Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)

Mark Elkins <> Tue, 14 November 2017 09:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 01B27129400 for <>; Tue, 14 Nov 2017 01:16:00 -0800 (PST)
X-Quarantine-ID: <GmHRvdK7Y3x6>
X-Virus-Scanned: amavisd-new at
X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made up entirely of whitespace (char 20 hex): X-Spam-Report: ...that system for details.\n \n Content previ[...]
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GmHRvdK7Y3x6 for <>; Tue, 14 Nov 2017 01:15:57 -0800 (PST)
Received: from ( [IPv6:2001:43f8:790:61::200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C4E8C12008A for <>; Tue, 14 Nov 2017 01:15:56 -0800 (PST)
Received: from [] (port=39884 by with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <>) id 1eEXIx-0004x7-Ep for; Tue, 14 Nov 2017 11:14:52 +0200
References: <> <> <> <> <> <> <> <> <> <> <>
From: Mark Elkins <>
Organization: Posix Systems
Message-ID: <>
Date: Tue, 14 Nov 2017 11:15:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <>
Subject: Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Nov 2017 09:16:00 -0000

On 14/11/2017 01:37, Evan Hunt wrote:
> On Tue, Nov 14, 2017 at 09:16:43AM +1100, Mark Andrews wrote:
>> Remember the draft was designed to handle ALL record updates to the
>> parent zone after being approved by the registrar in a unified manner.
>> NS, DS, A, DNAME, AAAA, TXT, CNAME, etc. This isn’t restricted to DS
>> records.  
> In the present context, I was only suggesting this method be used for
> NOTIFY, not UPDATE -- to signal the parent that it should poll the child
> for CDS/CDNSKEY.  (I guess CSYNC could be included in the mix as well,
> though, for updating NS and glue.)
> I would suggest the child should be polled periodically regardless. If
> the SRV record were spoofed, causing the child to send a NOTIFY to the
> wrong address, synchronization should still occur, just not as quickly.

Getting the parent to examine the child in order to examine changes in
CDS/CDNSKEY is something I'd dearly like to see done.
With foot firmly stuck in mouth and probably breaking all protocols....

Who am I:
I'm a 'local' Registrar (Non-ICANN Accredited), running DNSSEC for
clients. I speak EPP mainly to the ZACR (South African Central Registry)
- usually for the CO.ZA Domain name space. I also speak EPP to a bunch
of other people.
I either run the DNS zone for the client - so know when to send an EPP
update to the Registry (this is totally automated) or run a
"Registration Only" service where clients run their own (DNSSEC Signed)
zones. When the latter do a KSK rollover, they are currently obliged to
login to into their account, find their Domain and
push a [Reread Zone info] button which does a DNS Lookup over TCP using
a DNSSEC aware recursive resolver to see what NS and DNSKEY records have
changed, brings them back and presents them to the user. I automatically
generate CDS records from the DNSKEY. A short time later - these are
pushed to the Parent via EPP.

More ideally, this [Reread Zone info] button should be triggered by the
client using a well documented standard (RFC?), probably a URL and
passing to the URL the Domain Name to "check". (I like to call this the
"tickle RFC").

The same could be used directly with Registry systems...
If you want to get CO.ZA to "Poll" your Nameservers, look for a DNS
record (lets call it TCKL) in the top of the zone which should return a
web like URL which you can then "GET" with... (GET seems more simple
than POST)    IN    TCKL    ""
(Most ccTLD's might do the same?)

For myself, I'd tell my clients mentioned above to look for:    IN    TCKL    ""
(Most COM type Registrars might do the same?)

I guess one could have multiple answers for redundancy.
No "security" as in passwords should be needed.
I don't see this being used to DDOS Registries, only do something
further if the domain is one of yours, only if it is already DNSSEC
signed, and only trust the answer if the DNS Connection validates
properly, any faults - wait 5 seconds and then report an error (if so

I don't quite see how a SVR record could do this as per

I also don't remember seeing any DNS record types where the RHS is a full URL.

To me, for now, this would only be used for DNSSEC updates (i.e. CDS/CDNSKEY where the Child Zone is already signed)

Anyway - that's my baby step, so just a small foot in my mouth. Please be gentle.

Mark James ELKINS  -  Posix Systems - (South) Africa       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: