IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt

"Dickson, Brian" <bdickson@verisign.com> Mon, 08 July 2013 18:50 UTC

Return-Path: <bdickson@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9963B21F9590 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2013 11:50:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.449
X-Spam-Level:
X-Spam-Status: No, score=-6.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8o+bQ7zN7io3 for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2013 11:50:08 -0700 (PDT)
Received: from exprod6og123.obsmtp.com (exprod6og123.obsmtp.com [64.18.1.241]) by ietfa.amsl.com (Postfix) with ESMTP id 3B5CB21F9D39 for <dnsop@ietf.org>; Mon, 8 Jul 2013 11:50:03 -0700 (PDT)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob123.postini.com ([64.18.5.12]) with SMTP ID DSNKUdsJ2lK+RTPX+UY9wBEXxr2kiRC61RW1@postini.com; Mon, 08 Jul 2013 11:50:08 PDT
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02.vcorp.ad.vrsn.com [10.173.152.206]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id r68Insal002808 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 8 Jul 2013 14:49:58 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0342.003; Mon, 8 Jul 2013 14:49:54 -0400
From: "Dickson, Brian" <bdickson@verisign.com>
To: Patrik Fältström <paf@frobbit.se>, Olafur Gudmundsson <ogud@ogud.com>, John Dickinson <jad@sinodun.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Thread-Topic: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
Thread-Index: AQHOfAvuWrMAm5DHG0e1RfsSfo7aNQ==
Date: Mon, 08 Jul 2013 18:49:53 +0000
Message-ID: <CE0080AE.B7C0%bdickson@verisign.com>
In-Reply-To: <33496ED6-4D88-485B-8369-566B2A1FC7C0@frobbit.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <36A7349490ADBB40B0DDAA946E6E3DDB@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [DNSOP] New Version Notification for draft-kumari-ogud-dnsop-cds-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2013 18:50:14 -0000

On 7/8/13 2:28 PM, "Patrik Fältström" <paf@frobbit.se> wrote:

>I have also had a look at this document which I in general do believe is
>sound, although there are a few events I would like to have described in
>the document. Reason for this is that I see it being really important
>that it is implemented the same way in all usage scenarios.
>
>One such situation is what is to happen when NS records changes in the
>parent zone.


I think, perhaps, that a corresponding mechanism for NS change (or change
validation), will be what we eventually conclude is also a good idea (or
even necessary to provide some means of protection/validation to an
otherwise unprotected-but-critical element).

For the same kinds of reasons as parent/child DS vs DNSKEY "mismatch"
(pre-publication of DS without publication of DNSKEY), there are reasons
that parent and child NS sets are not always the same.

So, using the child NS set to directly validate the parent NS set is a
non-starter.

However, maybe something like a "PNS" (parent NS) in the child, where the
child is authoritative for the data, could signal {change | validation}
(depending on the RRR requirements), would do the trick?

Upon receiving a change request for the NS set, the zone publisher could
check the child for matching PNS records.

Facilitates automation, just as CDS would.

Thoughts?

Brian


>
>An immediate reaction is that change of NS records should trigger fetch
>of CDS record from the child zone so that the new DS can be included in
>the new version of the zone that have the new NS records. Careful
>thinking should say whether that is a correct thinking of me.
>
>Another situation is what to do (by the parent) when inconsistent CDS
>records are found from the authoritative servers for the zone (with and
>without identical serial numbers in the SOA).
>
>And a third if the auth servers queried at should be the ones that there
>are NS records for in the parent zone or the NS records that exists in
>the child zone.
>
>This to resolve inconsistencies between information in parent and child
>zones and between auth servers.
>
>Lastly, I think it should be very clear not only what the priority is
>between different versions of CDS records, but also between CDS records
>and epp commands. If different registries implement different policies
>here, the world might risk being much messier than what we want.
>
>Hope this helps.
>
>   Patrik
>
>_______________________________________________
>DNSOP mailing list
>DNSOP@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email