Hi,

I just stumbled across the definition of zoneSigned as part of the secureDNS member in RFC 7483. There it says:

zoneSigned -- true if the zone has been signed, false otherwise.

Now I'm wondering whether this relates to the TLD zone (i.e., it always MUST be set to true for ngTLDs) or whether the SLD zone is meant, in which case the registry does not know the value and simply won't publish it.

Thanks in advance,

Michael

--
Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeisser-Weg 9
44227 Dortmund
Germany

Dipl.-Informatiker Dr. Michael Bauland
Software Development
Fon: +49 231 9703-0
Fax: +49 231 9703-200
SIP: Michael.Bauland@knipp.de
E-mail: Michael.Bauland@knipp.de

Register Court: Amtsgericht Dortmund, HRB 13728
Chief Executive Officers: Dietmar Knipp, Elmar Knipp
Speaking as one of the authors of RFC 7483: delegationSigned is for the parent and zoneSigned is for the subject domain. If the parent has DS records, we know that the subject domain _should_ be signed. For what it's worth, neither of us authors feels that text is really clear. Scott
-----Original Message----- From: gtld-tech <gtld-tech-bounces@icann.org> On Behalf Of Michael Bauland Sent: Thursday, March 28, 2019 9:57 AM To: gtld-tech@icann.org Subject: [EXTERNAL] [gtld-tech] RDAP zoneSigned flag
Hi Scott,

On 28.03.2019 15:35, Hollenbeck, Scott wrote:
Speaking as one of the authors of RFC 7483: delegationSigned is for the parent and zoneSigned is for the subject domain. If the parent has DS records, we know that the subject domain _should_ be signed. For what it's worth, neither of us authors feels that text is really clear.
Thanks for your answer. Let's take an example to make sure I understood you correctly:

I'm the registry for .example. The zone test.example is registered and the registrar provided DS records.

If someone now uses my RDAP server and queries test.example, I return delegationSigned = true, because I know that DS records for test.example exist. So far so clear.

For zoneSigned I see two possibilities:

1. I also return zoneSigned=true, because I assume that test.example is signed.
2. I don't publish zoneSigned, because I don't know for sure whether the zone is signed.

In Case 1 delegationSigned and zoneSigned will always have the same value, so there's no real benefit in publishing both.

As a consequence, as a registry I would say I always ignore zoneSigned and don't publish it.

The only real use case for zoneSigned is if I am a registrar and also run the DNS service for my customer. Only then do I know for sure whether the zone is signed or not.

Cheers,

Michael

--
Knipp Medien und Kommunikation GmbH
Technologiepark
Martin-Schmeisser-Weg 9
44227 Dortmund
Germany

Dipl.-Informatiker Dr. Michael Bauland
Software Development
Fon: +49 231 9703-0
Fax: +49 231 9703-200
SIP: Michael.Bauland@knipp.de
E-mail: Michael.Bauland@knipp.de

Register Court: Amtsgericht Dortmund, HRB 13728
Chief Executive Officers: Dietmar Knipp, Elmar Knipp
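To make the test.example scenario concrete, the following is an added example written for this page; it is not code from the thread, from RFC 7483, or from any registry or registrar implementation. It builds the RDAP secureDNS member the way the registry case implies (delegationSigned derived from the DS records the parent holds, zoneSigned omitted unless the operator actually runs the child zone) and shows how a client should read the two flags, including the two inconsistent combinations. The function names, the status labels, and the DS record values are assumptions made up for the illustration; the digest-length checks follow the DS digest types in RFC 4034, RFC 4509 and RFC 6605.

```python
import json

# Expected digest length in hex characters per DS digestType:
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# Constructed sample DS record for this illustration; not a real key.
SAMPLE_DS = [{"keyTag": 12345, "algorithm": 13, "digestType": 2,
              "digest": "0123456789abcdef" * 4}]


def ds_problems(record):
    """Return the reasons a DS record is not publishable (empty list if ok)."""
    problems = [f"missing {f}" for f in ("keyTag", "algorithm", "digestType", "digest")
                if f not in record]
    if problems:
        return problems
    expected = DS_DIGEST_HEX_LEN.get(record["digestType"])
    digest = record["digest"]
    if expected is None:
        problems.append(f"unknown digestType {record['digestType']}")
    elif len(digest) != expected:
        problems.append(f"digest has {len(digest)} hex chars, expected {expected}")
    if any(c not in "0123456789abcdefABCDEF" for c in digest):
        problems.append("digest is not hexadecimal")
    return problems


def build_secure_dns(ds_records, zone_signed=None):
    """Build the RDAP 'secureDNS' member from what the operator actually knows.

    ds_records : DS records the parent publishes for this delegation.
    zone_signed: None when the operator does not run the child zone (the
                 registry answering for test.example), so zoneSigned is left
                 out instead of guessed; True/False when the operator is
                 authoritative for the zone (a registrar that also hosts DNS).
    """
    secure_dns = {"delegationSigned": bool(ds_records)}
    if ds_records:
        ds_data = []
        for r in ds_records:
            problems = ds_problems(r)
            if problems:
                raise ValueError(f"bad DS record {r!r}: {', '.join(problems)}")
            ds_data.append({k: r[k] for k in ("keyTag", "algorithm", "digestType", "digest")})
        secure_dns["dsData"] = ds_data
    if zone_signed is not None:
        secure_dns["zoneSigned"] = bool(zone_signed)
    return secure_dns


def domain_response(ldh_name, secure_dns):
    """Minimal RDAP domain object (RFC 7483 section 5.3) carrying secureDNS."""
    return {
        "rdapConformance": ["rdap_level_0"],
        "objectClassName": "domain",
        "ldhName": ldh_name,
        "secureDNS": secure_dns,
    }


def dnssec_status(response):
    """Client-side reading of a domain response's secureDNS member.

    Labels are this example's own:
      'no-secureDNS'    member absent; nothing can be concluded
      'no-ds'           no DS at the parent and no claim that the zone is signed
      'delegated-only'  DS at the parent, server did not assert zoneSigned
      'signed'          DS at the parent and zone asserted signed
      'island'          zone asserted signed but no DS at the parent
      'broken'          DS at the parent but zone asserted unsigned (validators
                        would treat the zone as bogus)
    """
    sd = response.get("secureDNS")
    if sd is None:
        return "no-secureDNS"
    delegated = bool(sd.get("delegationSigned", False))
    zone = sd.get("zoneSigned")  # None when the server declined to say
    if delegated and zone is None:
        return "delegated-only"
    if delegated and zone:
        return "signed"
    if delegated:
        return "broken"
    if zone:
        return "island"
    return "no-ds"


def example():
    """The thread's scenario: the .example registry answers for test.example,
    then the same delegation as seen by a registrar that also hosts the zone."""
    registry = domain_response("test.example", build_secure_dns(SAMPLE_DS))
    hosting = domain_response("test.example",
                              build_secure_dns(SAMPLE_DS, zone_signed=True))
    return registry, hosting


if __name__ == "__main__":
    for resp in example():
        print(json.dumps(resp, indent=2), "->", dnssec_status(resp))
```

The registry path passes no zone_signed value, so the emitted object contains delegationSigned and dsData only, which matches the conclusion in the message above. Note that even when zoneSigned is present it is only the server's assertion, not a validation result: a client that needs to know whether test.example really validates must query DNS and check the chain itself, and the 'broken' and 'island' cases are exactly the ones where RDAP metadata and DNS reality are most likely to disagree.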
Your clarification certainly sounds reasonable. Scott
-----Original Message----- From: Michael Bauland <Michael.Bauland@knipp.de> Sent: Thursday, March 28, 2019 11:16 AM To: Hollenbeck, Scott <shollenbeck@verisign.com>; gtld-tech@icann.org Subject: [EXTERNAL] Re: [gtld-tech] RDAP zoneSigned flag
participants (2)
- Hollenbeck, Scott
- Michael Bauland