To: EPP Provreg <ietf-provreg@cafax.se>
From: Ulrich Wisser <liste@publisher.de>
Date: Wed, 28 Oct 2009 12:45:54 +0100
In-Reply-To: <907ABD87-2140-429A-80A8-56624A92D579@cisco.com>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?

Here at .SE we implemented 4310. As pointed out earlier there is 
potential for further development. ;)

The first problem is the update tag as it doesn't allow add and rem in 
the same command. This definition could be changed (with backwards 
compatibility) from <choice> to <sequence>.

The bigger problem is the secDNS:rem tag. As pointed out additional 
information (alg, digestType) is needed. At .SE we use SHA-1 and SHA-256 
by default for all keys. Try "dig @a.ns.se dnssec.se DS" for example.

In the past months I have seen many registrars struggle with the rem tag 
because it works fundamentally different from the rest of EPP.

I would propose several solutions:

A. totally backward compatible
    Add optional attributes to the secDNS:keyTag tag. But this would 
mean that alg and digesttype are attributes to keytag which isn't really 
the case. Backward compatible but not a clean solution.

B. Not backward compatible
Revamp the whole rem tag and insert a new grouping like
<secDNS:rem>
   <secDNS:dsData>
     <secDNS:keytag/>
     <secDNS:alg/>
     <secDNS:digestType/>
   </secDNS:dsData>
   <secDNS:dsData>
     <secDNS:keytag/>
     <secDNS:alg/>
     <secDNS:digestType/>
   </secDNS:dsData>
</secDNS:rem>
This would make the whole thing work more like the rest of EPP.


And while we are at it I would like to propose another change:

The add command (as well as update) uses the secDNS:dsDataType, which 
makes keyTag, alg, digestType and digest mandatory. I know that .SE and 
other registries have considered becoming a "fat" registry and taking in 
the public keys instead of the DS records. The DS records would be 
computed from the public keys according to registry policies.
This case is not covered by 4310.


Kind Regards

Ulrich

-- 
Ulrich Wisser
senior developer
.SE (The Internet Infrastructure Foundation)
PO Box 7399, SE-103 91 Stockholm, Sweden
Visits: Ringvägen 100 A
Switchboard: +46(0)8-452 35 00
Direct: +46(0)8-452 35 58
Mobile: +46(0)732-74 59 00
E-mail: ulrich.wisser@iis.se
Website: http://www.iis.se
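Added example, not from the mail above or from .SE's registry code: a Python implementation of the DS computation from RFC 4034 (key tag, canonical owner name, digest over owner name plus DNSKEY RDATA) run at both digest types mentioned in the mail, SHA-1 (1) and SHA-256 (2). It shows why a secDNS:rem keyed on keyTag alone is ambiguous: both DS records for one key share keyTag and alg and differ only in digestType and digest. The owner name, flags and the four-byte public key are constructed placeholders, not real .SE key material.

```python
import hashlib

# DS digest type numbers from the IANA registry (RFC 4034, RFC 4509).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def canonical_owner(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format, RFC 4034 s.6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = 2-byte flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_records(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey: bytes, digest_types=(1, 2)) -> list:
    """One DS record per digest type for a single DNSKEY."""
    # Every record shares key tag and algorithm; only digestType and
    # digest differ, so (keyTag) alone does not identify one DS record.
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    payload = canonical_owner(owner) + rdata
    records = []
    for dt in digest_types:
        digest = DS_DIGESTS[dt](payload).hexdigest().upper()
        records.append({"key_tag": tag, "alg": algorithm,
                        "digest_type": dt, "digest": digest})
    return records

# Constructed placeholder key material, not a real key.
SAMPLE_PUBKEY = b"\x01\x02\x03\x04"

if __name__ == "__main__":
    for ds in ds_records("dnssec.se", 257, 3, 8, SAMPLE_PUBKEY):
        print(ds)
```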