[DNSOP] Re: WG Last Call: draft-ietf-dnsop-ds-automation-02 (Ends 2026-01-30)
"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 05 February 2026 12:19 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HlD1tae08L2-5OoBLocpLRZd_S8>
> -----Original Message-----
> From: Peter Thomassen <peter=40desec.io@dmarc.ietf.org>
> Sent: Sunday, February 1, 2026 3:20 PM
> To: Hollenbeck, Scott <shollenbeck@verisign.com>; shuque@gmail.com; dnsop-chairs@ietf.org; dnsop@ietf.org; draft-ietf-dnsop-ds-automation@ietf.org
> Subject: [EXTERNAL] Re: [DNSOP] Re: WG Last Call: draft-ietf-dnsop-ds-automation-02 (Ends 2026-01-30)
>
> Hi Scott,
>
> Thank you for your suggestion. Before I include it, I'd like to fully understand it.
>
> You pointed out that
> a) "A server MAY alter or override status values set by a client, subject to local server policies" (RFC 5731),
> b) automated DNSSEC delegation trust maintenance may well be part of a server policy.
>
> However, DNSSEC delegation trust maintenance does not alter EPP statuses. Rather, the recommendation (with which you said you agree) is to perform DS automation (that is, change DS RRsets, not EPP statuses) even when clientUpdateProhibited or serverUpdateProhibited is set.
>
> So, while I think both (a) and (b) are true, I'm not sure how (a) is relevant for DS automation.
>
> I might have missed your point -- can you please elaborate?

[SAH] Section 4 of the draft discusses registration locks. There are client-set status values, such as clientUpdateProhibited, that could, under most circumstances, prevent a DNS service provider from updating DNSSEC information if that particular status value is set. I'm merely pointing out that RFC 5731 specifically allows the server operator to override that restriction if the server implements a policy that supports DS automation. Section 4.2.2 of the draft describes the rationale for overriding an "update prohibited" status, but it doesn't mention the fact that 5731 makes it explicitly possible. I think it would be helpful to add a sentence in 4.2.2 to acknowledge that ability. Perhaps something like this at the end of the first paragraph in 4.2.2:

OLD
Such changes entail updating the delegation's DS records.

NEW
Such changes entail updating the delegation's DS records. These changes are consistent with the guidance provided in RFC 5731, which explicitly states that "A server MAY alter or override status values set by a client, subject to local server policies" [RFC5731].

Scott