To:
Howard Eland <heland@afilias.info>
CC:
Klaus Malorny <Klaus.Malorny@knipp.de>, EPP Provreg <ietf-provreg@cafax.se>
From:
James Gould <jgould@verisign.com>
Date:
Wed, 28 Oct 2009 18:19:53 -0400
In-Reply-To:
<F4CFE789-F27D-42D5-ACEB-5A005297391E@afilias.info>
Sender:
owner-ietf-provreg@cafax.se
Thread-Index:
AcpYFGCC6AQXgSROQw2BFvdSd+6jSQACGUJF
Thread-Topic:
[ietf-provreg] Anyone working on 4310-bis?
User-Agent:
Microsoft-Entourage/12.20.0.090605
Subject:
Re: [ietf-provreg] Anyone working on 4310-bis?
Howard, I donıt believe that there is a desire to allow wildcard deletion of DS records. That is the existing issue, where the client requests to delete keyTag 12345 and if there are multiple DS records with the same keyTag 1234 for the domain, all of the DS records will be deleted. I believe it is preferable to make the deletions as explicit as possible, where the option of using the dsDataType will address it by requiring all four elements to be passed (keyTag, alg, digestType, and digest) for uniquely identifying the DS record to delete. None of the attributes alone uniquely identify a DS record, so the natural primary key is the combination of all four of them. If clients desire to be able to uniquely identify a DS record by using a subset of the four elements, than a change could be made to make one or more of the elements of dsData optional by defining a new complexType like dsDataType with minOccurs=²0². The selectType meets the need, but it best not to introduce a new element like ³select² under the rem element. My recommendation is for the registry to return an error if the client specifies a DS that does not result in a single DS record being deleted. If we want to make the input elements for the rem flexible to allow the client to decide what uniquely identifies the DS to remove than the schema could look like below (the remType dsData element could be renamed to something like "select" if needed). Specifying no elements for the dsData should result in an error since it won't match anything. <complexType name="updateType"> <choice> <element name="chg" type="secDNS:dsType"/> <sequence> <element name="add" type="secDNS:dsType" minOccurs="0"/> <element name="rem" type="secDNS:remType" minOccurs="0"/> </sequence> </choice> <attribute name="urgent" type="boolean" default="false"/> </complexType> <complexType name="selectType"> <sequence> <element name="keyTag" type="unsignedShort" minOccurs="0"/> <element name="alg" type="unsignedByte" minOccurs="0"/> <element name="digestType" type="unsignedByte" minOccurs="0"/> <element name="digest" type="hexBinary" minOccurs="0"/> </sequence> </complexType> <complexType name="remType"> <choice maxOccurs="unbounded"> <element name="keyTag" type="unsignedShort"/> <element name="dsData" type="secDNS:selectType"/> </choice> </complexType> -- JG ------------------------------------------------------- James F. Gould Principal Software Engineer VeriSign Naming Services jgould@verisign.com Direct: 703.948.3271 Mobile: 703.628.7063 21345 Ridgetop Circle LS2-2-1 Dulles, VA 20166 Notice to Recipient: This e-mail contains confidential, proprietary and/or Registry Sensitive information intended solely for the recipient and, thus may not be retransmitted, reproduced or disclosed without the prior written consent of VeriSign Naming and Directory Services. If you have received this e-mail message in error, please notify the sender immediately by telephone or reply e-mail and destroy the original message without making a copy. Thank you. From: Howard Eland <heland@afilias.info> Date: Wed, 28 Oct 2009 17:19:32 -0400 To: James Gould <jgould@verisign.com> Cc: Klaus Malorny <Klaus.Malorny@knipp.de>, EPP Provreg <ietf-provreg@cafax.se> Subject: Re: [ietf-provreg] Anyone working on 4310-bis? So, thinking about this, plus Ed's comments about being able to use the digest itself led me to add a couple more things. First, I'd think it'd be good to be able to specify which DS records to operate on with as little information as possible, and make it flexible (without having to specify the entire DS record). Second, I could see people wanting to do things like "remove all algorithm ID 5 records". So, I came up with a selectType, that let's you pick from keyTag, alg ID, digest type, or digest itself. For a rem, that's all that is needed. However, to make this consistent, I added it to chg as well (creating "chgType" in the process, so you could specify changing only one of many DS records without repeating the entire set. I made these changes to your last post of "updateType" below, so the simultaneous add/rem is in there as well. I believe we're _mostly_ backwards compatible here (see Caveat 3). A couple of caveats: 1) Both with this and the post below, it looks like the XML would allow for a no-op on updateType (since the second choice contains all elements with minOccurs=0). 2) I did not validate this XML yet - I wanted to explain the concepts before going any further. 3) As written, this allows for selecting _no_ attributes, which, in theory, would allow one to remove all DS records for a domain object. Currently RFC 4310 does not allow this, because the keyTag is required. This adds functionality, but at the expense of a foot-shotgun. (non-validated) XML code below. -Howard <complexType name="updateType"> <choice> <element name="chg" type="secDNS:chgType"/> <sequence> <element name="add" type="secDNS:dsType" minOccurs="0"/> <element name="rem" type="secDNS:remType" minOccurs="0"/> </sequence> </choice> <attribute name="urgent" type="boolean" default="false"/> </complexType> <complexType name="selectType"> <sequence> <element name="keyTag" type="unsignedShort" minOccurs="0" maxOccurs="1"/> <element name="alg" type="unsignedByte" minOccurs="0" maxOccurs="1"/> <element name="digestType" type="unsignedByte" minOccurs="0" maxOccurs="1"/> <element name="digest" type="hexBinary" minOccurs="0" maxOccurs="1"/> </sequence> </complexType> <complexType name="remType"> <element name="select" type="secDNS:selectType" maxOccurs="unbounded"/> </complexType> <complexType name="chgType"> <sequence maxOccurs="unbounded"> <element name="select" type="secDNS:selectType"/> <element name="selectChg" type="secDNS:dsType"/> </sequence> </complexType> On Oct 28, 2009, at 9:32 AM, James Gould wrote: > Klaus, > > Your proposal will work with one small fix of replacing </sequence> in > remType to </choice>. This will be backward compatible, will address the > issue of identifying the DS record to remove, and will support adding and > removing more than one DS record in the same command. I like that the chg > still behaves like a replace, which again is backward compatible. The only > difference is that all four elements need to be provided (keyTag, alg, > digestType, digest) with a rem, which I donıt believe should be a big issue. > Does anyone see an issue with having to specify either the keyTag or all four > elements on a rem? The following is the schema elements with the small fix > that I tested through with various use cases successfully. > > <complexType name="updateType"> <choice> <element > name="chg" type="secDNS:dsType"/> <sequence> <element > name="add" type="secDNS:dsType" minOccurs="0"/> <element name="rem" > type="secDNS:remType" minOccurs="0"/> </sequence> </choice> > <attribute name="urgent" type="boolean" default="false"/> </complexType> > <complexType name="remType"> <choice maxOccurs="unbounded"> > <element name="keyTag" type="unsignedShort"/> <element name="dsData" > type="secDNS:dsDataType"/> </choice> </complexType> > > The following tests worked and passed schema validation: > > > * Passing a single add, chg, or rem with the rem containing just the keyTag. > This is the backward compatible tests. > * Passing multiple dsData elements for both the add and rem elements > * Passing multiple keyTag or dsData elements with the rem element > * > > > > -- > > > JG > > ------------------------------------------------------- > James F. Gould > Principal Software Engineer > VeriSign Naming Services > jgould@verisign.com > Direct: 703.948.3271 > Mobile: 703.628.7063 > > > 21345 Ridgetop Circle > LS2-2-1 > Dulles, VA 20166 > > Notice to Recipient: This e-mail contains confidential, proprietary and/or > Registry Sensitive information intended solely for the recipient and, thus > may not be retransmitted, reproduced or disclosed without the prior written > consent of VeriSign Naming and Directory Services. If you have received > this e-mail message in error, please notify the sender immediately by > telephone or reply e-mail and destroy the original message without making a > copy. Thank you. > > > > From: Klaus Malorny <Klaus.Malorny@knipp.de> > Date: Tue, 27 Oct 2009 19:38:02 -0400 > To: James Gould <jgould@verisign.com> > Cc: Howard Eland <heland@afilias.info>, EPP Provreg <ietf-provreg@cafax.se> > Subject: Re: [ietf-provreg] Anyone working on 4310-bis? > > On 2009-10-27 22:31, James Gould wrote: >> [...] >> >> Updated XML schema: >> <complexType name="remKeyType"> >> <simpleContent> >> <extension base="unsignedShort"> >> <attribute name="alg" type="unsignedByte"/> >> <attribute name="digestType" type="unsignedByte"/> >> <attribute name="digest" type="hexBinary"/> >> </extension> >> </simpleContent> >> </complexType> >> >> <complexType name="remType"> >> <sequence> >> <element name="keyTag" type="secDNS:remKeyType" >> maxOccurs="unbounded"/> >> </sequence> >> </complexType> >> >> [...] > > Hi James, > > instead of adding attributes, one could declare the content of the <rem> > element > to be a choice between the <keyTag> element and the <dsData> element, with > unbounded repetition, e.g. > > <complexType name="remType"> > <choice maxOccurs="unbounded"> > <element name="keyTag" type="unsignedShort"/> > <element name="dsData" type="secDNS:dsDataType"/> > </sequence> > </complexType> > > Also, I propose a change to allow both <add> and <rem> to occur in the same > request, i.e. something like this (may be formally incorrect, haven't checked > the syntax): > > <complexType name="updateType"> > <choice> > <element name="chg" type="secDNS:dsType"/> > <sequence> > <element name="add" type="secDNS:dsType" minOccurs="0"/> > <element name="rem" type="secDNS:remType" minOccurs="0"/> > </sequence> > </choice> > <attribute name="urgent" type="boolean" default="false"/> > </complexType> > > > Regards, > > Klaus > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- List run by majordomo software. For (Un-)subscription and similar details send "help" to ietf-provreg-request@cafax.se