Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
"Hollenbeck, Scott" <shollenbeck@verisign.com> Fri, 02 December 2022 14:13 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF241C14F6EB for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 06:13:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cNO5TqmOqw6r for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 06:13:49 -0800 (PST)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3B76C14F6E5 for <regext@ietf.org>; Fri, 2 Dec 2022 06:13:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=2584; q=dns/txt; s=VRSN; t=1669990429; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=dDgtOSAuLgQPQREpnlhrGo0bfxyqZRCwN63FpD3VC4I=; b=M4wxFr4I8ZplHrsLu+Ib3iXOtfQvPoTL4GeRTZ/LatA0gQDmvuXVtScx wrlywSIna/F2NxdVBjzmQWcr9TqSC6sNRMUVRVW69d1iP2y/87T5OqffC 3pxkoZmqCBcppt9HBtOU98U1u9kQgutDbi0OTehg6n+GA7vugx8R5cIQZ bPoX7ylN10oKPQfaGzFNVr9BDoUBGXGiDqLPvDagUFyu4uG0zitvaT1AO iBRbSvbxIBIYKamNpuOapl/1FjVC8Z7wFkdLpOE9XcdO80BJ6kSZulz3D HrgtD8UE6n3lthjhH6IxlXG7fY82VwSOJdo0Q8I8aI6jxr5U+7pQdo/Df Q==;
IronPort-Data: A9a23:VG8vCai2yzeGigT8Wp40SgSqX161FBEKZh0ujC45NGQN5FlHY01je htvCDqEbP2PMTOkKt5zaIyxpE0Cu8KGmtZnGVQ5pC1mEi8W8JqUDtmndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrSCYkidfCc8IA85kxVvhuUltYBhhNm9Emult Mj7yyHlEAbNNwVcbyRFtcpvlDs15K6o4WlA5ARkDRx2lAS2e0c9Xcp3yZ6ZciOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0G2M80Mi+7vR3Sxowsl 48d3XCHYVxB0qXkwIzxWjEGS30uZfUuFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tRCDB8DUTPavdn1+++hYNJG18koMNn0adZ3VnFIlVk1DN4Me7aafIPn1YcBmik7gdpWW//SI dQDcjwpZxPFC/FNEg5PTsthx6Hx2yK5L20wRFG9/MLb50DIzAt11LXrOtfeefSUSN9UhUeXo CTN+GGR7hQybYzAk2TarSjEaunnmB/6ZbsvG7KE5qA2sASW9EgqIj8wWg7uyRW+ogvkMz5FE GQx+yEupKU2smaiU930WRGQo3iFpgZaV9c4O/c35wyd1oLV7hqXQG8eQVZ8hMcOvtUwHCMs2 0/RxpbyGyYptbyODHiasL2Oq2r0JzIOKykJYipsoRY53uQPabob1nrnJuuP2obs5jEpMVkcG wy3kRU=
IronPort-HdrOrdr: A9a23:0YUihKwByzJ5i8NmmMtnKrPw8b1zdoMgy1knxilNoHtuA6mlfq GV7ZYmPHDP6Ar5NEtPpTniAsa9qBrnnPZICOIqTNSftWfd2VeAHcVN4Yzv2DX8FyC73f4178 tdWpk7LNHrF1B1gYLZ7BnQKbwd6ejC1Kyzn+/RwzNWUAdwZ8hbgjtREAqBDUFsfgVACKc4EJ b03KF6mwY=
X-IronPort-AV: E=Sophos;i="5.96,212,1665446400"; d="scan'208";a="18726772"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Fri, 2 Dec 2022 09:13:47 -0500
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2507.016; Fri, 2 Dec 2022 09:13:47 -0500
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "Michael.Bauland@knipp.de" <Michael.Bauland@knipp.de>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
Thread-Index: AQHZBk8FTlYeMo0RJ0KPWpnqvEQh565a8myA//+tdDA=
Date: Fri, 02 Dec 2022 14:13:46 +0000
Message-ID: <80fce0b921724d48852fd3b90ac458d2@verisign.com>
References: <BA12A2A4-E92C-4F3A-BC03-3C879D27AE5B@verisign.com> <03f1b413-60a4-ed38-c709-58c21eb83445@knipp.de>
In-Reply-To: <03f1b413-60a4-ed38-c709-58c21eb83445@knipp.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/E23UNsPf7Gv1r4RZOGU-EV2quyE>
Subject: Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 14:13:54 -0000
> -----Original Message----- > From: regext <regext-bounces@ietf.org> On Behalf Of Michael Bauland > Sent: Friday, December 2, 2022 8:55 AM > To: regext@ietf.org > Subject: [EXTERNAL] Re: [regext] CDS/CDNSKEY vs. EPP update prohibited > > Caution: This email originated from outside the organization. Do not click > links > or open attachments unless you recognize the sender and know the content is > safe. > > Hi, > > On 02.12.2022 14:07, Gould, James wrote: > > Michael, > > > > The prohibited statuses apply to client requests, which matches Case 2. > > The > prohibited statuses can apply to client requests via multiple channels > (e.g., EPP > or Web UI). The prohibited statuses don't apply to server actions (e.g., > auto > renew, transitioning RGP statuses). Use of CDS/CDNSKEY records to signal a > server-side change is an interesting case, where does posting CDS/CDNSKEY > records represent a client request that is processed by the server > asynchronously? I view the CDS/CDNSKEY as a new operation (e.g., DNSSEC > automation update), supported by IETF RFCs, that does not apply to the > existing > EPP prohibited statuses. All domain changes come down to an update, but EPP > included prohibited statuses on a per operation / command basis. > > > > I would then define Case 3, where CDS/CDNSKEY records represent is a new > client operation that does not apply to the existing EPP prohibited > statuses. If > we did want to prohibit this new operation via EPP, then a new prohibited > status would be warranted. > > I tend to agree. Changing the DNSSEC data here is not an operation > requested/initiated by the client (i.e., registrar), but it's something the > server > (registry) does, because it got triggered via the DNS. For this reason the > clientUpdateProhibited flag should be ignored. [SAH] You can't assume that "client" always means "registrar". That's precisely why you don't see the word "registrar" in the specification. Note, also, what 5731 actually says about the status (the other RFCs say the same thing): "Status values that can be added or removed by a client are prefixed with "client"." It's about who can manage the status value. It's not about who can perform the update. "Requests to update the object (other than to remove this status) MUST be rejected." Again, there's nothing here about *who* is performing the update. This use case is covered by the existing specification text. Scott
- [regext] CDS/CDNSKEY vs. EPP update prohibited Michael Bauland
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Hollenbeck, Scott
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Bill Woodcock
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Gould, James
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Michael Bauland
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Yoshiro YONEYA
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Hollenbeck, Scott
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Eric Skoglund
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Andrew Newton