IETF Logo Mail Archive

[eppext] FW: New draft for keyrelay available

Rik Ribbers <rik.ribbers@sidn.nl> Fri, 30 January 2015 21:30 UTC

Return-Path: <rik.ribbers@sidn.nl>
X-Original-To: eppext@ietfa.amsl.com
Delivered-To: eppext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CA181A700F for <eppext@ietfa.amsl.com>; Fri, 30 Jan 2015 13:30:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.085
X-Spam-Level:
X-Spam-Status: No, score=0.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqkVjVAXxJSt for <eppext@ietfa.amsl.com>; Fri, 30 Jan 2015 13:30:52 -0800 (PST)
Received: from arn2-kamx.sidn.nl (kamx.sidn.nl [IPv6:2a00:d78:0:147:94:198:152:69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FD081A1A59 for <eppext@ietf.org>; Fri, 30 Jan 2015 13:30:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=sidn.nl; s=sidn_nl; c=relaxed/relaxed; h=from:to:subject:thread-topic:thread-index:date:message-id:references:in-reply-to:accept-language:content-language:x-ms-has-attach:x-ms-tnef-correlator:x-originating-ip:content-type:mime-version; bh=BjBt2oAYURDpN3QpaoZoniM+hrBdpbriZAjiH3sgZWU=; b=qXEtxCdmETJdGv254WA0PuSSmXOK6zMELOU9A/JgzKQi2ILw/S1jPzJ/LgNscb2AiSTUup/uD4qpvdo4VVEn7Imlyzf9iYvIfILp2ZFUpLwFuSWW29A9+P1VzWZqHY3fLELFsdTI/t3qodJrNimhwH9U4tQQeC2w8HyG3kPMJxo=
Received: from kahubcasn01.SIDN.local ([192.168.2.73]) by arn2-kamx.sidn.nl with ESMTP id t0ULUoLj019090-t0ULUoLl019090 (version=TLSv1.0 cipher=AES256-SHA bits=256 verify=CAFAIL) for <eppext@ietf.org>; Fri, 30 Jan 2015 22:30:50 +0100
Received: from KAMBX2.SIDN.local ([fe80::b1fd:88d9:e136:9655]) by kahubcasn01 ([192.168.2.73]) with mapi id 14.03.0174.001; Fri, 30 Jan 2015 22:30:46 +0100
From: Rik Ribbers <rik.ribbers@sidn.nl>
To: "eppext@ietf.org" <eppext@ietf.org>
Thread-Topic: New draft for keyrelay available
Thread-Index: AdArSKQ+n3FmCyCWSq6l2+OWlzutMwRfVugQAAJJBTAAATSlQA==
Date: Fri, 30 Jan 2015 21:30:45 +0000
Message-ID: <C80127C588F8F2409E2B535AF968B768B928C0A3@kambx2.SIDN.local>
References: <C80127C588F8F2409E2B535AF968B768B927CDA8@kambx2.SIDN.local> <cc9301a8806f4f0e979d0cef96c09719@MBX1.impetus.co.in> <C80127C588F8F2409E2B535AF968B768B928C08C@kambx2.SIDN.local>
In-Reply-To: <C80127C588F8F2409E2B535AF968B768B928C08C@kambx2.SIDN.local>
Accept-Language: nl-NL, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.2.153]
Content-Type: multipart/alternative; boundary="_000_C80127C588F8F2409E2B535AF968B768B928C0A3kambx2SIDNlocal_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/eppext/WSuidrHWmyj4o8el26iIb-wDzio>
Subject: [eppext] FW: New draft for keyrelay available
X-BeenThere: eppext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: EPPEXT <eppext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eppext>, <mailto:eppext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/eppext/>
List-Post: <mailto:eppext@ietf.org>
List-Help: <mailto:eppext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eppext>, <mailto:eppext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jan 2015 21:30:55 -0000

Forgot to include the list.... sorry

From: Rik Ribbers
Sent: vrijdag 30 januari 2015 22:30
To: 'Santosh Kalsangrah'
Subject: RE: New draft for keyrelay available

Hello Santosh,

Thx for the feedback. Here are my answers:


1)      This draft uses the validated trusted EPP channel. According to RFC5734, section 8 this must be a TCP/TLS connection. The idea is here that a registrar doesn't always know how or to whom the DNSSEC key material must be send. By using the registry EPP interface there is a secure and trusted path.

2)      In the draft we state that depending on the use case a server must determine what elements of the data must be used for 1) validating the request and 2) determining the registrar to relay the data to. For the keyrelay usecase this is  the authInfo element for 1) and for 2) the domainname is used.

3)      This is actually out-of scope for this specific draft. The mechanism is  to send the command and if the server approves (return EPP code 1000) the gaining registrar must assume the message is on the poll queue of the losing registrar. There is a different draft which describes the process of a secure domain transfer which describes the complete process (https://tools.ietf.org/html/draft-koch-dnsop-dnssec-operator-change-06 )

4)      This depends on the policy of the registry. For us a registrar must acknowledge the poll message what happens afterwards it out of our hands and depends on the registrars. There are several issues (e.g. the registrar is not always the DNS-operator) that are involved with the secure transfer of a domainname that are not covered here. This draft focusses on relaying  the keymaterial from registrar 1 and 2. Again see the draft https://tools.ietf.org/html/draft-koch-dnsop-dnssec-operator-change-06 for more information.

Kind regards,
Rik

From: Santosh Kalsangrah [mailto:santosh.kalsangrah@impetus.co.in]
Sent: vrijdag 30 januari 2015 21:36
To: Rik Ribbers; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: RE: New draft for keyrelay available

Rik,

Here is my feedback, (actually questions:))


1.       It seems it's assumed that all EPP messaging between registrar 1<->registry<->registrar 2 proposed in this draft is over secure transport. Is that ok if either or both registrar(s) connects to registry over non-secure transport?

2.       How is key information validated by receiving registrar that it is what was sent by the  other registrar. Or how is sender assured that key information would be sent as is to other end? Or this is not important?

3.       How would gaining registrar be notified back that key info it has sent is acknowledged/read by losing registrar. Or is it that gaining registrar need not to know?

4.       In case if losing registrar does not support extension in this draft, what will happen to key info?

Thanks,
Santosh K

From: EppExt [mailto:eppext-bounces@ietf.org] On Behalf Of Rik Ribbers
Sent: Thursday, January 08, 2015 7:12 PM
To: eppext@ietf.org<mailto:eppext@ietf.org>
Subject: [eppext] New draft for keyrelay available

All,

As you (may) have noticed we submitted a new version of the keyrelay draft. In this draft we tried to solve all the open issues, remarks and feedback we received.

The major  changes are:

  1.  Introducing the <relay> command, and thus seperating the data and
       the command.

   2.  Updated the Introduction, describing the general use of relay vs
       the intended use-case of relaying DNSSEC key data.

   3.  Restructuring the document to make it more inline with existing
       EPP extensions.

In the end it has become a major rewrite and as always feedback is welcome.

Kind regards,
Rik Ribbers

________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

v2.8.7 | Report a Bug | By Email