the mail to the listed address it MUST be received by the registrant or their legal rep.

You folks suggest the registrar checks a cert for a domain registration.

Then someone will make a business out of using their "personal" certificate to register domains and than sell a copy of that cert with the domain name.

I'm saying that will happen, in some way, it will happen. It goes back to all certs not being equal. Are you going to impose a limit on the allowed CA's? What is the cost of getting my CA approved? If not, anybody and their dog can download software and roll their own self signed certs and sell them to anybody. Then are not signed against a domain and thus can be used for any domain. If you limit the CA's you now have the problem of people buying a CA and then get mad at the registrar form not accepting it. They have no clue what this is really about. I think this is one of the biggest issues I keep having to remind myself of as well, it's a BIG planet. There are LOTS of places and people that do not care about their "reputation" in the US or most anywhere else for that matter.

Their is a critical difference between the two "thick registry" examples you give. Using your model: When the "thick whois" is served from the regiSTRY, then the data can be considered "authoritative". Then the "thick whois" is served from the registRAR, then the data can NOT be considered "authoritative". For a thread that uses the word "fake" twice in it's title, the "authority" of the whois elements cannot be dismissed. That is why so many of us drew attention to the difference. Using the idea expressed by the word "thick" too freely obfuscates this critical distinction, and why so many registrars want COM/NET whois moved ENTIRELY to the regisTRY. Using the idea expressed by the word "thick" too freely also suggestes there is no good basis for the initiative refered to by Michele: "I think there's already an ongoing issues report and possible PDP on the subject as a result of the IRTP-B final report. " There IS a difference. This is not just word play .....

Did not skip over anything. :) I followed your desired to simplify this for the average person. >Where in the registrar's WHOIS record for the domain in >question does it state "this is not an authoritative record"? See, from here we can argue this either way. In my case, keeping this simple, I'd argue this is reason to implement "a thick registry model" for COM/NET. That way it does not have to say it's not authoritative, because it WILL then be authoritative. And if it's a "thick registry" whois record then the regisTRY will control the "registRAR" field not the registRAR controling the "registRAR" field in the returned text. This is why a thick registry is authoritative, and a thin whois is not, thus precisely "fixing" your concern. Let me try to approach this from a completely different point of view. No ICANN registrar in the world manifests .COM or .NET domain names, not a one. This is what the registry does, and registrars are simply "resellers" of this service that the registry offers. That is registries are able to insert DNS records in the root server chain, registrars are NOT able to do this, we do this by purchasing such records on behalf of third parties. So when a person wants a domain name they can't go to the registry, they must go to a registrar. The registrar then accepts payment for the domain name, and then passes on the registration request to the registry. The registry then inserts a DNS record into the root server chain which manefests the domain name - Now that record might just point to yet another DNS server, but the key here is the control of the root hierarchy which only regisTRIES have. Now whois is the "reverse path" of that reseller relationship. When someone looks up the whois for that domain name the registrar may have a COPY of what it THINKS is the current domain name state, but it's just a copy. In other words the "state" of the domain name now flows through from the regisTRY database to the public "whois" response. The only database description of that domain name that means anything is the one in the regisTRY. So, the registrar then MUST provide accurate domain status fields (such as registration dates) from the registry and then merges in their own internal contact detials of the domain name at that moment. And that is the precise point at which we have a point of confusion. The registry is "authoritative" for the domain status, but not the contact detials. One may fairly argue the regisTRAR is "authoritative" for the contact detials, but NOTHING ELSE. And this is where your OP problem comes in, the registrar does not necessary pass the "authortative domain state" as expressed by the regisTRY at the first query in the chain (Internic), the registrar can only do this since they are NOT truely authoritative. True, one can produce a policy that this data "SHALL" be passed unchanged but this is precisely where I personally disagree with that solution. Instead solve this "by design" which is the "thick registry" by requiring the registrar to "deposit" the contact detials with the regisTRY and then have the registry return the whois. At that point you have a full audit chain over all time, and it's centralized at the regisTRY and it thus authoritative. Yes, you can implement "policies" that will result in the whois data being the same for a "thick registry" and a "thin registry" ..... But only to the extent that registrars follow that policy, and databases remain synchronized. If it's a "by design" implementation, then it's IMPOSSIBLE not to follow. That is why I'd personally prefer to see a thick registry solution. Thus should be clear that a "thick registry" should not be confused with the idea you mention of "thin whois" or "thick whois". However a thick registry produces your "thick whois", de-facto. And this is why consideration of the idea of "authority" is so important == One entity, one point, one place to say how the whois will or will not look like, and do so precisely at the database that manages the root hierarchy record. whois for that domain name the registrar may have a COPY of what it THINKS is the current domain name state, but it's just a copy. In other words the "state" of the domain name now flows through from the regisTRY database to the public "whois" response. The only database description of that domain name that means anything is the one in the regisTRY. So, the registrar then MUST provide accurate domain status fields (such as registration dates) from the registry and then merges in their own internal contact detials of the domain name at that moment. And that is the precise point at which we have a point of confusion. The registry is "authoritative" for the domain status, but not the contact detials. One may fairly argue the regisTRAR is "authoritative" for the contact detials, but NOTHING ELSE. And this is where your OP problem comes in, the registrar does not necessary pass the "authortative domain state" as expressed by the regisTRY at the first query in the chain (Internic), the registrar can only do this since they are NOT truely authoritative. True, one can produce a policy that this data "SHALL" be passed unchanged but this is precisely where I personally disagree with that solution. Instead solve this "by design" which is the "thick registry" by requiring the registrar to "deposit" the contact detials with the regisTRY and then have the registry return the whois. At that point you have a full audit chain over all time, and it's centralized at the regisTRY and it thus authoritative. Yes, you can implement "policies" that will result in the whois data being the same for a "thick registry" and a "thin registry" ..... But only to the extent that registrars follow that policy, and databases remain synchronized. If it's a "by design" implementation, then it's IMPOSSIBLE not to follow. That is why I'd personally prefer to see a thick registry solution. Thus should be clear that a "thick registry" should not be confused with the idea you mention of "thin whois" or "thick whois". However a thick registry produces your "thick whois", de-facto. And this is why consideration of the idea of "authority" is so important == One entity, one point, one place to say how the whois will or will not look like, and do so precisely at the database that manages the root hierarchy record. By