Re: [DNSOP] CPE devices doing DNSSEC

Patrik Wallstrom <pawal@blipp.com> Sun, 09 March 2014 12:56 UTC

Return-Path: <pawal@blipp.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E605D1A0207 for <dnsop@ietfa.amsl.com>; Sun, 9 Mar 2014 05:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.547
X-Spam-Level:
X-Spam-Status: No, score=-1.547 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_31=0.6, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.547] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQqYYUUc8bV0 for <dnsop@ietfa.amsl.com>; Sun, 9 Mar 2014 05:56:08 -0700 (PDT)
Received: from vic20.blipp.com (vic20.blipp.com [192.195.142.21]) by ietfa.amsl.com (Postfix) with ESMTP id 371EA1A01AD for <dnsop@ietf.org>; Sun, 9 Mar 2014 05:56:08 -0700 (PDT)
Received: from [192.168.0.118] (h185n2-asp-a13.ias.bredband.telia.com [217.210.64.185]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by vic20.blipp.com (Postfix) with ESMTPSA id 57B1938200; Sun, 9 Mar 2014 13:56:01 +0100 (CET)
Content-Type: multipart/signed; boundary="Apple-Mail=_4FEBDCC3-A183-4A25-80F7-9027AFDB81B0"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Patrik Wallstrom <pawal@blipp.com>
In-Reply-To: <531C5C4D.4010700@frobbit.se>
Date: Sun, 9 Mar 2014 13:55:55 +0100
Message-Id: <545AE25E-A609-4D03-A3DD-AFD41E573820@blipp.com>
References: <20140307100524.2F42810CD58F@rock.dv.isc.org> <A0D47DA8-6E19-4A61-8A7C-FE960A0FA7E9@cybersecurity.org> <20140308090009.5E51210D1595@rock.dv.isc.org> <531C2637.6020405@frobbit.se> <6175B0CC-D8E3-44BB-83DD-7DA8548E6120@blipp.com> <531C5C4D.4010700@frobbit.se>
To: =?iso-8859-1?Q?Patrik_F=E4ltstr=F6m?= <paf@frobbit.se>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/XBgFOdvpcE9NEX4uTNwSRInzj_o
Cc: dnsop@ietf.org, Paul Hoffman <paul.hoffman@cybersecurity.org>
Subject: Re: [DNSOP] CPE devices doing DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Mar 2014 12:56:11 -0000

On 09 Mar 2014, at 13:19, Patrik Fältström <paf@frobbit.se> wrote:

> On 2014-03-09 10:19, Patrik Wallstrom wrote:
>> But the fact is that EPP is several magnitudes better harmonized
>> between TLDs compared to that registrars are offering their
>> customers. There is no way around that today, and the registrars have
>> no incentive at all to improve the situation. For all the registrars
>> to offer the same API to their customers would really remove the
>> lock-in effect that the proprietary interfaces that they have today.
> 
> The same lock-in as registries use already today with registrars.

No, it is not the same lock-in.

> My point is that there is absolutely no difference between how
> registries lock in registrars (and because of that the registrants) and
> how the registrars lock in customers.

Yes, there is. Let me explain how.

Registries are using variants of the same protocol, EPP. Registries are typically serving exactly one name space. And this is where the lock-in  for the registrar come in - there are no other registries that serve the same name space.

Registrars are not using the same protocol, if any, as anybody else at all. They typically serve multiple name spaces. The large registrars have most of the name spaces available.

> Harmonizing the interface to registrars is _extremely_hard_ given how
> different the epp implementation is for the registries. The registrars
> that "lock in" (using your terminology) the registrants do that mainly
> because they support a specific flavor of registries, and have designed
> their API for those registries. If other registries where to be
> supported, the API would be different.

I totally agree with your description of the registrars interface, and this was my main point.

Since I have looked in more detail on many registrar interfaces, they typically do not resemble each other in any way at all. They all serve different purposes.

1. Manage domains (register or delete domains).
2. Manage wallets (to see their invoices, refill accounts).
3. Update zone content (unusual).
4. Manage web sites.
5. Manage web site content.
6. Manage virtual private servers (VPS).
7. Update DNSSEC material (extremely unusual).

These are also all mixed up, so there is no interface that covers all of it, some choose only one or two of the things in the list, with any combination they choose.

The API:s are also implemented in a variety of flavours as well, XMP-RPC, REST, SOAP and whatever they can come up with.

This also makes it extremely difficult (on a whole other level compared to registrars talking to registries) for a registrant to move their automated interaction with one registrar to another registrar.

>> So how could we change this? I don’t see this happening from a
>> standard organization at all. So yes - registrars is really a big
>> reason for incompatibility. Registries could easily bypass the
>> current rrr model by exposing API:s directly to registrants, but it
>> wouldn’t be very popular with the registrars…
> 
> In no particular order:
> 
> 1. By having people stop claiming epp is one protocol and blaming the
> registrars being the problem. Pointing fingers does not help, because as
> in this thread, energy has to be spent on explaining the differences in
> epp between TLDs.

Yes. Nobody is pointing any fingers here. And this is all good work.

> 2. By having registries agreeing on whether DS or DNSKEY is the data
> they want, or by accepting both.

It seems that this is not going to happen.

> 3. By having the IETF effort of to start with cataloging the epp
> extensions used by registries, and secondly working hard to try to
> harmonize the extensions.

This is what the eppext wg is doing now.

> 4. By having the registrars that have an API harmonize their efforts
> just like registries harmonize theirs.

Have you, as a registrar, put any effort into this? Where do you suggest this work is going to take place?

An “interesting" idea would be having ICANN to implement the base of this as part of the RAA.

> Also: note that registries do sent the wholesale price for the domain
> registration, and the price on the market today for domain names is set
> by the ones that cross subsidize domain name costs with income from
> other services. Because of that there is a price squeeze which in some
> markets turn into negative revenue for registrars that sell domain
> names. Registries that now and then dump the wholesale prices does not
> make the situation better, as the end users start to believe the price
> is very low. Registrars complain on this behavior by registries, but the
> registries continue to do price dumping -- i.e. continue the price squeeze.
> 
> Given this pricing structure, and that registries do change their
> implementations far too often, where do you think registrars do spend
> the money they have? They MUST support what the changes the registries
> do, they do not HAVE TO implement a common API.

Well, registries have made registrars do DNSSEC before. So if we would actually try to describe a standardised interface for the registrars, there could be ways to make the registrars implement this new interface. Pressure from customers, registrars and ICANN combined, perhaps?

> So, the registries MUST be the ones that start. Although there are many
> registrars that will follow. Including Frobbit that I am technical lead at.
> 
> Now as I wrote above, IETF have started some very good work on epp
> extensions but I am amazed how many registries refuse to participate,
> complain, and fight against it. As long as they do, why should
> registrars be nice(r)?
> 
> The market is broken, and as I said, I think we in IETF (when I was Area
> Director btw) where too nice when the whole epp work took place.

There are way more problems for a registrar to implement EPP for the different registries than the extensions. You know that as well.

Registries have different policies regarding what names are allowed, how different objects are actually used, and different ways of handling expired domains. And this is already within the defined standard without any extensions.