idnits 2.17.1 draft-ietf-eppext-keyrelay-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 8, 2015) is 3396 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC4034' is defined on line 537, but no explicit reference was found in the text Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 eppext R. Gieben 3 Internet-Draft Google 4 Intended status: Standards Track M. Groeneweg 5 Expires: July 12, 2015 H. Ribbers 6 SIDN Labs 7 A. Verschuren 9 January 8, 2015 11 Relay Extension for the Extensible Provisioning Protocol 12 draft-ietf-eppext-keyrelay-01 14 Abstract 16 This document describes a generic Extensible Provisioning Protocol 17 (EPP) extension for the purpose of relaying data between registrars. 19 Furthermore, this document describes a specific implementation for 20 relaying DNSSEC key material between DNS operators (by means of their 21 respective registrars), to facilitate the change of DNS operator, 22 while keeping the DNSSEC chain of trust intact. 24 This I-D introduces a new generic command and an element 25 . For the specific implementation of relaying DNSSEC key 26 material it introduces an extension of the with a 27 element. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on July 12, 2015. 46 Copyright Notice 48 Copyright (c) 2015 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 64 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 65 1.2. Relaying Data . . . . . . . . . . . . . . . . . . . . . . 3 66 1.2.1. Rationale For a New Command . . . . . . . . . . . . . 4 67 1.2.2. Extending per use case . . . . . . . . . 4 68 1.3. Secure Transfer of DNSSEC Key Material . . . . . . . . . 4 69 2. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 5 70 2.1. DNSSEC Key Material . . . . . . . . . . . . . . . . . . . 5 71 3. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 6 72 3.1. EPP Transient Commands . . . . . . . . . . . . . . . . . 6 73 3.1.1. EPP Command . . . . . . . . . . . . . . . . . 6 74 3.2. EPP Query Commands . . . . . . . . . . . . . . . . . . . 7 75 3.2.1. EPP command . . . . . . . . . . . . . . . . . 7 76 4. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 10 77 4.1. Formal Syntax command and POLL response . . . . . 10 78 4.2. Formal Syntax data . . . . . . . . . . . . 11 79 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 80 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 81 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 82 7.1. Normative References . . . . . . . . . . . . . . . . . . 13 83 7.2. Informative References . . . . . . . . . . . . . . . . . 13 84 Appendix A. Changelog . . . . . . . . . . . . . . . . . . . . . 13 85 A.1. draft-gieben-epp-keyrelay-00 . . . . . . . . . . . . . . 13 86 A.2. draft-gieben-epp-keyrelay-01 . . . . . . . . . . . . . . 13 87 A.3. draft-gieben-epp-keyrelay-02 . . . . . . . . . . . . . . 14 88 A.4. draft-gieben-epp-keyrelay-03 . . . . . . . . . . . . . . 14 89 A.5. draft-ietf-eppext-keyrelay-00 . . . . . . . . . . . . . . 14 90 A.6. draft-ietf-eppext-keyrelay-01 . . . . . . . . . . . . . . 14 91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 93 1. Introduction 95 There are certain transactions in the lifecycle of a domain name, 96 that require interaction between registrars but need registration 97 data from the registry. Since all registrars involved have a secure 98 channel to the registry for maintaining the delegation, the registry 99 can act as relay for such data to transfer securely and authoritative 100 between the registrars involved. 102 Currently these transactions aren't supported in the Extensible 103 Provisioning Protocol (EPP) [RFC5730]. One example of such a 104 transaction is the exchange of DNSSEC key material to keep the DNSSEC 105 chain of trust intact in case of a change of DNS-operator. 107 In this document we will define: 109 o A protocol extension that implements the relaying of data between 110 registrars through the existing authenticated EPP channel. This 111 protocol extension introduces a new EPP command called 112 with an element . 114 o An extension to the element called that 115 can be used for the relaying DNSSEC key material using the 116 command. 118 1.1. Conventions Used in This Document 120 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 121 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 122 document are to be interpreted as described in BCP 14, RFC 2119 123 [RFC2119]. 125 XML is case sensitive. Unless stated otherwise, XML specifications 126 and examples provided in this document MUST be interpreted in the 127 character case presented in order to develop a conforming 128 implementation. 130 In examples, "C:" represents lines sent by a protocol client, and 131 "S:" represents lines returned by a protocol server. Indentation and 132 white space in examples is provided only to illustrate element 133 relationships and is not a mandatory feature of this protocol. 135 1.2. Relaying Data 137 The command uses the existing authenticated EPP channel 138 between the registrar and the registry. Registrars can use this 139 secure channel for relaying data to other registrars. The registry 140 serves as an intermediary between two registrars (see Figure 1). 142 +-------------+ relayData +-------------+ 143 | registrar X |~~~~~~~~~~~~>| registrar Y | 144 +-------------+ +-------------+ 145 | ^ 146 | EPP relay EPP poll | 147 v | 148 +-----------------------------+ 149 | registry | 150 +-----------------------------+ 152 Figure 1: Registry acting as a relay for secure data exchange between 153 registrars. 155 The command uploads data from a registrar X to the registry. 156 The uploaded data is then pushed onto the message queue of registrar 157 Y by the registry based on the information within the 158 element of the command and the registration data maintained 159 by the registry. 161 The data to be relayed MUST relate to registration data of the 162 registry. The command is not intended to relay data that has 163 no relationship to registration data. We have e-mail for that. 165 If for some reason the registry cannot process the command, 166 an EPP error response MUST be returned. If the registry does process 167 the command it MUST put all elements of on to the 168 message queue of registrar Y. 170 1.2.1. Rationale For a New Command 172 This new command can be best described as a "transient 173 command" as it only facilitates communication of data between two 174 registrars without changing the registration data at the registry. 175 No existing EPP command can be (re)used for this function. This 176 extension of EPP is in accordance to [RFC3735]. 178 1.2.2. Extending per use case 180 One MUST extend the element per use case to define the 181 data to be relayed. In the extension, one MUST make provisions for 182 the registry how to determine the receiving registrar of the 183 command. 185 1.3. Secure Transfer of DNSSEC Key Material 187 Exchanging DNSSEC key material in preparation of a domain name 188 transfer is one of the phases in the lifecycle of a domain name 189 [I-D.koch-dnsop-dnssec-operator-change]. 191 DNS-operators need to exchange (through the gaining registrar) DNSSEC 192 key material before the registration data can be changed. 194 +--------------------+ DNSKEY +---------------------+ 195 |gaining DNS operator| ~~~~~~~~> | losing DNS operator | 196 +--------------------+ +---------------------+ 197 | ^ 198 | | 199 V | 200 +--------------------+ +---------------------+ 201 | gaining registrar | | registrar of record | 202 +--------------------+ +---------------------+ 203 | ^ 204 EPP relay | | EPP poll 205 V | 206 +-----------------------------+ 207 | registry | 208 +-----------------------------+ 210 Figure 2: Transfer of DNSSEC key material. 212 As the command uses a secure channel, it can be used as a 213 method for exchanging this DNSSEC key material securely (see 214 Figure 2). 216 The gaining and losing DNS operators could talk directly to each 217 other (the ~ arrow) to exchange the DNSKEY, but often there is no 218 trusted path between the two. As both can securely interact with the 219 registry over the administrative channel through the registrar, the 220 registry can act as a relay for the key material exchange. 222 This I-D contains an extension of the element for this 223 use case. 225 2. Object Attributes 227 2.1. DNSSEC Key Material 229 To transfer DNSSEC key material with the command the generic 230 is extended with a element that contains 231 the data for relaying the key material. See Section 1.2.2. 233 This element REQUIRES a minimum of three child 234 elements: 236 o A element which contains the domain name for which we 237 upload the key. The registry MUST relay the to the 238 registrar of record of the provided domain name. 240 o One or more elements that contains the DNSSEC key 241 material as described in [RFC5910], Section 4.2. 243 o An element that contains an authorization token 244 ([RFC5731], Section 3.2.1). This indicates that the registrar has 245 authorization from the registrant to change the zone data, and a 246 possible future transfer is authorized. The registry MAY check if 247 the data is correct and if it does, it MUST return an 248 EPP error response if the authorization token is not correct. 250 And an OPTIONAL child element. 252 o An element that describes the expected lifetime of the 253 relayed key(s) in the zone. The losing DNS operator can use this 254 as an indication when to safely remove the inserted key material 255 from the zone. This may be because the transaction that needed 256 the insertion is either completed or has been abandoned if not 257 completed before this expire time. The element MUST 258 contain one of the following child elements: 260 * : The policy is valid from the current date and time 261 until it expires on the specified date and time. 263 * : The policy is valid from the current date and time 264 until the end of the specified duration. 266 3. EPP Command Mapping 268 3.1. EPP Transient Commands 270 3.1.1. EPP Command 272 The EPP command is a generic EPP command used for relaying 273 data between registrars. It contains the data to be relayed and the 274 client transaction identifier. It has been designed to be extensible 275 for usage in other use-cases. 277 The command REQUIRES the following child elements: 279 o One or more elements containing data to be relayed. 281 o An OPTIONAL (client transaction identifier) element that 282 MAY be used to uniquely identify the command to the registrar. 283 See [RFC5730], Section 2.5. 285 Example command: 287 C: 288 C: 292 C: 293 C: 294 C: 295 C: 297 C: example.org 298 C: 299 C: 256 300 C: 3 301 C: 8 302 C: 303 C: cmlraXN0aGViZXN0 304 C: 305 C: 306 C: JnSdBAZSxxzJ 307 C: 308 C: 309 C: P1M13D 310 C: 311 C: 312 C: 313 C: ABC-12345 314 C: 315 C: 316 C: 318 3.2. EPP Query Commands 320 This EPP extension does not change any command other than the EPP 321 command response. 323 3.2.1. EPP command 325 This extension adds elements to the response to a command with 326 the "op" attribute set to "req". Specifically, a element 327 is added to the section of the service message, containing 328 the following elements: 330 o A REQUIRED element that contains the relayed data. 332 o A REQUIRED element that contains the date and time of the 333 submitted command. 335 o A REQUIRED element that contains the identifier of the 336 registrar that requested the data relay. 338 o A REQUIRED element that contains the identifier of the 339 registrar that SHOULD act upon the data relay. 341 Example response: 343 S: 344 S: 347 S: 348 S: 349 S: Command completed successfully; ack to dequeue 350 S: 351 S: 352 S: 1999-04-04T22:01:00.0Z 353 S: Relay action completed successfully. 354 S: 355 S: 356 S: 357 S: 358 S: 360 S: example.org 361 S: 362 S: 256 363 S: 3 364 S: 8 365 S: 366 S: cmlraXN0aGViZXN0 367 S: 368 S: 369 S: JnSdBAZSxxzJ 370 S: 371 S: 372 S: P1M13D 373 S: 374 S: 375 S: 376 S: 1999-04-04T22:01:00.0Z 377 S: ClientX 378 S: ClientY 379 S: 380 S: 381 S: 382 S: BCD-23456 383 S: 65432-WXY 384 S: 385 S: 386 S: 388 4. Formal Syntax 390 4.1. Formal Syntax command and POLL response 392 393 400 401 402 Extensible Provisioning Protocol v1.0 protocol 403 extension schema for relaying data. 404 405 407 409 412 413 415 416 417 418 420 421 423 424 425 426 427 428 429 430 431 433 4.2. Formal Syntax data 435 436 445 446 447 Extensible Provisioning Protocol v1.0 protocol 448 extension schema for relaying DNSSEC key data. 449 450 452 454 456 458 461 463 464 465 466 469 470 472 473 474 475 476 477 478 479 480 482 5. IANA Considerations 484 This document uses URNs to describe XML namespaces and XML schemas 485 conforming to a registry mechanism described in RFC3688 [RFC3688]. 487 Four URI assignments must be completed by the IANA. 489 Registration request for the extension namespaces: 491 URI: urn:ietf:params:xml:ns:keyrelay-1.0 492 URI: urn:ietf:params:xml:ns:relay-1.0 494 Registrant Contact: IESG 496 XML: None. Namespace URIs do not represent an XML specification. 498 Registration request for the extension XML schemas: 500 URI: urn:ietf:params:xml:schema:keyrelay-1.0 501 URI: urn:ietf:params:xml:schema:relay-1.0 503 Registrant Contact: IESG 505 XML: See the "Formal Syntax" section of this document. 507 6. Security Considerations 509 A registry MUST NOT perform any transformation on registration data 510 under registry management when processing a command. 512 Any registrar can use this mechanism to put data on the message queue 513 of another registrar, allowing for the potential of a denial of 514 service attack. However this can, and SHOULD be detected by the 515 registry. A registry MAY set a server policy which limits or rejects 516 messages if it detects the mechanism is being abused. 518 For the data a correct element SHOULD be 519 used as an indication that putting the key material on the 520 registrar's message queue is authorized by the _registrant_ of that 521 domain name. This draft does not specify how this is 522 provided to the registrar. This depends on how the DNS operator is 523 authorised to perform DNS changes on behalf of the registrant through 524 the registrar on record. This authorisation is not covered in this 525 I-D. 527 7. References 529 7.1. Normative References 531 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 532 Requirement Levels", BCP 14, RFC 2119, March 1997. 534 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 535 January 2004. 537 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 538 Rose, "Resource Records for the DNS Security Extensions", 539 RFC 4034, March 2005. 541 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 542 STD 69, RFC 5730, August 2009. 544 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 545 Domain Name Mapping", STD 69, RFC 5731, August 2009. 547 [RFC5910] Gould, J. and S. Hollenbeck, "Domain Name System (DNS) 548 Security Extensions Mapping for the Extensible 549 Provisioning Protocol (EPP)", RFC 5910, May 2010. 551 7.2. Informative References 553 [I-D.koch-dnsop-dnssec-operator-change] 554 Koch, P., Sanz, M., and A. Verschuren, "Changing DNS 555 Operators for DNSSEC signed Zones", draft-koch-dnsop- 556 dnssec-operator-change-06 (work in progress), February 557 2014. 559 [RFC3735] Hollenbeck, S., "Guidelines for Extending the Extensible 560 Provisioning Protocol (EPP)", RFC 3735, March 2004. 562 Appendix A. Changelog 564 [This section should be removed by the RFC editor before publishing] 566 A.1. draft-gieben-epp-keyrelay-00 568 1. Initial document. 570 A.2. draft-gieben-epp-keyrelay-01 572 1. Style and grammar changes; 574 2. Added an expire element as per suggestion by Klaus Malorny; 575 3. Make the authInfo element mandatory and make the registry check 576 it as per feedback by Klaus Malorny and James Gould. 578 A.3. draft-gieben-epp-keyrelay-02 580 1. Added element to identify the relaying EPP client as suggested by 581 Klaus Malorny; 583 2. Corrected XML for missing and excess clTRID as noted by Patrick 584 Mevzek; 586 3. Added clarifications for the examples based on feedback by 587 Patrick Mevzeck; 589 4. Reviewed the consistency of using DNS operator versus registrar 590 after review comments by Patrick Faltstrom and Ed Lewis. 592 A.4. draft-gieben-epp-keyrelay-03 594 1. Style and grammar changes 596 2. Corrected acknowledgement section 598 3. Corrected XML for Expire element to not be mandatory but only 599 occur once. 601 A.5. draft-ietf-eppext-keyrelay-00 603 1. Added feedback from Seth Goldman and put him in the 604 acknowledgement section. 606 2. IDnits formatting ajustments 608 A.6. draft-ietf-eppext-keyrelay-01 610 1. Introducing the command, and thus seperating the data and 611 the command. 613 2. Updated the Introduction, describing the general use of relay vs 614 the intended use-case of relaying DNSSEC key data. 616 3. Restructuring the document to make it more inline with exisiting 617 EPP extensions. 619 Authors' Addresses 621 Miek Gieben 622 Google 624 Email: miek@google.com 626 Marc Groeneweg 627 SIDN Labs 628 Meander 501 629 Arnhem 6825 MD 630 NL 632 Email: marc.groeneweg@sidn.nl 633 URI: https://www.sidn.nl/ 635 Rik Ribbers 636 SIDN Labs 637 Meander 501 638 Arnhem 6825 MD 639 NL 641 Email: rik.ribbers@sidn.nl 642 URI: https://www.sidn.nl/ 644 Antoin Verschuren 646 Email: ietf@antoin.nl