IETF Logo Mail Archive

Re: [eppext] New draft for keyrelay available

Rik Ribbers <rik.ribbers@sidn.nl> Fri, 30 January 2015 19:08 UTC

Return-Path: <rik.ribbers@sidn.nl>
X-Original-To: eppext@ietfa.amsl.com
Delivered-To: eppext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5DAF1A0368 for <eppext@ietfa.amsl.com>; Fri, 30 Jan 2015 11:08:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.085
X-Spam-Level:
X-Spam-Status: No, score=0.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-afa4p4-6ZM for <eppext@ietfa.amsl.com>; Fri, 30 Jan 2015 11:08:04 -0800 (PST)
Received: from arn2-kamx.sidn.nl (kamx.sidn.nl [IPv6:2a00:d78:0:147:94:198:152:69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B3471A0358 for <eppext@ietf.org>; Fri, 30 Jan 2015 11:08:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=sidn.nl; s=sidn_nl; c=relaxed/relaxed; h=from:to:cc:subject:thread-topic:thread-index:date:message-id:references:in-reply-to:accept-language:content-language:x-ms-has-attach:x-ms-tnef-correlator:x-originating-ip:content-type:mime-version; bh=0rjLPkEJ562FYdzVbnALEF8LuBg/ha6B2fxA+86/gkk=; b=e1Ptp0k/iW2ziVTYs7ZOTuIg+lSPzUUXlXN+wkaD7/EyaPgNBUqpRCtQM79XS01sFvpnqAYfBoNow5VQYnC8792iokmkog/DL9Wg8vP/LfAKl1yR7JkPdvjmMrjUQxzVof7f4dlbLkh+RmLK5MI61eKpIBvt9NOV7lMq/GdLhWY=
Received: from kahubcasn02.SIDN.local ([192.168.2.74]) by arn2-kamx.sidn.nl with ESMTP id t0UJ81JY014215-t0UJ81Ja014215 (version=TLSv1.0 cipher=AES256-SHA bits=256 verify=CAFAIL); Fri, 30 Jan 2015 20:08:01 +0100
Received: from KAMBX2.SIDN.local ([fe80::b1fd:88d9:e136:9655]) by kahubcasn02 ([192.168.2.74]) with mapi id 14.03.0174.001; Fri, 30 Jan 2015 20:07:58 +0100
From: Rik Ribbers <rik.ribbers@sidn.nl>
To: "'Hollenbeck, Scott'" <shollenbeck@verisign.com>
Thread-Topic: [eppext] New draft for keyrelay available
Thread-Index: AdArSKQ+n3FmCyCWSq6l2+OWlzutMwA+eoEAALUP4qAAEcW9gAEZqysAAANycgAALHHTMAIC1EKAAAFOroAAAGLLAAAA000AAAAaFIAAAobIwAADPyWAAAJDmZA=
Date: Fri, 30 Jan 2015 19:07:58 +0000
Message-ID: <C80127C588F8F2409E2B535AF968B768B928BE7B@kambx2.SIDN.local>
References: <C80127C588F8F2409E2B535AF968B768B927CDA8@kambx2.SIDN.local> <0ED7237B-F4E8-45D7-971F-1625350DB0FC@verisign.com> <C80127C588F8F2409E2B535AF968B768B9280B52@kambx2.SIDN.local> <472EF001-1A03-4C50-A7DB-3D6B766B3BA8@verisign.com> <20150119094734.GA27180@miek.nl> <AF040383-7DED-4DDA-A52A-F40978697DF9@dnsbelgium.be> <C80127C588F8F2409E2B535AF968B768B9285C2F@kambx2.SIDN.local> <831693C2CDA2E849A7D7A712B24E257F49F33387@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <46F2F7EA-7FD4-4D47-B80D-CCC795277512@verisign.com> <831693C2CDA2E849A7D7A712B24E257F49F3353E@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <ABCBA930-3045-438C-A526-B6B824390048@verisign.com> <831693C2CDA2E849A7D7A712B24E257F49F338CE@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <C80127C588F8F2409E2B535AF968B768B928BC13@kambx2.SIDN.local> <831693C2CDA2E849A7D7A712B24E257F49F33B36@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F49F33B36@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Accept-Language: nl-NL, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.2.153]
Content-Type: multipart/related; boundary="_004_C80127C588F8F2409E2B535AF968B768B928BE7Bkambx2SIDNlocal_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/eppext/bPjO09HfB4OgKCj8l-sFEXdehDs>
Cc: "eppext@ietf.org" <eppext@ietf.org>
Subject: Re: [eppext] New draft for keyrelay available
X-BeenThere: eppext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: EPPEXT <eppext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eppext>, <mailto:eppext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/eppext/>
List-Post: <mailto:eppext@ietf.org>
List-Help: <mailto:eppext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eppext>, <mailto:eppext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jan 2015 19:08:09 -0000

Scott,

Thanks for the clarification and I did mean adopted.


Ø  but you've indicated a preference to not change the basic approach.

That is indeed our preference but as two people (Ulrich Wisser and Maarten Bosteels) this week clearly stated that they think the proposal of James is the way to go we might have to reconsider as standard track is also our preference. But than again the majority of the working group members do not actively participate in this discussion. So are 2 (Ok 3, as you are someone in the EPP community ;-)) people enough to reconsider? I got no clue on how big the WG actually is (anybody?), but  I'm still hoping that more people (especially the ones that hummed in Honolulu) state on the issue. If the majority of the WG thinks we've done it wrong who are we not to reconsider things and go for the proposal of James, the concept of relaying DNSSEC data doesn't change only the XML will  and in the end the concept is the most important part.

So again I call upon the members of this working group to review the draft and see what the problem is (http://www.ietf.org/mail-archive/web/eppext/current/msg00241.html) and state their opinion on this mailing list. Even if you don't care or have no objection let it know then at least we know where we are standing and can decide on how to proceed.

Kind regards,
Rik Ribbers

From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
Sent: vrijdag 30 januari 2015 18:27
To: Rik Ribbers; Gould, James
Cc: Maarten Bosteels; Miek Gieben; eppext@ietf.org
Subject: RE: [eppext] New draft for keyrelay available

> when the document was adapted by the WG the WG acknowledges the need for a standard

No, it means the IETF and the WG decided to work on the document to meet the purpose stated in the WG charter. That purpose and the charter can change if time reveals the need for change. We can propose anything to the IESG for consideration if it makes sense to do so, especially if it becomes clear that we do not have consensus on a particular topic.

You said "adapted" - did you mean adopted? "Adapted" would imply "change", but you've indicated a preference to not change the basic approach. Without consensus on the approach it's going to be tough to produce a Proposed Standard.

Scott

From: Rik Ribbers [mailto:rik.ribbers@sidn.nl]
Sent: Friday, January 30, 2015 11:40 AM
To: Hollenbeck, Scott; Gould, James
Cc: Maarten Bosteels; Miek Gieben; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: RE: [eppext] New draft for keyrelay available

Scott,

The intention of the relay command is more of sending a message (with information) then the manipulation of objects, but James explained it pretty well.

The  thing that triggered me is the second part of your reply:


Ø  I don't have an issue with continuing work on this draft if the intention is to document the existing practice of one operator in an informational way, but I'm not comfortable with pursuing the current approach on the standards track. We should confirm the need before doing standards track work.

Although I'm not an IETF expert I assumed that when the document was adapted by the WG the WG acknowledges the need for a standard. In Honolulu there was a discussion if the documents from the working group should be informational or standards track. And as far I understood it is not up to the WG to make a document informational, that is something the IESG does. Feel free to correct me if I misunderstood things.

However the real question is: Who can confirm this need?

We see the need for an automated secure transfer of domainnames in our daily operation. As the adoption of validating DNSSEC resolver grows it becomes more and more a problem that domainnames cannot be resolved. We choose the solution which is described in the draft and believe it is a good pragmatic solution for a the problem. But  I agree that the need is not extremely high at this point, but it will be in the near future. Should we wait for that or act upon what we believe is inevitable?  We choose not to wait.

Kind regards,
Rik

From: Hollenbeck, Scott [mailto:shollenbeck@verisign.com]
Sent: vrijdag 30 januari 2015 16:35
To: Gould, James
Cc: Rik Ribbers; Maarten Bosteels; Miek Gieben; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: RE: [eppext] New draft for keyrelay available

Jim, that's not how I would have designed it. To each his own.

Scott

From: Gould, James
Sent: Friday, January 30, 2015 10:32 AM
To: Hollenbeck, Scott
Cc: Rik Ribbers; Maarten Bosteels; Miek Gieben; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: Re: [eppext] New draft for keyrelay available

Scott,

EPP can be extended to support new types of objects, and objects can support a different set of commands and responses based on the requirements of those objects.   Objects can be created on the server-side without any support for transform by the client.  In this case, the intent is to create a poll queue message object that is consumed and automatically deleted when consumed, so the create functions as an enqueue and the poll info response functions as a dequeue once acknowledged.  With this, the transient object only needs to support the create transform to insert the message in the poll queue and the poll message in the form of an info response to consume the message.  There is no need for the implementation to create any form of a transient object outside the poll queue, since the poll queue is the transient object store for this object type.


-



JG

[cid:image001.png@01D03CC3.2FECED10]

James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

VerisignInc.com<http://VerisignInc.com>

On Jan 30, 2015, at 10:08 AM, Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> wrote:

EPP has no concept of "objects" in the poll queue. The poll queue manipulates messages. Objects are manipulated by transform commands like create, delete, etc.

I was thinking that the source client would create a relay object, which would result in a message being queued for the target client. The info could exist in both the poll message (which would be short-lived and lost once dequeued), and in the object (which would be slightly longer-lived, but would be automatically deleted when it expired).

Scott

From: Gould, James
Sent: Friday, January 30, 2015 9:57 AM
To: Hollenbeck, Scott
Cc: Rik Ribbers; Maarten Bosteels; Miek Gieben; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: Re: [eppext] New draft for keyrelay available

Scott,

I believe the intent is to insert the transient object into the poll queue for the target client.  The acknowledgement of the poll message should result in the implicit removal of the transient object from the server.  With what you're proposing, the source client would create the transient object that I'm assuming would result in a poll notification containing a signal to the client to submit an info command to get the transient object information?  I'm assuming that the target client would then need to delete the transient object once they're done with processing the message.  I believe it's simpler and consistent with the concept of creating a transient poll message to support the create to create the poll message and the info response poll message for the consumption of the transient object.  In this case the poll queue is functioning as the repository for the transient object with the signal and data being one and the same, and the deletion of the transient object handled via the standard poll queue mechanism.

-


JG

<image001.png>

James Gould
Distinguished Engineer
jgould@Verisign.com<x-msg://27/jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

VerisignInc.com<http://verisigninc.com/>

On Jan 30, 2015, at 9:20 AM, Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> wrote:

-----Original Message-----
From: EppExt [mailto:eppext-bounces@ietf.org] On Behalf Of Rik Ribbers
Sent: Tuesday, January 20, 2015 3:02 AM
To: 'Maarten Bosteels'; Miek Gieben; Gould, James; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: Re: [eppext] New draft for keyrelay available

Hello Maarten,

Thx for the feedback, I hope more people with experience on extending
EPP will state their opinion on the list.

We have implemented the functionality in our registration system, but
it is not very actively used. What we see is that most registrars go
insecure. Most of the time we see a transfer command followed (some
time later in time) by a domain update to remove the old key material
and add new key material. There is even a losing registrar that removes
all DNS key data when a registrant requests its authorization token
before the actual transfer.

One more opinion:

After reading through the draft again I believe I would have designed this differently. EPP commands typically act on or read data from objects, and if I'm reading keyrelay correctly the <relay> command isn't doing either of those things. It's pushing information to the server to be stored temporarily (in what?) so that it can be retrieved with a <poll> command. It would be more architecturally consistent to create a temporary relay object with the needed information and use an <info> command to retrieve the data. <poll> can be used to notify the receiving client that the information is there to be retrieved. Anyway, that's my two cents.

Rik's "not very actively used" comment is telling. DNSSEC isn't widely supported by registrars, so it makes sense that we're not seeing a lot of use. I don't have an issue with continuing work on this draft if the intention is to document the existing practice of one operator in an informational way, but I'm not comfortable with pursuing the current approach on the standards track. We should confirm the need before doing standards track work.

Scott

v2.8.7 | Report a Bug | By Email