IETF Logo Mail Archive

Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)

Jody Kolker <jkolker@godaddy.com> Mon, 16 July 2018 19:48 UTC

Return-Path: <jkolker@godaddy.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C7F0130DED for <regext@ietfa.amsl.com>; Mon, 16 Jul 2018 12:48:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=secureservernet.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l6lEqg088I7t for <regext@ietfa.amsl.com>; Mon, 16 Jul 2018 12:48:25 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0118.outbound.protection.outlook.com [104.47.36.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BC981311EA for <regext@ietf.org>; Mon, 16 Jul 2018 12:48:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secureservernet.onmicrosoft.com; s=selector1-godaddy-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CxhCqM4mtkNZ617Mr4eB4b6vsvIPPs14FHwo7FS5bW4=; b=WlAWXGapkLvjgeDrrmZs76M210zQrvR6h717eVXUcHlNZgrgBkegir5ZzjGJPHNwE9548JbGy8danDC35FVOkXMcReTJED3TVucGJMJu0JAlMfmNbRqm4LdYEV74Fd8826nHh+smCn5DcpdlhTY/Ym/vfv6LYh0OmYm5fuzKaOU=
Received: from DM6PR02MB4252.namprd02.prod.outlook.com (20.176.83.33) by DM6PR02MB4556.namprd02.prod.outlook.com (20.176.107.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.17; Mon, 16 Jul 2018 19:48:23 +0000
Received: from DM6PR02MB4252.namprd02.prod.outlook.com ([fe80::f46a:d096:3458:cd4e]) by DM6PR02MB4252.namprd02.prod.outlook.com ([fe80::f46a:d096:3458:cd4e%5]) with mapi id 15.20.0952.021; Mon, 16 Jul 2018 19:48:23 +0000
From: Jody Kolker <jkolker@godaddy.com>
To: Martin Casanova <martin.casanova@switch.ch>, Patrick Mevzek <pm@dotandco.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
Thread-Index: AQHUHS6enyM1Hr/mKE+NYu3v4AdOG6SSLDCAgAAKQYCAAAl/MA==
Date: Mon, 16 Jul 2018 19:48:23 +0000
Message-ID: <DM6PR02MB4252E2E9139017BC4448E077BF5D0@DM6PR02MB4252.namprd02.prod.outlook.com>
References: <1490ED7C-1EB9-4ABB-AA42-508A27FDAF12@verisign.com>, <1531765917.597855.1442619128.1D29C36A@webmail.messagingengine.com> <76E9BFB72652A04F93B1151E087E53380262AB04@MBX117.d.ethz.ch>
In-Reply-To: <76E9BFB72652A04F93B1151E087E53380262AB04@MBX117.d.ethz.ch>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jkolker@godaddy.com;
x-originating-ip: [173.16.168.49]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR02MB4556; 7:6ZF0qxQe9uwjI2tHXFgQF6NyhuYXcYhuhoZGIyH+5PP4WzCSmEexhgPZjjqUvn0DAtrn+5Fb8i6JwM0+VhnvgjP3nO417jiPy77me3/N1YBSB8N31UXa2YzGKx4tXjjm1LMVWPjt2I0AqOuKxXwdJmVigFs0tzd4MkFTS+48nuq85scjwKCf75FJqDgbzyIUlHeXks12rVWSJ6ME7t4wayAsTpf3AKN4cxIjFcvkgpvmcmoBkpdOggfIA/jFlov3
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 513e1985-0313-437f-9aa5-08d5eb551722
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(48565401081)(2017052603328)(7153060)(7193020); SRVR:DM6PR02MB4556;
x-ms-traffictypediagnostic: DM6PR02MB4556:
x-microsoft-antispam-prvs: <DM6PR02MB45569F354B99209F8ACD4253BF5D0@DM6PR02MB4556.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(3231311)(944501410)(52105095)(10201501046)(6055026)(149027)(150027)(6041310)(20161123562045)(20161123558120)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:DM6PR02MB4556; BCL:0; PCL:0; RULEID:; SRVR:DM6PR02MB4556;
x-forefront-prvs: 073515755F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(346002)(376002)(366004)(396003)(136003)(45074003)(189003)(199004)(13464003)(105586002)(66066001)(53936002)(5660300001)(110136005)(316002)(106356001)(99286004)(5250100002)(97736004)(15650500001)(26005)(8936002)(186003)(2501003)(14444005)(256004)(966005)(7736002)(81156014)(74316002)(305945005)(14454004)(8676002)(6506007)(476003)(11346002)(446003)(6246003)(76176011)(81166006)(102836004)(7696005)(486006)(53546011)(478600001)(2900100001)(25786009)(55016002)(6436002)(6306002)(2906002)(229853002)(9686003)(6116002)(3846002)(68736007)(86362001)(33656002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR02MB4556; H:DM6PR02MB4252.namprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: godaddy.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: prER/9S8gwXOphjvILS4NV7J9M+1BLWWrixpTSEhpgUbfKqlS8f+VFubMXGSb5UXMbtBlCR5Wna89TbRxi/HSujYKBr9S0VS2cGfzpScqSpPQJlR2+Nx02/NtUJ9i0ccvUJJsefk9NodAbIF9wku9FRwWf28SVIHW1ba37pTkFbilwc8GPdtoE/feaA3k8+6u8dO5Qqw+F6bV+IGN7zhBCddPHn9NbIJ9uvvGPCpv/9L2ziseSnHtWr8d1oQjT37uhwefuStQkN6EF6PC2wtfwwvZ6c4fiRyJr13xPBWiTPEg053qfNUIddml7Fc5CGlDrAJlpspxqKTHmYsnMyDIRkRXA8clouLDxIV8mf+rEw=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: godaddy.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 513e1985-0313-437f-9aa5-08d5eb551722
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Jul 2018 19:48:23.4703 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d5f1622b-14a3-45a6-b069-003f8dc4851f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR02MB4556
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/CaybZ1e6aFqwynaDllFcNLuUY5k>
Subject: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2018 19:48:32 -0000

Hi Martin,

<<
As a matter of fact we will have to over think this rule now because with CDS DNSSec Data can be configured by the DNS-Operator of a domain as well (which does not need to be the registrar) . So a domain of a non DNSSec accredited registrar could end up with  DNSSec data. In case he is DNSSec accredited he might be interested to keep his DNSSec Data synchronized with the data at the registry originated by CDS. That is exactly our use case where we want to use the change poll extension.
>>

How does DNSSEC data get configured by the DNS-Operator of a domain if the DNS-Operator is not the registrar?  Is the DNSSEC data set without the registrar knowing it was added?  If so, how?

Thanks,
Jody Kolker


-----Original Message-----
From: regext <regext-bounces@ietf.org> On Behalf Of Martin Casanova
Sent: Monday, July 16, 2018 2:09 PM
To: Patrick Mevzek <pm@dotandco.com>; regext@ietf.org
Subject: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)

Patrick

To be clear the domain info response will be sent just without the DNSSec part. Therefore a not DNSSec interested registrar will just not see the DNSSec configuration but all the rest of the domain info resData. I don't see a problem with that.

In our case a registrar currently needs to be accredited by us (DNSEC_ENABLED) in order to successfully login with DNSSec extension configured and he will only be able to transfer a DNSSec domain to him if the configured DNSSec at login. 

In case he is DNSSec enabled but still logs in without this extension he will get a failure with error message similar to  "Not allowed to transfer DNSSec Domain" when trying to transfer a DNSSec domain to him.

So actually there is a way to know why it didn't work for him.

As a matter of fact we will have to over think this rule now because with CDS DNSSec Data can be configured by the DNS-Operator of a domain as well (which does not need to be the registrar) . So a domain of a non DNSSec accredited registrar could end up with  DNSSec data. In case he is DNSSec accredited he might be interested to keep his DNSSec Data synchronized with the data at the registry originated by CDS. That is exactly our use case where we want to use the change poll extension.

Martin
________________________________________
Von: regext [regext-bounces@ietf.org]&quot; im Auftrag von &quot;Patrick Mevzek [pm@dotandco.com]
Gesendet: Montag, 16. Juli 2018 20:31
An: regext@ietf.org
Betreff: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)

On Mon, Jul 16, 2018, at 19:58, Gould, James wrote:
> I believe that the login
> services defines what the server can return to the client, so if the 
> client does not support the DNSSEC extension it is completely 
> reasonable for the server not to return it.  If a client wants to see 
> the DNSSEC information returned they should include the URI in their 
> login services.

James, please, again, take into account some real life examples that happen today:

registries restrict the use of secDNS at login for only the registrars having passed a specific accreditation test (trying to login with it without prior registry vetting triggers an authentication error, so the registrar can only do its business if it removes this extension from list at login) thus, in your case (just removing the content), a registrar not wanting to do DNSSEC and not wanting to transfer to him a currently DNSSEC-enabled domain will have no way to know that.

And saying to registrars: "then pass registry accreditation tests to be able to login with secDNS and see **others** domain names with secDNS data while you do not want to do any DNSSEC related stuff", is certainly not going to fly...

As long as we take into account only some cases and not others we will never be able to deliver an extension used by multiple registries.
Also, before anything happen I will be very interested by intention of support (which means deployment) from registries.

Otherwise, like I said, this problem exists since EPP started so it is not new, and it seems the current status quo fits most of the player (due to the number of people having participated here), so we are maybe devoting resources to trying to design something perfect... that noone will then use :-(

--
  Patrick Mevzek

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email