Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)

[Jacques Latour <Jacques.Latour@cira.ca>]

Parental synchronization is inevitable so we would be better to find the
best way to make it happen.  I think there are 3 plausible methods to do
the synchronization.

1. Child Notification: Child sends NOTIFY to a predefined parental
destination. The parent then polls the child zone for changes and EPP
commands issued to reflect the changes.

2. DNS Operator Notification: DNS Operator changes the child zone. DNS
Operator finds parental agent API via RDAP or TCKL to notify of changes to
be performed. The parent then polls the child zone for changes and EPP
commands issued to reflect the changes.

	- 
https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-to-rrr-protocol-0
4
	- parental agent can be the registrar or the registry

3. Parent Polling*: On a batch/regular basis, the parent then polls all
child zones for changes and EPP commands issued to reflect the changes.
 *The parent can be the registrar or the registry.

	- a la cz.nic, full zone polling
(https://en.blog.nic.cz/2017/06/21/lets-make-dns-great-again/)
	- it would be nice to send an EPP poll message to the registrar when a
domain is changed by the TLD
	- some of the research we¹ve done shows that there are no ICANN policy
impact of doing #3 across the board (ccTLD and gTLD).

Personally, I like a mix of #3 and #1, on a regular basis poll the entire
zone for changes, and have a mechanism to listen to child notifications
for urgent changes.

_AND_ remember, the preferred method by far is to submit a DS/DNSKEY
record is via the RRR EPP model.  The above is when that RRR EPP model is
non functional.

Jack


On 2017-11-14, 7:08 AM, "DNSOP on behalf of Tony Finch"
<dnsop-bounces@ietf.org on behalf of dot@dotat.at> wrote:

>Evan Hunt <each@isc.org> wrote:
>>
>> In the present context, I was only suggesting this method be used for
>> NOTIFY, not UPDATE -- to signal the parent that it should poll the child
>> for CDS/CDNSKEY.  (I guess CSYNC could be included in the mix as well,
>> though, for updating NS and glue.)
>
>Yes.
>
>> I would suggest the child should be polled periodically regardless. If
>> the SRV record were spoofed, causing the child to send a NOTIFY to the
>> wrong address, synchronization should still occur, just not as quickly.
>
>The starting point for this thread was parental agents saying they don't
>like polling, but having thought about this a bit more I think I agree
>that it would be unwise not to poll. If there's a way to get polled early
>by NOTIFY then that's probably still good for both parent and child -
>parent can poll more slowly, and child can get prompt updates.
>
>I read Mark Elkins' article with interest. I would prefer to use NOTIFY
>rather than a web hook because it's much more plausible to imagine
>supporting this inside a DNS server with some kind of notify-parent
>feature.
>
>I like the idea of being able to automatically discover where to send
>parental notifies. But this can only work if the parental agent doesn't
>require TSIG. On the other hand, we can't rely on autodiscovery because
>I wouldn't bet on the registries publishing the necessary SRV records...
>
>Any opinions on whether this is worth pursuing?
>
>Tony.
>-- 
>f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h
>punycode
>Viking, North Utsire: Northwesterly backing westerly 5 to 7. Moderate or
>rough, occasionally very rough later in north. Squally showers. Good.
>
>_______________________________________________
>DNSOP mailing list
>DNSOP@ietf.org
>https://www.ietf.org/mailman/listinfo/dnsop