To:
Ulrich Wisser <liste@publisher.de>, EPP Provreg <ietf-provreg@cafax.se>
From:
James Gould <jgould@verisign.com>
Date:
Mon, 02 Nov 2009 10:03:45 -0400
In-Reply-To:
<4AEEAF83.6030008@publisher.de>
Sender:
owner-ietf-provreg@cafax.se
Thread-Index:
AcpbpwreYbqmwbuxTyq5fx+4a65HiAAJqFnQ
Thread-Topic:
[ietf-provreg] Anyone working on 4310-bis?
User-Agent:
Microsoft-Entourage/12.20.0.090605
Subject:
Re: [ietf-provreg] Anyone working on 4310-bis?
Ulrich, So there are registries out there looking to support a keyData interface for DNSSEC, where the client would pass just the keyData on an add/rem/chg? Would the DS data be returned in the info response? Was providing a keyData interface for DNSSEC requested by the Registrars to ease in the implementation? Iım not sure if having the registries supporting two different models like the hostAttr and hostObj models of the domain specification adds value or causes more complexity for the Registrars. I'm assuming that the Registry should support one model or the other and not both. If there is a compelling reason for supporting two different models, then I believe that a combination of Klausıs and Ulrichıs schema changes makes sense, but I would like to hear from others related to the advantage of supporting two DNSSEC models (dsData and keyData). In summary, below is the XML schema snippet from Klaus: <complexType name="updateType"> <choice> <element name="chg" type="secDNS:dsType"/> <sequence> <element name="add" type="secDNS:dsType" minOccurs="0"/> <element name="rem" type="secDNS:remType" minOccurs="0"/> </sequence> </choice> <attribute name="urgent" type="boolean" default="false"/> </complexType> <complexType name="remType"> <choice maxOccurs="unbounded"> <element name="keyTag" type="unsignedShort"/> <element name="dsData" type="secDNS:dsDataType"/> </choice> </complexType> Below is the XML schema snippet that includes both Klausıs and Ulrichıs proposals: <complexType name="dsDataType"> <sequence> <group minOccurs="0"> <element name="keyTag" type="unsignedShort"/> <element name="alg" type="unsignedByte"/> <element name="digestType" type="unsignedByte"/> <element name="digest" type="hexBinary"/> <element name="maxSigLife" type="secDNS:maxSigLifeType" minOccurs="0"/> </group> <element name="keyData" type="secDNS:keyDataType" minOccurs="0"/> </sequence> </complexType> <complexType name="updateType"> <choice> <element name="chg" type="secDNS:dsType"/> <sequence> <element name="add" type="secDNS:dsType" minOccurs="0"/> <element name="rem" type="secDNS:remType" minOccurs="0"/> </sequence> </choice> <attribute name="urgent" type="boolean" default="false"/> </complexType> <complexType name="remType"> <choice maxOccurs="unbounded"> <element name="keyTag" type="unsignedShort"/> <element name="dsData" type="secDNS:dsDataType"/> </choice> </complexType> I agree that if we're not concerned about backward compatibility that the chg can be removed since supporting add and rem of multiple DS records is consistent with the other EPP specifications and removes the need for chg. I'm on the fence about this since I like backward compatibility but I also like removing confusion around the use of chg if add and rem can be used in its place. -- JG ------------------------------------------------------- James F. Gould Principal Software Engineer VeriSign Naming Services jgould@verisign.com Direct: 703.948.3271 Mobile: 703.628.7063 21345 Ridgetop Circle LS2-2-1 Dulles, VA 20166 Notice to Recipient: This e-mail contains confidential, proprietary and/or Registry Sensitive information intended solely for the recipient and, thus may not be retransmitted, reproduced or disclosed without the prior written consent of VeriSign Naming and Directory Services. If you have received this e-mail message in error, please notify the sender immediately by telephone or reply e-mail and destroy the original message without making a copy. Thank you. From: Ulrich Wisser <liste@publisher.de> Date: Mon, 2 Nov 2009 05:08:03 -0500 To: EPP Provreg <ietf-provreg@cafax.se> Subject: Re: [ietf-provreg] Anyone working on 4310-bis? Andrew Sullivan wrote: > On Wed, Oct 28, 2009 at 12:45:54PM +0100, Ulrich Wisser wrote: > >> The add command (as well as update) uses the secDNS:dsDataType. Which >> makes keytag, alg, digestType and digest mandatory. I know that .SE and >> other registries considered to become a "fat" registry and take in the >> public keys instead of the ds records. The DS records would be computed >> from the public keys according to registry policies. >> This case is not covered by 4310. > > While this is true, 4310 does provide an OPTIONAL <secDNS:keyData> > element. Registry policy could require this. Then you could get the > DS and the DNSKEY at the same time, and you could even check to be > sure the DS they're providing actually matches the DNSKEY they're > providing (and use that as a first-line test to make sure their plan > is sane. If they can't generate the right DS, they are as likely to > have other problems as not, and it could well be that you want to stop > doing anything until it's sorted). No? I agree and this is not a big issue. I just thought that while we are changing the XML schema anyway, this change wouldn't be to troublesome either. I believe <complexType name="dsDataType"> <sequence> <group minOccurs="0"> <element name="keyTag" type="unsignedShort"/> <element name="alg" type="unsignedByte"/> <element name="digestType" type="unsignedByte"/> <element name="digest" type="hexBinary"/> <element name="maxSigLife" type="secDNS:maxSigLifeType" minOccurs="0"/> </group> <element name="keyData" type="secDNS:keyDataType" minOccurs="0"/> </sequence> </complexType> would do the trick and still be backward compatible, wouldn't it? /Ulrich -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- List run by majordomo software. For (Un-)subscription and similar details send "help" to ietf-provreg-request@cafax.se -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- List run by majordomo software. For (Un-)subscription and similar details send "help" to ietf-provreg-request@cafax.se