Re: [regext] [Ext] [DNSOP] Best Practices for Managing Existing Delegations When Deleting a Domain or Host
James Mitchell <james.mitchell@iana.org> Tue, 25 July 2023 21:39 UTC
Return-Path: <james.mitchell@iana.org>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4DC8C1519B3; Tue, 25 Jul 2023 14:39:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Level:
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7A3NvBWoRacC; Tue, 25 Jul 2023 14:39:46 -0700 (PDT)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A54EDC151545; Tue, 25 Jul 2023 14:39:46 -0700 (PDT)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa4.dc.icann.org (8.17.1.19/8.17.1.19) with ESMTPS id 36PLdjYs012533 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 25 Jul 2023 21:39:45 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.30; Tue, 25 Jul 2023 14:39:44 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.1118.030; Tue, 25 Jul 2023 14:39:44 -0700
From: James Mitchell <james.mitchell@iana.org>
To: "Hollenbeck, Scott" <shollenbeck=40verisign.com@dmarc.ietf.org>
CC: "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [Ext] [DNSOP] Best Practices for Managing Existing Delegations When Deleting a Domain or Host
Thread-Index: Adm0KsKfvYwccH2HTaWQGVmQWRjlNQBVLsoA
Date: Tue, 25 Jul 2023 21:39:44 +0000
Message-ID: <205E819D-ABFA-435C-8C23-1E0BE949AD64@iana.org>
References: <f22489a2b7c14b3bb4d250dabb4b5999@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: multipart/alternative; boundary="_000_205E819DABFA435C8C231E0BE949AD64ianaorg_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.591,FMLib:17.11.176.26 definitions=2023-07-25_12,2023-07-25_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/aE-Ri3zoS5nBk0IiRyn6IS_PxVc>
Subject: Re: [regext] [Ext] [DNSOP] Best Practices for Managing Existing Delegations When Deleting a Domain or Host
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2023 21:39:51 -0000
Feedback my own and not from IANA. If I recall correctly, the approach I took when building an EPP server several years ago was: * allow deletion of domains with linked subordinate hosts – there is no need to prevent this if the registrar can simply rename the subordinate hosts and free themselves of this restriction * when the domain is removed from DNS (deletion, but also client/serverHold) then the delegation and any glue is removed from the DNS – queries for the name result in NXDomain. I believe we left lame delegations from other domains for simplicity, but these lame nameservers could also have been pulled from the DNS. * when the domain is purged, purge all subordinate hosts, including all their nameserver associations, and remove those records from the DNS. At this point there are no NS records with target at or below the deleted domain - no lame delegations. * domains with one remaining name server remain published in the DNS It may be worth noting that we used a narrow glue policy - only publish glue address records for name servers below the delegation. A wide glue policy may require slightly different actions to prevent promoting glue records to authoritative. Host rename always seemed a dangerous operation – we ended up allowing it but restricted to renaming hosts within the same domain, eg ns1.example.com to nsa.example.com, but not to nsa.another-example.com. I was not okay with allowing a third-party registrar to prevent deletion of a domain by creating subordinate hosts, and I was not okay by allowing one registrar to change the delegation for another domain (through a rename outside the existing domain boundary). Best, James Mitchell On Jul 11, 2023, at 12:07 PM, Hollenbeck, Scott <shollenbeck=40verisign.com@dmarc.ietf.org> wrote: Folks, we could really use feedback from people with DNS expertise to help document a set of best practices for managing existing DNS delegations at the TLD level when EPP domain and host objects are deleted. As described in this draft: https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-hollenbeck-regext-epp-delete-bcp/__;!!PtGJab4!41ouVfZv-H-PkXJbxqURrX_y9d7JQb9SgFWJPcgp_h5k9ANClcwQBC_sayAWJb2Vf3GsszmkeckGNdzGeTAzkX7_dChe_p3b2Lnb-bPfrw$ [datatracker[.]ietf[.]org] EPP includes recommendations to not blindly delete objects associated with existing delegations because, among other reasons, doing so can lead to DNS resolution failure. That's led some domain name registrars to implement creative practices that expose domains to risks of both lame delegation [1] and management hijacking. The draft includes descriptions of current known practices and suggests that some should be avoided, some are candidates for "best", and there are others that haven't been used that might also be candidates for "best". The authors would like to learn if others agree with our assessments and/or can suggest improvements. Please help. ICANN's SSAC is also looking at this issue and expert opinions will help us improve DNS resolution resilience. I plan to mention this quickly at IETF-117 given that the WG agenda is already full, but on-list discussion would be extremely valuable. Scott [1] As described in draft-ietf-dnsop-rfc8499bis. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/dnsop__;!!PtGJab4!41ouVfZv-H-PkXJbxqURrX_y9d7JQb9SgFWJPcgp_h5k9ANClcwQBC_sayAWJb2Vf3GsszmkeckGNdzGeTAzkX7_dChe_p3b2Ll6XinPdw$ [ietf[.]org]
- Re: [regext] [DNSOP] Best Practices for Managing … Andrew Newton
- Re: [regext] [DNSOP] Best Practices for Managing … Hollenbeck, Scott
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… James Mitchell
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… Q Misell
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… Peter Thomassen
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… James Mitchell
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… Gould, James
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… Peter Thomassen
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… Gould, James
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… James Mitchell
- Re: [regext] [Ext] [DNSOP] Best Practices for Man… Gould, James