Re: [DNSOP] CPE devices doing DNSSEC

Patrik Fältström <paf@frobbit.se> Sun, 09 March 2014 13:18 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 184C41A0326 for <dnsop@ietfa.amsl.com>; Sun, 9 Mar 2014 06:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.202
X-Spam-Level:
X-Spam-Status: No, score=0.202 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_SE=0.35, J_CHICKENPOX_31=0.6, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXBe5V2mXuGg for <dnsop@ietfa.amsl.com>; Sun, 9 Mar 2014 06:18:38 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) by ietfa.amsl.com (Postfix) with ESMTP id 28A5D1A011D for <dnsop@ietf.org>; Sun, 9 Mar 2014 06:18:38 -0700 (PDT)
Received: from ix-2.local (unknown [194.72.72.170]) by mail.frobbit.se (Postfix) with ESMTPSA id 7CA0D20153; Sun, 9 Mar 2014 14:18:32 +0100 (CET)
Message-ID: <531C6A27.6000404@frobbit.se>
Date: Sun, 09 Mar 2014 13:18:31 +0000
From: =?windows-1252?Q?Patrik_F=E4ltstr=F6m?= <paf@frobbit.se>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Patrik Wallstrom <pawal@blipp.com>
References: <20140307100524.2F42810CD58F@rock.dv.isc.org> <A0D47DA8-6E19-4A61-8A7C-FE960A0FA7E9@cybersecurity.org> <20140308090009.5E51210D1595@rock.dv.isc.org> <531C2637.6020405@frobbit.se> <6175B0CC-D8E3-44BB-83DD-7DA8548E6120@blipp.com> <531C5C4D.4010700@frobbit.se> <545AE25E-A609-4D03-A3DD-AFD41E573820@blipp.com>
In-Reply-To: <545AE25E-A609-4D03-A3DD-AFD41E573820@blipp.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="KPKr0Ukdgs4Kufh1jvfvhRqjdxujcnwaq"
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/MJzfM1mepEa6KYjpdtXL0m6PWYk
Cc: dnsop@ietf.org, Paul Hoffman <paul.hoffman@cybersecurity.org>
Subject: Re: [DNSOP] CPE devices doing DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Mar 2014 13:18:40 -0000

On 2014-03-09 12:55, Patrik Wallstrom wrote:
> 
> Yes, there is. Let me explain how.
> 
> Registries are using variants of the same protocol, EPP. Registries are typically serving exactly one name space. And this is where the lock-in  for the registrar come in - there are no other registries that serve the same name space.
> 
> Registrars are not using the same protocol, if any, as anybody else at all. They typically serve multiple name spaces. The large registrars have most of the name spaces available.

No Patrik. The difference is so large between registries that there is
not much money to save between implementations of epp to different
registries.

> I totally agree with your description of the registrars interface, and this was my main point.
> 
> Since I have looked in more detail on many registrar interfaces, they typically do not resemble each other in any way at all. They all serve different purposes.
> 
> 1. Manage domains (register or delete domains).
> 2. Manage wallets (to see their invoices, refill accounts).
> 3. Update zone content (unusual).
> 4. Manage web sites.
> 5. Manage web site content.
> 6. Manage virtual private servers (VPS).
> 7. Update DNSSEC material (extremely unusual).
> 
> These are also all mixed up, so there is no interface that covers all of it, some choose only one or two of the things in the list, with any combination they choose.
> 
> The API:s are also implemented in a variety of flavours as well, XMP-RPC, REST, SOAP and whatever they can come up with.
> 
> This also makes it extremely difficult (on a whole other level compared to registrars talking to registries) for a registrant to move their automated interaction with one registrar to another registrar.

To me this looks very similar to what registries do.

Compare .DK, .EU, .SE and .ORG for example.

>> In no particular order:
>>
>> 1. By having people stop claiming epp is one protocol and blaming the
>> registrars being the problem. Pointing fingers does not help, because as
>> in this thread, energy has to be spent on explaining the differences in
>> epp between TLDs.
> 
> Yes. Nobody is pointing any fingers here. And this is all good work.

I do not agree, there is a large portion of finger pointing going on.

>> 2. By having registries agreeing on whether DS or DNSKEY is the data
>> they want, or by accepting both.
> 
> It seems that this is not going to happen.

Then you will not see a harmonized interface to registrars either.

>> 3. By having the IETF effort of to start with cataloging the epp
>> extensions used by registries, and secondly working hard to try to
>> harmonize the extensions.
> 
> This is what the eppext wg is doing now.

Correct.

>> 4. By having the registrars that have an API harmonize their efforts
>> just like registries harmonize theirs.
> 
> Have you, as a registrar, put any effort into this? Where do you suggest this work is going to take place?

Oh yes. There are a number of things that must happen first, but one big
obstacle is that different registrars concentrate on certain registries,
like Frobbit concentrating on .SE. The interface to other registries is
so different that registrars that concentrate on other registries will
by definition have a different API.

Now, whether you think two REST API's with different semantics for
different registrars is better than what we have today, that is up to you.

> An “interesting" idea would be having ICANN to implement the base of this as part of the RAA.

No, that will not help. ccTLDs must be part of the story.

And the RAA is broken anyways, as it for example violates the regulation
and laws of the European Union, so they need to be cleaned up before for
example you can have _any_ ICANN Accredited Registrar from the European
Union (at least most member states -- it depends a bit on how they have
implemented the data protection directive).

I think CENTR, LACTLD, APTLD etc is the right forum.

> Well, registries have made registrars do DNSSEC before. So if we would actually try to describe a standardised interface for the registrars, there could be ways to make the registrars implement this new interface. Pressure from customers, registrars and ICANN combined, perhaps?

Once again, as long as registries do NOT have the same interface for
DNSSEC from registrars, how would registries be able to force the
registrars implement the SAME interface for DNSSEC to registrants?

> There are way more problems for a registrar to implement EPP for the different registries than the extensions. You know that as well.

Possibly if you strictly talk about the extension(s).

> Registries have different policies regarding what names are allowed, how different objects are actually used, and different ways of handling expired domains. And this is already within the defined standard without any extensions.

Correct. And those differences are problematic. As well.

   Patrik