IETF Logo Mail Archive

Re: [eppext] [provreg] Publishing of the Change Poll EPP Extension IETF Draft

Patrick Mevzek <Patrick.Mevzek@afnic.fr> Sun, 31 May 2015 19:38 UTC

Return-Path: <Patrick.Mevzek@afnic.fr>
X-Original-To: eppext@ietfa.amsl.com
Delivered-To: eppext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E59CB1A89F5 for <eppext@ietfa.amsl.com>; Sun, 31 May 2015 12:38:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.75
X-Spam-Level: *
X-Spam-Status: No, score=1.75 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_FR=0.35, J_CHICKENPOX_66=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z27hO-Llq7R5 for <eppext@ietfa.amsl.com>; Sun, 31 May 2015 12:38:04 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D95741A8A0B for <eppext@ietf.org>; Sun, 31 May 2015 12:38:03 -0700 (PDT)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id DFA9B2801BE; Sun, 31 May 2015 21:38:01 +0200 (CEST)
Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx4.nic.fr (Postfix) with ESMTP id D8D2A2802B1; Sun, 31 May 2015 21:38:01 +0200 (CEST)
Received: from [IPv6:::1] (citrine.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:96]) by relay1.nic.fr (Postfix) with ESMTP id 422414C0053; Sun, 31 May 2015 21:37:31 +0200 (CEST)
Message-ID: <1433101049.5289.13.camel@citrine-mobile>
From: Patrick Mevzek <Patrick.Mevzek@afnic.fr>
To: "Gould, James" <JGould@verisign.com>
Date: Sun, 31 May 2015 21:37:29 +0200
In-Reply-To: <34236AD6-86DD-4B52-AE9C-1AA3AB9C6C32@verisign.com>
References: <211D0420-18A3-43D7-9A3D-553B34C6DF43@verisign.com> <CAJ9-zoVSoY=g+70ZfYFkYG7KEFM88x0BxVRH5jUxNYqMsMt+8A@mail.gmail.com> <77F1013C-BF41-4982-9845-C1F87F69B5F5@verisign.com> <4D5E61F9-D8ED-48A1-BF40-6CE42B09601B@nic.br> <1429972004.16625.6.camel@citrine-mobile> <34236AD6-86DD-4B52-AE9C-1AA3AB9C6C32@verisign.com>
Organization: AFNIC
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.8.5-2+b1
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/eppext/I69jEXB4lZRQqzhKDbPPA_QwBkE>
Cc: "gtld-tech@icann.org" <gtld-tech@icann.org>, "eppext@ietf.org" <eppext@ietf.org>, Rubens Kuhl <rubensk@nic.br>
Subject: Re: [eppext] [provreg] Publishing of the Change Poll EPP Extension IETF Draft
X-BeenThere: eppext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: EPPEXT <eppext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eppext>, <mailto:eppext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/eppext/>
List-Post: <mailto:eppext@ietf.org>
List-Help: <mailto:eppext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eppext>, <mailto:eppext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 May 2015 19:38:07 -0000

Hello James,

Le lundi 27 avril 2015 à 13:04 +0000, Gould, James a écrit :

> We discussed the Change Poll Extension and the use case of DNS
> deferred publication at the Registration Operations Workshop (ROW)
> prior to IETF-92.  The question was whether the deferred publication
> was part of pending operations (e.g. pendingCreate, pendingUpdate).
> No one could speak to the use case.  Can you describe the domain
> operation flow of a registry that supports deferred publication?  

Sorry for my delay. I can give you some details on how it was done at
the .FR registry in the past (we are not doing it anymore).
Basically any DNS change had to be checked against some rules, using the
then active tool zonecheck (which also meant that you could only change
nameservers in one operation, you could not mix it with other updates at
the same time).
In our case, at that time, creation was not possible with nameservers.
You had to first register the domain, then modify it if you want to add
nameservers.

> I see two different flows:
> 
> 
>      1. Pending Action  
>              1. Client sends domain create with NS (domain update
>                 would work in a similar fashion)
>              2. Server puts the domain on pendingCreate status and
>                 returns the 1001 “Command completed successfully;
>                 action pending” response
>              3. Server validates the NS (DNS servers respond correctly
>                 )
>              4. If NS validate 
>                      1. Remove the pendingCreate status
>                      2. Insert pending action (<domain:panData> ) poll
>                         message with a positive result ( “paResult=1”
>                         )
>              5. else if within validation period 
>                      1. Validate again at the next interval
>              6. else  
>                      1. Remove domain ( or reject update )
>                      2. Insert pending action (<domain:panData> ) poll
>                         message with negative result ( “paResult=0” ).
>                         An extension could be added to provide more
>                         error detail.

We were basically doing that except for the following points :
- no creation with nameservers, hence the above workflow was for updates
only
- either it valides or not, but in all cases the operation was done at
that time, either successfully or not. the registry did not try to
validate again, the onus would be on the registrar to send again a
domain:update command to trigger a recheck.
- for the more details part (basically the validation result), we did
not design an extension but just put the error message as a text in the
notification. Clearly not as good as the new drafts to convey such kind
of information, but at that time, it was good enough.

>      1. Registration Deferred Publication ( My thoughts without any
>         detail previously provided ) 
>              1. Client sends domain create with NS ( domain update may
>                 work in a similar fashion, but I see some added
>                 complexity)
>              2. Server accepts the domain create for deferred
>                 publication and sets the “serverHold” and
>                 “ serverUpdateProhibited” statuses pending the
>                 validation. 
>                      1. A domain update would be more complex, since I
>                         imagine that the update would not add any
>                         server statuses to support the deferred
>                         validation.  I also imagine that the domain
>                         would not be removed from the zone based on
>                         the update deferred validation by putting the
>                         “serverHold” on it.  Is update of NS validated
>                         via a deferred validation model?
>              3. Server validates the NS (DNS servers respond correctly
>                 )
>              4. If NS validate 
>                      1. Remove the “serverHold” and “serverUpdate”
>                         statuses 
>                      2. Poll message here is in question.  Should this
>                         be a Change Poll message reflecting the update
>                         made by the server to remove the and
>                         “ serverUpdateProhibited” statuses based on
>                         the successful deferred publication
>                         validation? 
>                              1. If so, I see the server operation as
>                                 “update” and the reason as something
>                                 like “Deferred publication validation
>                                 success”.  The reason is free-form
>                                 text.  The change poll message (domain
>                                 info response) should reflect the
>                                 removal of the “serverHold” and
>                                 “serverUpdateProhibited” statuses.  
>              5. else if within validation period 
>                      1. Validate again at the next interval.  No poll
>                         message required, since the state of the
>                         domain has not changed.
>              6. else  
>                      1. Remove the “serverUpdateProhibited” status to
>                         enable the client to modify the NS
>                      2. Poll message here is in question.  Should this
>                         be a Change Poll message reflecting the update
>                         made by the server to remove the
>                         “serverUpdateProhibited” status based on the
>                         failed deferred publication validation?   
>                              1. If so, I see the server operation as
>                                 “update” and the reason as something
>                                 like “Deferred publication validation
>                                 failed”.  The reason is free-form
>                                 text.  The change poll message (domain
>                                 info response) should reflect the
>                                 removal of the
>                                 “serverUpdateProhibited” status, and
>                                 not the “serverHold” status still
>                                 set. 
>                                      1. If additional information is
>                                         required for this failure, I
>                                         recommend creating a separate
>                                         deferred publication failure
>                                         extension or a generic
>                                         validation failure extension
>                                         that is attached to the change
>                                         poll message.  The info
>                                         response would provide the
>                                         state of the object (domain in
>                                         this case), the change poll
>                                         extension would provide the
>                                         what, when, why for the
>                                         server-side change, and the
>                                         validation failure extension
>                                         would provide the failure
>                                         detail.      

This is more complex, and like I said I have past experience only for
updates.
Using statuses in that way seems to me a problem since they do not
"stack". A domain can have a serverHold for various reasons: if it has
serverHold before the domain:update for example because of a dispute or
something out of band, at the end of the procedure it may have been
removed, but wrongly.

Also, it breaks the domain: if you put serverHold right at the beginning
of the domain:update and if the zonefile data is published in real time
or near real time, and if the validation itself takes more time than the
average publication delay, then you create a window were the current
domain can be published without its (past) nameservers at all, which is
for me a no-go.

So I would think the first case is simpler for anyone.

Also, we may have the same problem for secDNS changes (if the registry
wants to validate them before applying them)

> I don’t see the operations done by the server above as being anything
> other than an “update” with the reason communicating the deferred
> publication validation result.  There are two forms of extensibility
> of operations defined in the draft that is supported by the
> <changePoll:operation> “op” attribute, which can be used to define a
> sub-operation (e.g. <changePoll:operation
> op=“deferredPublication”>update</changePoll:operation>) or a custom
> operation (e.g. <changePoll:operation
> op=“deferredPublication”>custom</changePoll:operation> ), which
> handles extensibility without the need for a new XML schema and
> requiring an extension to an extension.  Is there any other form of
> extensibility that you are looking for?  

No, my fault sorry, I overlooked this possible extension, which indeed
solves my question.

-- 
Patrick Mevzek

v2.8.7 | Report a Bug | By Email