Re: [regext] CDS/CDNSKEY vs. EPP update prohibited

Eric Skoglund <eric.skoglund@internetstiftelsen.se> Fri, 02 December 2022 14:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/wSkC06wh1auCnPaesey-dCvsXcQ>

To add my 2 cents, I agree with Scott here, given what the spec says. We (the Swedish Internet Foundation) have interpreted it in our implementation to mean that we shouldn't allow the change to go through.

// Eric Skoglund
________________________________
From: regext <regext-bounces@ietf.org> on behalf of Hollenbeck, Scott <shollenbeck=40verisign.com@dmarc.ietf.org>
Sent: 02 December 2022 15:13
To: Michael.Bauland@knipp.de <Michael.Bauland@knipp.de>; regext@ietf.org <regext@ietf.org>
Subject: Re: [regext] CDS/CDNSKEY vs. EPP update prohibited

> -----Original Message-----
> From: regext <regext-bounces@ietf.org> On Behalf Of Michael Bauland
> Sent: Friday, December 2, 2022 8:55 AM
> To: regext@ietf.org
> Subject: [EXTERNAL] Re: [regext] CDS/CDNSKEY vs. EPP update prohibited
>
> Hi,
>
> On 02.12.2022 14:07, Gould, James wrote:
> > Michael,
> >
> > The prohibited statuses apply to client requests, which matches Case 2.
> > The prohibited statuses can apply to client requests via multiple channels
> > (e.g., EPP or Web UI).  The prohibited statuses don't apply to server actions
> > (e.g., auto renew, transitioning RGP statuses).  Use of CDS/CDNSKEY records
> > to signal a server-side change is an interesting case, where does posting
> > CDS/CDNSKEY records represent a client request that is processed by the
> > server asynchronously?  I view the CDS/CDNSKEY as a new operation (e.g.,
> > DNSSEC automation update), supported by IETF RFCs, that does not apply to
> > the existing EPP prohibited statuses.  All domain changes come down to an
> > update, but EPP included prohibited statuses on a per operation / command
> > basis.
> >
> > I would then define Case 3, where CDS/CDNSKEY records represent a new
> > client operation that does not apply to the existing EPP prohibited
> > statuses.  If we did want to prohibit this new operation via EPP, then a
> > new prohibited status would be warranted.
>
> I tend to agree. Changing the DNSSEC data here is not an operation
> requested/initiated by the client (i.e., registrar), but it's something the
> server (registry) does, because it got triggered via the DNS. For this reason
> the clientUpdateProhibited flag should be ignored.

[SAH] You can't assume that "client" always means "registrar". That's
precisely why you don't see the word "registrar" in the specification. Note,
also, what 5731 actually says about the status (the other RFCs say the same
thing):

"Status values that can be added or removed by a client are prefixed with
"client"."

It's about who can manage the status value. It's not about who can perform the
update.

"Requests to update the object (other than to remove this status) MUST be
rejected."

Again, there's nothing here about *who* is performing the update. This use
case is covered by the existing specification text.

Scott

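The reading Scott describes and Eric says his registry implemented, as an added example that is not code from either registry or from the thread: a registry-side CDS scanner that treats a CDS-triggered DS change as a request to update the domain object, so RFC 5731's clientUpdateProhibited and serverUpdateProhibited reject it regardless of which channel it arrived on. The names Domain, Decision, process_cds and scanned_cds are hypothetical, and the domain data and CDS rdata are constructed sample input.

```python
from dataclasses import dataclass, field

# EPP domain status values (RFC 5731, Section 2.3) whose text says requests to
# update the object MUST be rejected; nothing in that text limits it to the
# registrar's own EPP commands.
UPDATE_PROHIBITED = {"clientUpdateProhibited", "serverUpdateProhibited"}

# RFC 8078 Section 4 "delete" signal: a single CDS record 0 0 0 00 asks the
# parent to remove the DS RRset.
CDS_DELETE = "0 0 0 00"


@dataclass
class Domain:                      # hypothetical registry-side domain object
    name: str
    statuses: set
    ds_records: list = field(default_factory=list)   # DS rdata strings


@dataclass
class Decision:
    applied: bool
    reason: str


def scanned_cds(zone_answer: str) -> list:
    """Normalise CDS rdata lines as a scanner would see them in the child zone
    (constructed format: 'keytag alg digesttype digest', one per line)."""
    return [" ".join(line.split()) for line in zone_answer.splitlines() if line.strip()]


def process_cds(domain: Domain, cds: list) -> Decision:
    """Decide whether a CDS-triggered DS change may be applied to the domain."""
    blocking = sorted(UPDATE_PROHIBITED & domain.statuses)
    if blocking:
        # Case rejected by the status text itself: the change never reaches
        # the DS data, and the scanner only records why for the operator.
        return Decision(False, f"{domain.name}: update prohibited by {', '.join(blocking)}")
    if not cds:
        return Decision(False, f"{domain.name}: no CDS published, nothing to do")
    if cds == [CDS_DELETE]:
        domain.ds_records = []
        return Decision(True, f"{domain.name}: DS RRset removed per CDS delete record")
    if sorted(cds) == sorted(domain.ds_records):
        return Decision(False, f"{domain.name}: DS already matches CDS")
    domain.ds_records = sorted(cds)
    return Decision(True, f"{domain.name}: DS RRset replaced from CDS")
```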
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext