Summary
- RDAP's HTTP specification recognizes rate limiting as a defence against scraping and service abuse. It standardizes a 429 response and client backoff behaviour, but it does not prescribe one quota, one identity unit or one entitlement for every registry and user.
- A request count is not a neutral measure of burden. A direct lookup, a broad search, a response containing personal contact data and a repeated cached query can impose different technical, privacy and social costs. Controls should reflect those differences.
- IP-based accounting can combine unrelated users behind carrier-grade NAT, an office gateway or a security provider. RIPE NCC's 2024 move to separate authenticated users from a shared public address for personal-data accounting demonstrates that identity design changes who is blocked.
- Due diligence, transfer review, routing research and abuse response need evidence across many resources and registries. Incumbents may possess old datasets, approved bulk feeds, distributed infrastructure or commercial relationships; a new entrant may meet the public interface first. That asymmetry can become a market barrier even without discriminatory intent.
- Bulk access and paid access can be legitimate alternatives to unrestricted public querying, but eligibility, permitted use, price, data freshness, privacy duties, suspension and renewal should be published and applied consistently. A private negotiation with no comparable terms is not an adequate public standard.
- A fair regime should disclose quota units and reset rules, identify the reason for restriction, return machine-readable retry information, provide an authenticated route for higher legitimate need, and offer timely human review of blocks and access denials.
- Transparency must protect security. Registries need not publish thresholds so precise that attackers can tune floods to them, disclose personal data, or reveal fraud detection. They should publish enough for a compliant user to plan, diagnose and contest treatment.
- Number Resource Society can document cross-registry friction, propose a quota disclosure profile and support evidence-based appeals. It should not promise unrestricted access, warehouse personal records, or label a technical control anticompetitive without comparative evidence.
The missing response at the decisive hour
An IPv4 transfer is approaching its closing date. The prospective recipient has checked the registration, routing history, sanctions exposure, corporate identity and authority of the seller. A late discrepancy appears in one address range. The diligence team expands its queries to related organisations and contacts, then begins receiving access-denied or too-many-request responses from an authoritative service. Its shared office address has also carried automated security traffic all day.
The seller's adviser has a local archive and an established bulk-data arrangement. The buyer's small specialist does not. One side can continue comparing records; the other can either postpone, accept uncertainty or buy information from an intermediary. The registry did not choose the winner and may not know a transaction exists. Yet the access design has distributed evidence capacity between market entities.
Similar moments arise outside transfers. An abuse team follows infrastructure reused across a phishing campaign. A researcher tests whether registration contact quality changed after a policy. A managed security provider maps a client's exposed addresses. A journalist checks the corporate relationships behind a routing event. A public agency verifies whom to contact during an incident. Each can move from an ordinary lookup to a burst of related requests for a legitimate reason.
The contrary case is equally real. A data harvester extracts personal contacts for spam. A bot repeatedly downloads records it could cache. An attacker uses expensive searches to exhaust memory. A commercial service copies public data and resells it without respecting terms. A registry that never limits requests imposes the cost of these users on everyone and may expose people to harm.
The governance question is therefore not whether limits are allowed. It is how the service distinguishes protective friction from exclusion, how users learn the rule, how higher legitimate need is assessed, and what remedy exists when the control makes the wrong decision.
RDAP made access control explicit without deciding policy
The IETF standardized RDAP in 2015 partly to remedy weaknesses of the much older Whois model. RDAP uses HTTP, structured responses, standard query forms, referrals and security mechanisms available at other layers. It can identify and authenticate clients and support differentiated authorization. Those features make a more precise access policy possible.
RFC 7481 is careful about the boundary. It explains that a server operator with differentiated access policies must construct an authorization scheme, while an operator without such a policy may have no need for authentication. The document specifies security capabilities, not which people deserve which data.
RFC 7480 likewise recognizes rate limits used to deter address scraping and other abuse. When a server declines a request for that reason, the specification calls for HTTP 429, tells a client to reduce its query rate, and says it should honour Retry-After when present. The server may provide additional explanation. This creates interoperable behaviour without defining the number of requests, the accounting period or how the client is identified.
That omission is appropriate for a technical standard. RIR databases differ in data, law, architecture and community policy. Search can be more expensive than exact lookup. Personal contact exposure raises a different concern from an address-range response. The standard could not sensibly set one global threshold.
But discretion at the standards layer makes governance at the operator layer more important. If a quota determines access to authoritative evidence, the registry should explain its unit, purpose, alternatives and review. "The protocol permits rate limiting" answers the engineering authority question. It does not answer the fairness question.
Whois left users to learn local customs
Traditional Whois offers no common authentication and authorization model. Query syntax, output and control practices have varied among services. A user can often discover the practical boundary only by hitting it. Even error meanings differ.
RDAP improves the possibility of consistent responses, but it does not automatically harmonize policy. A client can still encounter one registry that limits by IP address, another that counts returned personal records, another that restricts broad search, and another that expects an access agreement for bulk use. HTTP makes the response legible; it does not make the underlying decisions equivalent.
This matters for cross-registry work. An address investigation rarely respects service-region boundaries. Corporate groups hold resources in several regions. Transfer chains can cross RIRs. Attack infrastructure moves. A research method that succeeds against one public service may fail against another for reasons unrelated to the substantive question.
Local variation is not inherently illegitimate. Data protection obligations and registry purposes differ. A service with powerful inverse search may need stricter controls than one offering only exact resource lookup. The problem is unobservable variation: a method appears to measure the world but actually measures which registries allowed the requests.
Researchers and commercial users should disclose these gaps. Registries should make them easier to identify. A response that distinguishes load, personal-data quota, unauthorized search and terms-of-use restriction is far more useful than one generic block. Different reasons support different remedies.
Rate limiting protects a shared public asset
The strongest case for limits is availability. Directory services are shared. A flood of expensive searches can deny ordinary lookups to operators who need a contact or authoritative range. RFC 9082 notes that search typically consumes more memory, processing and bandwidth than basic lookup and points to authorization and rate controls as mitigations.
Privacy is a second case. A sequence of individual public records can become a bulk personal dataset when collected at scale. Restricting returned personal data can reduce harvesting without making every network record inaccessible. Terms can prohibit marketing or republication even when operational and research use remains allowed.
Security is a third case. Query patterns can enumerate assets, test defensive rules or create cover for denial of service. Registries need discretion to slow a source that adapts maliciously. Publishing every detector and exact dynamic threshold would help evasion.
Cost is a fourth case. Capacity, monitoring and support are funded by members or service revenue. An intensive commercial user can impose costs far above those of an occasional operator. It is reasonable to ask whether that user should authenticate, cache, use a bulk channel or contribute to the service.
These rationales support controls, not opacity. Availability limits should be tied to resource consumption. Privacy limits should be tied to sensitive data returned. Security restrictions should preserve a route for wrongly classified users. Cost recovery should use comparable, published terms. A single hidden cap applied to every reason makes diagnosis and accountability impossible.
A query is not a unit of social cost
Counting HTTP requests is easy, but requests differ. An exact lookup for one IP address may use an indexed path and return a compact entity. A search by entity name may scan or join more data and return many entities. One response may include several personal-data sets. Another may contain only organisational and resource fields. A conditional request satisfied from cache can impose less cost than a fresh search.
Users differ too. One human can create dozens of requests by clicking through related records. One well-designed service can answer many customers from a single cached request. A poorly designed client can repeat identical lookups. A research project may create a short, declared burst and then remain quiet for months. An abuse responder may need a burst precisely when malicious infrastructure is changing.
The quota should therefore name what it counts. Requests, returned entities, returned personal-data sets, search complexity, concurrent connections, bandwidth and time can all be relevant. Combining several controls may be more proportionate than using one crude ceiling.
Reset rules matter. A calendar-day reset in the registry's home time gives different effective recovery moments around the world. A rolling window behaves differently from a fixed hour. A token bucket that replenishes gradually is different from a hard daily block. A user cannot design compliant software without knowing the broad model.
Precision has security limits. The registry can disclose that personal-data results are counted per authenticated account over a rolling or calendar period without revealing the threshold at which an adaptive attack detector triggers. Public baseline and confidential anomaly controls can coexist.
Identity design decides who shares the penalty
An IP address is a convenient enforcement key and a poor proxy for one user. Offices, universities, mobile networks, satellite services, public agencies and carrier-grade NAT can place many unrelated users behind one address or prefix. Cloud users can move among addresses, while a determined harvester can distribute traffic across many of them.
The practical consequence is asymmetric. A small organisation behind one gateway can lose access because a colleague or customer consumed the allowance. A larger company can spread legitimate or illegitimate traffic across infrastructure. The rule appears equal at the packet boundary and unequal at the institutional boundary.
RIPE NCC provided a useful public example in 2024. Its announcement on Acceptable Use Policy accounting explained that authenticated RIPE NCC Access users would be counted separately rather than having every person behind an office NAT share the same personal-data limit. Unauthenticated users would continue to be counted by IP address. The change did not abolish limits; it improved the identity unit.
Authentication introduces its own barriers. An account may require personal information, contractual status or a registration procedure unavailable to an occasional investigator. Federated identity can fail across jurisdictions. A person may need to research before revealing an interest. The registry should explain what authentication enables, what it records, how long logs remain and whether non-members can qualify.
The fair design offers layers: a useful anonymous baseline, an authenticated allowance for identifiable legitimate users, and reviewed higher access for demonstrated need. It also prevents account multiplication and connected users from pretending to be independent. Equality requires both protection against aggregation error and protection against avoidance.
The RIPE personal-data rule shows the value of a named unit
The current RIPE Database Acceptable Use Policy illustrates a more legible control. It describes unlimited ordinary query counts under reasonable use, limits the number of personal-data sets returned to an IP address or authenticated account, provides a larger proxy allowance, limits simultaneous connections, and explains temporary and potential permanent blocking.
The published figures make discussion possible. A user can distinguish ordinary resource lookup from personal-data extraction and can decide whether authentication solves a shared-address problem. The policy also says abuse contacts referenced through abuse-c are intended to remain available without restrictions on bulk access, reflecting the operational purpose of that field.
Publication does not settle every fairness question. The policy says the service may slow or block harmful use at its discretion and that permanent blocks may be lifted on request at its discretion. A user may still ask how evidence is assessed, how quickly a request is reviewed, and whether similarly situated users receive similar treatment. Those are governance questions, not criticisms of the legitimate privacy objective.
The example also warns against casual cross-registry comparison. "One thousand" here refers to returned personal-data sets under a particular policy, not one thousand RDAP resource lookups everywhere. Repeating the figure as a universal API limit would be wrong.
A strong comparative study must normalize units, interfaces, authentication and data sensitivity. Until that study exists, this article treats published examples as mechanisms, not as a ranking of registries.
Due diligence is a sequence, not one lookup
Number-resource diligence begins with current registration but rarely ends there. A buyer or lender may need to confirm the resource range, holder, authority to transfer, related organisations, registration history, routing use, route-authorisation state, disputes and consistency across documents. Each discrepancy creates another branch.
The legitimate request volume therefore depends on risk. A clean, well-documented range may require few authoritative checks. A fragmented portfolio with changed names and legacy records may require many. A quota that permits the first case and blocks the second can select against the transactions most in need of scrutiny.
Brokers occupy an ambiguous position. They can reduce information costs and help clients navigate registry procedures. They also have a commercial incentive and may possess accumulated datasets unavailable to a new competitor. Terms designed to prevent resale can restrict how a broker incorporates public records into a paid service even when the service improves transfer safety.
The registry should not decide that every claimed diligence project deserves bulk personal data. It can ask for purpose, minimization, retention, security and output controls. The decision should focus on the requested capability and risk, not the applicant's familiarity or negotiating leverage.
Transaction deadlines should not create automatic entitlement either. Parties choose many private deadlines. An urgent access route is justified where delay threatens registry accuracy, security or an enforceable right, not merely because a commercial agreement assigned an aggressive closing. Still, a clear review timetable lets parties plan rather than discovering an indefinite access question at the end.
Authoritative registration data is still bounded evidence
The importance of access should not be confused with completeness. An RIR response can be authoritative for the registration state and events the service is designed to present. It does not by itself establish beneficial ownership, current operational control of every routed address, the validity of a private sale agreement, the identity behind malicious traffic or compliance with every law.
A diligent reviewer combines registry records with corporate filings, contractual authority, routing observations, RPKI, sanctions materials and direct confirmation. Each has its own date and evidentiary limit. A registration contact may be accurate yet unable to bind the organisation. A route can be visible without proving lawful title. A clean public record can coexist with an undisclosed dispute.
This boundary cuts in both directions. A rate limit should not be blamed for making complete certainty impossible; complete certainty was never available from the directory alone. But loss of authoritative registration evidence still weakens the comparison. The reviewer may be unable to test whether names, dates and resource ranges agree with other materials or whether a discrepancy deserves escalation.
Access regimes should therefore describe the propositions their data supports. They should also resist requests for volume justified by vague claims that the directory will reveal fraud automatically. A higher-access applicant ought to explain the analytic purpose, other evidence used, safeguards against false attribution and how uncertain findings will be represented.
The same caution applies to market analysis. Better registry access can improve diligence, research and abuse response. It does not guarantee a better conclusion. Competition should be assessed through access, method, cost and outcomes rather than assuming that the largest local copy is the most truthful service.
Historical possession can become an incumbent advantage
An established firm may hold years of lawfully acquired registration snapshots. A new entrant begins with current public access. If bulk access rules tighten or interactive limits remain low, the incumbent can answer historical questions from local storage while the entrant cannot recreate the same baseline.
That advantage is not necessarily improper. Collecting, cleaning and securing data is investment. Historical datasets can include stale personal information that should not be freely replicated. A registry may have sound legal reasons not to recreate old access.
The governance concern is path dependence. A rule framed as equal today can preserve unequal evidence accumulated under yesterday's rules. If registries approve exceptions through unpublished relationships, the advantage may deepen. Users cannot tell whether a competitor is more capable because of skill, a compliant bulk arrangement, legacy possession or preferential access.
Transparency should therefore cover access classes, not customer secrets. A registry can publish the number of active bulk agreements by broad purpose, application and approval counts, typical decision time, suspension counts and the categories of data included. Small numbers may need aggregation. The aim is to reveal whether a route exists and how it operates, not to identify investigators.
Where historical data is important for public-interest research, controlled research access can reduce incumbent lock-in. Conditions may include a secure environment, data minimization, publication review for personal information and deletion. Such access should be open to qualified applicants under the same criteria, including researchers outside wealthy institutions.
Abuse response has a burst pattern
Abuse investigation is often event-driven. A campaign reveals one address, then a set of related ranges, contacts, autonomous systems and organisations. The analyst must distinguish shared hosting from common control and current registration from stale attribution. Queries arrive in a burst because the harm is active.
Rate controls can protect the directory while frustrating this pattern. A delayed lookup may allow phishing infrastructure to move or leave a network operator without the right contact. Yet declaring every security vendor an emergency user would invite abuse and expose personal data at scale.
A better model recognizes verified operational roles and incident-specific elevation. The applicant can authenticate, identify the purpose, accept use and retention terms, and request a time-bounded allowance. Automated approval may be possible for established accounts; unusual access can receive human review. Every elevation should be logged and auditable.
Abuse contacts deserve special treatment because their purpose is to receive reports. RIPE's public policy explicitly distinguishes abuse-c bulk availability from other personal data. Other registries may implement different structures, but the design principle travels: access to the official abuse route should not disappear merely because an analyst reached a personal-data quota through unrelated queries.
The economics are subtle. Large security companies can operate distributed collectors and negotiate data feeds. Volunteer researchers, small providers and civil-society investigators may rely on public services. A rule that rewards infrastructure scale can reduce independent scrutiny. At the same time, free unrestricted access can subsidize a profitable commercial collector. Published purpose-based tiers are more defensible than pretending these users are identical.
Research quality depends on access disclosure
Network research often treats registry data as ground truth for allocation and contact relationships. The data is authoritative for defined registration functions, but the observed dataset may be shaped by limits, redaction, search support and collection time. A paper that omits these access conditions risks confusing missing responses with missing resources.
Reproducibility needs more than a list of URLs. Researchers should record date, service, query type, authentication class, response status, retry behaviour, exclusions and whether they used a bulk snapshot. They should publish code that respects backoff and caching without releasing personal data or credentials.
Registries can support reproducibility with versioned policy pages, machine-readable service descriptions, stable error codes and research snapshots. A policy change should have an effective date and archive. Otherwise a later researcher cannot explain why the same method produces a different corpus.
Academic affiliation should not be the sole marker of public interest. Independent researchers, journalists and smaller regional institutions can produce valuable work. Eligibility criteria should examine purpose, competence and safeguards. Requiring an institutional signature may still be justified for sensitive bulk data, but there should be a route for applicants without elite sponsors.
Failed or partial studies also provide evidence. Aggregated reports of where limits prevented completion can help registries distinguish poor client design from unmet legitimate demand. The reporting channel should not punish a user merely for admitting that it reached a limit.
Public-sector users are not automatically privileged
Law-enforcement and regulatory bodies may seek registration data for public duties. Emergency services may need operational contacts. Sanctions screening can affect transfer diligence. Public authority can justify particular access under law, but it should not create an undefined superior tier for every government request.
The registry should separate public data access, protected disclosure and technical quota. A lawful request for non-public information belongs in a documented legal route. A public-sector analyst querying public records should comply with ordinary technical controls unless a defined operational need justifies elevation. Mixing the routes risks both over-disclosure and hidden preference.
Cross-border requests add complexity. Authority in one jurisdiction may not bind a registry in another. Authentication does not establish legal entitlement. The response should identify the route and applicable review rather than silently returning different data.
Transparency can remain aggregate. Registries can report access classes and request outcomes without revealing investigations. Independent oversight should test whether public bodies receive data and capacity under published law and criteria.
Commercial users deserve the same clarity. The fact that one user seeks profit does not make its diligence illegitimate; the fact that another invokes public safety does not make every request proportionate. Purpose, necessity, data class, safeguards and burden are better tests than institutional label.
Bulk access is a substitute with its own gate
When interactive queries are inefficient, a bulk dataset or near-real-time mirror can reduce load. The registry produces one controlled feed; the user searches locally. This can improve both service resilience and research quality. It can also move discretion from a rate limiter to an application desk.
ARIN's Bulk Whois page says it provides public directory entities to organisations using them for Internet operational or technical research, requires an account and signed terms, reviews the intended use, and notifies the applicant of approval or denial. It says applications for products, services or internal systems need a clear broader-community benefit to qualify for a bulk copy. That is a substantive access boundary, not merely a download instruction.
APNIC's bulk-access statement similarly describes approved Internet operational uses and restrictions on passing data onward, marketing and certain commercial applications. These terms reflect privacy, copyright and purpose choices that cannot be reduced to server capacity.
Application review can be legitimate, especially for personal data. It should nevertheless have published required information, decision factors, expected time, duration, renewal, security duties, suspension grounds and a review route. A user denied because its purpose is outside the service should understand whether a narrower dataset or different licence is possible.
Bulk feeds are not a complete answer. They may be delayed, omit historical states or contacts, and require secure storage. Small users may lack the capacity to operate them. A fair regime preserves useful exact lookup and offers scoped extracts or hosted analysis where a full copy would be excessive.
Commercial access needs a tariff, not a favour
Some high-volume users create real cost and commercial value. Charging them can be fairer than making all members subsidize capacity. The danger lies in bespoke access whose price, scope and approval depend on private bargaining.
If a registry offers paid higher-volume access, it should publish classes of service, eligibility, included data, freshness, support, limits, price or price method, privacy duties and termination. Discounts should follow stated factors such as public-interest research or member status, not personal familiarity. Materially similar applicants should receive comparable terms.
Payment must not buy accuracy or authority unavailable to ordinary users. The authoritative meaning of a registration record should remain the same. Paid access can provide volume, delivery method, support or a licensed right to reuse data; it should not create a hidden factual tier that makes public records misleading.
Nor should price become a privacy bypass. Personal and protected data require purpose and legal basis regardless of revenue. Conversely, a blanket ban on every commercial use may block services that help operators prevent fraud or complete compliant transfers. A reviewable licence can distinguish harmful resale from value-added diligence.
The registry should account for revenue and cost at an aggregate level. Members can then assess whether the service recovers incremental cost, cross-subsidizes public access or creates dependence on a few data customers. Commercial confidentiality can protect individual contracts while the tariff principle remains visible.
Non-discrimination needs a comparator
Calling for non-discriminatory access is easy; applying the term requires identifying who is similarly situated. Two users making the same request volume may differ in query cost, data sensitivity, purpose, caching and past abuse. Treating them differently can be justified. Two users with the same declared purpose and safeguards should not receive different terms because one has a larger brand.
A registry should define comparators by access class: anonymous exact lookup, authenticated operational use, approved research, verified incident response, bulk operational feed and commercial reuse. Within each class, baseline terms should be the same. Departures should have recorded reasons and expiry.
Indirect discrimination also matters. An English-only legal form, payment method unavailable in some regions, mandatory corporate status, fixed review calls in one time zone or identity documents difficult to obtain can exclude users without naming their geography. Accessibility and regional participation should be tested.
The evidence for discrimination cannot be inferred from one blocked request. It requires comparable applications, technical records and reasons. Registries should preserve those records and publish aggregate outcomes. Users should be able to present a comparator in an appeal without obtaining another customer's confidential agreement.
This article does not claim that a named RIR has unlawfully discriminated. Public materials do not provide the equivalent applicant-level dataset needed for that conclusion. It argues that the control has distributive effects and therefore needs a design capable of detecting unjustified difference.
Error responses are part of due process
The first remedy is intelligibility. HTTP 429 tells a compliant RDAP client that it should slow down. Retry-After can indicate when to try again. A response body can identify documentation. These simple features prevent wasteful retries and distinguish temporary rate control from a missing record.
The response should include a stable reason category: baseline request quota, personal-data result limit, concurrent connection limit, expensive-search control, suspected abuse, unauthorized access class or terms restriction. It need not expose the detector. It should identify whether the block applies to an IP, prefix, account, token or organisation and whether ordinary exact lookup remains available.
Machine-readable headers should be paired with a human route. A security analyst in an active incident cannot resolve a false block by reading a general policy that says access may be denied. The contact should receive the request identifier and relevant server record so the user does not have to send sensitive query details by email.
Errors should avoid false certainty. Returning "not found" to conceal rate limiting can corrupt research and diligence. RFC 7480 discussed the possibility in an earlier standards context, but authoritative evidence services should prefer explicit restriction unless a concrete security reason requires concealment. If concealment is used, audit and oversight become more important because the user cannot diagnose it.
Clients have duties too. They should cache, deduplicate, serialize expensive searches, honour backoff, identify themselves where appropriate and stop after a clear denial. A fair regime is reciprocal: the registry explains and reviews; the user minimizes and complies.
Appeal should be fast enough to matter
An appeal decided after a transfer closes or an attack ends is formally available and practically weak. Review times should correspond to the access class and consequence. A routine bulk application can take longer than a false automated block during a documented incident.
The first stage can be operational reconsideration. Staff verify the identity unit, traffic pattern, policy and detector. They can restore baseline access, grant temporary scoped capacity or explain the necessary client correction. The decision and duration should be recorded.
A second stage should be available for permanent blocks, denied higher access and contested commercial terms. It should be independent of the original decision to the degree proportionate to the issue. The reviewer needs protected access to technical and application evidence. The user should receive reasons that are specific enough to answer while preserving security and third-party privacy.
Interim relief is important. A narrow allowance can preserve an urgent legitimate act while the full dispute is reviewed. Conditions can restrict query type, resource range, duration and output. If misuse is later shown, the registry can revoke access and apply published sanctions.
Remedies include restoring access, resetting an erroneously shared quota, changing the identity mapping, approving a narrower dataset, refunding a charge, correcting a misleading policy page or revising a systemic rule. An appeal regime that can only repeat the original denial is not effective.
Privacy and access should be designed together
Privacy is sometimes framed as the reason no stronger access right can exist. That creates a false binary. The registry can minimize fields, use role contacts, separate resource and personal-data quotas, authenticate higher-risk access, bind use by terms, log retrieval, expire permissions and provide secure analysis instead of a downloadable copy.
The APNIC WHOIS privacy proposal prop-162 illustrates an active regional debate about reducing unnecessary contact publication and governing bulk access. Its impact discussion distinguishes public search, bulk data, filtering, terms and revocation. The details belong to APNIC's community; the analytical lesson is that disclosure format and access control are policy choices with operational and legal consequences.
Role-based abuse contacts can reduce personal exposure while preserving reachability. Redaction notices can tell a user that information exists but is withheld and identify a lawful request route. Differential access can reveal protected detail only to authorized users. None of these controls eliminates risk, but they are more precise than blocking all requests after a crude count.
Registries should also minimize access logs. A query history can reveal investigations, clients and commercial plans. Retention, staff access and disclosure rules need governance. Authentication that improves quota fairness should not silently become long-term surveillance.
The right balance cannot be copied from one jurisdiction. The durable requirement is to state purpose, collect only what the control needs, protect both registration data and query records, and provide review when privacy is used to deny access.
Caching and local analysis should be rewarded, not assumed
Well-designed clients reduce load by caching authoritative responses within a reasonable freshness period, avoiding duplicate referrals and using bulk files where permitted. Registries should publish cache guidance, validators and update signals that make good behaviour practical.
Caching has limits. A diligence provider must know whether a record changed after the cache time. An abuse contact can become stale. A transfer or route event may require a fresh authoritative response. The registry should not tell users to cache without indicating which fields and events make a refresh necessary.
Local mirrors can improve scale but increase data-protection and security duties. They may contain records later corrected or removed. Access agreements should define refresh, deletion, onward disclosure, breach response and end-of-access handling. Technical revocation cannot retrieve every prior copy, which makes applicant safeguards important.
Small users may benefit from query manifests: submit a declared set of resources, receive a bounded extract, and avoid operating a full mirror. Privacy filters and purpose review can be applied once. This middle tier reduces the choice between a low interactive quota and a complete database.
Good client behaviour should influence review. An applicant that shows deduplication, caching, backoff and secure retention presents lower risk. The criteria and evidence should be public so new entrants can build to them rather than learning through private negotiation.
Cross-RIR consistency should focus on disclosure
One worldwide quota would be superficially simple and substantively poor. RIR services expose different search capabilities, data models, legal duties and operational loads. Consistency should begin with how policies are described.
A common profile could publish endpoint, query classes, baseline identity unit, broad rate model, personal-data controls, authentication options, bulk routes, commercial-use rules, error codes, contact, review time and policy version. Machine-readable metadata would let clients adapt without guessing.
RIRs could also align the meaning of restriction responses and publish test endpoints. A client should be able to distinguish an authoritative absence from a quota without parsing local prose. Cross-registry investigations would then record comparable gaps.
The NRO RIR Governance Document Version 2 calls for stable, reliable, secure, accurate and accountable RIR services using standard protocols adopted through the NRO. It also emphasizes transparency and dispute resolution. Those high-level duties do not dictate a quota. They support a shared disclosure and review baseline while leaving substantive limits to regional governance.
Coordination should not become a cartel of access restrictions. Regional communities must be able to debate whether their data and users justify a different balance. A common minimum should improve legibility and remedy, not freeze the strictest policy everywhere.
Publish usage evidence without publishing users
Policy improves when a registry knows who is being constrained and why. It can measure total requests, expensive searches, cache effectiveness, 429 responses, blocks, authenticated versus shared-address accounting, bulk applications, review times and restored access. Results should be aggregated to protect users and defensive methods.
APNIC's prop-167 on directory-service usage statistics reached community consensus in 2025 and was endorsed by its Executive Council, according to the proposal history. It calls for greater visibility into Whois and RDAP usage and describes machine-readable statistics. Its precise implementation belongs to APNIC, but the debate shows that query evidence is itself a governance subject.
Publication should avoid exposing individual source addresses or investigators. Even a list of top networks can reveal behaviour or create security risk. Aggregation, thresholds, delayed release and privacy assessment are necessary. Resource holders may have a separate interest in seeing access to their own records under authenticated controls.
Statistics need definitions. A blocked request is not a blocked user. One user can hold many addresses; one address can represent many users. A 429 can be correct or erroneous. An application denial can reflect an impermissible purpose or an unclear form. Counts should not be presented as verdicts.
The most useful report connects restriction to remedy: how many users sought review, how many received restored or modified access, why rules changed, and whether shared-address complaints declined after authentication changes. This lets communities test whether limits remain proportionate.
Boards should govern the access market they create
Registry boards may view query controls as an engineering detail. Once access classes, bulk licences or paid tiers determine who can build evidence services, the controls shape a market and require institutional oversight.
The board should approve policy purposes, receive aggregate distribution and review outcomes, and examine major exceptions. It should understand whether revenue from commercial access affects restrictive decisions. Conflicts should be declared when directors or advisory entities are connected to brokers, data vendors or large security firms.
Procurement can shape the same market. A registry that buys a commercial intelligence product while denying comparable raw access to potential competitors should be able to explain the distinction in purpose, licence and safeguards. This is not proof of favouritism; it is a reason for a recorded comparator analysis.
Independent audit should test whether technical configuration matches published policy, whether blocks can be traced to a reason, whether application criteria are applied consistently, and whether access logs are protected. Penetration testing and capacity review can verify that higher access does not endanger the public baseline.
Community consultation should occur before material changes to public baselines, personal-data rules, bulk eligibility or price. Emergency controls may need immediate use, but they should expire or return for review. Quietly leaving a temporary restriction in place converts incident response into policy without consent.
A bounded role for Number Resource Society
NRS can help users describe legitimate need in terms registries can assess: purpose, query class, frequency, urgency, caching, retention, output and privacy safeguards. This is particularly useful for smaller operators and researchers without specialist counsel.
It can maintain a versioned comparison of published RIR access policies and test standard error behaviour with non-invasive requests. The comparison should preserve differences in units and avoid declaring a higher number better. It can collect voluntary accounts of false blocks, delayed reviews and inaccessible application requirements, then submit aggregate evidence through regional channels.
NRS could propose a common quota-disclosure profile, model reason codes and an appeal checklist. It can support a member in requesting a transaction-preserving interim allowance or correcting an account mistakenly combined behind a shared address.
Its limits should be explicit. NRS should not centralize bulk personal data, lend credentials, help users evade controls or guarantee access. It should not use member anecdotes to assert a global denial rate. If it offers a commercial diligence service, that conflict would need disclosure and separation from policy advocacy.
The constructive role is to lower the cost of accountable participation. Authority and data custody remain with the registries.
A model quota charter
A registry access charter could fit on several public pages and one machine-readable document. It would first state purposes: service availability, privacy, security, fair cost and intended registry use. It would map each control to one or more purposes.
It would define access classes and counted units. Anonymous exact lookup might have a resilient baseline. Authenticated users might receive separate accounting and clearer history. Search, personal-data retrieval and concurrency could have distinct controls. Verified operational, research and incident users could request scoped elevation. Bulk and commercial access would have published terms.
The charter would explain reset behaviour, caching expectations, backoff and the broad identity key. It would list standard error codes and documentation links. Dynamic abuse detection could remain confidential, but a blocked user would receive a reason class and request identifier.
Application pages would state required evidence, permissible purposes, data fields, decision target, duration, renewal, suspension, price method and review. Comparable applicants would receive comparable terms, with deviations recorded. Privacy duties would cover both registry data and query logs.
The review section would provide urgent operational reconsideration, independent second-stage review for durable decisions, interim scoped access and remedies. Aggregate reports would show use, restriction, applications and reversals with safe definitions.
Finally, the charter would have an effective date, archive and community amendment route. A policy that changes at the gateway without a versioned public record cannot be audited by its users.
The evidence is incomplete by design and circumstance
Public policy pages reveal stated controls, not every dynamic threshold, commercial agreement, applicant decision or user affected. Security requires some secrecy. Privacy limits publication of query records. Companies rarely disclose how much authoritative data they hold or which licences they negotiated.
There is no equivalent global dataset for 2015-present that identifies every RIR's requests, returned entities, personal-data counts, shared-address effects, 429 responses, permanent blocks, bulk approvals, prices, review times and applicant characteristics. This article therefore cannot quantify the size of the market barrier or declare which user class loses most.
The incumbent-advantage mechanism is an institutional inference: prior datasets, approved feeds, distributed infrastructure and established relationships can reduce dependence on a public quota. Whether that mechanism changes competition in a specific market requires applicant, cost and outcome evidence. The title identifies a risk to examine, not a legal judgment.
Published policies also change. A limit quoted without its date and unit can mislead. Cross-registry terms may not be legally comparable. Commercial-use restrictions can arise from copyright, privacy, membership purpose or contract rather than technical capacity.
These limitations strengthen the case for disclosure and review. They do not support unrestricted extraction. The appropriate response to uncertainty is a regime that produces better evidence while protecting the service and the people represented in its records.
The gate should be capable of giving reasons
A registry directory is not simply a free data product, and a high-volume user is not automatically entitled to consume it without restraint. The registry has duties to preserve availability, protect personal information, prevent abuse and account for member-funded cost.
It also holds authoritative evidence that other actors need to operate, investigate and transact. When access capacity is assigned through a hidden technical threshold, an informal exception or a bespoke contract, the service can privilege incumbency and scale without ever announcing a market policy.
The remedy is not one enormous quota. It is a layered regime: useful anonymous access, fair identity accounting, controls matched to query and data cost, authenticated higher legitimate use, governed bulk and commercial routes, machine-readable restriction, timely appeal and aggregate evidence. Users reciprocate with caching, backoff, minimization and compliance.
A limit becomes institutionally legitimate when a compliant user can answer five questions: what is being counted, why the control applies, what alternative fits the purpose, who reviews an error, and what remedy can arrive in time. Without those answers, 429 is merely a closed gate. With them, it can be a proportionate rule for sharing an authoritative service.
Sources
- RFC 7480, HTTP Usage in the Registration Data Access Protocol - standard HTTP behaviour for RDAP rate limits, 429 responses, client backoff and optional explanatory information.
- RFC 6585, Additional HTTP Status Codes - general definition of HTTP 429 and
Retry-After, while leaving user identification and request counting to the server. - RFC 7481, Security Services for RDAP - access control, authentication, authorization, availability and differentiated-access capabilities without prescribing operator policy.
- RFC 9082, RDAP Query Format - query and search behaviour, including the greater resource-exhaustion risk of search and possible mitigations.
- RIPE Database Acceptable Use Policy - current published units for ordinary queries, personal-data results, proxies, authenticated users, concurrent connections and blocking.
- RIPE NCC, Changes to the Database Acceptable Use Policy and Daily Limit Accounting - explains the 2024 separation of authenticated-user accounting from shared public IP accounting.
- ARIN, Whois and RDAP - RIR RDAP service, query forms, referrals, notices and search behaviour.
- ARIN, Whois Terms of Use - permitted operational, research and abuse uses and restrictions on specified commercial uses.
- ARIN, Bulk Whois Data - account, signed terms, intended-use review, approval or denial, available content and stated purpose boundaries.
- APNIC, Whois Database Acceptable Use Agreement - public description of operational-use, onward-distribution, marketing and commercial restrictions for bulk data.
- APNIC, prop-162: WHOIS Privacy - regional policy development and impact analysis concerning contact publication, bulk filtering, terms and revocation.
- APNIC, prop-167: Published Statistics on Directory Service Usage - regional policy development concerning visibility into Whois and RDAP demand and machine-readable usage evidence.
- NRO, RIR Governance Document Version 2 - transparency, performance, confidentiality, dispute-resolution and audit principles for RIR services.

