Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)

Jacques Latour <> Tue, 14 November 2017 20:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 10655128B51 for <>; Tue, 14 Nov 2017 12:02:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p5_ZqZviSq8d for <>; Tue, 14 Nov 2017 12:02:36 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 2370F1242F7 for <>; Tue, 14 Nov 2017 12:02:31 -0800 (PST)
X-Virus-Scanned: by SpamTitan at
Received: from CRP-EX16-02.CORP.CIRA.CA ( by CRP-EX16-02.CORP.CIRA.CA ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Tue, 14 Nov 2017 15:02:28 -0500
Received: from CRP-EX16-02.CORP.CIRA.CA ([fe80::15c6:1482:4083:e9f7]) by CRP-EX16-02.CORP.CIRA.CA ([fe80::15c6:1482:4083:e9f7%13]) with mapi id 15.01.0669.032; Tue, 14 Nov 2017 15:02:28 -0500
From: Jacques Latour <>
To: Tony Finch <>, Evan Hunt <>
CC: Edward Lewis <>, "" <>
Thread-Topic: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)
Date: Tue, 14 Nov 2017 20:02:28 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying referrals (#35)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Nov 2017 20:02:38 -0000

Parental synchronization is inevitable so we would be better to find the
best way to make it happen.  I think there are 3 plausible methods to do
the synchronization.

1. Child Notification: Child sends NOTIFY to a predefined parental
destination. The parent then polls the child zone for changes and EPP
commands issued to reflect the changes.

2. DNS Operator Notification: DNS Operator changes the child zone. DNS
Operator finds parental agent API via RDAP or TCKL to notify of changes to
be performed. The parent then polls the child zone for changes and EPP
commands issued to reflect the changes.

	- parental agent can be the registrar or the registry

3. Parent Polling*: On a batch/regular basis, the parent then polls all
child zones for changes and EPP commands issued to reflect the changes.
 *The parent can be the registrar or the registry.

	- a la cz.nic, full zone polling
	- it would be nice to send an EPP poll message to the registrar when a
domain is changed by the TLD
	- some of the research we¹ve done shows that there are no ICANN policy
impact of doing #3 across the board (ccTLD and gTLD).

Personally, I like a mix of #3 and #1, on a regular basis poll the entire
zone for changes, and have a mechanism to listen to child notifications
for urgent changes.

_AND_ remember, the preferred method by far is to submit a DS/DNSKEY
record is via the RRR EPP model.  The above is when that RRR EPP model is
non functional.


On 2017-11-14, 7:08 AM, "DNSOP on behalf of Tony Finch"
< on behalf of> wrote:

>Evan Hunt <> wrote:
>> In the present context, I was only suggesting this method be used for
>> NOTIFY, not UPDATE -- to signal the parent that it should poll the child
>> for CDS/CDNSKEY.  (I guess CSYNC could be included in the mix as well,
>> though, for updating NS and glue.)
>> I would suggest the child should be polled periodically regardless. If
>> the SRV record were spoofed, causing the child to send a NOTIFY to the
>> wrong address, synchronization should still occur, just not as quickly.
>The starting point for this thread was parental agents saying they don't
>like polling, but having thought about this a bit more I think I agree
>that it would be unwise not to poll. If there's a way to get polled early
>by NOTIFY then that's probably still good for both parent and child -
>parent can poll more slowly, and child can get prompt updates.
>I read Mark Elkins' article with interest. I would prefer to use NOTIFY
>rather than a web hook because it's much more plausible to imagine
>supporting this inside a DNS server with some kind of notify-parent
>I like the idea of being able to automatically discover where to send
>parental notifies. But this can only work if the parental agent doesn't
>require TSIG. On the other hand, we can't rely on autodiscovery because
>I wouldn't bet on the registries publishing the necessary SRV records...
>Any opinions on whether this is worth pursuing?
>f.anthony.n.finch  <>  -  I xn--zr8h
>Viking, North Utsire: Northwesterly backing westerly 5 to 7. Moderate or
>rough, occasionally very rough later in north. Squally showers. Good.
>DNSOP mailing list