Re: [DNSOP] Multi Provider DNSSEC Models

Shumon Huque <> Fri, 30 March 2018 20:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3B4F4126DD9 for <>; Fri, 30 Mar 2018 13:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2m3hIBLxAZpO for <>; Fri, 30 Mar 2018 13:45:40 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C1CD7126D0C for <>; Fri, 30 Mar 2018 13:45:40 -0700 (PDT)
Received: by with SMTP id e98-v6so12494882itd.4 for <>; Fri, 30 Mar 2018 13:45:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=UuqN6B+vzIVkjNZyGbJhvFf1G5rCvXQX1wZLFlBk4TM=; b=KB8CSJnJaECLn05SSCgVsXYE6VWBR1dUVmrzA3ibvOaoTgkcyrwewhcOu/l5/4rLSP 28oRlJCIsMz3DhQ8N+m5FhggyA8dj6Mc8kTkVs9SDmzgZVOAbP0DBqks8vM/kTq4l4PZ aHk4FV0nO4V2SwdD60gHyIZcN5kM0ItniTGK95UJl4ZixSwHzj3phFHfr4+vb2185dnq XSXa4lWJVsSnQtDsR23zJcSPuo9PT3LXV+wgU6TlxS8rIJB4xDA3yOC9tcEA08mdHfnl NhuvvGAgv/zLTRJcyhquAzWWS8xJdE/EycKUGyTmFAEAOMYq6WNt6B9NOUFB/yYQgM2N 0kqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=UuqN6B+vzIVkjNZyGbJhvFf1G5rCvXQX1wZLFlBk4TM=; b=UsyB6oPm+1sjThou3wTpVNvi7MxAiQXq8jQmWMMDzvhTDbCBuePMPA6Y/JQN07auYJ dvupQi7FNW/N9P4X7TRZ5ANQPiS3kNqChWtDIjzSKV5f+oL+Ssf7gAXcwpVI6gjfdmjV KNkZ1Q8Rq4GWnUwbq1ZoNqeoVqaKEJwTsaXd/vpWW6BjjpBfdwF9+MG7HA1am7lRmve3 CYxih7t+Pes+yRDX5ZjxJ7WKmul3C84prLjOV1mNnVmKxwZhg6bZRo4vSTXH/L0hRaJA tI5S6rQTDieShB2F3RsfZCjJmjOTJlxgVU2XxuKmTm0W+5khSNTkrsvdvgrAtsJTWsfB 7k+w==
X-Gm-Message-State: AElRT7GPYUYHJesclXp9LEG+nudPgXMRLWBxpL5RHigMivM8sQ6GCYj6 90KGvsb8Mpi0eHBQ+4/VvEXFcJ6H5vuyCzFb6IQ=
X-Google-Smtp-Source: AIpwx48pBREO61YUFYWvluQ8T+dUiGxDZAg6N4QygAsribxVpXZ5UAuDxwv9CCMC96R6aw0N6V/uiTtO0Ub4ZMLTGAI=
X-Received: by 2002:a24:5151:: with SMTP id s78-v6mr4401725ita.103.1522442740185; Fri, 30 Mar 2018 13:45:40 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 30 Mar 2018 13:45:39 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Shumon Huque <>
Date: Fri, 30 Mar 2018 16:45:39 -0400
Message-ID: <>
To: Yoshiro YONEYA <>
Cc: " WG" <>
Content-Type: multipart/alternative; boundary="000000000000b840b20568a7525e"
Archived-At: <>
Subject: Re: [DNSOP] Multi Provider DNSSEC Models
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Mar 2018 20:45:43 -0000

On Fri, Mar 30, 2018 at 1:47 AM, Yoshiro YONEYA <>

> Hi Shumon,
> Thank you for starting good document.
> I think this document is also useful for DNS provider transfer (or
> Registrar transfer) without causing DNSSEC insecure state.  Good
> thing is that this document doesn't depend on EPP (can be used with
> TLDs who doesn't employing EPP).

Thanks! Yes, I agree. Although the main goal of the document is
to describe a steady state configuration involving multiple signing
operators, the key management methods described can also aid
non-disruptive transfer of operation from one provider to another. I
already had on my TODO list to eventually add a section on provider
migration, but I haven't gotten there yet.

Regarding EPP, a zone owner deploying one of the multi provider
models may have to use EPP for bootstrapping the DS RRset contents,
if  the zone in question is an SLD and they are under a TLD that uses
or requires it. But as you say, not all TLDs use EPP, and the document
doesn't express a point of view or requirement on this topic.

For the managed DNS providers themselves, we simply say that they
need to provide some sort of API for ZSK or DNSKEY import. In theory
that could be EPP, but more commonly is some sort of REST/Web based
API. It could also be UPDATE I suppose if they supported it.