Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
"Gould, James" <jgould@verisign.com> Fri, 02 December 2022 13:07 UTC
Return-Path: <jgould@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8472C14F728 for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 05:07:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZH7DHskAi8g for <regext@ietfa.amsl.com>; Fri, 2 Dec 2022 05:07:30 -0800 (PST)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D467C14F741 for <regext@ietf.org>; Fri, 2 Dec 2022 05:07:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=5576; q=dns/txt; s=VRSN; t=1669986450; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=+BX3ssCpdSh/wb/jvitoxRyoLzVl2NmKAxQF0aenItQ=; b=e+H0P7fOXsxLb9Pr/ZSJvYfaogSpinmrXGacUkkNvB3v9/C4Ft5M4EqG LFlWcoY+NfR0i+VFeF78gy3dBxr8pS7BJUONBl1oW9PWBw7jVf6aleVTR x6ux/BwgpSJEVeO+uIvOD2grzecM2s/+HyeF4EDsl0rxcX4C/M3S89dHG /03ngNQ9UsAdAEHtl7eMa1UBGDiIvXlOS+uApyHR1FSeI/zM9pcbYkZf2 /W8aeyq6FX1S/iJr3Uy56gP0dX2N9+XYEBPcTmqIkQ+aohvB18nzHzYvZ C7PNq7B60zFIQWMGMH/0SnxO7G+t3IO7uVaAy9eYFDkyqzDDzxt7Cl+JX A==;
IronPort-Data: A9a23:SpPM1q6FYc+rJP80u9T+oQxRtFHGchMFZxGqfqrLsTDasY5as4F+v mZNWmqBPf/eYmfxf91zOY+1/EwD7ZKAzoNiSAI4/i02Eysa+MHIO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvymTras1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws LsemeWGULOe82MyYzx8B56r8ks15q2o4GlA5DTSWNgQ1LPgvyhNZH4gDfzpR5fIatE8NvK3Q e/F0Ia48gvxl/v6Ior4+lpTWhRiro/6ZWBiuFIPM0SRqkEqShgJ70oOHKF0hXF/0GzVwo8rm L2hgrTrIeshFvWkdO01DUEEQ3kmVUFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5ms vdIMRUfQCK/3fvsxuugVs5TvPoKFZy+VG8fkikIITDxJ8wAGK/lbpWSv5lG1zAqnoZHEbDAf dEfLzFoaXwsYTUWYhFOV8l4xbrzwCWuG9FbgAv9Sa4f4WfU0Qh9+KbgKtvOe9OMA85Smy50o 0qfrzujX0tGbbRzzxLc8nGTg+vKsRnrQa8rCJ6kz/NDnFickzl75Bo+EAHTTeOComu/UNJWJ khS0CMzqaE0+GSoSNjlR1u0rRaspBMTVspMO+w39A/LzbDbizt1HUAOVDgYd9orpJdsACc0z BmMnsisDzspuqeTEDSD7KyS6zi1PED5MFM/WMPNdiNdi/GLnW35pkinogpLeEJtsuDIJA==
IronPort-HdrOrdr: A9a23:egnlM63KVIaS4Ih2/4pNPgqjBJ8kLtp133Aq2lEZdPUMSL36qy g39M5rrSMc+wxhOk3I/urwQ5VoIEmsjKKdjrNxAV7PZmPbUQiTXftfBOnZowEIcheWnoVgPM xbH5SWfeefMbEMt6nHCWeDfurIi+P3lZxAzd2uq0uEB2tRGsZdBilCe2CmLnE=
X-IronPort-AV: E=Sophos;i="5.96,212,1665446400"; d="scan'208";a="18725241"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Fri, 2 Dec 2022 08:07:24 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.016; Fri, 2 Dec 2022 08:07:24 -0500
From: "Gould, James" <jgould@verisign.com>
To: "Michael.Bauland@knipp.de" <Michael.Bauland@knipp.de>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] CDS/CDNSKEY vs. EPP update prohibited
Thread-Index: AQHZBk8FTlYeMo0RJ0KPWpnqvEQh5w==
Date: Fri, 02 Dec 2022 13:07:24 +0000
Message-ID: <BA12A2A4-E92C-4F3A-BC03-3C879D27AE5B@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.66.22101101
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <1B11FCD960F4784FB8960EA3D49EA36D@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/_YehK5A7zQIrCWXt52RNYPU94RA>
Subject: Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 13:07:34 -0000
Michael, The prohibited statuses apply to client requests, which matches Case 2. The prohibited statuses can apply to client requests via multiple channels (e.g., EPP or Web UI). The prohibited statuses don't apply to server actions (e.g., auto renew, transitioning RGP statuses). Use of CDS/CDNSKEY records to signal a server-side change is an interesting case, where does posting CDS/CDNSKEY records represent a client request that is processed by the server asynchronously? I view the CDS/CDNSKEY as a new operation (e.g., DNSSEC automation update), supported by IETF RFCs, that does not apply to the existing EPP prohibited statuses. All domain changes come down to an update, but EPP included prohibited statuses on a per operation / command basis. I would then define Case 3, where CDS/CDNSKEY records represent is a new client operation that does not apply to the existing EPP prohibited statuses. If we did want to prohibit this new operation via EPP, then a new prohibited status would be warranted. -- JG James Gould Fellow Engineer jgould@Verisign.com <applewebdata://13890C55-AAE8-4BF3-A6CE-B4BA42740803/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 Verisign.com <http://verisigninc.com/> On 12/2/22, 6:41 AM, "regext on behalf of Michael Bauland" <regext-bounces@ietf.org on behalf of Michael.Bauland@knipp.de> wrote: Hello, I've recently come across a case in the context of CDS/CDNSKEY and I'm unsure what is the best/correct way to handle the situation. CDS/CDNSKEY records are meant to notify the registry about a change in the DS/DNSKEY records, similar to sending an EPP request. What should the registry do, if 1. the serverUpdateProhibited EPP state is set? 2. the clientUpdateProhibited EPP state is set? I tend to say that in Case 1, the domain may not be changed at all and as a consequence CDS/CDNSKEYs should be ignored. For Case 2 my preference is that this is only a kind of safeguard against unintended changes by the registrar, and the DNSSEC update is most likely intended and should go through. Furthermore, some registrars might set this state regularly, which would then take away the registrant's possibility to roll over their DNSKEY. This most likely is not intended. However, one could of course argue: update prohibited means update prohibited, and as long as that state is set, no changes (other than removing this state) should be possible. What do others think about these cases? Cheers, Michael -- ____________________________________________________________________ | | | knipp | Knipp Medien und Kommunikation GmbH ------- Technologiepark Martin-Schmeisser-Weg 9 44227 Dortmund Germany Dipl.-Informatiker Fon: +49 231 9703-0 Fax: +49 231 9703-200 Dr. Michael Bauland SIP: Michael.Bauland@knipp.de Software Development E-mail: Michael.Bauland@knipp.de Register Court: Amtsgericht Dortmund, HRB 13728 Chief Executive Officers: Dietmar Knipp, Elmar Knipp _______________________________________________ regext mailing list regext@ietf.org https://secure-web.cisco.com/1mEpKtXjsuVbK-xXNutAu2eLBX3bt-bjQqZChp1HEVcTMmoCcnfG_0hMFCo-Ofk6lXl_mTcEgh18oXp1y9xBCLBIC96tcHfPB2EzViMvxW7b5j7MPJ0Mmwlbi0E1p4cY-ho7Ovt1EDkg5DdwoskqCbaGAU0AEeESOH2-Zw3qYdWQruN3Wrvbt1WYQ7COdIo49RfNj5p2K_fzit1-pi_9yTtkVO8bl4Vok6E9VvpWGP2G8RhZhtB6Fr8LRi219iUiq6io42GCY1aX5J-qt52SPBvJsXQhqvz1q0GcNsZlPXX0/https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fregext
- [regext] CDS/CDNSKEY vs. EPP update prohibited Michael Bauland
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Hollenbeck, Scott
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Bill Woodcock
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Gould, James
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Michael Bauland
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Yoshiro YONEYA
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Hollenbeck, Scott
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Eric Skoglund
- Re: [regext] CDS/CDNSKEY vs. EPP update prohibited Andrew Newton