To: ietf-provreg@cafax.se
From: Howard Eland <heland@afilias.info>
Date: Tue, 27 Oct 2009 15:56:18 -0500
In-Reply-To: <23CBC376-9C3C-4D37-A67E-FF4214982D06@cisco.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?

The issue I brought up to Andrew involves the transform commands. These only require the key tag to perform tasks such as remove, but, as mentioned in 4034, the key tag by itself may not be unique. We are seeing much interest in multiple DS records that have the same key tag with different digest types from registrants. If multiple DS records are added to the registry with the same key tag, and a subsequent transform command is sent with only the key tag, as specified in 4310, the result is left to interpretation.

Possible solutions for this are:

1) Force the specification of <key tag, alg ID, digest type> for all transform commands (this requires the protocol change to 4310, and is where I'm headed).
2) Proceed to transform all DS records with this key tag in the same manner (but here too are dragons, as a change or update could result in either duplicate DS records, or would force the registry to remove the dups, causing a discrepancy between the registrar and the registry).
3) Do not allow multiple DS records with the same key tag (forcing key tags to be unique on the domain object - this seems like a non-starter to me).
4) Do not allow multiple DS records (also a non-starter).

Thoughts?

-Howard

On Oct 27, 2009, at 3:31 PM, Patrik Fältström wrote:

>
> On 27 okt 2009, at 21.16, Patrick Mevzek wrote:
>
>> Andrew Sullivan <ajs@shinkuro.com> 2009-10-27 21:05
>>> I have of late observed a couple possibly pointy corners in RFC 4310,
>>> and Howard Eland just pointed out to me a pretty big operational
>>> problem in it, so I am wondering whether anyone is working on updates
>>> to it.
>>
>> I'm not specifically working on it, but I would advise anyone dealing
>> with DNSSEC and EPP to have a look at what .CZ did and what .EU will
>> do soon, as they both created other extensions to handle DNSSEC with
>> EPP. Maybe other registries too. Sorry if you did that already.
>>
>> I'm not judging pro or in favor of any other extension,
>> but I believe that having a look at the currently deployed EPP
>> dealings with DNSSEC would be a good idea in light of future work on
>> 4310.
>
> We use epp and DNSSEC in .SE since a while back. What are the issues
> you think?
>
> Patrik
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> List run by majordomo software. For (Un-)subscription and similar details
> send "help" to ietf-provreg-request@cafax.se
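
The ambiguity described in the message above, as an added example that is not part of the original thread or of any registry's code: one DNSKEY published as two DS records (digest types 1 and 2) yields the same RFC 4034 key tag, so a remove keyed on the tag alone matches both, while the <key tag, alg ID, digest type> tuple of option 1 matches exactly one. The key bytes, the owner name `example.org`, and the choice to reject an ambiguous remove are assumptions made for illustration.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: SHA-1, SHA-256
PUBKEY = bytes(range(64))  # constructed stand-in for key material, not a real key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, flags, proto, alg, pubkey, digest_type):
    """Build a DS record: digest = hash(owner name | DNSKEY RDATA)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"keyTag": key_tag(rdata), "alg": alg,
            "digestType": digest_type, "digest": digest}

def select(ds_set, tag, alg=None, digest_type=None):
    """Records a remove would hit: tag only (as in 4310) or the full tuple."""
    return [d for d in ds_set if d["keyTag"] == tag
            and (alg is None or d["alg"] == alg)
            and (digest_type is None or d["digestType"] == digest_type)]

def remove(ds_set, tag, alg=None, digest_type=None):
    """Hypothetical registry policy: act only when exactly one record matches."""
    hits = select(ds_set, tag, alg, digest_type)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} DS records match key tag {tag}")
    return [d for d in ds_set if d is not hits[0]]

def sample_ds_set():
    """Constructed domain object: one KSK (alg 5), DS with SHA-1 and SHA-256."""
    return [make_ds("example.org", 257, 3, 5, PUBKEY, dt) for dt in (1, 2)]

if __name__ == "__main__":
    ds = sample_ds_set()
    tag = ds[0]["keyTag"]
    print("matches on key tag only:", len(select(ds, tag)))
    print("left after tuple remove:", remove(ds, tag, alg=5, digest_type=2))
```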