IETF Logo Mail Archive

Re: [regext] [Ext] [DNSOP] Best Practices for Managing Existing Delegations When Deleting a Domain or Host

Q Misell <q@as207960.net> Tue, 25 July 2023 22:05 UTC

Return-Path: <q@as207960.net>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80586C151AE3 for <regext@ietfa.amsl.com>; Tue, 25 Jul 2023 15:05:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qo4nEwyksSd5 for <regext@ietfa.amsl.com>; Tue, 25 Jul 2023 15:04:57 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5DF1C151AE0 for <regext@ietf.org>; Tue, 25 Jul 2023 15:04:56 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-98de21518fbso984927666b.0 for <regext@ietf.org>; Tue, 25 Jul 2023 15:04:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1690322695; x=1690927495; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=iREpzabp+jrQX7xzaTFMqxumyMasWSYC9zSTYJuKF/I=; b=W3bDyYCx8WrFsxhjNYjITaASOYFjOu+LRxqKJSmaTJNoW5bPIgLbKf0akVWus2fMsS Gduky8VZ4H2ON+7fwf89+txNTMlVo3eOiHfxJu4bWmN1TBH75maWQ+MSsULw0xsAX00c S5ZSDUL1bUIFzBGp9Eb7hICIwqVAUMutlkrL0odtJ149uvHyMtMsTtp8oFi6Xgx4UFi1 Il+0QjYLPmQcsuKPu7g5uN7sXVmuEwRuycoTfp4/OzuoJ/8Lepw1qFe/K/VC52lXGtlb 6U7GZ+85v1GJH6vlby5uLLE+XC3FttBBAp5wPhQYCg35EzfwiQdwuV/yMvvh6cDxwNnB bg0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690322695; x=1690927495; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=iREpzabp+jrQX7xzaTFMqxumyMasWSYC9zSTYJuKF/I=; b=f6S0TOUD8nc/zmU+/h8bKYh35RgHpHur53G/PEbw27niMpyVBqy+sodTjFtYlYMA4u fOs2un4Uy/MlOBUaWLtjtgyFvLVnOQmIhlYRfE/xkrqCYePNSXyTinmDvAbHi/5yAgB4 tatjbzWkdndRpPOqFKRYBuNDZwUGCoIcdaJtVu+fCO8J+ADX4Ib5PXiiQ6yGn49f/B2d KtXiaOxqntHYgq742jWDpUGDbmRQ9wPjOsVsdn2g/N63PPRjKzeh5qU6D+/2QXSDDg0L 3aW0vorlAx11YdIMvEnhg2cR+NNQooOvHu7rNbkdvhbsqfR1nfaNPVdTLf3nRMho7HHw AdLw==
X-Gm-Message-State: ABy/qLbePKdoCLkfoDgev5mpg1UcF6tfrgI7SQEAr8KJuPe9/sC/0qsA 7twAZBHM7iOAOVNGXuZItGgOYwViHiH0tYhSoYUd8z2MODrXwiUVz/ZcK3oD
X-Google-Smtp-Source: APBJJlElqxnscSIE5NKdRrPPe78b8PhcNQQJ85QJNGAPPIEgTYYOvjXv3skKGwIsoUXMqeJLy897uaw8dsJKqafsqak=
X-Received: by 2002:a17:906:7791:b0:99b:237e:6ee with SMTP id s17-20020a170906779100b0099b237e06eemr101103ejm.30.1690322695168; Tue, 25 Jul 2023 15:04:55 -0700 (PDT)
MIME-Version: 1.0
References: <f22489a2b7c14b3bb4d250dabb4b5999@verisign.com> <205E819D-ABFA-435C-8C23-1E0BE949AD64@iana.org>
In-Reply-To: <205E819D-ABFA-435C-8C23-1E0BE949AD64@iana.org>
From: Q Misell <q@as207960.net>
Date: Tue, 25 Jul 2023 15:04:18 -0700
Message-ID: <CAMEWqGs0+oBY8gjRFufQvnAwQYvp0uQkjq5BzzEJJ-cT0v=UcQ@mail.gmail.com>
To: James Mitchell <james.mitchell@iana.org>
Cc: "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>, "regext@ietf.org" <regext@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cd35ba060156eb61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/KHtqxoH1dxU_kXfzS8_Lk3lP1p0>
Subject: Re: [regext] [Ext] [DNSOP] Best Practices for Managing Existing Delegations When Deleting a Domain or Host
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2023 22:05:01 -0000

> Host rename always seemed a dangerous operation

Why so?
------------------------------

Any statements contained in this email are personal to the author and are
not necessarily the statements of the company unless specifically stated.
AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
registered in Wales under № 12417574
<https://find-and-update.company-information.service.gov.uk/company/12417574>,
LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876
<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU
VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №:
522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru
maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca
Digital, is a company registered in Estonia under № 16755226. Estonian VAT
№: EE102625532. Glauca Digital and the Glauca logo are registered
trademarks in the UK, under № UK00003718474 and № UK00003718468,
respectively.


On Tue, 25 Jul 2023 at 14:39, James Mitchell <james.mitchell@iana.org>
wrote:

> Feedback my own and not from IANA.
>
>
>
> If I recall correctly, the approach I took when building an EPP server
> several years ago was:
>
>    - allow deletion of domains with linked subordinate hosts – there is
>    no need to prevent this if the registrar can simply rename the subordinate
>    hosts and free themselves of this restriction
>    - when the domain is removed from DNS (deletion, but also
>    client/serverHold) then the delegation and any glue is removed from the DNS
>    – queries for the name result in NXDomain. I believe we left lame
>    delegations from other domains for simplicity, but these lame nameservers
>    could also have been pulled from the DNS.
>    - when the domain is purged, purge all subordinate hosts, including
>    all their nameserver associations, and remove those records from the DNS.
>    At this point there are no NS records with target at or below the deleted
>    domain - no lame delegations.
>    - domains with one remaining name server remain published in the DNS
>
>
>
> It may be worth noting that we used a narrow glue policy - only publish
> glue address records for name servers below the delegation. A wide glue
> policy may require slightly different actions to prevent promoting glue
> records to authoritative.
>
>
>
> Host rename always seemed a dangerous operation – we ended up allowing it
> but restricted to renaming hosts within the same domain, eg
> ns1.example.com to nsa.example.com, but not to nsa.another-example.com.
>
>
>
> I was not okay with allowing a third-party registrar to prevent deletion
> of a domain by creating subordinate hosts, and I was not okay by allowing
> one registrar to change the delegation for another domain (through a rename
> outside the existing domain boundary).
>
>
>
> Best,
>
> James Mitchell
>
>
>
> On Jul 11, 2023, at 12:07 PM, Hollenbeck, Scott <shollenbeck=
> 40verisign.com@dmarc.ietf.org> wrote:
>
> Folks, we could really use feedback from people with DNS expertise to help
> document a set of best practices for managing existing DNS delegations at
> the
> TLD level when EPP domain and host objects are deleted. As described in
> this
> draft:
>
>
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-hollenbeck-regext-epp-delete-bcp/__;!!PtGJab4!41ouVfZv-H-PkXJbxqURrX_y9d7JQb9SgFWJPcgp_h5k9ANClcwQBC_sayAWJb2Vf3GsszmkeckGNdzGeTAzkX7_dChe_p3b2Lnb-bPfrw$
> [datatracker[.]ietf[.]org]
>
> EPP includes recommendations to not blindly delete objects associated with
> existing delegations because, among other reasons, doing so can lead to
> DNS
> resolution failure. That's led some domain name registrars to implement
> creative practices that expose domains to risks of both lame delegation
> [1]
> and management hijacking. The draft includes descriptions of current known
> practices and suggests that some should be avoided, some are candidates
> for
> "best", and there are others that haven't been used that might also be
> candidates for "best". The authors would like to learn if others agree
> with
> our assessments and/or can suggest improvements.
>
> Please help. ICANN's SSAC is also looking at this issue and expert
> opinions
> will help us improve DNS resolution resilience. I plan to mention this
> quickly
> at IETF-117 given that the WG agenda is already full, but on-list
> discussion
> would be extremely valuable.
>
> Scott
>
> [1] As described in draft-ietf-dnsop-rfc8499bis.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/dnsop__;!!PtGJab4!41ouVfZv-H-PkXJbxqURrX_y9d7JQb9SgFWJPcgp_h5k9ANClcwQBC_sayAWJb2Vf3GsszmkeckGNdzGeTAzkX7_dChe_p3b2Ll6XinPdw$
> [ietf[.]org]
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext
>

v2.23.0 | Report a Bug | By Email