Re: rfc4310bis 03 AD Feedback

On 29/01/10 16:15, James Gould wrote:
> Is there anyone out there supporting or planning on supporting the
> client specified maxSigLife. In looking into this in more detail if this
> attribute were supported, doesn’t it make more sense for it to be an
> attribute outside the dsData or keyData, since it applies to the
> domain’s RRSIG and not to an individual DS? This means that it’s an
> attribute of the domain and not of the DS. Since we’re not worried about
> backward compatibility any longer with the change in the URI we’re open
> to remove or move this element. Any thoughts to this?
>
> --
>
>
> JG
>

Hi James,

we have implemented this for the puntCAT registry, however I share the concerns 
around this value, so I wouldn't be too unhappy if it would go or would be 
reworked (e.g. adding TTL suggestions as well if it then makes more sense).

Regarding the separation from the key/DS data: I think I had noted earlier 
(probably in a private e-mail exchange) that I support this idea, as it is not 
directly an attribute of key or DS data.

Regards,

Klaus

Re: RE: Last Call: draft-gould-rfc4310bis (Domain Name System(DNS) Security Extensions Mapping for the Extensible ProvisioningProtocol

RE: RE: Last Call: draft-gould-rfc4310bis (Domain Name System(DNS) Security Extensions Mapping for the Extensible ProvisioningProtocol

Re: RE: Last Call: draft-gould-rfc4310bis (Domain Name System(DNS) Security Extensions Mapping for the Extensible ProvisioningProtocol

OK. So we need to:

(a) remind the lawyers who clutter up the Registry Stakeholder Group 
(RySG) that they need to know to tell the technical people (who should 
form the registry operator sharpened stakes and pitchforks group) that 
technical work (on EPP) takes place on ietf-provreg, please bring your 
extensions and other brain-damage or stay home,

(b) remind the lawyers who clutter up the Registrar Stakeholder Group 
(RSG) that technical work (on EPP) takes place on ietf-provreg, and if 
they intend to sell anything other than VGRS inventory, or stay afloat 
in a sea of registry-specific extensions and other brain-damage, its 
come or stay home,

(c) inform the civil administrators who clutter up the CNSO similar to 
(a), above, rinse and repeat for the sharpened stakes and pitchforks 
group, unencumbered by the "contract" problem,

and

(d) inform the ccTLD tech people who attend occasionally, or 
regularly, the Monday ccTLD Tech Day at ICANN meetings that technical 
work (on EPP) takes place on ietf-provreg, again, rinse and repeat for 
the sharpened stakes and pitchforks group.

That covers the ICANN g&c space. Informing the CNNIC c&g's would be 
useful as it is a bother that .cn-ascii and .cn-idn are at different 
pre-1.0 revs. It is their choice, but spec-sync could benefit them as 
well as everyone else benefited by spec-sync.

Are there other registrars, and other registries, which use, or plan 
to use, EPP? Possibly. This gets more real when we look at another XML 
syntax specified data transport issue, the escrow, as escrow is a 
general interest to zone operators, not merely TLD zone operators.

The reason for techies to have "sharpened stakes and pitchforks" is 
that the really important technical and operational issues do not fall 
into the mutually exclusive "have a contract or have a MoU (or less) 
with ICANN" baskets, and specification and/or implementation drift 
caused by differences in legal regimes has no technical necessity 
justification.

Eric

On 2/1/10 7:52 AM, Ray.Bellis <at> nominet.org.uk wrote:
>
>  > All individual submission work that happened after the group closed was
>  > done in complete accordance with IETF procedures, with appropriate
>  > public announcements, using the agreed-upon mailing list. Responsible
>  > "stakeholders" have a responsibility to stay involved, Bernie.
>
> New stakeholders also have to find out how to _get_ involved.
>
> As a relative newbie to the IETF world (and only being employed in the
> registry business since late 2007) I only found out about this group by
> accident when I spotted the earlier EPPbis documents in the "new drafts"
> RSS feed.
>
> kind regards,
>
> Ray
>
>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request <at> cafax.se

Re: rfc4310bis 03 AD Feedback

RE: Last Call: draft-gould-rfc4310bis (Domain Name System(DNS) Security Extensions Mapping for the Extensible ProvisioningProtocol

(Left off the ietf general list)

At 7:24 -0500 2/1/10, Hollenbeck, Scott wrote:

>Even when provreg was a working group the same mailing list, hosted in
>the same place, was used for group discussion.  An explicit decision was
>made to keep the list open for ongoing discussion after the working
>group was closed.  Nothing has changed in terms of the agreed-upon place
>for ongoing work discussion.
>
>All individual submission work that happened after the group closed was
>done in complete accordance with IETF procedures, with appropriate
>public announcements, using the agreed-upon mailing list.  Responsible
>"stakeholders" have a responsibility to stay involved, Bernie.  I know I
>can't have done any more to let people know what's been going on.

Having once been one of the co-chairs of Provreg I want to try to 
explain the situation.  Both Bernie and Scott are right, but that 
doesn't mean there isn't a gap.

What happened is that the PROVREG WG operated during a time when the 
domain name registration function, as well as all other registration 
functions, were understood by just a small community and within a 
constrained framework.  The WG achieved its goal, in 2003 or so 
stopped meeting (it was closed officially once the RFCs were 
published, months later).  The mailing list has remained open since 
then, with little or no publicity beyond those active on it.  I 
wouldn't expect that a responsible party would even know of the list 
if they hadn't been there to participate in the WG.

Since the closing of the WG the documents defining EPP have been 
advanced to Full Standard using the mailing list as the basis for 
communication.  While this meets with IETF processes standards, the 
registration industry/community grew both in population[0] and in 
scope[1] at the same time and this did not feed into the IETF 
process.  Members of this growth had no formal way to know of the 
mailing list as it had no WG to "cover" it, had no chairs or 
advocates to promote it in appropriate venues (like CENTR Tech).

>I know I can't have done any more to let people know what's been going on.

And that's certainly true, but that doesn't mean the message got out 
far enough.

In the past few weeks, recognizing this and a backlog of technical 
issues[2] facing registries, registrars, and all others involved in 
Internet Registration, there has been discussion on the mailing list 
to apply for a new WG (well, first a BoF, etc.).  From the messages 
posted, it appears that an effort to apply for a BoF will proceed, 
hopefully in time for IETF 78 "Maastricht" (as the deadline for IETF 
77 "Disneyland" has passed).

[0] Back then there were 3 or 4 registries and a few registrars; 
according to a stat uttered at .ORG's Public Forum last week, there 
are 14 "major" registry operators now, hundreds of registrars just 
within the ICANN definition, and many other entities involved in 
domain name registration.

[1] The role of registries are better understood today, more 
realization of the differences and similarities of domain name 
registration and RIR's for example.  While RIR's did not actively 
participate in the PROVREG WG, then did participate in CRISP, as one 
sign of growing awareness.

[2] Such as submission of DNSSEC keys (SEP/KSK) into registries not 
using EPP's DNSSEC extension (4310) now defined at PS; and how 
non-EPP client DNS operators send the keys.
--

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request <at> cafax.se

Re: off-list was Re: Revision of 4310

Re: rfc4310bis 03 AD Feedback

Hi James,

We bantered this about internally for a bit now, but came to the conclusion that in order to use maxSigLife at
all we would have to limit the range of accepted values for maxSigLife to be very small, and (more
importantly) change registrar behavior whenever signing policy was modified. For registrars, they
must be in synch with our signing policy, which made this another invitation for pedal removal via firearm.

Our current implementation supports maxSigLife, but an upcoming build of ours will indeed ignore it.

I agree that multiple maxSigLife elements should return an error.  Not specifying maxSigLife should
default to server policy.  As stated, we are moving towards having any MaxSigLife also default to default
server policy.

But, not everyone will agree with our choice here, so let me evaluate the options you suggest:

(1) I'm not sure that either error code you suggest provides a good indication of the problem back to the
client.  2004 is really misleading, and not indicative of the problem.  Perhaps 2308 "Data management
Policy Violation" may be closer (although if this is required via this specification, then it's hardly
server policy)?  

I like the use of the word MUST (be see my option (4) below) for multiple maxSigLife elements in a single
domain object, since one RRSIG will be used across the DS RRset anyway.

(2) I'm not crazy about this at all.  maxSigLife is "metadata" for a DS record, so it belongs there.  If you do
(1) or (4), then it's much cleaner.

(3) No.  This reduces functionality, and although I'm not going to use it, others may. (I'm sure others on the
list will do better than I at recalling the rationale for maxSigLife, but it escapes me for now).

Option 4: If multiple maxSigLife values are requested, the server MAY use the smallest maxSigLife value
received.  This could, of course, be setup as server policy, leaving it open in this specification, but at
least this gives guidance for server implementors.

-Howard

On Jan 31, 2010, at 9:23 AM, James Gould wrote:

> Michael & Howard,
> 
> Do either you have thoughts related to the maxSigLife attribute in RFC 4310?
> In review, the AD had the following comment to the draft:
> 
>>>      An OPTIONAL <secDNS:maxSigLife> element that indicates a child's
>>>      preference for the number of seconds after signature generation
>>>      when the parent's signature on the DS information provided by the
>>>      child will expire.  A client SHOULD specify the same <secDNS:
>>>      maxSigLife> value for all <secDNS:dsData> elements associated with
>>>      a domain.  If the <secDNS:maxSigLife> is not present, or if
>>>      multiple <secDNS:maxSigLife> values are requested, the default
>>>      signature expiration policy of the server operator (as determined
>>>      using an out-of-band mechanism) applies.
>> 
>> I am slightly surprised that the latter is not an error condition.
>> But if this what people have implemented, then Ok.
> 
> 
> I agree that at a minimum the server should return an error instead of
> applying the server default when multiple maxSigLife values are requested.
> To address this I have the following options.  I would like to hear from
> anyone using the maxSigLife attribute or planning on using the maxSigLife
> attribute.
> 
> 1. Keep the maxSigLife as an element of secDNS:dsData or secDNS:keyData.
> Update the text to require the server to return an  2305 “Object association
> prohibits operation” or 2004 “Parameter value range error” error when
> multiple maxSigLife values are requested.  I’m leaning towards the 2004
> error.  I would also recommend that we change “A client SHOULD specify the
> same <secDNS:maxSigLife> value” to “A client MUST specify the same
> <secDNS:maxSigLife> value”, since I don’t know the use case where the value
> could be different per DS.
> 2. Move the maxSigLife element out of the secDNS:dsData and secDNS:keyData,
> so that it can be set as a single value for a domain.  The maxSigLife
> applies to the RRSIG, so it doesn’t make much sense to set it at the DS
> level.  This would mean that maxSigLife would be an optional element
> directly under secDNS:create, secDNS:update, and secDNS:infData.  This
> breaks backward compatibility, but backward compatibility is already broken
> by changing the URI.
> 3. Remove the maxSigLife element all together.  This doesn’t sound like much
> of an option if there are servers using it.   This breaks backward
> compatibility, but backward compatibility is already broken by changing the
> URI. 
> 4. Update the text to allow for different maxSigLife values without the
> server applying the default.  If we allow for multiple maxSigLife values I
> don’t believe it is correct for the server to return a successful response
> and then pretty much ignore the requested values.
> 
> If there are any other options for this or if there are preferences to the
> options I proposed above, please respond to the list or to me privately.
> 
> Thanks,
> 
> -- 
> 
> 
> JG 
> 
> -------------------------------------------------------
> James F. Gould
> Principal Software Engineer
> VeriSign Naming Services
> jgould <at> verisign.com
> Direct: 703.948.3271
> Mobile: 703.628.7063
> 
> 
> 21345 Ridgetop Circle
> LS2-2-1
> Dulles, VA 20166
> 
> Notice to Recipient:  This e-mail contains confidential, proprietary and/or
> Registry  Sensitive information intended solely for the recipient and, thus
> may not be  retransmitted, reproduced or disclosed without the prior written
> consent of  VeriSign Naming and Directory Services.  If you have received
> this e-mail message in error, please notify the sender immediately by
> telephone or reply e-mail and destroy the original message without making a
> copy.  Thank you.
> 
> 
> 
> From: Andrew Sullivan <ajs <at> shinkuro.com>
> Date: Sun, 31 Jan 2010 03:59:29 -0500
> To: EPP Provreg <ietf-provreg <at> cafax.se>
> Subject: Re: [ietf-provreg] rfc4310bis 03 AD Feedback
> 
> On Fri, Jan 29, 2010 at 10:15:13AM -0500, James Gould wrote:
>> Is there anyone out there supporting or planning on supporting the client
>> specified maxSigLife.  In looking into this in more detail if this attribute
> 
> Afilias supports it now, IIRC.
> 
> A
> 
> --
> Andrew Sullivan
> ajs <at> shinkuro.com
> Shinkuro, Inc.
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> List run by majordomo software.  For (Un-)subscription and similar details
> send "help" to ietf-provreg-request <at> cafax.se
> 
> 
> 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request <at> cafax.se

Re: RE: Last Call: draft-gould-rfc4310bis (Domain Name System(DNS) Security Extensions Mapping for the Extensible ProvisioningProtocol

    >Even when provreg was a working group the same mailing list, hosted in
    >the same place, was used for group discussion.  An explicit decision was
    >made to keep the list open for ongoing discussion after the working
    >group was closed.  Nothing has changed in terms of the agreed-upon place
    >for ongoing work discussion.
    >
    >All individual submission work that happened after the group closed was
    >done in complete accordance with IETF procedures, with appropriate
    >public announcements, using the agreed-upon mailing list.  Responsible
    >"stakeholders" have a responsibility to stay involved, Bernie.  I know I
    >can't have done any more to let people know what's been going on.

    Having once been one of the co-chairs of Provreg I want to try to 
    explain the situation.  Both Bernie and Scott are right, but that 
    doesn't mean there isn't a gap.

As the other ex-co-chair I don't have a lot to add to Ed's comments.
I too do see some momentum growing to revive work on EPP in the
IETF.

The ietf-provreg mail list itself is as official as non-WG lists
come. It is listed on the non-WG ietf mail lists pages and I have
maintained it since the closing of the WG, occasionally adapting
it to requests of the secretariat. Currently there are 242 subscribers
to the list (and several hundred spam messages a day).

	jaap
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request <at> cafax.se

DBSSEC in CH & LI

The next message mentions EPP in productin use. It might be relevant to discussions on this list.

	jaap
	
________
	
  From: Alexander Gall <gall <at> switch.ch>
  Date: Wed, 3 Feb 2010 09:28:32 +0100
  To: dnssec-deployment <at> dnssec-deployment.org

We're happy to announce that our DNSSEC service for the CH and LI TLDs
has become fully operational as of February 2nd.  After running a
"pioneer phase" for about 5 months, during which we added DS records
manually to the zones for people who took part in the trial, our
registry now fully supports DNSSEC for all direct customers via
<http://www.nic.ch/> as well as for registrars (we call them
"partners", in case you look for information on our website) via the
standard EPP extensions.

We currently have 9 signed delegations (out of about 1.1 million :)

-- 
Alex

--

-- 
SWITCH
Serving Swiss Universities
--------------------------
Alexander Gall, Network Engineer
P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 22, fax +41 44 268 15 68
alexander.gall <at> switch.ch, http://www.switch.ch
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request <at> cafax.se