IETF Logo Mail Archive

Re: [regext] CDS/CDNSKEY vs. EPP update prohibited

Andrew Newton <andy@hxr.us> Fri, 02 December 2022 20:16 UTC

Return-Path: <andy@hxr.us>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D39CC14CEE1 for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 12:16:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.894
X-Spam-Level:
X-Spam-Status: No, score=-6.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hxr-us.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cp7apwPvXWP5 for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 12:16:22 -0800 (PST)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AD0AC14F613 for <regext@ietf.org>; Fri, 2 Dec 2022 12:16:22 -0800 (PST)
Received: by mail-ot1-x32b.google.com with SMTP id g51-20020a9d12b6000000b0066dbea0d203so3594344otg.6 for <regext@ietf.org>; Fri, 02 Dec 2022 12:16:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hxr-us.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=A4rCGHNn2O6gxmbEDO+hc7YF6P5sR5iKVHT8bAkUKsY=; b=ylOrzt2K17TrI470tMHdactvDKooIdftB56U4Gf0EG+kmXjkCZizCMmD5Vbh/G99lJ mDsB/w7W+ap8tFtNNsvEfl6xRAQ61mCJ2Ne9Ra0rXRkP/fLYWP/knu97YejwFz3TBn1d BDppb8AiSIO24luDdtF0odzkMhpoQPHkFBVjcea9wyvVXdolCEe2IUXJjzWHhrOCvPq9 WlEeYdLqkqSxv9r7FSaKBlFZ8smcXx8QyvNvPJ5oY6nV0zIssh5SkbJX5iJ1T00ElW6h HljWPWtbpuaQpn8jPwIEU0tV8r8S371QJUncevoqVFsifEFaygnQt50/3iKeFo5zmPVt WHQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=A4rCGHNn2O6gxmbEDO+hc7YF6P5sR5iKVHT8bAkUKsY=; b=renbJXmfNjN+SAsjcI7sHc5fhVH7Eq/VgRsgw2c5n/zkHBN76t1wDBB80vVUe8xLlS romc03KEnwTaATnnX3GH66maca3Pcjqucq8SKUDmEQKz2A8h5lNPpuPwMtftoGKOm79i YpfARD9QyHGkOgv2nFMc2NuOkxsnSmNlks0OeOprtJ1F7xPlSkxXOTbXbbKWPI63qj6M 7Ih9mh4BWzV6u/lFODczA5H39RfBvQ3b5lK1g+Lu9wLJxYz1vrk/4dkwjV+jbo6FE9AC p9bRXHl3zlRXlhRz3ioADuqt+O+UiTWR/z/kRAXGUMSwbJYniDn3WoD9XNPSxk3F8hA1 W4AA==
X-Gm-Message-State: ANoB5pml7ewysyezPtU9MYXe+XSszL/f25xAben3uj58kkr3uDLdto0V 6Tx5DkKUVUwuF0VsLuuZHIV3E1m3H2mS9PRCQAQMnGtI/amaY34t+oFMLQ==
X-Google-Smtp-Source: AA0mqf7RGnS3Jh6B1lqcaz6rMejd35XYal+shkLGeghzanroCCxPzUW1//ukPuBAPgbKNTpOfImk2Z49eFsKLONWxd8=
X-Received: by 2002:a05:6830:186:b0:66e:7d07:2ead with SMTP id q6-20020a056830018600b0066e7d072eadmr3483038ota.154.1670012181347; Fri, 02 Dec 2022 12:16:21 -0800 (PST)
MIME-Version: 1.0
References: <BA12A2A4-E92C-4F3A-BC03-3C879D27AE5B@verisign.com> <03f1b413-60a4-ed38-c709-58c21eb83445@knipp.de>
In-Reply-To: <03f1b413-60a4-ed38-c709-58c21eb83445@knipp.de>
From: Andrew Newton <andy@hxr.us>
Date: Fri, 02 Dec 2022 15:16:10 -0500
Message-ID: <CAAQiQReSirco6KAvZZ7J2N9-AW2Pm9TKoYBHF2jBk1V+w6utAA@mail.gmail.com>
To: Michael Bauland <Michael.Bauland@knipp.de>
Cc: regext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/313BEnMageRF0wodVd109JvQEo8>
Subject: Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 20:16:24 -0000

I don't have much of an opinion either way, but from a basic
troubleshooting perspective if EPP update prohibited applies to
CDS/CDNSKEY then there might be a best practice to make sure the
appropriate update prohibited status is set in RDAP, thus allowing the
DNS admin some notion of why things are not working.

Reading RFC 8078, the abstract does hint to CDS/CDNSKEY being a
work-around to EPP. Section 3 also discusses acceptance policy and
there is no notion of an EPP like mechanism in there. Although it does
seem like Section 3.4 would make a good EPP extension which could
strike the right balance.

-andy

On Fri, Dec 2, 2022 at 8:54 AM Michael Bauland <Michael.Bauland@knipp.de> wrote:
>
> Hi,
>
> On 02.12.2022 14:07, Gould, James wrote:
> > Michael,
> >
> > The prohibited statuses apply to client requests, which matches Case 2.  The prohibited statuses can apply to client requests via multiple channels (e.g., EPP or Web UI).  The prohibited statuses don't apply to server actions (e.g., auto renew, transitioning RGP statuses).  Use of CDS/CDNSKEY records to signal a server-side change is an interesting case, where does posting CDS/CDNSKEY records represent a client request that is processed by the server asynchronously?  I view the CDS/CDNSKEY as a new operation (e.g., DNSSEC automation update), supported by IETF RFCs, that does not apply to the existing EPP prohibited statuses.  All domain changes come down to an update, but EPP included prohibited statuses on a per operation / command basis.
> >
> > I would then define Case 3, where CDS/CDNSKEY records represent is a new client operation that does not apply to the existing EPP prohibited statuses.  If we did want to prohibit this new operation via EPP, then a new prohibited status would be warranted.
>
> I tend to agree. Changing the DNSSEC data here is not an operation
> requested/initiated by the client (i.e., registrar), but it's something
> the server (registry) does, because it got triggered via the DNS. For
> this reason the clientUpdateProhibited flag should be ignored.
>
> The RFC states:
> "Requests to update the object (other than to remove this status)
> MUST be rejected."
>
> The question is then, is the server looking for CDS records in the DNS a
> request? I don't think it is. It is the server carrying out some
> maintenance work (e.g., key rollover), admittedly for the registrant (or
> rather the registrant's DNS provider). Nevertheless, it's the server's
> decision, when and if a found CDS records leads to an update of the
> domain's DNSSEC data.
>
> Cheers,
>
> Michael
>
>
> --
> ____________________________________________________________________
>       |       |
>       | knipp |            Knipp  Medien und Kommunikation GmbH
>        -------                    Technologiepark
>                                   Martin-Schmeisser-Weg 9
>                                   44227 Dortmund
>                                   Germany
>
>       Dipl.-Informatiker          Fon:    +49 231 9703-0
>                                   Fax:    +49 231 9703-200
>       Dr. Michael Bauland         SIP:    Michael.Bauland@knipp.de
>       Software Development        E-mail: Michael.Bauland@knipp.de
>
>                                   Register Court:
>                                   Amtsgericht Dortmund, HRB 13728
>
>                                   Chief Executive Officers:
>                                   Dietmar Knipp, Elmar Knipp
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email