IETF Logo Mail Archive

Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)

"Gould, James" <jgould@verisign.com> Mon, 16 July 2018 17:58 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD1E130EF9 for <regext@ietfa.amsl.com>; Mon, 16 Jul 2018 10:58:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id haYYIA7npQWx for <regext@ietfa.amsl.com>; Mon, 16 Jul 2018 10:58:38 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F55A131172 for <regext@ietf.org>; Mon, 16 Jul 2018 10:58:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7702; q=dns/txt; s=VRSN; t=1531763918; h=from:to:date:message-id:content-id: content-transfer-encoding:mime-version:subject; bh=+7yH0uPRf5PIkdi7CrXgUnFeApW9Qk5Ui3ZTvAlX+8U=; b=gNcdEDhGgf7bsNDXc3iC8wAdZgnVMdc026H09JQJ1DK0fF3CrfpRQwH3 wUxmN9iatxCcHQH6CoMEsDdV4Z3fepp1TtqqP095Y+hu942gzCuFl62Li P4H5ZOlw6bcK2DqyRdIDLvwy5AIc6LqvVfrywU/V8VtihBnFgCSy0e+KA nlnI14QGI4SGwFP0AcpHFQpjcXPk0Amuytvi7QSOATMe/OOIfsPhRYkKw MAA7Kj3Z2l7kOAl4FzEd50F+pMQDEBz7g1Lmz6jNiwrxN8jqsrXMXCBO+ IJAh9RX7n0XUt4gIPw+uuef21TYkK5ngJ81Sfs2am5Fry5PlxUeGX7vh3 g==;
X-IronPort-AV: E=Sophos;i="5.51,362,1526356800"; d="scan'208";a="5211677"
IronPort-PHdr: 9a23:OB97RxctM4A2epSgiyVjVjqllGMj4u6mDksu8pMizoh2WeGdxc26ZxCN2/xhgRfzUJnB7Loc0qyK6/6mATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSizexfbJ/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4rx1QxH0ligIKz858HnWisNuiqJbvAmhrAF7z4LNfY2ZKOZycqbbcNgHR2ROQ9xRWjRBDI2icoUPE+QPM+VWoIn8u1QAohSxCBKwBOz0zz9EmmP60Lc43uknDArI3BYgH9ULsHnMotn7NaASUf2xzKbV1TnIcvdY1i346IfWaRAtr+yHULVyccrezkkvCgfFgUiLpIz7ITyVzOUNs3Oa7+pvU+KjkXIoqwZ0ojW2wMonl4fHhoUQyl/e9CV5xp44JcOmR05hYN6kC5pQty6cN4t3RMMtX3tktzo9yr0DoZK7fTYFyIgpxxLFbPyHaYeI7xT+X+iSOTd1nG9pdK6lixqv80WtxPfwWtS03VtEtCZInd3BumgQ2xDP8MSLV/lw8lu71TqS2A3e6ftILV03mKbDJZ4u3L09moYWvEnGBCD7m0H7g7STe0gq5OSn9uXqb7D9qZKYNoJ5iATzP6ogl8G9HOs1NBUFUXKB9uSmzrLj+FX0QLBNjvIrjKbUqIvaJcEHpq6hBA9Vz5oj5w6/Dzi41NQYmmEKIU9ZdhyfkoTmO0nALv/5AvujnVigiilryOzBPr37GpXBNGLMn6r7cbZj8U5c0wwzwcpD6JJTD7ENOPPzWknvu9zEFhI1LhC4z/z6BNh/2I4SQ3+DD6+XPa/IvlKF4vojI+yWa48UvDb9JeIl5/nrjXIhm18dcq6p3YYTaH+lBflmPVuWYWDtgtcaEGcKsQw+QPb2h12FVD5ff2yyUL4k5jEnFIKmCp/ORoW3j7ybwCe7H5tWanpaBV+WCnfnbYOEW/ASaC2IOcJhiTIFVbm9S4A91RGirhP1y7p/JOrO5iIYrY7j1MRy5+DLjxE96zN0ANqS0mGRVGx0n30HRyM43Kxlpkx90FiDguBEhKl9HMZP5vUBeQ4hPJjb0eUyX9X7QB7AeJGCQU2vRNK4CBkqUdMtyN9IaEYrX53olB3M0jq2K74Yi7LNA4Y7uOqIxXX+KtZh43fLyKdniEMpFJhhL2qj0+RQ8BXXC8qBsUycmr3gPfAe0ynQ8Gur02eUvVpZXwg2WqLACyNMLnDKpMj0sxuRB4SlDq4qZ04YkZaP
X-IPAS-Result: A2FhAwB320xb/zGZrQpZAxoBAQEBAQIBAQEBCAEBAQGDG4ERgScKg3KWTIM4kgEUgSsXHQcLGAsLg3hGGYJsNhYBAgEBAQEBAQIBAQKBBQyCNSQBDi8cLwgBBQEBAQEBAScBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEIAggHNRIBARkBBQEBDBURMQkdAQgYAgIRAQEMBwIEJQsVEgQBCQmDIAGCDqksgS6KQYELiU8+gTiCaoMZAQGBGx4RFgwLCgsTCAECgjcxgiQCmVwDBgKGCIJkgmmFE0ODTogRh32COgKHNAIEAgQFAhSBSASCAHAVOyoBgj4JghwXEYM0hRSFPm8NI4sdAg0egQGBGgEB
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Mon, 16 Jul 2018 13:58:36 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Mon, 16 Jul 2018 13:58:36 -0400
From: "Gould, James" <jgould@verisign.com>
To: Martin Casanova <martin.casanova@switch.ch>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
Thread-Index: AQHUHS6enyM1Hr/mKE+NYu3v4AdOGw==
Date: Mon, 16 Jul 2018 17:58:36 +0000
Message-ID: <1490ED7C-1EB9-4ABB-AA42-508A27FDAF12@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.e.1.180613
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D12684068F6B7440AC863D47400E4C98@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/VVRD613dJc4p_-SDbe27qwbQPP4>
Subject: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2018 17:58:49 -0000

Hopefully both Martin and Patrick will participate in the REGEXT working session on the Unhandled Namespaces.  

I agree that the DNSSEC extension falls into the unhandled namespace discussion; although the scenario is less severe than poll messages since a poll message can block the poll queue.  I believe that the login services defines what the server can return to the client, so if the client does not support the DNSSEC extension it is completely reasonable for the server not to return it.  If a client wants to see the DNSSEC information returned they should include the URI in their login services.  A client that can accept any extension back from the server can simply mirror the greeting services in the login services.  Returning the extension irrespective of the client services is not in line with the protocol.  Use of the <extValue> approach provides a middle ground of returning the information without breaking the services defined in the login services since it will not be parsed, validated, and marshalled by a validating client.  
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 7/16/18, 12:44 PM, "regext on behalf of Martin Casanova" <regext-bounces@ietf.org on behalf of martin.casanova@switch.ch> wrote:

    
    @Thoma Corte: Sorry if my formulation was not precise enough:
    
    “The precondition of this approach is, that we actually can ask all registrars to prepare their clients to at least tolerate new poll messages and to update their business logic in order to process the newly given information properly if they wish to do so.” 
    
    With this statement I wanted to support the  <extValue> approach. No (validating) client will have a  technical problem receiving such a message regardless of what was configured at login. But as I was speaking to a registrar he told me: “So far you only sent me outgoing transfer poll messages and thats all my client is prepared for. ” So in our case we need to announce to registrars that they should build tolerant clients to be prepared to also receive unexpected poll messages with content in <extValue> eg. also low balance notifications in the future.. And that not every poll message will be automatically an outgoing transfer notification anymore.
    
    @Patrick
    In deed, for domain info requests on DNSSec domains we so far left out the DNSSec part in the domain info response if the client was not DNSSec enabled at login. In the future this content could also be transmitted in the <extValue>. To me it falls also under the “unhandled namespace” problem.
    
    Martin Casanova
    ________________________________________
    Von: regext [regext-bounces@ietf.org]&quot; im Auftrag von &quot;Patrick Mevzek [pm@dotandco.com]
    Gesendet: Montag, 16. Juli 2018 18:02
    An: regext@ietf.org
    Betreff: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
    
    On Mon, Jul 16, 2018, at 17:41, Patrick Mevzek wrote:
    > This is indeed more pragmatic. But all this mechanism to define which
    > messages to accept
    > will be outside the EPP protocol and this WG.
    
    But please also remember that if we want to tackle this problem in a generic way (and also taking care of different servers and clients strategies regarding handling of namespaces and inline/offline parsing and use) it is not limited to a single extension (the thread started long ago with changePoll) nor in fact limited to poll messages.
    
    Imagine registrar A wanting to request a transfer from registrar B. In some registries it means that regitrar A can do a domain:info on the domain, with the authInfo to get access to all details, and specifically the contacts.
    But a domain can have a secDNS part in the domain:info reply.
    What happens if the registrar A did not login with the secDNS extension (maybe this case does not exist in gTLDs where DNSSEC is mandatory but again we have other registries cases to take into account)?
    
    Should the domain:info return an error? Return everything as is? Return everything but the secDNS part?
    
    The last case is the worst to me: some registrars may like not to support DNSSEC at all (and hence will not log in at all, or you have other cases where registries mandate specific tests to be "DNSSEC" accredited so it may not even be possible to log in with secDNS extension even if the registrar would like to) but, and especially for this, being able to detect beforehand if some client is trying to transfer to them a domain using DNSSEC, that they would like to refuse transferring.
    
    
    Of course the above is only one example with a domain:info and the secDNS extension but I am sure we can find others.
    
    This illustrates I think the distinction I made in earlier messages and the different semantic I attach to extensions listed as login: for me they are those that the client announce it will use. Of course, it has no control over messages or objects he is not the origin or the sponsor, all cases where other namespaces may appear.
    
    
    --
      Patrick Mevzek
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email