Re: [DNSOP] New draft on delegation revalidation

[Patrick Mevzek <mevzek@uniregistry.com>]

On 22/04/2020 14:32, Shumon Huque wrote:
> Based on history to date, it seems to be rather intractable, but I would
> love to be proven wrong. The interfaces that registrars use to update
> delegation records in the registries don't even offer any TTL
> configuration option that I've seen (even if the registries were willing
> to support it). Does the EPP DNS mapping even support setting TTL?

I am not sure what you refer to by "EPP DNS mapping".

In EPP world there are host objects (or host attributes).
Those are created by the registrar, in the registry system, and the
registry will use them to publish NS records, and potentially glues.

Those objects have name, IP addresses and a few extra meta data but
nothing about TTL.
And when you update domains for new NS you just specify the host object
IDs you want to use (which are in fact there name). For registries using
hosts as attributes instead you then there provide also glues, if
needed, but nothing more.

To give another data point, that goes into your direction, there is a
secDNS extension, that registrars uses to pass DS/DNSKEY materials to
registries, for publication.

It has the following specified:

        An OPTIONAL <secDNS:maxSigLife> element that indicates a
         child's preference for the number of seconds after signature
         generation when the parent's signature on the DS information
         provided by the child will expire.  A client SHOULD specify the
         same <secDNS:maxSigLife> value for all <secDNS:dsData> elements
         associated with a domain.  If the <secDNS:maxSigLife> is not
         present, or if multiple <secDNS:maxSigLife> values are
         requested, the default signature expiration policy of the
         server operator (as determined using an out-of-band mechanism)
         applies.

and

   The <secDNS:update> element contains an OPTIONAL "urgent" attribute.
   In addition, the <secDNS:dsData> element contains OPTIONAL <secDNS:
   maxSigLife> and <secDNS:keyData> elements.  The server MUST abort
   command processing and respond with an appropriate EPP error if the
   values provided by the client can not be accepted for syntax or
   policy reasons.


While those are not TTL per se they are in the same bag: they try to
influence what the registry publishes at the DNS level.

And while most registries implement this EPP extension to do DNSSEC
operations I know of not one of them honoring the above two parameters
(but I can certainly miss some).

So I am pretty sure that even if you defined an EPP mapping to pass TTL
data, very few registries, if not none, would use it. But that is just
my opinion, I am not a registry nor speaking for them.


-- 
Patrick Mevzek