-
Notifications
You must be signed in to change notification settings - Fork 1
/
draft-feher-cds-epp-mapping.txt
280 lines (155 loc) · 8.41 KB
/
draft-feher-cds-epp-mapping.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
TODO Working Group K. Feher
Internet-Draft None
Intended status: Informational July 11, 2021
Expires: January 12, 2022
CDS to EPP Mapping
draft-feher-cds-epp-mapping-latest
Abstract
TODO Abstract
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 12, 2022.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Feher Expires January 12, 2022 [Page 1]
Internet-Draft cdsEPPMapping July 2021
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 2
3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.1. Registries and Registrars . . . . . . . . . . . . . . . . 2
4. Registrar Initial Trust Models . . . . . . . . . . . . . . . 3
4.1. Accept Policy via Authenticated Channel . . . . . . . . . 3
4.2. Accept with Extra Checks . . . . . . . . . . . . . . . . 3
4.3. Accept after Delay . . . . . . . . . . . . . . . . . . . 3
4.4. Accept with Challenge . . . . . . . . . . . . . . . . . . 3
4.5. Accept from Inception . . . . . . . . . . . . . . . . . . 3
4.6. Enable DNSSEC Validation . . . . . . . . . . . . . . . . 3
4.7. Roll over the KSK . . . . . . . . . . . . . . . . . . . . 4
4.8. Turn off DNSSEC validation . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
7. Normative References . . . . . . . . . . . . . . . . . . . . 4
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
TODO Introduction
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Background
[RFC7344] specifies how DNS trust can be maintained across key
rollovers in-band between parent and child. [RFC8078] added inband
signalling DNSSEC status changes and documented 3 use cases. This
document describes how the parent zone changes required by those use
cases might be implemented via EPP. This document seeks to map the
three use cases found in [RFC8078] section 2, to EPP operations.
3.1. Registries and Registrars
Support for CDS/CDNSKEY amongst Internet Registries is likely to
remain inconsistent for some time. Therefore practices for updating
the parent zone for a registered domain should allow for either the
Registry or the sponsoring Registrar to observe a domain's CDS
Feher Expires January 12, 2022 [Page 2]
Internet-Draft cdsEPPMapping July 2021
records and subsequent state changes. In most TLDs both the
Registrar and Registry are capable of making the changes signaled by
CDS records, to the parent zone.
Some Registrars may support CDS even if the Registry does not.
Some Registries may use EPP as the method by which CDS signals are
applied to the registry system for subsequent entry into the
registered domain's parent zone.
4. Registrar Initial Trust Models
RFC8078 proposes several models that a parent may use for managing
initial trust. These models assume that it is the parent which will
observe any CDS/CDNSKEY signals and it will also be the parent which
manages the initial trust solution.
When a Registry does not support [RFC8078] a Registrar can instead
carry out the operations described in [RFC8078] section 3.
4.1. Accept Policy via Authenticated Channel
The Registrar can use an authenticated channel to receive a notice
that a CDS/CDNSKEY exists. Once the notice is received, the process
documented in [RFC8078] section 3.1 should be followed.
4.2. Accept with Extra Checks
TODO
4.3. Accept after Delay
TODO
4.4. Accept with Challenge
TODO
4.5. Accept from Inception
TODO # EPP Commands for CDS/CDNSKEY Use Cases
4.6. Enable DNSSEC Validation
Regardless of the method used to determine that the initial CDS/
CDNSKEY signal is trustworthy, the Registrar or Registry SHOULD use
the EPP <update> command with the secDNS extension documented in
[RFC5910] in order to add the DS to the parent. A <secDNS:add> sub-
Feher Expires January 12, 2022 [Page 3]
Internet-Draft cdsEPPMapping July 2021
element to <secDNS:update> MUST be used to indicate that security
information is being added. In the case of a CDS RRset the DS Data
Interface MUST be used by including the <secDNS:dsData> child element
to <secDNS:update>. In the case of a CDNSKEY RRset, the Key Data
Interface MUST be used by including the <secDNS:keyData> child
element to <secDNS:update>. If both CDS and CDNSKEY RRsets are
present then a Registrar SHOULD choose the RRset based on the server
policy.
TODO EPP Examples
4.7. Roll over the KSK
TODO
4.8. Turn off DNSSEC validation
TODO
5. Security Considerations
TODO Security
6. IANA Considerations
This document has no IANA actions.
7. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
Security Extensions Mapping for the Extensible
Provisioning Protocol (EPP)", RFC 5910,
DOI 10.17487/RFC5910, May 2010,
<https://www.rfc-editor.org/info/rfc5910>.
[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
DNSSEC Delegation Trust Maintenance", RFC 7344,
DOI 10.17487/RFC7344, September 2014,
<https://www.rfc-editor.org/info/rfc7344>.
Feher Expires January 12, 2022 [Page 4]
Internet-Draft cdsEPPMapping July 2021
[RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from
the Parent via CDS/CDNSKEY", RFC 8078,
DOI 10.17487/RFC8078, March 2017,
<https://www.rfc-editor.org/info/rfc8078>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Acknowledgments
TODO acknowledge.
Author's Address
Kal Feher
None
Email: [email protected]
Feher Expires January 12, 2022 [Page 5]