[DNSOP] Re: Andy Newton's Discuss on draft-ietf-dnsop-ds-automation-08: (with DISCUSS and COMMENT)

Andy Newton <andy@hxr.us> Wed, 20 May 2026 13:38 UTC

Return-Path: <andy@hxr.us>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B8FE6F19A293 for <dnsop@mail2.ietf.org>; Wed, 20 May 2026 06:38:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779284306; bh=9bHi0WviyO6eSlNr+7ilSGZ2K1DRtM6gkhvUWHS18NM=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Zrgm5kbRWKXPEdLe+c1/gRo36A9j3OFEXiVMQSHTJjRClAxM7j/5t+OpGlVWIFY/X FeWAz7LilDuUR6iMzHs+LENju/57zWPGfxkwkQOn26CF28fYGFHwlyHXpGLTbfZknb au3UOcATVU/z3aSXD7PPRR3KXfYExiytRjz7rvL8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=hxr-us.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZ10iLhALiB8 for <dnsop@mail2.ietf.org>; Wed, 20 May 2026 06:38:25 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B1237F19A28A for <dnsop@ietf.org>; Wed, 20 May 2026 06:38:25 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-5a8891f0c88so3306268e87.1 for <dnsop@ietf.org>; Wed, 20 May 2026 06:38:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hxr-us.20251104.gappssmtp.com; s=20251104; t=1779284304; x=1779889104; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=HtWNSn70YObAbIKdhGPBZXDyDJ0zZi5EzAhcPRDQXLc=; b=Szr/RTaj2jB45dYXR2S+7IGUU9BE3ytSRXcVNKt6QTrrUJlDJdtVzWBavgKZ274Ea4 ZSCewRPSq3D5FkS79UHibNIT2XeQejhK5i28och0BQnlPtu3zTEeL1vq+TfS7MxmVOdK HwiqtZi2/UQuMr6F/5hltTUhEfV2g/40UiIGBVYljo/XHla+U3zZoKWVMbhOCxoEgI4K NacJcwU0EA/jf7lyFd8U47S9dWOPQoDtrUkMnWlP7dGNP67B3Gb9FGZg7ORL//bZ/P+t 7nE98PRbxLKAud2Y/ioT5dg8zooD8OJxGywq3asvqQpwYVWLenpNrSyX9RWYVUqYQ8FU rzXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779284304; x=1779889104; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HtWNSn70YObAbIKdhGPBZXDyDJ0zZi5EzAhcPRDQXLc=; b=cVMA19x0GW9fTyK2CA1lD90h1GL2PfCoWtv2Hsxv7qvtdrgo42iPRjDHaTU+b5s8qJ uVpxFycP/0wPfhPzParP7kjGJhtSbkjKrlVZyMSs/L912/pRcKV2cS0O9ZkFnM1gBqeB JxuHUuaCQxguCCnuSVATHMaAAfMGxyiWiIKsQzDJzIRFpxnTjuv5E/fH/T7fZBAB3Wnh EoV5i0cCIWNsAZ00kOvN/OlYheV9/C9UNdg+9bfHLQmZ+PYvQ8VugiqfT7rd0ImgDoPZ AxPU40OonHkAWsXV5WwaHYBAFhB/xHpgy6bGdeHNGQwLoHu6JNqtYc9xBLiZ1Ol1uoLs YEhw==
X-Forwarded-Encrypted: i=1; AFNElJ9rTaORL5VDB7z09qyENlcTUR5KXeVShVEO8DKBEkpj7SaZJfehZ4yAlv+rwIby6BCeAPgFDA==@ietf.org
X-Gm-Message-State: AOJu0YxsKfoaG7I3fAtfHRVN+yWfbaWdukVFVJ3mpJylj8QLv86AM/8A +zA9r03pSm54J2jDxM89DXKUV3+uojlwroAREhPSpAQLpeD5V6PBUu18H1nI+w7Ato4=
X-Gm-Gg: Acq92OH2pGKdDpKMmBE34PyR7umDoRN6/2Dr2o116zd8z8YrJ4kd2Eq26DK41k2E37O ZGGOU30DD3WJGWgPxiomkw7nOIEhUNEiM/diL+DZRfuUlQS8ScyFKN+ZWBUwO6DbMnlRAjV8J9U YVRuU2iGagLVhOFQ6lKMSi0idC4ynhebGacvNPGw/6H3WS46x+adE4G4DO/Hhmu+UYLCnhQPfT+ g69q8AmhgjUzSNQRqmKGyuJObqZv1cvKaUd0TV+r34v/4wdQFCCwukukUWVNiqxlKbsh8VvwRBc TeKt8FYo3vaTmYkZ7asUXWdc/ws68Xk3tKqklMOSc3mF1+UKBze/bRAhBeovC0D6/zmVahymfyb CXvOJ/VDu0kJ2bBo48MOPGihs/rHQJBeYfszMXsj/yrPOL4CnLIHcPhjBg/Ww8gBOvKBQav1snu M2RD5eVvTSIJFO7XRU8oqJ08ifNYDAG8h0CCp6GW5m827bdQ==
X-Received: by 2002:a05:6512:3d07:b0:5a8:76c0:a7b7 with SMTP id 2adb3069b0e04-5aa0e5ffa5emr7642463e87.7.1779284304192; Wed, 20 May 2026 06:38:24 -0700 (PDT)
Received: from [10.47.61.164] (47-236.dc.icann.org. [192.0.47.236]) by smtp.gmail.com with ESMTPSA id 2adb3069b0e04-5a9164bc166sm5006773e87.46.2026.05.20.06.38.22 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 20 May 2026 06:38:23 -0700 (PDT)
Message-ID: <3e05747a-810d-4d69-ac77-10562ae4df0c@hxr.us>
Date: Wed, 20 May 2026 09:38:21 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Peter Thomassen <peter@desec.io>, The IESG <iesg@ietf.org>
References: <177923004209.585.3418420922155603562@dt-datatracker-7688897f84-hmm7m> <b35fa2e7-f907-4e12-9df3-25aa1cf80990@desec.io>
Content-Language: en-US
From: Andy Newton <andy@hxr.us>
In-Reply-To: <b35fa2e7-f907-4e12-9df3-25aa1cf80990@desec.io>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: Z2BFSBZJE4WKDOTC753BHGXS2FLERQWS
X-Message-ID-Hash: Z2BFSBZJE4WKDOTC753BHGXS2FLERQWS
X-MailFrom: andy@hxr.us
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-ds-automation@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Andy Newton's Discuss on draft-ietf-dnsop-ds-automation-08: (with DISCUSS and COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-d5NKfT0a-uTU1eFH14sDG0HsKk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Peter,

Thanks for the response.

On 20-05-2026 7:14 AM, Peter Thomassen wrote:
> Hi Andy,
> 
> Thank you very much for your review!
> 
> On 5/20/26 00:34, Andy Newton via Datatracker wrote:
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
> [...]
>> #### 5-15 Minutes
>>
>> 240        2.  Parent-side entities (such as registries) SHOULD reduce a DS
>> 241            record set's TTL to a value between 5–15 minutes when a new set
>> 242            of records is published, and restore the normal TTL value at a
>> 243            later occasion (but not before the previous DS RRset's TTL has
>> 244            expired).
>>
>> Why isn't this a MUST? It is a SHOULD for both behaviors (the 5-15 minute TTL)
>> and the restoration of the TTL. At the very least, it seems the restoration of
>> the "normal" TTL value is a MUST. However, why isn't the 5-15 minute value a
>> MUST? Otherwise an operator can set it to 5 years justified with "because I
>> just wanted it that way". If the SHOULD is to remain, isn't there a reasonable
>> upper boundary behavior such as not being greater than the normal TTL value?
> 
> Two thoughts:
> 
> - TTLs accepted by resolvers are bounded in practice. Most do not accept arbitrarily long TTLs, as that has other security issues such as retaining a hijacked delegation beyond its actual removal. I can collect numbers if needed, but my recollection is that TTLs over 1-2d are not honored in practice.
> 
> - The above resolver-side constraint aside, parents can set whatever TTLs they want, even without DS automation. DS automation does not change that. The point of this provision in the document is to mitigate the impact of a botched DS update, not to give general recommendations about what TTLs should be used in a TLD registry. (In practice, TTLs in TLD zones vary between 1h and 48h.)
> 
> - It's not a MUST because there is no problem if the registry uses a TTL of 20 or 30 minutes permanently, for example. Also, when DS automation is performed by the registrar, the registrar may not have the ability to enforce TTL adjustment. -- Now one could say that the document should take the stance that DS automation is to be done by registries and not registrars. However, getting into that discussion was very very clearly rejected by many participants: the registries and registrars want to sort out these responsibilities between themselves. And indeed, it's a business decision, not primarily a technical one.

If there are no interoperability issues with the registry setting 30 minutes as the TTL value, which is outside the 5 to 15 minute suggestion, then this is not a normative requirement and the SHOULD is to be lower-cased and/or changed to use non-BCP14 language.

> 
>> Also, is "normal TTL value" the previous TTL value? If not, what does that mean?
> 
> The "normal TTL value" is indeed the "previous" one when an update is applied. However, for DS initialization, there is no previous one, so the term would only capture updates.
> 
> Happy to change to a better adjective if it's not clear (pls let me know if you have another suggestion). OTOH, this was widely reviewed in the DNS and registry space (e.g., CENTR, APTLD, DNS OARC) and it seems like the use of "normal" was generally clear to the intended audience.

Some could have interpreted it as the previous value and others the default value by policy. I think it is best to be explicit. Perhaps "previous TTL value or default TTL value absent a previous value".

> 
>> #### Both CDNSKEY and CDS
>>
>> 246        3.  DNS operators SHOULD publish both CDNSKEY and CDS records, and
>> 247            follow best practice for the choice of hash digest type
>> 248            [DS-IANA].
>>
>> Section 4.2.3 does a good job of explaining why both CDNSKEY and CDS are
>> needed, so it seems the justification here is a MUST. In other words, if you
>> want to interoperate, the operator MUST do this otherwise there is likely to be
>> a problem.
> 
> There is no problem if the child operator knows which type of update format (CDS or CDNSKEY) the parent consumes. There would only be a problem if the parent insisted on both being published. Indeed, that provision was part of the draft, but was removed in -01 due to argument that it's not a good idea to reject an update just because a redundant format is missing.
> 
> A written record of this argument can be found at https://mailarchive.ietf.org/arch/msg/dnsop/ObpPwt5_HrmsPXE3dG8CrJUP9mg/; more feedback in that direction was gathered during an in-person workshop at DNS OARC 45.
> 
> Given these points, it seems not generally required for interoperability to publish both CDS and CDNSKEY, although if you do so you can be agnostic about the parent's preference and avoid certain risks. But, if you know what you're doing and what the parent expects, the risk goes away. Hence the SHOULD.
> 
> See also https://mailarchive.ietf.org/arch/msg/dnsop/Uv-oyqj-gp1dlfPIofct22Ijqo0/.

Why can't the guidance be more explicit? "Unless the child and parent have agreed upon using either CDS or CDNSKEY, DNS operators MUST publish both CDNSKEY and CDS."

>> #### DS update requests
>>
>> 659        2.  DS update requests SHOULD be executed immediately after
>> 660            verification of their authenticity, regardless of whether they
>> 661            are received in-band or via an out-of-band channel.
>>
>> For proper DS automation, shouldn't this be a MUST? If not immediately, then as
>> soon as possible. Or is it ok for an operator to wait 24 hours?
> 
> The publication intervals for delegation-centric zones (especially TLDs) vary greatly; some publish near-realtime, some publish zonefiles once a day. "MUST immediately" does not match the operational reality of a significant fraction of deployments.
> 
> However, we could say "MUST be executed at the next publication opportunity", or similar. Would that address your concern?

Yes, that works.

> 
>> #### SHOULD NOT initialize
>>
>> 675        5.  In the RRR model, a registry SHOULD NOT automatically initialize
>> 676            DS records when it is known that the registrar does not provide a
>> 677            way for the domain holder to later disable DNSSEC.  If the
>> 678            registrar has declared that it performs automated DS maintenance,
>> 679            the registry SHOULD publish the registrar's [RFC9859]
>> 680            notification endpoint (if applicable) and refrain from registry-
>> 681            side DS automation.
>>
>> Under what conditions are violating these SHOULD NOT/SHOULD acceptable?
>> If there are conditions for doing so, the document should attempt to describe
>> those conditions. Otherwise, aren't these MUST NOT and MUST?
> 
> It's a little complicated. First, about the SHOULD NOT:
> 
> At OARC 45, it was proposed to even remove this provision, because a registrant can always change registrars when they don't like that their registrar doesn't provide a way to remove a DS record when needed. That's of course not very helpful when you're already locked up in a situation where a DS record has been provisioned, and now you can't get rid of it. I'm pointing this out to illustrate that this recommendation itself (independently of which normative word is used) has only rough consensus.
> 
> At OARC 45, it was also discussed to tighten this recommendation. This was deemed unrealistic by registries as there is no protocol for a registry to discover whether a registrar provides a channel for removing a DS record. It seems impossible to design such a protocol that would be more likely to be adopted by registrars than the DS-removal channel itself. Registries present in the room therefore clearly stated that they don't want to be responsible for missing knowledge about which registrar is defective in that sense, and a tighter version did not find consensus.

There may not be a protocol, but there is a relationship between registries and registrars. They exchange money, credentials, allow lists, etc... so there is an opportunity for a registry to learn this about the registrar.

> 
> OTOH, in the gTLD space, registrars are contractually obliged to provide a DS provisioning channel (which I think includes removal), so this recommendation really applies in the ccTLD space only. The scope of this recommendation (and the consequences of it being suboptimal in a way) therefore is not as broad as it might seem at first sight. The SHOULD is supposed to be a strong technical hint ("undesirable stuff happening if you don't adhere!") that takes the above consensus complications into account.

IMHO, this is a MUST NOT as DS automation interoperation can be harmed (assuming removing DS records is a requirement for DS automation). The only reason I can think that the guidance is SHOULD NOT would be if the registry has some fore knowledge that the registrant would never disable DNSSEC.... and that seems implausible.

> 
> As for the SHOULD, no problems are expected if the registry does not publish the RFC9859 notification endpoint. In that case, the registrar may do CDS/CDNSKEY scanning [1][2] and all is fine. Notifications only offer a timing advantage. There is also no problem if the registry does not stop DS automation while the registrar does so as well, as DS updates are idempotent. Parallel automation therefore is unnecessary and wasteful, but not strictly an interoperability problem. For details, see Section 7.2.3 of the draft.
> 
> Examples of registrars doing CDS/CDNSKEY scanning:
> [1] hourly: https://docs.glauca.digital/domains/cds/
> [2] daily: https://domainname.shop/faq?id=395&section=7

Given your explanation, the SHOULD does not seem to be normative.

> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> ## Comments
>>
>> ### EPP Advertising
>>
>> 309        ...  When using the Extensible
>> 310        Provisioning Protocol (EPP) [RFC5730], the domain <info> command
>> 311        described in Section 2.1.1.2 of [RFC9803] is available for
>> 312        advertising the server's TTL policy.
>>
>> The use of the word "advertising" makes me read this as information being
>> provided to the public. However, EPP does not operate that way. I think should
>> be reworded to say EPP can be used to make known to the registrar the
>> acceptable values used by the registry.
> 
> Will do.
> 
>> ### RDAP TTLs
>>
>> 410        5.  The currently active DS configuration SHOULD be made accessible
>> 411            to the registrant (or their designated party) through the
>> 412            customer portal available for domain management.  The DS update
>> 413            history MAY be made available in the same way.
>>
>> https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-ttl-extension/ is also
>> a good way to make the currently active TTL values available to the registrant
>> or their designated party.
> 
> I will make a note in Section 5.2. My impression is that publicly stating the TTL policy would belong into DNSSEC Practice Statements, so I'd be reluctant to include it as a recommendation.

I agree. That is only informative, as is all of item 5.

-andy, ART AD