Re: [eppext] draft-ietf-eppext-keyrelay-00 Feedback

["Gould, James" <JGould@verisign.com>]

Antoin,

Thanks for the detailed explanation.  The choice of which form of EPP extension to use (protocol, object, command-response) does not change the process flow at all, but simply determines the syntax of the key relay commands and responses.  Technically draft-ietf-eppext-keyrelay uses both the protocol extension for the command and the object extension for the poll response.  My recommendation is to get down to one type of extension for the specification.   The best way to describe the use of the object and command-response extensions is to provide some examples, which I do below:

Command-Response Extension:

Key Relay Command as extension to empty domain update similar to the restore command in RFC 3915.  To note this is a new verb that is not mixed with the update from a feature and authorization perspective.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
  xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
  xmlns:keyrelay="urn:ietf:params:xml:ns:keyrelay-1.0">
  <command>
    <update>
      <domain:update>
        <domain:name>example.org</domain:name>
      </domain:update>
    </update>
    <extension>
      <keyrelay:keyrelay>
        <keyrelay:name>example.org</keyrelay:name>
        <keyrelay:keyData>
           <secDNS:flags>256</secDNS:flags>
           <secDNS:protocol>3</secDNS:protocol>
           <secDNS:alg>8</secDNS:alg>
           <secDNS:pubKey>cmlraXN0aGViZXN0</secDNS:pubKey>
        </keyrelay:keyData>
        <keyrelay:authInfo>
           <domain:pw>JnSdBAZSxxzJ</domain:pw>
        </keyrelay:authInfo>
        <keyrelay:expiry>
           <keyrelay:relative>P1M13D</keyrelay:relative>
        </keyrelay:expiry>
      </keyrelay:keyrelay>
    </extension>
    <clTRID>ABC-12345-XYZ</clTRID>
  </command>
</epp>

Key Relay Poll Response as an extension to the domain info response.

<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
  xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
  xmlns:keyrelay="urn:ietf:params:xml:ns:keyrelay-1.0">
  <response>
    <result code="1301">
       <msg>Command completed successfully; ack to dequeue</msg>
    </result>
    <msgQ count="5" id="12345">
       <qDate>1999-04-04T22:01:00.0Z</qDate>
       <msg>Key Relay action completed successfully.</msg>
    </msgQ>
    <resData>
      <domain:infData
        xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.org</domain:name>
        <domain:roid>EXAMPLE1-REP</domain:roid>
        <domain:clID>ClientX</domain:clID>
      </domain:infData>
    </resData>
    <extension>
  <keyrelay:panData>
  <keyrelay:name paResult="true">example.org
  </keyrelay:name>
  <keyrelay:paDate>1999-04-04T22:01:00.0Z
  </keyrelay:paDate>
  <keyrelay:keyData>
  <secDNS:flags>256</secDNS:flags>
  <secDNS:protocol>3</secDNS:protocol>
  <secDNS:alg>8</secDNS:alg>
  <secDNS:pubKey>cmlraXN0aGViZXN0</secDNS:pubKey>
  </keyrelay:keyData>
  <keyrelay:authInfo>
  <domain:pw>JnSdBAZSxxzJ</domain:pw>
  </keyrelay:authInfo>
  <keyrelay:expiry>
  <keyrelay:relative>P24D</keyrelay:relative>
  </keyrelay:expiry>
  <keyrelay:reID>ClientX</keyrelay:reID>
  <keyrelay:acID>ClientY</keyrelay:acID>
  </keyrelay:panData>
    </extension>
    <trID>
       <clTRID>ABC-12345</clTRID>
       <svTRID>54321-XYZ</svTRID>
    </trID>
  </response>
</epp>

Object Extension:

Key Relay is an object that can be created via the create command and can get information via the info command and response.  The poll message is simply a key relay info response.

Key Relay Command using a Key Relay Create Command.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
  xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
  xmlns:keyrelay="urn:ietf:params:xml:ns:keyrelay-1.0">
 <command>
   <create>
     <keyrelay:create>
       <keyrelay:name>example.org</keyrelay:name>
       <keyrelay:keyData>
          <secDNS:flags>256</secDNS:flags>
          <secDNS:protocol>3</secDNS:protocol>
          <secDNS:alg>8</secDNS:alg>
          <secDNS:pubKey>cmlraXN0aGViZXN0</secDNS:pubKey>
       </keyrelay:keyData>
       <keyrelay:authInfo>
          <domain:pw>JnSdBAZSxxzJ</domain:pw>
       </keyrelay:authInfo>
       <keyrelay:expiry>
          <keyrelay:relative>P1M13D</keyrelay:relative>
       </keyrelay:expiry>
     </keyrelay:create>
   </create>
   <clTRID>123456</clTRID>
 </command>
</epp>

Key Relay Poll Response

<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
  xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
  xmlns:keyrelay="urn:ietf:params:xml:ns:keyrelay-1.0">
  <response>
    <result code="1301">
       <msg>Command completed successfully; ack to dequeue</msg>
    </result>
    <msgQ count="5" id="12345">
       <qDate>1999-04-04T22:01:00.0Z</qDate>
       <msg>Key Relay action completed successfully.</msg>
    </msgQ>
    <resData>
      <keyrelay:infData>
        <keyrelay:name paResult="true">example.org
        </keyrelay:name>
        <keyrelay:paDate>1999-04-04T22:01:00.0Z
        </keyrelay:paDate>
        <keyrelay:keyData>
          <secDNS:flags>256</secDNS:flags>
          <secDNS:protocol>3</secDNS:protocol>
          <secDNS:alg>8</secDNS:alg>
          <secDNS:pubKey>cmlraXN0aGViZXN0</secDNS:pubKey>
        </keyrelay:keyData>
        <keyrelay:authInfo>
          <domain:pw>JnSdBAZSxxzJ</domain:pw>
        </keyrelay:authInfo>
        <keyrelay:expiry>
          <keyrelay:relative>P24D</keyrelay:relative>
        </keyrelay:expiry>
        <keyrelay:reID>ClientX</keyrelay:reID>
        <keyrelay:acID>ClientY</keyrelay:acID>
      </keyrelay:infData>
    </resData>
    <trID>
       <clTRID>BCD-23456</clTRID>
       <svTRID>65432-WXY</svTRID>
    </trID>
  </response>
</epp>

In addition, support can be provided for the Relay Info Command and associated Response (example provided already with the poll response).

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
  xmlns:keyrelay="urn:ietf:params:xml:ns:keyrelay-1.0">
 <command>
   <info>
     <keyrelay:info>
       <keyrelay:name>example.org</keyrelay:name>
     </keyrelay:info>
   </info>
   <clTRID>123456</clTRID>
 </command>
</epp>

In looking at the samples, I actually like the Object Extension the best.  I can provide the XSD’s that I validated the examples against if desired.

Thanks,

--

JG



James Gould
Principal Software Engineer
jgould@verisign.com

703-948-3271 (Office)
12061 Bluemont Way
Reston, VA 20190
VerisignInc.com



On 3/13/14, 5:39 AM, "Antoin Verschuren" <antoin.verschuren@sidn.nl<mailto:antoin.verschuren@sidn.nl>> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

op 11-03-14 17:36, Gould, James schreef:

Hi James,

Thanks for your suggestions. We have particularly looked at:

2. Create a Command-Response Extension of the domain mapping that
creates a new keyrelay verb similar to the restore verb in RFC
3915, which is an extension of an empty domain update.  The server
can define who is authorized to invoke the new verb on the domain
name.
By defining Key Relay as a new object or a new verb extension to
the domain object, you get all of the advantages of an object
mapping (extensions, client and server transaction identifier).
My recommendation is to go with option #2, since I view Key Relay
as a verb.  In summary, I don’t believe there is the need to create
a protocol extension for this.

One of the requirements from certain registries for keyrelay was that
since keyrelay is only a "preparation communication step" for a DNS
operator change that may or may not be followed by an NS change or
combined transfer/NS change, they did not want any changes made to
records owned by the registrar of record for a domain object. It's not
compulsory to do this "communication" via the registry, it only
facilitates registrars that have no other secure communication
channel. Sometimes a keyrelay command is not followed by an NS change
as the process is abandoned, and that should not lead to changes in
the DB that need to be reverted. The process would then become more
complex than necessary.

Another requirement that we heard from especially gTLD registries is
that a command for which it was necessary to change the database
tables in a fundamental way would not be implemented by those
registries. Since most EPP commands are processes that change an
object in the registry DB and is only authorized by the current
registrar of record, we looked at  a way to do this communication step
without even touching the DB. EPP keyrelay can be implemented without
any changes to the registry DB, and only queries existing records.
This is also how we implemented it.

We only know of one other command that is NOT authorized by the
current registrar of record for a domain object, and that is a
transfer. But if authorized properly by an auth-info token, the goal
of a transfer command is ultimately also to make changes to the domain
object in the DB.

Keyrelay does not intend to change anything to DB objects. That is
ultimately done by an NS change that usually follows a keyrelay if the
process is continued AND the loosing DNS operator cooperates. If the
loosing DNS operator does not cooperate, a different change to the DB
may follow, and it's complex to predict which action would follow.
There is no default process flow, it's up to the gaining registrar
which next step to take (Abandon, postpone, go insecure, transfer and
leave delegation as is, ...), we want him to be in control.

Could you elaberate on how a Command-Response Extension of the domain
mapping would meet the requirement of not changing anything
fundamental to the registry DB, nor creating a complex unpredictable
state flow?
How would the State Diagram similar to Figure 1 of RFC3915 look like
for EPP keyrelay?

Bear in mind, that a pending NS change state for a secure transfer
cannot be held forever, nor can it be predicted what a reasonable
period for that state is. It depends on DNS TTL values that are not
prescribed nor verified in most registry policies. And since we want
the registrant to be in control over his domain, it may well be that
during a pending state, yet another registrar may invoke a keyrelay if
the registrant chooses to change registrars because the process takes
too long or there is another (technical) reason to change his
delegation. So a state diagram is much more difficult to create than a
state diagram for a grace period that is only dependent on 1 registrar
and a state period defined by the registry's policy.

By completely separating the "preparation communication" from the
state of a domain object, we have avoided the need for a complex state
diagram and fundamental changes to the registry DB. It also extends
EPP with a new command type that may have other benefits in the future.

For an (even more) elaborate explanation on how we came to this
conclusion, we have written a white paper:
https://www.sidnlabs.nl/uploads/tx_sidnpublications/wp_2013_EPP-keyrelay_v1.en.pdf


On 3/11/14, 9:23 AM, "Antoin Verschuren"
<antoin.verschuren@sidn.nl<mailto:antoin.verschuren@sidn.nl> <mailto:antoin.verschuren@sidn.nl>>
wrote:
Hi,
I'd like to answer the question asked in London why EPP keyrelay
is not an object extension or domain update.
Regular EPP commands are submitted to a registry by the current
registrar of record for that object in the database. Only the
registrar of record is allowed to change attributes to a domain
object.
EPP keyrelay is a command that typically is sent to a registry by
a registrar NOT being the registrar of record for that domain
object. So the registrar sending the command is not permitted to
change anything in the database to that object.
EPP keyrelay is therefor only a communication command, and the
domain object is only used to identify the registrar of record for
that domain object as a recipient. The domain object is only
queried to identify the registrar of record, but no attributes are
allowed to be changed.
Hope that clarifies the questions raised in London.
_______________________________________________ EppExt mailing
list EppExt@ietf.org<mailto:EppExt@ietf.org> <mailto:EppExt@ietf.org>
https://www.ietf.org/mailman/listinfo/eppext

- --
Antoin Verschuren

Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: antoin.verschuren@sidn.nl<mailto:antoin.verschuren@sidn.nl>
XMPP: antoin.verschuren@jabber.sidn.nl<mailto:antoin.verschuren@jabber.sidn.nl>
HTTP://www.sidn.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJTIXzKAAoJEDqHrM883AgnH/sIAKYi48zCXAmWXaNjBc+Jik22
/90SrAeV2E3nG9A3FvaM0+0F6lHH9oiKVNzveYD8E6+9pojOdw++scRENqAOuseh
0cE3XjvAZh6EQAt2HDKv4Be/LyX5ZnJR8iorecMSl8M0BGQhu7/EDZwD31gFe3kw
ac5ePOijelbte4vIb1gN3WjqWbUjbavMJVxt7hQwL75km0uS3WUGdpo0YwKg3Xan
zjSB/2G7tv0KDVoBIMsKnmTWoR38s4aEXTpdZqq1hJUDIwnwdvHwzbJjRq9a9yKV
Hy3+KJfXZvGIPsiHQZBHLyY3vNJJnA3kKCRO7U7twOiBL5WLPyvaqEhscuJqbRs=
=Xyh/
-----END PGP SIGNATURE-----