Return-Path: X-Original-To: regext@ietfa.amsl.com Delivered-To: regext@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34974C14F71D; Mon, 15 Jul 2024 05:08:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.208 X-Spam-Level: X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcS6rvfUgGAE; Mon, 15 Jul 2024 05:08:08 -0700 (PDT) Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F023C14F6B8; Mon, 15 Jul 2024 05:08:08 -0700 (PDT) Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa2.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 46FC87S9006203 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 15 Jul 2024 12:08:07 GMT Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Mon, 15 Jul 2024 05:08:06 -0700 Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.034; Mon, 15 Jul 2024 05:08:06 -0700 From: Gavin Brown To: Orie Steele Thread-Topic: [regext] Re: [Ext] AD Evaluation: draft-ietf-regext-epp-ttl-14 Thread-Index: AQHazAZL5cvEIvhSc0CZ4v8KssxBibHzXK2AgADLs4CABBQ3gA== Date: Mon, 15 Jul 2024 12:08:06 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [192.0.47.234] x-source-routing-agent: True Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-15_06,2024-07-11_01,2024-05-17_01 Message-ID-Hash: MRCASG6UPY2VUTFMNVRJUHJ3AKNORUJE X-Message-ID-Hash: MRCASG6UPY2VUTFMNVRJUHJ3AKNORUJE X-MailFrom: gavin.brown@icann.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-regext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Registration Protocols Extensions , "draft-ietf-regext-epp-ttl@ietf.org" X-Mailman-Version: 3.3.9rc4 Precedence: list Subject: =?utf-8?q?=5Bregext=5D_Re=3A_=5BExt=5D_AD_Evaluation=3A_draft-ietf-regext-ep?= =?utf-8?q?p-ttl-14?= List-Id: Registration Protocols Extensions Working Group Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Hi Orie, comments below. I will shortly publish a new version with the amendments discussed in this = thread. > On 12 Jul 2024, at 22:50, Orie Steele wrote: >=20 > Gavin, thanks for your comments. >=20 > Nothing major or blocking here, but still some clarifying questions on my= side. >=20 > Inline replies: [snip] > > > Consider a record that is already registered with IANA, TLSA for exam= ple. >=20 > > As I understand it, TLSA is not appropriate for publication at a delega= tion point, so using TLSA here would not make any more sense than DELEG. Pe= rhaps this should just be some placeholder value, such as MYCUSTOMTYPE? >=20 > > Elsewhere in the document it states the record must be registered, so p= roviding an example that is registered seems better than a placeholder valu= e for an example. >=20 > I don't have strong opinions on this, but I think DELEG is not a good cho= ice, because it is a work in progress. OK, I have settled on "NEWRRTYPE" and will use that. > > ### Are 2 modes really needed? > >=20 > > ``` > > 308 It has a single OPTIONAL policy attribute, which takes a boolean > > 309 value with a default value of false. > > ``` > >=20 > > Should this be interpreted as Default Mode is mandatory to support and = Policy Mode is optional? >=20 > No. The text extract only describes the permitted XML syntax of the exten= sion elements. >=20 > By default, an command just returns information about the specifie= d object. The purpose of the Policy Mode is to allow the client to a= lso determine the server policy, that is, the supported DNS record types an= d the corresponding min, default and max TTL values. >=20 > Is it the case that servers always have a policy, but that it is just not= always requested? Yes, servers will always have a policy. Or rather, they will need to decide= what the values of the "min" and "max" attributes should be as part of the= implementation of this extension (the "default" TTL is whatever value is a= lready used for a given record type). > I'm imagining an implementer who might just prefer to implement one solut= ion, and get back extra info which they ignore when they don't care. > It feels like there could be a reduction in implementation burden here, a= m I wrong about that? Client implementers may well implement a "policy mode by default" approach,= that's their choice. A previous version of this document included policy information in all responses, but feedback from the WG was that it should only be included = when specifically requested. > > Is Policy Mode supported by `` and `` ? > >=20 > > I assume the answer is yes, but explicit examples might make this clear= er. >=20 > No, only. In the document, Default Mode and Policy Mode are only s= pecified in the context of the command. >=20 > I see... mutations are only setting the ttl value, and the responses neve= r include the policy information. Correct. > > > ### When can servers ignore the host attribute? > > >=20 > > > ``` > > > 771 EPP servers that use the "host attribute" model SHOULD use any = A and/ > > > 772 or AAAA TTL values specified for the domain object when publish= ing > > > 773 NS, A and AAAA records derived from host attributes. > > > ``` > > >=20 > > > When can this SHOULD be ignored? Why not MUST? >=20 > > This is basically saying the same thing as the preceding paragraph, jus= t in the scenario where an EPP server uses host attributes rather than host= objects. See Section 1.1 of RFC 5731 for an explanation of the difference. >=20 > Thanks, this took a few readings for me to understand, the reason this is= not a MUST is the same. >=20 > You may consider adding a sentence at the end to tie both of these SHOULD= s to section 4, like: >=20 > Regardless of if "host attributes" or "host objects" are in use, Section = 4 explains that TTL values can change out of band. >=20 > This is probably obvious to people with more experience with EPP though. These paragraphs appear immediately before Section 4, so I am not sure addi= ng something is needed.=20 > > ### Operational considerations > >=20 > > ``` > > 796 Historically, registry operators have used a global TTL value for= all > > 797 delegations within their zones, which could then be tuned to an > > 798 optimum value. > > ``` > >=20 > > Is this a recommendation? Can it be turned into one or removed? >=20 > It's not a recommendation, just a description of historical practice. It = could be removed. >=20 > This reads to me as a recommendation, if you are not trying to recommend = implementers continue this trend, I suggest removing it.=20 Will do (or rather, have done). > =20 > > ``` > > 800 Registry operators SHOULD implement limits on the maximum and min= imum > > 801 accepted TTL values that are narrower than the values permitted i= n > > 802 the XML schema in the Formal syntax (which were chosen to allow a= ny > > 803 TTL permitted in DNS records), in order to prevent scenarios wher= e an > > 804 excessively high or low TTL causes operational issues on either s= ide > > 805 of the zone cut. > > ``` > >=20 > > This feels like it is in conflict with the Default Mode, which is manda= tory to support? >=20 > This is not correct. "Default Mode" provides clients with a way to discov= er the current TTL settings for an object (as opposed to "Policy Mode" whic= h also returns the server policy, see above). These two modes, which only a= pply to the command, are not intended to, and indeed cannot, effect = the server's ability to implement its own policy in relation to TTL values. >=20 > Does this sentence imply then that there always exists a server policy, e= ven if it's not requested in the info command? Yes, servers will always have a policy. Or rather, they will need to decide= what the values of the "min" and "max" attributes should be as part of the= implementation of this extension (the "default" TTL is whatever value is a= lready used for a given record type). > > > ### additional security considerations for ttl > > >=20 > > > Consider commenting on the impact of TTL on DDoS. > > > Consider commenting on the impact of TTL on DNS Spoofing. > > > Consider commenting on the impact of TTL on DNS Cache Poisoning. >=20 > > I don't believe this draft has any implications on these topics. If you= think it might, then I think I would want to get input from DNSOP and/or t= he DNS Directorate. >=20 > I see your point. The draft simply describes an extension to EPP which en= ables clients to manage TTL. >=20 > Since you comment on the impact of choice of TTL value in security consid= erations in relation to fast flux, I wondered if you should comment on the = choice of TTL and its impact on these topics. >=20 > Seems fine to leave off these considerations since they are not specific = to this EPP extension, but TTL in general. Noted. G. -- Gavin Brown Principal Engineer, Global Domains & Strategy Internet Corporation for Assigned Names and Numbers (ICANN) https://www.icann.org