Re: [gtld-tech] [eppext] [provreg] Publishing of the Change Poll EPP Extension IETF Draft
James et al, Has the use case of DNS publishing been considered for the changepoll extension ? Some registries defer publication of a domain to the registry zone until DNS servers respond correctly (authoritative, DNSKEY matches DS etc.), and a poll message could signal that to the sponsoring client. I couldn't find an appropriate operation in changepoll-02... what are your and the group's thoughts on this ? Rubens
Em 30/01/2015, à(s) 11:53:000, Gould, James <JGould@verisign.com> escreveu:
Ulrich,
Thank you for the review of the draft. My feedback is embedded below.
I received private feedback to add an optional caseId element to help capture the UDRP, URS, or other case identifier for the change. The optional caseId element was added with an enumerated “type” attribute, with the enumerated values of “udrp”, “urs”, and “custom”, and with an optional “name” attribute for the “custom” type. Are there any additional case types that should be included in the enumerated list? You can see the latest updates of the draft using the GitHub project https://github.com/james-f-gould/EPP-Change-Poll.git <https://github.com/james-f-gould/EPP-Change-Poll.git>.
—
JG
<BF09FAA4-32D8-46E0-BED0-CD72F43BD6E0[81].png>
James Gould Distinguished Engineer jgould@Verisign.com <x-msg://23/jgould@Verisign.com>
703-948-3271 12061 Bluemont Way Reston, VA 20190
VerisignInc.com <http://verisigninc.com/> On Jan 30, 2015, at 4:08 AM, Ulrich Wisser <ulrich@wisser.se <mailto:ulrich@wisser.se>> wrote:
Hi James and Trung!
You two did a nice job on the extension.
I would prefer the transform command instead of the info response. That would eliminate the need for before/after indicator.
You mean you want to see the full input transform command in the poll message? Most of the server-side operations don’t go through EPP, so it would be a challenge to attempt to present the input prior to executing the operation using an EPP transform command. Another issue with using a transform command is representing the server-side logic that is not reflected in the input parameters like the setting of the expiration date. The client can see the end result of the operation without having to replicate the transform operation logic, along with the meta-data about the operation using the info response.
One question for the list is the value in making the before image of the object available? The after image is required, but the thought is that the before image may be desired.
I have some problems with the operators
- Why is autoRenew a special operation instead of operation renew with op="auto”?
I agree that both are associated with renewing the domain; although I view them as separate first class operations with different characteristics (What drives the operation, how does the operation function, and what is the applicable grace period for the operation).
- What is the difference between delete and delete op="purge”?
Good question. Purge is associated with physically removing the object from the database where the delete could start an RGP lifecycle flow. An immediate delete (e.g. delete within the add grace period) is reflected by a “delete” with the op=“purge”; otherwise it would be just “delete”.
- Why autoPurge / autoDelete?
Another good question. What if for some registries the domain is deleted instead of auto renewed at expiry? That would match the use of the “autoDelete” operation. Now, the “autoDelete” could include the purging of the object which would be reflected by setting op=“purge”. The autoPurge operation is the server batch that physically purges the object (domain) at the end of the pendingDelete period. In this case the domain has been deleted, put through the RGP lifecycle flow, and is being purged from the database. We wanted to handle both types of registries (auto renew and auto delete) as well as be able to identify the event when the object is purged from the database. I hope this makes sense.
Kind regards from Stockholm
Ulrich
2015-01-20 14:49 GMT+01:00 Gould, James <JGould@verisign.com <mailto:JGould@verisign.com>>: The first draft of the Change Poll EPP Extension ( http://tools.ietf.org/html/draft-gould-change-poll-00 <http://tools.ietf.org/html/draft-gould-change-poll-00> ) has been submitted to the IETF. I co-authored this draft with Trung Tran from Neustar to provide a mechanism within EPP to notify clients of any server-side change, including but not limited to regular batch processes, customer support actions, Uniform Domain-Name Dispute-Resolution Policy (UDRP) or Uniform Rapid Suspension (URS) actions, court directed actions, and bulk updates based on customer requests. Since the client is not directly involved or knowledgable of these operations, the extension is used along with an EPP object mapping to provide the resulting state of the post-operation object, and optionally a pre-operation object, with the operation meta-data of what, when, who, and why. We would like this draft to be included in a re-charting of the EPPEXT Working Group.
Please review the draft and provide any feedback.
Thanks,
—
JG
<BF09FAA4-32D8-46E0-BED0-CD72F43BD6E0[81].png>
James Gould Distinguished Engineer jgould@Verisign.com <http://jgould@verisign.com/>
703-948-3271 <tel:703-948-3271> 12061 Bluemont Way Reston, VA 20190
VerisignInc.com <http://verisigninc.com/> “This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately.”
_______________________________________________ provreg mailing list provreg@ietf.org <mailto:provreg@ietf.org> https://www.ietf.org/mailman/listinfo/provreg <https://www.ietf.org/mailman/listinfo/provreg>
_______________________________________________ EppExt mailing list EppExt@ietf.org <mailto:EppExt@ietf.org> https://www.ietf.org/mailman/listinfo/eppext
_______________________________________________ EppExt mailing list EppExt@ietf.org <mailto:EppExt@ietf.org> https://www.ietf.org/mailman/listinfo/eppext <https://www.ietf.org/mailman/listinfo/eppext>
Rubens, In the use case, do the registries using the pending action flow with the pending action poll message? Will the registry process the command as a non-pending action, waiting for some dependency to be fulfilled, and then publish the action in DNS? Do you believe that all or some (opt in or out) clients would want to be notified of this asynchronous action by the server without going through the pending action flow? I’m not sure whether the deferred action is as much of an operation since it more of a state transition for the originating operation. A custom operation is supported in draft-gould-change-poll to support non-general use cases. The question is whether this is a general use case that deserves a pre-defined operation and if so what should that operation be if it’s different from the originating operation? I would call it something like “deferredPublication”. Thoughts? — JG [cid:77031CC3-BE7A-4188-A95F-D23115A30A4D@vcorp.ad.vrsn.com] James Gould Distinguished Engineer jgould@Verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 VerisignInc.com<http://VerisignInc.com> On Mar 6, 2015, at 12:07 AM, Rubens Kuhl <rubensk@nic.br<mailto:rubensk@nic.br>> wrote: James et al, Has the use case of DNS publishing been considered for the changepoll extension ? Some registries defer publication of a domain to the registry zone until DNS servers respond correctly (authoritative, DNSKEY matches DS etc.), and a poll message could signal that to the sponsoring client. I couldn't find an appropriate operation in changepoll-02... what are your and the group's thoughts on this ? Rubens Em 30/01/2015, à(s) 11:53:000, Gould, James <JGould@verisign.com<mailto:JGould@verisign.com>> escreveu: Ulrich, Thank you for the review of the draft. My feedback is embedded below. I received private feedback to add an optional caseId element to help capture the UDRP, URS, or other case identifier for the change. The optional caseId element was added with an enumerated “type” attribute, with the enumerated values of “udrp”, “urs”, and “custom”, and with an optional “name” attribute for the “custom” type. Are there any additional case types that should be included in the enumerated list? You can see the latest updates of the draft using the GitHub project https://github.com/james-f-gould/EPP-Change-Poll.git. — JG <BF09FAA4-32D8-46E0-BED0-CD72F43BD6E0[81].png> James Gould Distinguished Engineer jgould@Verisign.com<x-msg://23/jgould@Verisign.com> 703-948-3271 12061 Bluemont Way Reston, VA 20190 VerisignInc.com<http://verisigninc.com/> On Jan 30, 2015, at 4:08 AM, Ulrich Wisser <ulrich@wisser.se<mailto:ulrich@wisser.se>> wrote: Hi James and Trung! You two did a nice job on the extension. I would prefer the transform command instead of the info response. That would eliminate the need for before/after indicator. You mean you want to see the full input transform command in the poll message? Most of the server-side operations don’t go through EPP, so it would be a challenge to attempt to present the input prior to executing the operation using an EPP transform command. Another issue with using a transform command is representing the server-side logic that is not reflected in the input parameters like the setting of the expiration date. The client can see the end result of the operation without having to replicate the transform operation logic, along with the meta-data about the operation using the info response. One question for the list is the value in making the before image of the object available? The after image is required, but the thought is that the before image may be desired. I have some problems with the operators - Why is autoRenew a special operation instead of operation renew with op="auto”? I agree that both are associated with renewing the domain; although I view them as separate first class operations with different characteristics (What drives the operation, how does the operation function, and what is the applicable grace period for the operation). - What is the difference between delete and delete op="purge”? Good question. Purge is associated with physically removing the object from the database where the delete could start an RGP lifecycle flow. An immediate delete (e.g. delete within the add grace period) is reflected by a “delete” with the op=“purge”; otherwise it would be just “delete”. - Why autoPurge / autoDelete? Another good question. What if for some registries the domain is deleted instead of auto renewed at expiry? That would match the use of the “autoDelete” operation. Now, the “autoDelete” could include the purging of the object which would be reflected by setting op=“purge”. The autoPurge operation is the server batch that physically purges the object (domain) at the end of the pendingDelete period. In this case the domain has been deleted, put through the RGP lifecycle flow, and is being purged from the database. We wanted to handle both types of registries (auto renew and auto delete) as well as be able to identify the event when the object is purged from the database. I hope this makes sense. Kind regards from Stockholm Ulrich 2015-01-20 14:49 GMT+01:00 Gould, James <JGould@verisign.com<mailto:JGould@verisign.com>>: The first draft of the Change Poll EPP Extension ( http://tools.ietf.org/html/draft-gould-change-poll-00 ) has been submitted to the IETF. I co-authored this draft with Trung Tran from Neustar to provide a mechanism within EPP to notify clients of any server-side change, including but not limited to regular batch processes, customer support actions, Uniform Domain-Name Dispute-Resolution Policy (UDRP) or Uniform Rapid Suspension (URS) actions, court directed actions, and bulk updates based on customer requests. Since the client is not directly involved or knowledgable of these operations, the extension is used along with an EPP object mapping to provide the resulting state of the post-operation object, and optionally a pre-operation object, with the operation meta-data of what, when, who, and why. We would like this draft to be included in a re-charting of the EPPEXT Working Group. Please review the draft and provide any feedback. Thanks, — JG <BF09FAA4-32D8-46E0-BED0-CD72F43BD6E0[81].png> James Gould Distinguished Engineer jgould@Verisign.com<http://jgould@verisign.com/> 703-948-3271<tel:703-948-3271> 12061 Bluemont Way Reston, VA 20190 VerisignInc.com<http://verisigninc.com/> “This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed, and may contain information that is non-public, proprietary, privileged, confidential and exempt from disclosure under applicable law or may be constituted as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this message in error, notify sender immediately and delete this message immediately.” _______________________________________________ provreg mailing list provreg@ietf.org<mailto:provreg@ietf.org> https://www.ietf.org/mailman/listinfo/provreg _______________________________________________ EppExt mailing list EppExt@ietf.org<mailto:EppExt@ietf.org> https://www.ietf.org/mailman/listinfo/eppext _______________________________________________ EppExt mailing list EppExt@ietf.org<mailto:EppExt@ietf.org> https://www.ietf.org/mailman/listinfo/eppext
Le jeudi 05 mars 2015 à 21:07 -0300, Rubens Kuhl a écrit :
Has the use case of DNS publishing been considered for the changepoll extension ? Some registries defer publication of a domain to the registry zone until DNS servers respond correctly (authoritative, DNSKEY matches DS etc.), and a poll message could signal that to the sponsoring client. I couldn't find an appropriate operation in changepoll-02... what are your and the group's thoughts on this ?
I agree that could be very useful, especially if the polling message can carry some information on what tests have been done, which have failed, and courses of action for the registrar (including info to know if the failure is temporary or definitive). However it could be using the operation name "update". But I would recommend to define some kind of extensibility into the list of operation names, making registry able to add some new ones. When AFNIC did include a message for registrars after a DNS check in the the past, here was how the polling message looked like : <msgQ count="1" id="50001"> <qDate>2008-12-25T00:01:00.0Z</qDate> <msg> <resZC type="plain-text"> ZONE : ndd-de-test-0001.fr. NS : ns1.nic.fr. NS : ns2.nic.fr. NS : ns.ndd-de-test-0001.fr. [192.93.0.1, 2001:660:3005:1::1:1] ==> SUCCESS </resZC> </msg> </msgQ> It was using at the time the pure text result of the Zonecheck tool. Today, this tool has been replaced by ZoneMaster. -- Patrick Mevzek
Patrick, We discussed the Change Poll Extension and the use case of DNS deferred publication at the Registration Operations Workshop (ROW) prior to IETF-92. The question was whether the deferred publication was part of pending operations (e.g. pendingCreate, pendingUpdate). No one could speak to the use case. Can you describe the domain operation flow of a registry that supports deferred publication? I see two different flows: 1. Pending Action * Client sends domain create with NS (domain update would work in a similar fashion) * Server puts the domain on pendingCreate status and returns the 1001 “Command completed successfully; action pending” response * Server validates the NS (DNS servers respond correctly ) * If NS validate * Remove the pendingCreate status * Insert pending action (<domain:panData> ) poll message with a positive result ( “paResult=1” ) * else if within validation period * Validate again at the next interval * else * Remove domain ( or reject update ) * Insert pending action (<domain:panData> ) poll message with negative result ( “paResult=0” ). An extension could be added to provide more error detail. 2. Registration Deferred Publication ( My thoughts without any detail previously provided ) * Client sends domain create with NS ( domain update may work in a similar fashion, but I see some added complexity) * Server accepts the domain create for deferred publication and sets the “serverHold” and “ serverUpdateProhibited” statuses pending the validation. * A domain update would be more complex, since I imagine that the update would not add any server statuses to support the deferred validation. I also imagine that the domain would not be removed from the zone based on the update deferred validation by putting the “serverHold” on it. Is update of NS validated via a deferred validation model? * Server validates the NS (DNS servers respond correctly ) * If NS validate * Remove the “serverHold” and “serverUpdate” statuses * Poll message here is in question. Should this be a Change Poll message reflecting the update made by the server to remove the and “ serverUpdateProhibited” statuses based on the successful deferred publication validation? * If so, I see the server operation as “update” and the reason as something like “Deferred publication validation success”. The reason is free-form text. The change poll message (domain info response) should reflect the removal of the “serverHold” and “serverUpdateProhibited” statuses. * else if within validation period * Validate again at the next interval. No poll message required, since the state of the domain has not changed. * else * Remove the “serverUpdateProhibited” status to enable the client to modify the NS * Poll message here is in question. Should this be a Change Poll message reflecting the update made by the server to remove the “serverUpdateProhibited” status based on the failed deferred publication validation? * If so, I see the server operation as “update” and the reason as something like “Deferred publication validation failed”. The reason is free-form text. The change poll message (domain info response) should reflect the removal of the “serverUpdateProhibited” status, and not the “serverHold” status still set. * If additional information is required for this failure, I recommend creating a separate deferred publication failure extension or a generic validation failure extension that is attached to the change poll message. The info response would provide the state of the object (domain in this case), the change poll extension would provide the what, when, why for the server-side change, and the validation failure extension would provide the failure detail. I don’t see the operations done by the server above as being anything other than an “update” with the reason communicating the deferred publication validation result. There are two forms of extensibility of operations defined in the draft that is supported by the <changePoll:operation> “op” attribute, which can be used to define a sub-operation (e.g. <changePoll:operation op=“deferredPublication”>update</changePoll:operation>) or a custom operation (e.g. <changePoll:operation op=“deferredPublication”>custom</changePoll:operation> ), which handles extensibility without the need for a new XML schema and requiring an extension to an extension. Is there any other form of extensibility that you are looking for? Thanks, — JG [cid:77031CC3-BE7A-4188-A95F-D23115A30A4D@vcorp.ad.vrsn.com] James Gould Distinguished Engineer jgould@Verisign.com 703-948-3271 12061 Bluemont Way Reston, VA 20190 VerisignInc.com<http://VerisignInc.com> On Apr 25, 2015, at 10:26 AM, Patrick Mevzek <Patrick.Mevzek@afnic.fr<mailto:Patrick.Mevzek@afnic.fr>> wrote: Le jeudi 05 mars 2015 à 21:07 -0300, Rubens Kuhl a écrit : Has the use case of DNS publishing been considered for the changepoll extension ? Some registries defer publication of a domain to the registry zone until DNS servers respond correctly (authoritative, DNSKEY matches DS etc.), and a poll message could signal that to the sponsoring client. I couldn't find an appropriate operation in changepoll-02... what are your and the group's thoughts on this ? I agree that could be very useful, especially if the polling message can carry some information on what tests have been done, which have failed, and courses of action for the registrar (including info to know if the failure is temporary or definitive). However it could be using the operation name "update". But I would recommend to define some kind of extensibility into the list of operation names, making registry able to add some new ones. When AFNIC did include a message for registrars after a DNS check in the the past, here was how the polling message looked like : <msgQ count="1" id="50001"> <qDate>2008-12-25T00:01:00.0Z</qDate> <msg> <resZC type="plain-text"> ZONE : ndd-de-test-0001.fr<http://ndd-de-test-0001.fr>. NS : ns1.nic.fr<http://ns1.nic.fr>. NS : ns2.nic.fr<http://ns2.nic.fr>. NS : ns.ndd-de-test-0001.fr<http://ns.ndd-de-test-0001.fr>. [192.93.0.1, 2001:660:3005:1::1:1] ==> SUCCESS </resZC> </msg> </msgQ> It was using at the time the pure text result of the Zonecheck tool. Today, this tool has been replaced by ZoneMaster. -- Patrick Mevzek
Hello James, Le lundi 27 avril 2015 à 13:04 +0000, Gould, James a écrit :
We discussed the Change Poll Extension and the use case of DNS deferred publication at the Registration Operations Workshop (ROW) prior to IETF-92. The question was whether the deferred publication was part of pending operations (e.g. pendingCreate, pendingUpdate). No one could speak to the use case. Can you describe the domain operation flow of a registry that supports deferred publication?
Sorry for my delay. I can give you some details on how it was done at the .FR registry in the past (we are not doing it anymore). Basically any DNS change had to be checked against some rules, using the then active tool zonecheck (which also meant that you could only change nameservers in one operation, you could not mix it with other updates at the same time). In our case, at that time, creation was not possible with nameservers. You had to first register the domain, then modify it if you want to add nameservers.
I see two different flows:
1. Pending Action 1. Client sends domain create with NS (domain update would work in a similar fashion) 2. Server puts the domain on pendingCreate status and returns the 1001 “Command completed successfully; action pending” response 3. Server validates the NS (DNS servers respond correctly ) 4. If NS validate 1. Remove the pendingCreate status 2. Insert pending action (<domain:panData> ) poll message with a positive result ( “paResult=1” ) 5. else if within validation period 1. Validate again at the next interval 6. else 1. Remove domain ( or reject update ) 2. Insert pending action (<domain:panData> ) poll message with negative result ( “paResult=0” ). An extension could be added to provide more error detail.
We were basically doing that except for the following points : - no creation with nameservers, hence the above workflow was for updates only - either it valides or not, but in all cases the operation was done at that time, either successfully or not. the registry did not try to validate again, the onus would be on the registrar to send again a domain:update command to trigger a recheck. - for the more details part (basically the validation result), we did not design an extension but just put the error message as a text in the notification. Clearly not as good as the new drafts to convey such kind of information, but at that time, it was good enough.
1. Registration Deferred Publication ( My thoughts without any detail previously provided ) 1. Client sends domain create with NS ( domain update may work in a similar fashion, but I see some added complexity) 2. Server accepts the domain create for deferred publication and sets the “serverHold” and “ serverUpdateProhibited” statuses pending the validation. 1. A domain update would be more complex, since I imagine that the update would not add any server statuses to support the deferred validation. I also imagine that the domain would not be removed from the zone based on the update deferred validation by putting the “serverHold” on it. Is update of NS validated via a deferred validation model? 3. Server validates the NS (DNS servers respond correctly ) 4. If NS validate 1. Remove the “serverHold” and “serverUpdate” statuses 2. Poll message here is in question. Should this be a Change Poll message reflecting the update made by the server to remove the and “ serverUpdateProhibited” statuses based on the successful deferred publication validation? 1. If so, I see the server operation as “update” and the reason as something like “Deferred publication validation success”. The reason is free-form text. The change poll message (domain info response) should reflect the removal of the “serverHold” and “serverUpdateProhibited” statuses. 5. else if within validation period 1. Validate again at the next interval. No poll message required, since the state of the domain has not changed. 6. else 1. Remove the “serverUpdateProhibited” status to enable the client to modify the NS 2. Poll message here is in question. Should this be a Change Poll message reflecting the update made by the server to remove the “serverUpdateProhibited” status based on the failed deferred publication validation? 1. If so, I see the server operation as “update” and the reason as something like “Deferred publication validation failed”. The reason is free-form text. The change poll message (domain info response) should reflect the removal of the “serverUpdateProhibited” status, and not the “serverHold” status still set. 1. If additional information is required for this failure, I recommend creating a separate deferred publication failure extension or a generic validation failure extension that is attached to the change poll message. The info response would provide the state of the object (domain in this case), the change poll extension would provide the what, when, why for the server-side change, and the validation failure extension would provide the failure detail.
This is more complex, and like I said I have past experience only for updates. Using statuses in that way seems to me a problem since they do not "stack". A domain can have a serverHold for various reasons: if it has serverHold before the domain:update for example because of a dispute or something out of band, at the end of the procedure it may have been removed, but wrongly. Also, it breaks the domain: if you put serverHold right at the beginning of the domain:update and if the zonefile data is published in real time or near real time, and if the validation itself takes more time than the average publication delay, then you create a window were the current domain can be published without its (past) nameservers at all, which is for me a no-go. So I would think the first case is simpler for anyone. Also, we may have the same problem for secDNS changes (if the registry wants to validate them before applying them)
I don’t see the operations done by the server above as being anything other than an “update” with the reason communicating the deferred publication validation result. There are two forms of extensibility of operations defined in the draft that is supported by the <changePoll:operation> “op” attribute, which can be used to define a sub-operation (e.g. <changePoll:operation op=“deferredPublication”>update</changePoll:operation>) or a custom operation (e.g. <changePoll:operation op=“deferredPublication”>custom</changePoll:operation> ), which handles extensibility without the need for a new XML schema and requiring an extension to an extension. Is there any other form of extensibility that you are looking for?
No, my fault sorry, I overlooked this possible extension, which indeed solves my question. -- Patrick Mevzek
participants (3)
-
Gould, James -
Patrick Mevzek -
Rubens Kuhl