To: ietf-provreg@cafax.se
From: Howard Eland <heland@afilias.info>
Date: Tue, 27 Oct 2009 15:56:18 -0500
In-Reply-To: <23CBC376-9C3C-4D37-A67E-FF4214982D06@cisco.com>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?

The issue I brought up to Andrew involves the transform commands.   
These only require the key tag to perform tasks such as remove, but,  
as mentioned in 4034, the key tag by itself may not be unique.  We are  
seeing much interest in multiple DS records that have the same key tag  
with different digest types from registrants.  If multiple DS records  
are added to the registry with the same key tag, and a subsequent  
transform command is sent with only the key tag, as specified in 4310,  
the result is left to interpretation.

Possible solutions for this are:
1) Force the specification of <key tag, alg ID, digest type> for all  
transform commands (this requires the protocol change to 4310, and is  
where I'm headed).
2) Proceed to transform all DS records with this key tag in the same  
manner (but here too are dragons, as a change or update could result  
in either duplicate DS records, or would force the registry to remove  
the dups, causing a discrepancy between the registrar and the registry).
3) Do not allow multiple DS records with the same key tag (forcing key  
tags to be unique on the domain object - this seems like a non-starter  
to me).
4) Do not allow multiple DS records (also a non-starter).

Thoughts?

-Howard


On Oct 27, 2009, at 3:31 PM, Patrik Fältström wrote:

>
> On 27 okt 2009, at 21.16, Patrick Mevzek wrote:
>
>> Andrew Sullivan <ajs@shinkuro.com> 2009-10-27 21:05
>>> I have of late observed a couple possibly pointy corners in RFC 4310,
>>> and Howard Eland just pointed out to me a pretty big operational
>>> problem in it, so I am wondering whether anyone is working on updates
>>> to it.
>>
>> I'm not specifically working on it, but I would advise anyone dealing
>> with DNSSEC and EPP to have a look at what .CZ did and what .EU will
>> do soon, as they both created other extensions to handle DNSSEC with
>> EPP. Maybe other registries too. Sorry if you did that already.
>>
>> I'm not judging pro or in favor of any other extension,
>> but I believe that having a look at the currently deployed EPP
>> dealings with DNSSEC would be a good idea in light of future work on
>> 4310.
>
> We use epp and DNSSEC in .SE since a while back. What are the issues  
> you think?
>
>   Patrik
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> List run by majordomo software.  For (Un-)subscription and similar details
> send "help" to ietf-provreg-request@cafax.se
>
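
The key tag ambiguity described in the message above, as an added example that is not part of the original thread or of RFC 4310: one DNSKEY yields a SHA-1 and a SHA-256 DS record with the same key tag, so a selection by key tag alone hits both, while the <key tag, alg ID, digest type> triple of option 1 hits exactly one. The owner name example.test., the dummy key bytes and the helper names are assumptions made for illustration; the registry is modeled as a plain list, not as EPP XML.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes, digest_type: int) -> dict:
    """DS fields for a DNSKEY: digest type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return {"keyTag": key_tag(rdata), "alg": rdata[3], "digestType": digest_type,
            "digest": h(wire_name(owner) + rdata).hexdigest().upper()}

def select(ds_set, key_tag_value, alg=None, digest_type=None):
    """DS records a remove would hit; alg/digest_type left as None means tag only."""
    return [d for d in ds_set
            if d["keyTag"] == key_tag_value
            and (alg is None or d["alg"] == alg)
            and (digest_type is None or d["digestType"] == digest_type)]

# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 8, dummy key bytes.
DNSKEY = struct.pack("!HBB", 257, 3, 8) + bytes(range(64))
# Hypothetical registry state: the same key published with both digest types.
DS_SET = [make_ds("example.test.", DNSKEY, 1), make_ds("example.test.", DNSKEY, 2)]

if __name__ == "__main__":
    tag = DS_SET[0]["keyTag"]
    print("key tag only ->", len(select(DS_SET, tag)), "records match")
    print("full triple  ->", len(select(DS_SET, tag, 8, 2)), "record matches")
```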

