Re: [regext] CDS/CDNSKEY vs. EPP update prohibited

Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp> Fri, 02 December 2022 13:59 UTC

Date: Fri, 02 Dec 2022 22:59:45 +0900
From: Yoshiro YONEYA <yoshiro.yoneya@jprs.co.jp>
To: "regext@ietf.org" <regext@ietf.org>
Message-Id: <20221202225945.b08324afff4e00f041dd730e@jprs.co.jp>
In-Reply-To: <191008c7-b37c-e311-6d8d-1c43053f1d98@knipp.de>
References: <191008c7-b37c-e311-6d8d-1c43053f1d98@knipp.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/4nwDRJXGqxvfVy4UTU2Fc7MG4JU>
Subject: Re: [regext] CDS/CDNSKEY vs. EPP update prohibited

Michael,

Please refer to the DNSSEC and Security Workshop's "DNSSEC Provisioning Automation" panel presentations.
At least: https://cdn.filestackcontent.com/content=t:attachment,f:%223.1%20Crocker%20-%20DS%20Updates%20and%20Multi-signer%20Coordination.pdf%22/AhnRIROT5aurERz0pfuQ
Registrars can scan CDS/CDNSKEY/CSYNC RRs and provision them via EPP.
It does not break the existing RRR model.

Regards,

Yoshiro

On Fri, 2 Dec 2022 12:41:03 +0100 Michael Bauland <Michael.Bauland@knipp.de> wrote:

> Hello,
> 
> I've recently come across a case in the context of CDS/CDNSKEY and I'm 
> unsure what is the best/correct way to handle the situation.
> 
> CDS/CDNSKEY records are meant to notify the registry about a change in 
> the DS/DNSKEY records, similar to sending an EPP request.
> 
> What should the registry do, if
> 1. the serverUpdateProhibited EPP state is set?
> 2. the clientUpdateProhibited EPP state is set?
> 
> I tend to say that in Case 1, the domain may not be changed at all and 
> as a consequence CDS/CDNSKEYs should be ignored.
> 
> For Case 2 my preference is that this is only a kind of safeguard 
> against unintended changes by the registrar, and the DNSSEC update is 
> most likely intended and should go through. Furthermore, some registrars 
> might set this state regularly, which would then take away the 
> registrant's possibility to roll over their DNSKEY. This most likely is 
> not intended.
> However, one could of course argue: update prohibited means update 
> prohibited, and as long as that state is set, no changes (other than 
> removing this state) should be possible.
> 
> What do others think about these cases?
> 
> Cheers,
> 
> Michael
> 
> -- 
> ____________________________________________________________________
>       |       |
>       | knipp |            Knipp  Medien und Kommunikation GmbH
>        -------                    Technologiepark
>                                   Martin-Schmeisser-Weg 9
>                                   44227 Dortmund
>                                   Germany
> 
>       Dipl.-Informatiker          Fon:    +49 231 9703-0
>                                   Fax:    +49 231 9703-200
>       Dr. Michael Bauland         SIP:    Michael.Bauland@knipp.de
>       Software Development        E-mail: Michael.Bauland@knipp.de
> 
>                                   Register Court:
>                                   Amtsgericht Dortmund, HRB 13728
> 
>                                   Chief Executive Officers:
>                                   Dietmar Knipp, Elmar Knipp
> 
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext
>
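The registrar-side flow Yoshiro describes (scan the child's CDS RRset, provision the result through EPP) and the two status cases Michael asks about, worked through as an added example. This is not code from the thread, from JPRS, from Knipp, or from any registry or registrar. It assumes the CDS RDATA and the domain's EPP status list have already been fetched, and that DNSSEC validation of the CDS RRset has been done elsewhere and is passed in as a boolean; the `honor_client_lock` flag is a hypothetical policy switch that selects between the two readings of clientUpdateProhibited discussed above rather than deciding the question. The XML follows RFC 5731 (domain:update) and RFC 5910 (secDNS:update); the "0 0 0 00" delete signal is from RFC 8078.

```python
"""Registrar-side scanner: CDS RRset + EPP statuses -> EPP secDNS update decision.

Added example; not code from any registry or registrar. Assumptions: CDS RDATA,
EPP status list and the DNSSEC-validation verdict for the CDS RRset are obtained
elsewhere and handed in.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from xml.sax.saxutils import escape

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"        # RFC 5730
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"  # RFC 5731
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"  # RFC 5910


@dataclass(frozen=True)
class DS:
    key_tag: int
    alg: int
    digest_type: int
    digest: str


def parse_cds_rrset(rdata_lines: List[str]) -> List[DS]:
    """Parse CDS RDATA in presentation format (same fields as DS, RFC 7344)."""
    out = []
    for line in rdata_lines:
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed CDS RDATA: {line!r}")
        key_tag, alg, digest_type = (int(f) for f in fields[:3])
        digest = "".join(fields[3:]).upper()  # hex digest may be whitespace-split
        out.append(DS(key_tag, alg, digest_type, digest))
    return out


def is_delete_signal(rrset: List[DS]) -> bool:
    """RFC 8078 section 4: a lone 'CDS 0 0 0 00' asks the parent to remove the DS."""
    return len(rrset) == 1 and rrset[0] == DS(0, 0, 0, "00")


def epp_update(domain: str, cltrid: str, *, add_status: Optional[str] = None,
               rem_status: Optional[str] = None, ds: Optional[List[DS]] = None) -> str:
    """Build one <domain:update> (RFC 5731 child order: name, add, rem), optionally
    with a secDNS:update extension that replaces the whole DS set (rem all, add new)."""
    parts = [f'<domain:update xmlns:domain="{DOMAIN_NS}">',
             f"<domain:name>{escape(domain)}</domain:name>"]
    if add_status:
        parts.append(f'<domain:add><domain:status s="{add_status}"/></domain:add>')
    if rem_status:
        parts.append(f'<domain:rem><domain:status s="{rem_status}"/></domain:rem>')
    parts.append("</domain:update>")
    ext = ""
    if ds is not None:
        items = "".join(
            f"<secDNS:dsData><secDNS:keyTag>{r.key_tag}</secDNS:keyTag>"
            f"<secDNS:alg>{r.alg}</secDNS:alg>"
            f"<secDNS:digestType>{r.digest_type}</secDNS:digestType>"
            f"<secDNS:digest>{r.digest}</secDNS:digest></secDNS:dsData>" for r in ds)
        add = f"<secDNS:add>{items}</secDNS:add>" if items else ""
        ext = (f'<extension><secDNS:update xmlns:secDNS="{SECDNS_NS}">'
               f"<secDNS:rem><secDNS:all>true</secDNS:all></secDNS:rem>{add}"
               "</secDNS:update></extension>")
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<epp xmlns="{EPP_NS}"><command><update>{"".join(parts)}</update>'
            f"{ext}<clTRID>{escape(cltrid)}</clTRID></command></epp>")


@dataclass
class Decision:
    action: str                      # "update" or "skip"
    reason: str
    epp_commands: List[str] = field(default_factory=list)


def decide(domain: str, statuses: List[str], cds: List[DS], dnssec_valid: bool,
           current_ds: List[DS], honor_client_lock: bool) -> Decision:
    """Map a validated CDS RRset onto EPP commands, or say why nothing is sent.

    honor_client_lock (hypothetical policy switch): True treats clientUpdateProhibited
    as a hard stop; False treats it as the registrar's own safeguard, lifted only for
    the DS change and re-applied afterwards.
    """
    if not dnssec_valid:
        return Decision("skip", "CDS RRset did not validate; untrusted, ignored")
    if "serverUpdateProhibited" in statuses:
        return Decision("skip", "serverUpdateProhibited is the registry's lock; "
                                "an EPP update would be rejected")
    client_locked = "clientUpdateProhibited" in statuses
    if client_locked and honor_client_lock:
        return Decision("skip", "clientUpdateProhibited set and policy honours it")
    wanted = [] if is_delete_signal(cds) else sorted(
        set(cds), key=lambda r: (r.key_tag, r.alg, r.digest_type, r.digest))
    if set(wanted) == set(current_ds):
        return Decision("skip", "CDS already matches the published DS set")
    cmds = []
    if client_locked:
        # RFC 5731: while clientUpdateProhibited is set, only an update that removes
        # that status is accepted, so lift it, change the DS set, then re-apply it.
        cmds.append(epp_update(domain, f"{domain}-unlock", rem_status="clientUpdateProhibited"))
    cmds.append(epp_update(domain, f"{domain}-ds", ds=wanted))
    if client_locked:
        cmds.append(epp_update(domain, f"{domain}-relock", add_status="clientUpdateProhibited"))
    what = "remove DS (CDS delete signal)" if not wanted else f"publish {len(wanted)} DS record(s)"
    return Decision("update", what, cmds)


if __name__ == "__main__":
    # Constructed sample: one CDS record for a hypothetical algorithm-13 key.
    sample_cds = parse_cds_rrset(["12345 13 2 " + "AB" * 32])
    for statuses in (["ok"], ["clientUpdateProhibited"], ["serverUpdateProhibited"]):
        d = decide("example.com", statuses, sample_cds, True, [], honor_client_lock=False)
        print(statuses, "->", d.action, "|", d.reason, "|", len(d.epp_commands), "command(s)")
```

Two points the code makes explicit that the thread leaves implicit: a CDS RRset that has not been DNSSEC-validated against the currently published DS is never acted on, whatever the EPP statuses say; and because clientUpdateProhibited is the registrar's own lock, the registrar can carry the change through as an unlock, DS update, relock sequence, whereas serverUpdateProhibited cannot be lifted by the registrar at all, so the only safe action there is to skip and leave the CDS unprocessed.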