Re: [gtld-tech] RDAP zoneSigned flag

March 28, 2019


      Your clarification certainly sounds reasonable.

Scott
...
-----Original Message-----
From: Michael Bauland <Michael.Bauland@knipp.de>
Sent: Thursday, March 28, 2019 11:16 AM
To: Hollenbeck, Scott <shollenbeck@verisign.com>; gtld-tech@icann.org
Subject: [EXTERNAL] Re: [gtld-tech] RDAP zoneSigned flag
Hi Scott,
On 28.03.2019 15:35, Hollenbeck, Scott wrote:
...
Speaking as one of the authors of RFC 7483: delegationSigned is for the
parent and zoneSigned is for the subject domain. If the parent has DS
records, we know that the subject domain _should_ be signed. For what it's
worth, neither of us authors feels that text is really clear.
Thanks for your answer. Let's take an example to make sure I understood
you correctly:
I'm the registry for .example. The zone test.example is registered and the
registrar provided DS records.
If someone now uses my RDAP server and inquires test.example, I return
delegationSigned = true, because I know that DS records for text.example
exist. So far so clear.
For zoneSigned I see two possibilities:
1. I also return zoneSigned=true, because I assume that test.example is
signed.
2. I don't publish zoneSigned, because I don't know for sure, whether the
zone is signed.
In Case 1 delegationSigned and zoneSigned will always have the same value,
so there's no real benefit in publishing both.
As a consequence, as a registry I would say I always ignore zoneSigned and
don't publish it.
The only real use case for zoneSigned is, if I am a registrar and also run the
DNS service for my customer. Only then do I know for sure whether the zone
is signed or not.
Cheers,
Michael
--
__________________________________________________________
__________
     |       |
     | knipp |            Knipp  Medien und Kommunikation GmbH
      -------                    Technologiepark
                                 Martin-Schmeisser-Weg 9
                                 44227 Dortmund
                                 Germany
Dipl.-Informatiker          Fon:    +49 231 9703-0
                                 Fax:    +49 231 9703-200
     Dr. Michael Bauland         SIP:    Michael.Bauland@knipp.de
     Software Development        E-mail: Michael.Bauland@knipp.de
Register Court:
                                 Amtsgericht Dortmund, HRB 13728
Chief Executive Officers:
                                 Dietmar Knipp, Elmar Knipp