To:
James Gould <jgould@verisign.com>
Cc:
"Hollenbeck, Scott" <shollenbeck@verisign.com>, <Chris.Newman@Sun.COM>, EPP Provreg <ietf-provreg@cafax.se>
From:
Patrik Fältström <paf@cisco.com>
Date:
Thu, 2 Apr 2009 18:55:08 +0200
Authentication-Results:
ams-dkim-2; header.From=paf@cisco.com; dkim=pass (sig from cisco.com/amsdkim2001 verified; );
DKIM-Signature:
v=1; a=rsa-sha256; q=dns/txt; l=4973; t=1238691769; x=1239555769;c=relaxed/simple; s=amsdkim2001;h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;d=cisco.com; i=paf@cisco.com;z=From:=20=3D?ISO-8859-1?Q?Patrik_F=3DE4ltstr=3DF6m?=3D=20<paf@cisco.com>|Subject:=20Re=3A=20[ietf-provreg]=20RE=3A=20Standards=20Track=20Advancement=20Request=20for=20EPP=20RFCs|Sender:=20;bh=irmHBZ2/J50b5ys+Xe5jj636k8S8ULek5zLKTosRCbE=;b=X87/+Te092oX5Nx6ZMrq7utZGNPFDEu2Ymhjlp2GyozOc3w4tYixeKpRsQCgY2dHKm3gTKoWKmFFzfyjNgu89YaJJOfde7GFqT5Ky2ZjEy728pXO3f/TF0+D4BbSWUNs;
In-Reply-To:
<C5FA396C.31B6A%jgould@verisign.com>
Sender:
owner-ietf-provreg@cafax.se
Subject:
Re: [ietf-provreg] RE: Standards Track Advancement Request for EPP RFCs
On 2 apr 2009, at 15.44, James Gould wrote:
>> Host name changes can have an impact on associated objects that
>> refer to the
>> host object. A host name change SHOULD NOT require additional
>> updates of
>> associated objects to preserve existing associations, with one
>> exception:
>> changing an external host object that has associations with objects
>> that are
>> sponsored by a different client. Attempts to update such hosts
>> directly MUST
>> fail with EPP error code 2305. The change can be provisioned by
>> creating a new
>> external host with a new name and needed new attributes and
>> subsequently
>> updating the other objects sponsored by the client.
>
> Have any Registries implemented to this? We’ve implemented external
> hosts
> in two different ways:
>
> 1. External hosts per Registrar, where an association from domains to
> external hosts of another client (Registrar) is not allowed.
> 2. External hosts per Registry, where updates are allowed to be made
> by the
> sponsoring Registrar independent of the associations to the domains.
In .SE the host object is subordinate the domain object, and therefore
MUST have the same sponsoring client as the domain object. A host
object is transferred with the domain object, and is because of that
not transferrable.
>> On the first, I see differences on how transfers of domains and
>> "attached objects" work. Some registries require explicit transfer of
>> contacts, which imply one (as I think) might as registrar have access
>> to the domain object, but not contact. Other registries do clone the
>> contact object when a domain is transferred, and the clone get a new
>> contact-id (which imply the number of contact objects in the database
>> increase, and the contact-id of holder change in the domain when the
>> transfer happens.
>
> JG - We've treated contacts as first class objects, where a domain
> transfer
> doesn't do anything with the contacts. If the gaining Registrar
> needs to
> make updates to the contact records, new contacts can be assigned
> after the
> transfer or the Registrar can request the transfer of the contacts.
So what I call "cloning" is then something the gaining registrar have
to do manually? Do you separate those changes of holder from a
"normal" change of holder, i.e. restart the payment cycle etc? Do you
keep track of the now two contact records be the "same" contact be
represented by two records? You as registry that is.
>> Maybe some clarification about "contact id" is needed?
>>
>> On the second, I look specifically at the DNSSEC extension, RFC4310,
>> where the update command is inconsistent. This is something that
>> programmers more than myself has missed, and that required some extra
>> hours of debugging.
>>
>> a)
>>
>>> The <secDNS:add> element is used to add DS information to an
>>> existing set. The <secDNS:add> element MUST contain one or more
>>> <secDNS: dsData> elements as described in Section 3.1.2.
>>
>> b)
>>
>>> The <secDNS:rem> element contains one or more <secDNS:keyTag>
>>> elements that are used to remove DS data from a delegation. The
>>> <secDNS:keyTag> element MUST contain a key tag value as described in
>>> section 5.1.1 of RFC 4034 [6]. Removing all DS information can
>>> remove the ability of the parent to secure the delegation to the
>>> child zone.
>>
>> Note that the format inside the <secDNS:add> and <secDNS:rem> is
>> different. The rem element "directly" include the keytag element
>> while
>> the add element include dsData (that in turn include the keytag).
>>
>> Why is there not a dsData wrapper around the keytag element for the
>> rem command?
>
> JG - Since we're discussing RFC 4310, I have to bring up the past
> thread on
> the inability to use a combination of <secDNS:add>, <secDNS:rem>, and
> <secDNS:chg> in a single domain update since updateType is defined
> as a
> choice instead of a sequence with minOccurs="0" for each element.
True, that should be clarified as well. .SE changed and do the rem
first, and then the add. That should be the explicit order to do the
updates in epp I think.
Patrik
This is a digitally signed message part