epp-client-secdns 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,2019 @@
1
+
2
+
3
+
4
+
5
+
6
+
7
+ Internet Engineering Task Force (IETF) J. Gould
8
+ Request for Comments: 5910 S. Hollenbeck
9
+ Obsoletes: 4310 VeriSign, Inc.
10
+ Category: Standards Track May 2010
11
+ ISSN: 2070-1721
12
+
13
+
14
+ Domain Name System (DNS) Security Extensions Mapping
15
+ for the Extensible Provisioning Protocol (EPP)
16
+
17
+ Abstract
18
+
19
+ This document describes an Extensible Provisioning Protocol (EPP)
20
+ extension mapping for the provisioning and management of Domain Name
21
+ System security (DNSSEC) extensions for domain names stored in a
22
+ shared central repository. Specified in XML, this mapping extends
23
+ the EPP domain name mapping to provide additional features required
24
+ for the provisioning of DNS security extensions. This document
25
+ obsoletes RFC 4310.
26
+
27
+ Status of This Memo
28
+
29
+ This is an Internet Standards Track document.
30
+
31
+ This document is a product of the Internet Engineering Task Force
32
+ (IETF). It represents the consensus of the IETF community. It has
33
+ received public review and has been approved for publication by the
34
+ Internet Engineering Steering Group (IESG). Further information on
35
+ Internet Standards is available in Section 2 of RFC 5741.
36
+
37
+ Information about the current status of this document, any errata,
38
+ and how to provide feedback on it may be obtained at
39
+ http://www.rfc-editor.org/info/rfc5910.
40
+
41
+ Copyright Notice
42
+
43
+ Copyright (c) 2010 IETF Trust and the persons identified as the
44
+ document authors. All rights reserved.
45
+
46
+ This document is subject to BCP 78 and the IETF Trust's Legal
47
+ Provisions Relating to IETF Documents
48
+ (http://trustee.ietf.org/license-info) in effect on the date of
49
+ publication of this document. Please review these documents
50
+ carefully, as they describe your rights and restrictions with respect
51
+ to this document. Code Components extracted from this document must
52
+ include Simplified BSD License text as described in Section 4.e of
53
+ the Trust Legal Provisions and are provided without warranty as
54
+ described in the Simplified BSD License.
55
+
56
+
57
+
58
+ Gould & Hollenbeck Standards Track [Page 1]
59
+
60
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
61
+
62
+
63
+ This document may contain material from IETF Documents or IETF
64
+ Contributions published or made publicly available before November
65
+ 10, 2008. The person(s) controlling the copyright in some of this
66
+ material may not have granted the IETF Trust the right to allow
67
+ modifications of such material outside the IETF Standards Process.
68
+ Without obtaining an adequate license from the person(s) controlling
69
+ the copyright in such materials, this document may not be modified
70
+ outside the IETF Standards Process, and derivative works of it may
71
+ not be created outside the IETF Standards Process, except to format
72
+ it for publication as an RFC or to translate it into languages other
73
+ than English.
74
+
75
+ Table of Contents
76
+
77
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
78
+ 1.1. Conventions Used in This Document . . . . . . . . . . . . 4
79
+ 2. Migrating from RFC 4310 . . . . . . . . . . . . . . . . . . . 4
80
+ 3. Object Attributes . . . . . . . . . . . . . . . . . . . . . . 5
81
+ 3.1. Delegation Signer Information . . . . . . . . . . . . . . 5
82
+ 3.1.1. Public Key Information . . . . . . . . . . . . . . . . 5
83
+ 3.2. Booleans . . . . . . . . . . . . . . . . . . . . . . . . . 5
84
+ 3.3. Maximum Signature Lifetime . . . . . . . . . . . . . . . . 5
85
+ 4. DS Data Interface and Key Data Interface . . . . . . . . . . . 6
86
+ 4.1. DS Data Interface . . . . . . . . . . . . . . . . . . . . 7
87
+ 4.2. Key Data Interface . . . . . . . . . . . . . . . . . . . . 7
88
+ 4.3. Example DS Data Interface and Key Data Interface . . . . . 8
89
+ 5. EPP Command Mapping . . . . . . . . . . . . . . . . . . . . . 9
90
+ 5.1. EPP Query Commands . . . . . . . . . . . . . . . . . . . . 9
91
+ 5.1.1. EPP <check> Command . . . . . . . . . . . . . . . . . 9
92
+ 5.1.2. EPP <info> Command . . . . . . . . . . . . . . . . . . 9
93
+ 5.1.3. EPP <transfer> Command . . . . . . . . . . . . . . . . 13
94
+ 5.2. EPP Transform Commands . . . . . . . . . . . . . . . . . . 14
95
+ 5.2.1. EPP <create> Command . . . . . . . . . . . . . . . . . 14
96
+ 5.2.2. EPP <delete> Command . . . . . . . . . . . . . . . . . 17
97
+ 5.2.3. EPP <renew> Command . . . . . . . . . . . . . . . . . 18
98
+ 5.2.4. EPP <transfer> Command . . . . . . . . . . . . . . . . 18
99
+ 5.2.5. EPP <update> Command . . . . . . . . . . . . . . . . . 18
100
+ 6. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 25
101
+ 7. Internationalization Considerations . . . . . . . . . . . . . 29
102
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
103
+ 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30
104
+ 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 31
105
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31
106
+ 11.1. Normative References . . . . . . . . . . . . . . . . . . . 31
107
+ 11.2. Informative References . . . . . . . . . . . . . . . . . . 32
108
+ Appendix A. Changes from RFC 4310 . . . . . . . . . . . . . . . . 33
109
+
110
+
111
+
112
+
113
+
114
+ Gould & Hollenbeck Standards Track [Page 2]
115
+
116
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
117
+
118
+
119
+ 1. Introduction
120
+
121
+ This document describes an extension mapping for version 1.0 of the
122
+ Extensible Provisioning Protocol (EPP) described in RFC 5730
123
+ [RFC5730]. This mapping, an extension of the domain name mapping
124
+ described in RFC 5731 [RFC5731], is specified using the Extensible
125
+ Markup Language (XML) 1.0 [W3C.REC-xml-20001006] and XML Schema
126
+ notation ([W3C.REC-xmlschema-1-20010502]
127
+ [W3C.REC-xmlschema-2-20010502]).
128
+
129
+ The EPP core protocol specification [RFC5730] provides a complete
130
+ description of EPP command and response structures. A thorough
131
+ understanding of the base protocol specification is necessary to
132
+ understand the mapping described in this document. Familiarity with
133
+ the Domain Name System (DNS) described in RFC 1034 [RFC1034] and
134
+ RFC 1035 [RFC1035] and with DNS security extensions described in
135
+ RFC 4033 [RFC4033], RFC 4034 [RFC4034], and RFC 4035 [RFC4035] is
136
+ required to understand the DNS security concepts described in this
137
+ document.
138
+
139
+ The EPP mapping described in this document specifies a mechanism for
140
+ the provisioning and management of DNS security extensions in a
141
+ shared central repository. Information exchanged via this mapping
142
+ can be extracted from the repository and used to publish DNSSEC
143
+ Delegation Signer (DS) resource records (RRs) as described in
144
+ RFC 4034 [RFC4034].
145
+
146
+ This document obsoletes RFC 4310 [RFC4310]; thus, secDNS-1.1 as
147
+ defined in this document deprecates secDNS-1.0 [RFC4310]. The
148
+ motivation behind obsoleting RFC 4310 [RFC4310] includes:
149
+
150
+ - Addressing the issue with removing DS data based on the non-unique
151
+ <secDNS:keyTag> element. The client should explicitly specify the
152
+ DS data to be removed, by using all four <secDNS:dsData> elements
153
+ that are guaranteed to be unique.
154
+
155
+ - Adding the ability to add and remove <secDNS:dsData> elements in a
156
+ single command. This makes it consistent with RFC 5731 [RFC5731].
157
+
158
+ - Clarifying and correcting the usage of the <secDNS:chg> element.
159
+ RFC 4310 [RFC4310] defined the <secDNS:chg> element as a
160
+ replacement for the DS data. This is inconsistent with RFC 5731
161
+ [RFC5731], where a <domain:chg> element is used to change the
162
+ values of the domain attributes.
163
+
164
+ - Adding support for the Key Data Interface described in Section 4.2
165
+ for "thick" DNSSEC servers that accept only key data and generate
166
+ the associated DS data.
167
+
168
+
169
+
170
+ Gould & Hollenbeck Standards Track [Page 3]
171
+
172
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
173
+
174
+
175
+ 1.1. Conventions Used in This Document
176
+
177
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
178
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
179
+ document are to be interpreted as described in BCP 14, RFC 2119
180
+ [RFC2119].
181
+
182
+ In examples, "C:" represents lines sent by a protocol client, and
183
+ "S:" represents lines returned by a protocol server. "////" is used
184
+ to note element values that have been shortened to better fit page
185
+ boundaries. Indentation and white space in examples is provided only
186
+ to illustrate element relationships and is not a mandatory feature of
187
+ this protocol.
188
+
189
+ XML is case sensitive. Unless stated otherwise, XML specifications
190
+ and examples provided in this document MUST be interpreted in the
191
+ character case presented in order to develop a conforming
192
+ implementation.
193
+
194
+ secDNS-1.0 is used as an abbreviation for
195
+ urn:ietf:params:xml:ns:secDNS-1.0, and secDNS-1.1 is used as an
196
+ abbreviation for urn:ietf:params:xml:ns:secDNS-1.1.
197
+
198
+ 2. Migrating from RFC 4310
199
+
200
+ This section includes implementation recommendations for clients and
201
+ servers to use in migrating from secDNS-1.0 [RFC4310] to secDNS-1.1.
202
+
203
+ As this document deprecates RFC 4310 [RFC4310], if a server announces
204
+ support for both secDNS-1.0 [RFC4310] and secDNS-1.1 in the EPP
205
+ greeting, clients supporting both versions SHOULD prefer secDNS-1.1.
206
+
207
+ A server SHOULD do the following to help clients migrate from
208
+ secDNS-1.0 [RFC4310] to secDNS-1.1 as defined in this document.
209
+
210
+ 1. A server migrating from secDNS-1.0 [RFC4310] to secDNS-1.1 SHOULD
211
+ support both versions (i.e., secDNS-1.0 and secDNS-1.1) for a
212
+ reasonable migration period.
213
+
214
+ 2. The version of the <secDNS:infData> element to be returned by the
215
+ server in the response to a <domain:info> response SHOULD depend
216
+ on the <extURI> elements (indicating the secDNS extension) the
217
+ client included in the EPP <login> command using the following
218
+ mapping:
219
+
220
+ - Return version secDNS-1.1 of the <secDNS:infData> element if
221
+ urn:ietf:params:xml:ns:secDNS-1.1 was included as an <extURI>
222
+ element in the EPP <login> command, independent of whether
223
+
224
+
225
+
226
+ Gould & Hollenbeck Standards Track [Page 4]
227
+
228
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
229
+
230
+
231
+ urn:ietf:params:xml:ns:secDNS-1.0 is also included as an
232
+ <extURI> element in the EPP <login> command.
233
+
234
+ - Return version secDNS-1.0 of the <secDNS:infData> element if
235
+ urn:ietf:params:xml:ns:secDNS-1.0 but not
236
+ urn:ietf:params:xml:ns:secDNS-1.1 was included as an <extURI>
237
+ element in the EPP <login> command.
238
+
239
+ - Don't return the <secDNS:infData> element if neither
240
+ urn:ietf:params:xml:ns:secDNS-1.0 nor
241
+ urn:ietf:params:xml:ns:secDNS-1.1 was included as an <extURI>
242
+ element in the EPP <login> command.
243
+
244
+ 3. Object Attributes
245
+
246
+ This extension adds additional elements to the EPP domain name
247
+ mapping [RFC5731]. Only those new elements are described here.
248
+
249
+ 3.1. Delegation Signer Information
250
+
251
+ Delegation Signer (DS) information is published by a DNS server to
252
+ indicate that a child zone is digitally signed and that the parent
253
+ zone recognizes the indicated key as a valid zone key for the child
254
+ zone. A DS resource record (RR) contains four fields: a key tag
255
+ field, a key algorithm number octet, an octet identifying a digest
256
+ algorithm, and a digest field. See RFC 4034 [RFC4034] for specific
257
+ field formats.
258
+
259
+ 3.1.1. Public Key Information
260
+
261
+ Public key information provided by a client maps to the DNSKEY RR
262
+ presentation field formats described in Section 2.2 of RFC 4034
263
+ [RFC4034]. A DNSKEY RR contains four fields: flags, a protocol
264
+ octet, an algorithm number octet, and a public key.
265
+
266
+ 3.2. Booleans
267
+
268
+ Boolean values MUST be represented in the XML Schema format described
269
+ in Part 2 of the W3C XML Schema recommendation
270
+ [W3C.REC-xmlschema-2-20010502].
271
+
272
+ 3.3. Maximum Signature Lifetime
273
+
274
+ Maximum signature lifetime (maxSigLife) is an OPTIONAL child
275
+ preference for the number of seconds after signature generation when
276
+ the parent's signature on the DS information provided by the child
277
+ will expire. The maxSigLife value applies to the RRSIG resource
278
+
279
+
280
+
281
+
282
+ Gould & Hollenbeck Standards Track [Page 5]
283
+
284
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
285
+
286
+
287
+ record (RR) over the DS RRset. See Section 3 of RFC 4034 [RFC4034]
288
+ for information on the RRSIG resource record (RR).
289
+
290
+ The maximum signature lifetime is represented using the <secDNS:
291
+ maxSigLife> element. The maxSigLife value MUST be represented in
292
+ seconds, using an extended XML Schema "int" format. The base "int"
293
+ format, which allows negative numbers, is described in Part 2 of the
294
+ W3C XML Schema recommendation [W3C.REC-xmlschema-2-20010502]. This
295
+ format is further restricted to enforce a minimum value of 1.
296
+
297
+ If maxSigLife is not provided by the client, or if the server does
298
+ not support the client-specified maxSigLife value, the default
299
+ signature expiration policy of the server operator (as determined
300
+ using an out-of-band mechanism) applies.
301
+
302
+ 4. DS Data Interface and Key Data Interface
303
+
304
+ This document describes operational scenarios in which a client can
305
+ create, add, and remove Delegation Signer (DS) information or key
306
+ data information for a domain name. There are two different forms of
307
+ interfaces that a server can support. The first is called the "DS
308
+ Data Interface", where the client is responsible for the creation of
309
+ the DS information and is required to pass DS information when
310
+ performing adds and removes. The server is required to pass DS
311
+ information for <domain:info> responses. The second is the "Key Data
312
+ Interface," where the client is responsible for passing the key data
313
+ information when performing adds and removes. The server is
314
+ responsible for passing key data information for <domain:info>
315
+ responses.
316
+
317
+ The server MUST support one form of interface within a single command
318
+ or response, where <secDNS:dsData> and <secDNS:keyData> MUST NOT be
319
+ mixed, except for when <secDNS:keyData> is a child element of
320
+ <secDNS:dsData> for server validation. The server MUST support the
321
+ use of only one form of interface across all <secDNS:create>,
322
+ <secDNS:update>, and <secDNS:infData> elements, except during a
323
+ transition period, during which the server MAY support both. For
324
+ instance, during a transition period, the server MAY support either
325
+ the DS Data Interface or the Key Data Interface on a per-domain basis
326
+ and allow the client to migrate to the target interface. The client
327
+ can replace the interface used by utilizing the <secDNS:rem><secDNS:
328
+ all>true</secDNS:all></secDNS:rem> element to remove all data of the
329
+ old interface, and by utilizing the <secDNS:add> to add data using
330
+ the new interface (<secDNS:dsData> for the DS Data Interface and
331
+ <secDNS:keyData> for the Key Data Interface). The server MUST return
332
+ an EPP error result code of 2306 if the server receives a command
333
+ using an unsupported interface.
334
+
335
+
336
+
337
+
338
+ Gould & Hollenbeck Standards Track [Page 6]
339
+
340
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
341
+
342
+
343
+ 4.1. DS Data Interface
344
+
345
+ The DS Data Interface relies on the use of the <secDNS:dsData>
346
+ element for creates, adds, removes, and <domain:info> responses. The
347
+ key data associated with the DS information MAY be provided by the
348
+ client, but the server is not obligated to use the key data. The
349
+ server operator MAY also issue out-of-band DNS queries to retrieve
350
+ the key data from the registered domain's apex in order to evaluate
351
+ the received DS information. It is RECOMMENDED that the child zone
352
+ operator have this key data online in the DNS tree to allow the
353
+ parent zone administrator to validate the data as necessary. The key
354
+ data SHOULD have the Secure Entry Point (SEP) bit set as described in
355
+ RFC 3757 [RFC3757] and RFC 4034 [RFC4034].
356
+
357
+ The <secDNS:dsData> element contains the following child elements:
358
+
359
+ - A <secDNS:keyTag> element that contains a key tag value as
360
+ described in Section 5.1.1 of RFC 4034 [RFC4034]. The <secDNS:
361
+ keyTag> element is represented as an unsignedShort
362
+ [W3C.REC-xmlschema-2-20010502].
363
+
364
+ - A <secDNS:alg> element that contains an algorithm value as
365
+ described in Section 5.1.2 of RFC 4034 [RFC4034].
366
+
367
+ - A <secDNS:digestType> element that contains a digest type value as
368
+ described in Section 5.1.3 of RFC 4034 [RFC4034].
369
+
370
+ - A <secDNS:digest> element that contains a digest value as
371
+ described in Section 5.1.4 of RFC 4034 [RFC4034]. The <secDNS:
372
+ digest> element is represented as a hexBinary
373
+ [W3C.REC-xmlschema-2-20010502].
374
+
375
+ - An OPTIONAL <secDNS:keyData> element that describes the key data
376
+ used as input in the DS hash calculation for use in server
377
+ validation. The <secDNS:keyData> element contains the child
378
+ elements defined in Section 4.2.
379
+
380
+ 4.2. Key Data Interface
381
+
382
+ The Key Data Interface relies on the use of the <secDNS:keyData>
383
+ element for creates, adds, removes, and <domain:info> responses. The
384
+ DS information is not provided by the client but is generated by the
385
+ server. The attributes used for DS generation are based on server
386
+ policy, where only key data is passed between the client and the
387
+ server.
388
+
389
+
390
+
391
+
392
+
393
+
394
+ Gould & Hollenbeck Standards Track [Page 7]
395
+
396
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
397
+
398
+
399
+ The <secDNS:keyData> element contains the following child elements:
400
+
401
+ - A <secDNS:flags> element that contains a flags field value as
402
+ described in Section 2.1.1 of RFC 4034 [RFC4034].
403
+
404
+ - A <secDNS:protocol> element that contains a protocol field value
405
+ as described in Section 2.1.2 of RFC 4034 [RFC4034].
406
+
407
+ - A <secDNS:alg> element that contains an algorithm number field
408
+ value as described in Section 2.1.3 of RFC 4034 [RFC4034].
409
+
410
+ - A <secDNS:pubKey> element that contains an encoded public key
411
+ field value as described in Section 2.1.4 of RFC 4034 [RFC4034].
412
+ The <secDNS:pubKey> element is represented as a base64Binary
413
+ [W3C.REC-xmlschema-2-20010502] with a minimum length of 1.
414
+
415
+ 4.3. Example DS Data Interface and Key Data Interface
416
+
417
+ Example use of the secDNS-1.1 DS Data Interface for a create:
418
+
419
+ <secDNS:dsData>
420
+ <secDNS:keyTag>12345</secDNS:keyTag>
421
+ <secDNS:alg>3</secDNS:alg>
422
+ <secDNS:digestType>1</secDNS:digestType>
423
+ <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
424
+ </secDNS:dsData>
425
+
426
+ Example use of secDNS-1.1 DS Data Interface with option key data for
427
+ a create:
428
+
429
+ <secDNS:dsData>
430
+ <secDNS:keyTag>12345</secDNS:keyTag>
431
+ <secDNS:alg>3</secDNS:alg>
432
+ <secDNS:digestType>1</secDNS:digestType>
433
+ <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
434
+ <secDNS:keyData>
435
+ <secDNS:flags>257</secDNS:flags>
436
+ <secDNS:protocol>3</secDNS:protocol>
437
+ <secDNS:alg>1</secDNS:alg>
438
+ <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
439
+ </secDNS:keyData>
440
+ </secDNS:dsData>
441
+
442
+
443
+
444
+
445
+
446
+
447
+
448
+
449
+
450
+ Gould & Hollenbeck Standards Track [Page 8]
451
+
452
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
453
+
454
+
455
+ Example use of the secDNS-1.1 Key Data Interface for a create:
456
+
457
+ <secDNS:keyData>
458
+ <secDNS:flags>257</secDNS:flags>
459
+ <secDNS:protocol>3</secDNS:protocol>
460
+ <secDNS:alg>1</secDNS:alg>
461
+ <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
462
+ </secDNS:keyData>
463
+
464
+ 5. EPP Command Mapping
465
+
466
+ A detailed description of the EPP syntax and semantics can be found
467
+ in the EPP core protocol specification [RFC5730]. The command
468
+ mappings described here are specifically for use in provisioning and
469
+ managing DNS security extensions via EPP.
470
+
471
+ 5.1. EPP Query Commands
472
+
473
+ EPP provides three commands to retrieve object information: <check>
474
+ to determine if an object is known to the server, <info> to retrieve
475
+ detailed information associated with an object, and <transfer> to
476
+ retrieve object transfer status information.
477
+
478
+ 5.1.1. EPP <check> Command
479
+
480
+ This extension does not add any elements to the EPP <check> command
481
+ or <check> response described in the EPP domain mapping [RFC5731].
482
+
483
+ 5.1.2. EPP <info> Command
484
+
485
+ This extension does not add any elements to the EPP <info> command
486
+ described in the EPP domain mapping [RFC5731]. However, additional
487
+ elements are defined for the <info> response.
488
+
489
+ When an <info> command has been processed successfully, the EPP
490
+ <resData> element MUST contain child elements as described in the EPP
491
+ domain mapping [RFC5731]. In addition, the EPP <extension> element
492
+ SHOULD contain a child <secDNS:infData> element that identifies the
493
+ extension namespace if the domain object has data associated with
494
+ this extension and based on server policy. The <secDNS:infData>
495
+ element contains the following child elements:
496
+
497
+ - An OPTIONAL <secDNS:maxSigLife> element that indicates a child's
498
+ preference for the number of seconds after signature generation
499
+ when the parent's signature on the DS information provided by the
500
+ child will expire. maxSigLife is described in Section 3.3.
501
+
502
+
503
+
504
+
505
+
506
+ Gould & Hollenbeck Standards Track [Page 9]
507
+
508
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
509
+
510
+
511
+ - One or more <secDNS:dsData> elements or <secDNS:keyData> elements,
512
+ but not both, as defined in Section 4. The <secDNS:dsData>
513
+ elements describe the Delegation Signer (DS) data provided by the
514
+ client for the domain. The <secDNS:keyData> elements describe the
515
+ key data provided by the client for the domain. Child elements of
516
+ the <secDNS:dsData> element are described in Section 4.1. Child
517
+ elements of the <secDNS:keyData> element are described in
518
+ Section 4.2.
519
+
520
+ Example <info> Response for a Secure Delegation
521
+ Using the DS Data Interface:
522
+
523
+ S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
524
+ S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
525
+ S: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
526
+ S: <response>
527
+ S: <result code="1000">
528
+ S: <msg>Command completed successfully</msg>
529
+ S: </result>
530
+ S: <resData>
531
+ S: <domain:infData
532
+ S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
533
+ S: <domain:name>example.com</domain:name>
534
+ S: <domain:roid>EXAMPLE1-REP</domain:roid>
535
+ S: <domain:status s="ok"/>
536
+ S: <domain:registrant>jd1234</domain:registrant>
537
+ S: <domain:contact type="admin">sh8013</domain:contact>
538
+ S: <domain:contact type="tech">sh8013</domain:contact>
539
+ S: <domain:ns>
540
+ S: <domain:hostObj>ns1.example.com</domain:hostObj>
541
+ S: <domain:hostObj>ns2.example.com</domain:hostObj>
542
+ S: </domain:ns>
543
+ S: <domain:host>ns1.example.com</domain:host>
544
+ S: <domain:host>ns2.example.com</domain:host>
545
+ S: <domain:clID>ClientX</domain:clID>
546
+ S: <domain:crID>ClientY</domain:crID>
547
+ S: <domain:crDate>1999-04-03T22:00:00.0Z</domain:crDate>
548
+ S: <domain:upID>ClientX</domain:upID>
549
+ S: <domain:upDate>1999-12-03T09:00:00.0Z</domain:upDate>
550
+ S: <domain:exDate>2005-04-03T22:00:00.0Z</domain:exDate>
551
+ S: <domain:trDate>2000-04-08T09:00:00.0Z</domain:trDate>
552
+ S: <domain:authInfo>
553
+ S: <domain:pw>2fooBAR</domain:pw>
554
+ S: </domain:authInfo>
555
+ S: </domain:infData>
556
+ S: </resData>
557
+ S: <extension>
558
+ S: <secDNS:infData
559
+
560
+
561
+
562
+ Gould & Hollenbeck Standards Track [Page 10]
563
+
564
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
565
+
566
+
567
+ S: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
568
+ S: <secDNS:dsData>
569
+ S: <secDNS:keyTag>12345</secDNS:keyTag>
570
+ S: <secDNS:alg>3</secDNS:alg>
571
+ S: <secDNS:digestType>1</secDNS:digestType>
572
+ S: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
573
+ S: </secDNS:dsData>
574
+ S: </secDNS:infData>
575
+ S: </extension>
576
+ S: <trID>
577
+ S: <clTRID>ABC-12345</clTRID>
578
+ S: <svTRID>54322-XYZ</svTRID>
579
+ S: </trID>
580
+ S: </response>
581
+ S:</epp>
582
+
583
+ Example <info> Response for a Secure Delegation
584
+ Using the DS Data Interface with OPTIONAL Key Data:
585
+
586
+ S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
587
+ S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
588
+ S: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
589
+ S: <response>
590
+ S: <result code="1000">
591
+ S: <msg>Command completed successfully</msg>
592
+ S: </result>
593
+ S: <resData>
594
+ S: <domain:infData
595
+ S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
596
+ S: <domain:name>example.com</domain:name>
597
+ S: <domain:roid>EXAMPLE1-REP</domain:roid>
598
+ S: <domain:status s="ok"/>
599
+ S: <domain:registrant>jd1234</domain:registrant>
600
+ S: <domain:contact type="admin">sh8013</domain:contact>
601
+ S: <domain:contact type="tech">sh8013</domain:contact>
602
+ S: <domain:ns>
603
+ S: <domain:hostObj>ns1.example.com</domain:hostObj>
604
+ S: <domain:hostObj>ns2.example.com</domain:hostObj>
605
+ S: </domain:ns>
606
+ S: <domain:host>ns1.example.com</domain:host>
607
+ S: <domain:host>ns2.example.com</domain:host>
608
+ S: <domain:clID>ClientX</domain:clID>
609
+ S: <domain:crID>ClientY</domain:crID>
610
+ S: <domain:crDate>1999-04-03T22:00:00.0Z</domain:crDate>
611
+ S: <domain:upID>ClientX</domain:upID>
612
+ S: <domain:upDate>1999-12-03T09:00:00.0Z</domain:upDate>
613
+ S: <domain:exDate>2005-04-03T22:00:00.0Z</domain:exDate>
614
+ S: <domain:trDate>2000-04-08T09:00:00.0Z</domain:trDate>
615
+
616
+
617
+
618
+ Gould & Hollenbeck Standards Track [Page 11]
619
+
620
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
621
+
622
+
623
+ S: <domain:authInfo>
624
+ S: <domain:pw>2fooBAR</domain:pw>
625
+ S: </domain:authInfo>
626
+ S: </domain:infData>
627
+ S: </resData>
628
+ S: <extension>
629
+ S: <secDNS:infData
630
+ S: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
631
+ S: <secDNS:maxSigLife>604800</secDNS:maxSigLife>
632
+ S: <secDNS:dsData>
633
+ S: <secDNS:keyTag>12345</secDNS:keyTag>
634
+ S: <secDNS:alg>3</secDNS:alg>
635
+ S: <secDNS:digestType>1</secDNS:digestType>
636
+ S: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
637
+ S: <secDNS:keyData>
638
+ S: <secDNS:flags>257</secDNS:flags>
639
+ S: <secDNS:protocol>3</secDNS:protocol>
640
+ S: <secDNS:alg>1</secDNS:alg>
641
+ S: <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
642
+ S: </secDNS:keyData>
643
+ S: </secDNS:dsData>
644
+ S: </secDNS:infData>
645
+ S: </extension>
646
+ S: <trID>
647
+ S: <clTRID>ABC-12345</clTRID>
648
+ S: <svTRID>54322-XYZ</svTRID>
649
+ S: </trID>
650
+ S: </response>
651
+ S:</epp>
652
+
653
+ Example <info> Response for a Secure Delegation
654
+ Using the Key Data Interface:
655
+
656
+ S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
657
+ S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
658
+ S: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
659
+ S: <response>
660
+ S: <result code="1000">
661
+ S: <msg>Command completed successfully</msg>
662
+ S: </result>
663
+ S: <resData>
664
+ S: <domain:infData
665
+ S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
666
+ S: <domain:name>example.com</domain:name>
667
+ S: <domain:roid>EXAMPLE1-REP</domain:roid>
668
+ S: <domain:status s="ok"/>
669
+ S: <domain:registrant>jd1234</domain:registrant>
670
+ S: <domain:contact type="admin">sh8013</domain:contact>
671
+
672
+
673
+
674
+ Gould & Hollenbeck Standards Track [Page 12]
675
+
676
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
677
+
678
+
679
+ S: <domain:contact type="tech">sh8013</domain:contact>
680
+ S: <domain:ns>
681
+ S: <domain:hostObj>ns1.example.com</domain:hostObj>
682
+ S: <domain:hostObj>ns2.example.com</domain:hostObj>
683
+ S: </domain:ns>
684
+ S: <domain:host>ns1.example.com</domain:host>
685
+ S: <domain:host>ns2.example.com</domain:host>
686
+ S: <domain:clID>ClientX</domain:clID>
687
+ S: <domain:crID>ClientY</domain:crID>
688
+ S: <domain:crDate>1999-04-03T22:00:00.0Z</domain:crDate>
689
+ S: <domain:upID>ClientX</domain:upID>
690
+ S: <domain:upDate>1999-12-03T09:00:00.0Z</domain:upDate>
691
+ S: <domain:exDate>2005-04-03T22:00:00.0Z</domain:exDate>
692
+ S: <domain:trDate>2000-04-08T09:00:00.0Z</domain:trDate>
693
+ S: <domain:authInfo>
694
+ S: <domain:pw>2fooBAR</domain:pw>
695
+ S: </domain:authInfo>
696
+ S: </domain:infData>
697
+ S: </resData>
698
+ S: <extension>
699
+ S: <secDNS:infData
700
+ S: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
701
+ S: <secDNS:keyData>
702
+ S: <secDNS:flags>257</secDNS:flags>
703
+ S: <secDNS:protocol>3</secDNS:protocol>
704
+ S: <secDNS:alg>1</secDNS:alg>
705
+ S: <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
706
+ S: </secDNS:keyData>
707
+ S: </secDNS:infData>
708
+ S: </extension>
709
+ S: <trID>
710
+ S: <clTRID>ABC-12345</clTRID>
711
+ S: <svTRID>54322-XYZ</svTRID>
712
+ S: </trID>
713
+ S: </response>
714
+ S:</epp>
715
+
716
+ An EPP error response MUST be returned if an <info> command cannot be
717
+ processed for any reason.
718
+
719
+ 5.1.3. EPP <transfer> Command
720
+
721
+ This extension does not add any elements to the EPP <transfer>
722
+ command or <transfer> response described in the EPP domain mapping
723
+ [RFC5731].
724
+
725
+
726
+
727
+
728
+
729
+
730
+ Gould & Hollenbeck Standards Track [Page 13]
731
+
732
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
733
+
734
+
735
+ 5.2. EPP Transform Commands
736
+
737
+ EPP provides five commands to transform objects: <create> to create
738
+ an instance of an object, <delete> to delete an instance of an
739
+ object, <renew> to extend the validity period of an object,
740
+ <transfer> to manage object sponsorship changes, and <update> to
741
+ change information associated with an object.
742
+
743
+ 5.2.1. EPP <create> Command
744
+
745
+ This extension defines additional elements for the EPP <create>
746
+ command described in the EPP domain mapping [RFC5731]. No additional
747
+ elements are defined for the EPP <create> response.
748
+
749
+ The EPP <create> command provides a transform operation that allows a
750
+ client to create a domain object. In addition to the EPP command
751
+ elements described in the EPP domain mapping [RFC5731], the command
752
+ MUST contain an <extension> element, and the <extension> element MUST
753
+ contain a child <secDNS:create> element that identifies the extension
754
+ namespace if the client wants to associate data defined in this
755
+ extension to the domain object. The <secDNS:create> element contains
756
+ the following child elements:
757
+
758
+ - An OPTIONAL <secDNS:maxSigLife> element that indicates a child's
759
+ preference for the number of seconds after signature generation
760
+ when the parent's signature on the DS information provided by the
761
+ child will expire. maxSigLife is described in Section 3.3. If the
762
+ server does not support the <secDNS:maxSigLife> element, a 2102
763
+ error MUST be returned.
764
+
765
+ - Zero or more <secDNS:dsData> elements or <secDNS:keyData>
766
+ elements, but not both, as defined in Section 4. Child elements
767
+ of the <secDNS:dsData> element are described in Section 4.1.
768
+ Child elements of the <secDNS:keyData> element are described in
769
+ Section 4.2.
770
+
771
+
772
+
773
+
774
+
775
+
776
+
777
+
778
+
779
+
780
+
781
+
782
+
783
+
784
+
785
+
786
+ Gould & Hollenbeck Standards Track [Page 14]
787
+
788
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
789
+
790
+
791
+ Example <create> Command for a Secure Delegation
792
+ Using the DS Data Interface:
793
+
794
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
795
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
796
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
797
+ C: <command>
798
+ C: <create>
799
+ C: <domain:create
800
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
801
+ C: <domain:name>example.com</domain:name>
802
+ C: <domain:period unit="y">2</domain:period>
803
+ C: <domain:ns>
804
+ C: <domain:hostObj>ns1.example.com</domain:hostObj>
805
+ C: <domain:hostObj>ns2.example.com</domain:hostObj>
806
+ C: </domain:ns>
807
+ C: <domain:registrant>jd1234</domain:registrant>
808
+ C: <domain:contact type="admin">sh8013</domain:contact>
809
+ C: <domain:contact type="tech">sh8013</domain:contact>
810
+ C: <domain:authInfo>
811
+ C: <domain:pw>2fooBAR</domain:pw>
812
+ C: </domain:authInfo>
813
+ C: </domain:create>
814
+ C: </create>
815
+ C: <extension>
816
+ C: <secDNS:create
817
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
818
+ C: <secDNS:maxSigLife>604800</secDNS:maxSigLife>
819
+ C: <secDNS:dsData>
820
+ C: <secDNS:keyTag>12345</secDNS:keyTag>
821
+ C: <secDNS:alg>3</secDNS:alg>
822
+ C: <secDNS:digestType>1</secDNS:digestType>
823
+ C: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
824
+ C: </secDNS:dsData>
825
+ C: </secDNS:create>
826
+ C: </extension>
827
+ C: <clTRID>ABC-12345</clTRID>
828
+ C: </command>
829
+ C:</epp>
830
+
831
+
832
+
833
+
834
+
835
+
836
+
837
+
838
+
839
+
840
+
841
+
842
+ Gould & Hollenbeck Standards Track [Page 15]
843
+
844
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
845
+
846
+
847
+ Example <create> Command for a Secure Delegation
848
+ Using the DS Data Interface with OPTIONAL Key Data:
849
+
850
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
851
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
852
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
853
+ C: <command>
854
+ C: <create>
855
+ C: <domain:create
856
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
857
+ C: <domain:name>example.com</domain:name>
858
+ C: <domain:period unit="y">2</domain:period>
859
+ C: <domain:ns>
860
+ C: <domain:hostObj>ns1.example.com</domain:hostObj>
861
+ C: <domain:hostObj>ns2.example.com</domain:hostObj>
862
+ C: </domain:ns>
863
+ C: <domain:registrant>jd1234</domain:registrant>
864
+ C: <domain:contact type="admin">sh8013</domain:contact>
865
+ C: <domain:contact type="tech">sh8013</domain:contact>
866
+ C: <domain:authInfo>
867
+ C: <domain:pw>2fooBAR</domain:pw>
868
+ C: </domain:authInfo>
869
+ C: </domain:create>
870
+ C: </create>
871
+ C: <extension>
872
+ C: <secDNS:create
873
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
874
+ C: <secDNS:maxSigLife>604800</secDNS:maxSigLife>
875
+ C: <secDNS:dsData>
876
+ C: <secDNS:keyTag>12345</secDNS:keyTag>
877
+ C: <secDNS:alg>3</secDNS:alg>
878
+ C: <secDNS:digestType>1</secDNS:digestType>
879
+ C: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
880
+ C: <secDNS:keyData>
881
+ C: <secDNS:flags>257</secDNS:flags>
882
+ C: <secDNS:protocol>3</secDNS:protocol>
883
+ C: <secDNS:alg>1</secDNS:alg>
884
+ C: <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
885
+ C: </secDNS:keyData>
886
+ C: </secDNS:dsData>
887
+ C: </secDNS:create>
888
+ C: </extension>
889
+ C: <clTRID>ABC-12345</clTRID>
890
+ C: </command>
891
+ C:</epp>
892
+
893
+
894
+
895
+
896
+
897
+
898
+ Gould & Hollenbeck Standards Track [Page 16]
899
+
900
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
901
+
902
+
903
+ Example <create> Command for a Secure Delegation
904
+ Using the Key Data Interface:
905
+
906
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
907
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
908
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
909
+ C: <command>
910
+ C: <create>
911
+ C: <domain:create
912
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
913
+ C: <domain:name>example.com</domain:name>
914
+ C: <domain:period unit="y">2</domain:period>
915
+ C: <domain:ns>
916
+ C: <domain:hostObj>ns1.example.com</domain:hostObj>
917
+ C: <domain:hostObj>ns2.example.com</domain:hostObj>
918
+ C: </domain:ns>
919
+ C: <domain:registrant>jd1234</domain:registrant>
920
+ C: <domain:contact type="admin">sh8013</domain:contact>
921
+ C: <domain:contact type="tech">sh8013</domain:contact>
922
+ C: <domain:authInfo>
923
+ C: <domain:pw>2fooBAR</domain:pw>
924
+ C: </domain:authInfo>
925
+ C: </domain:create>
926
+ C: </create>
927
+ C: <extension>
928
+ C: <secDNS:create
929
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
930
+ C: <secDNS:keyData>
931
+ C: <secDNS:flags>257</secDNS:flags>
932
+ C: <secDNS:protocol>3</secDNS:protocol>
933
+ C: <secDNS:alg>1</secDNS:alg>
934
+ C: <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
935
+ C: </secDNS:keyData>
936
+ C: </secDNS:create>
937
+ C: </extension>
938
+ C: <clTRID>ABC-12345</clTRID>
939
+ C: </command>
940
+ C:</epp>
941
+
942
+ When a <create> command has been processed successfully, the EPP
943
+ response is as described in the EPP domain mapping [RFC5731].
944
+
945
+ 5.2.2. EPP <delete> Command
946
+
947
+ This extension does not add any elements to the EPP <delete> command
948
+ or <delete> response described in the EPP domain mapping [RFC5731].
949
+
950
+
951
+
952
+
953
+
954
+ Gould & Hollenbeck Standards Track [Page 17]
955
+
956
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
957
+
958
+
959
+ 5.2.3. EPP <renew> Command
960
+
961
+ This extension does not add any elements to the EPP <renew> command
962
+ or <renew> response described in the EPP domain mapping [RFC5731].
963
+
964
+ 5.2.4. EPP <transfer> Command
965
+
966
+ This extension does not add any elements to the EPP <transfer>
967
+ command or <transfer> response described in the EPP domain mapping
968
+ [RFC5731].
969
+
970
+ 5.2.5. EPP <update> Command
971
+
972
+ This extension defines additional elements for the EPP <update>
973
+ command described in the EPP domain mapping [RFC5731]. No additional
974
+ elements are defined for the EPP <update> response.
975
+
976
+ The EPP <update> command provides a transform operation that allows a
977
+ client to modify the attributes of a domain object. In addition to
978
+ the EPP command elements described in the EPP domain mapping, the
979
+ command MUST contain an <extension> element, and the <extension>
980
+ element MUST contain a child <secDNS:update> element that identifies
981
+ the extension namespace if the client wants to update the domain
982
+ object with data defined in this extension. The <secDNS:update>
983
+ element contains a <secDNS:add> element to add security information
984
+ to a delegation, a <secDNS:rem> element to remove security
985
+ information from a delegation, or a <secDNS:chg> element to change
986
+ existing security information. At least one <secDNS:add>, <secDNS:
987
+ rem>, or <secDNS:chg> element MUST be provided. The order of the
988
+ <secDNS:rem> and <secDNS:add> elements is significant, where the
989
+ server MUST first remove the existing elements prior to adding the
990
+ new elements.
991
+
992
+ The <secDNS:update> element also contains an OPTIONAL "urgent"
993
+ attribute that a client can use to ask the server operator to
994
+ complete and implement the update request with high priority. This
995
+ attribute accepts boolean values as described in Section 3.2; the
996
+ default value is boolean false. "High priority" is relative to
997
+ standard server operator policies that are determined using an out-
998
+ of-band mechanism. A server MUST return an EPP error result code of
999
+ 2102 if the "urgent" attribute is specified with a value of boolean
1000
+ true and the server does not support it. A server MUST return an EPP
1001
+ error result code of 2306 if the server supports the "urgent"
1002
+ attribute and an urgent update (noted with an "urgent" attribute
1003
+ value of boolean true) cannot be completed with high priority.
1004
+
1005
+
1006
+
1007
+
1008
+
1009
+
1010
+ Gould & Hollenbeck Standards Track [Page 18]
1011
+
1012
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1013
+
1014
+
1015
+ The <secDNS:update> element contains the following child elements:
1016
+
1017
+ - An OPTIONAL <secDNS:rem> element that contains a <secDNS:all>
1018
+ element, or one or more <secDNS:dsData> or <secDNS:keyData>
1019
+ elements that are used to remove security data from a delegation.
1020
+
1021
+ The <secDNS:all> element is used to remove all DS and key data
1022
+ with a value of boolean true. A value of boolean false will do
1023
+ nothing. Removing all DS information can remove the ability of
1024
+ the parent to secure the delegation to the child zone.
1025
+
1026
+ The <secDNS:dsData> element is part of the DS Data Interface and
1027
+ is used to uniquely define the DS record to be removed, by using
1028
+ all four elements -- <secDNS:keyTag>, <secDNS:alg>, <secDNS:
1029
+ digestType>, and <secDNS:digest> -- that are guaranteed to be
1030
+ unique.
1031
+
1032
+ The <secDNS:keyData> element is part of the Key Data Interface and
1033
+ is used to uniquely define the key data to be removed, by using
1034
+ all four elements -- <secDNS:flags>, <secDNS:protocol>, <secDNS:
1035
+ alg>, and <secDNS:pubKey> -- that are guaranteed to be unique.
1036
+ There can be more than one DS record created for each key, so
1037
+ removing a key could remove more than one DS record.
1038
+
1039
+ - An OPTIONAL <secDNS:add> element that is used to add security
1040
+ information to an existing set. The <secDNS:add> element MUST
1041
+ contain one or more <secDNS:dsData> or <secDNS:keyData> elements.
1042
+ Child elements of the <secDNS:dsData> element are described in
1043
+ Section 4.1. Child elements of the <secDNS:keyData> element are
1044
+ described in Section 4.2.
1045
+
1046
+ - An OPTIONAL <secDNS:chg> element that contains security
1047
+ information to be changed. A <secDNS:chg> element contains the
1048
+ following child elements:
1049
+
1050
+ - An OPTIONAL <secDNS:maxSigLife> element that indicates a
1051
+ child's preference for the number of seconds after signature
1052
+ generation when the parent's signature on the DS information
1053
+ provided by the child will expire. maxSigLife is described in
1054
+ Section 3.3. If the server does not support the <secDNS:
1055
+ maxSigLife> element, a 2102 error MUST be returned.
1056
+
1057
+
1058
+
1059
+
1060
+
1061
+
1062
+
1063
+
1064
+
1065
+
1066
+ Gould & Hollenbeck Standards Track [Page 19]
1067
+
1068
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1069
+
1070
+
1071
+ Example <update> Command, Adding and Removing DS
1072
+ Data Using the DS Data Interface:
1073
+
1074
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
1075
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
1076
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
1077
+ C: <command>
1078
+ C: <update>
1079
+ C: <domain:update
1080
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
1081
+ C: <domain:name>example.com</domain:name>
1082
+ C: </domain:update>
1083
+ C: </update>
1084
+ C: <extension>
1085
+ C: <secDNS:update
1086
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
1087
+ C: <secDNS:rem>
1088
+ C: <secDNS:dsData>
1089
+ C: <secDNS:keyTag>12345</secDNS:keyTag>
1090
+ C: <secDNS:alg>3</secDNS:alg>
1091
+ C: <secDNS:digestType>1</secDNS:digestType>
1092
+ C: <secDNS:digest>38EC35D5B3A34B33C99B</secDNS:digest>
1093
+ C: </secDNS:dsData>
1094
+ C: </secDNS:rem>
1095
+ C: <secDNS:add>
1096
+ C: <secDNS:dsData>
1097
+ C: <secDNS:keyTag>12346</secDNS:keyTag>
1098
+ C: <secDNS:alg>3</secDNS:alg>
1099
+ C: <secDNS:digestType>1</secDNS:digestType>
1100
+ C: <secDNS:digest>38EC35D5B3A34B44C39B</secDNS:digest>
1101
+ C: </secDNS:dsData>
1102
+ C: </secDNS:add>
1103
+ C: </secDNS:update>
1104
+ C: </extension>
1105
+ C: <clTRID>ABC-12345</clTRID>
1106
+ C: </command>
1107
+ C:</epp>
1108
+
1109
+
1110
+
1111
+
1112
+
1113
+
1114
+
1115
+
1116
+
1117
+
1118
+
1119
+
1120
+
1121
+
1122
+ Gould & Hollenbeck Standards Track [Page 20]
1123
+
1124
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1125
+
1126
+
1127
+ Example <update> Command,
1128
+ Updating the maxSigLife:
1129
+
1130
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
1131
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
1132
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
1133
+ C: <command>
1134
+ C: <update>
1135
+ C: <domain:update
1136
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
1137
+ C: <domain:name>example.com</domain:name>
1138
+ C: </domain:update>
1139
+ C: </update>
1140
+ C: <extension>
1141
+ C: <secDNS:update
1142
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
1143
+ C: <secDNS:chg>
1144
+ C: <secDNS:maxSigLife>605900</secDNS:maxSigLife>
1145
+ C: </secDNS:chg>
1146
+ C: </secDNS:update>
1147
+ C: </extension>
1148
+ C: <clTRID>ABC-12345</clTRID>
1149
+ C: </command>
1150
+ C:</epp>
1151
+
1152
+
1153
+
1154
+
1155
+
1156
+
1157
+
1158
+
1159
+
1160
+
1161
+
1162
+
1163
+
1164
+
1165
+
1166
+
1167
+
1168
+
1169
+
1170
+
1171
+
1172
+
1173
+
1174
+
1175
+
1176
+
1177
+
1178
+ Gould & Hollenbeck Standards Track [Page 21]
1179
+
1180
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1181
+
1182
+
1183
+ Example <update> Command, Adding and
1184
+ Removing Key Data Using the Key Data Interface, and
1185
+ Setting maxSigLife:
1186
+
1187
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
1188
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
1189
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
1190
+ C: <command>
1191
+ C: <update>
1192
+ C: <domain:update
1193
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
1194
+ C: <domain:name>example.com</domain:name>
1195
+ C: </domain:update>
1196
+ C: </update>
1197
+ C: <extension>
1198
+ C: <secDNS:update
1199
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
1200
+ C: <secDNS:rem>
1201
+ C: <secDNS:keyData>
1202
+ C: <secDNS:flags>257</secDNS:flags>
1203
+ C: <secDNS:protocol>3</secDNS:protocol>
1204
+ C: <secDNS:alg>1</secDNS:alg>
1205
+ C: <secDNS:pubKey>AQPJ////4QQQ</secDNS:pubKey>
1206
+ C: </secDNS:keyData>
1207
+ C: </secDNS:rem>
1208
+ C: <secDNS:add>
1209
+ C: <secDNS:keyData>
1210
+ C: <secDNS:flags>257</secDNS:flags>
1211
+ C: <secDNS:protocol>3</secDNS:protocol>
1212
+ C: <secDNS:alg>1</secDNS:alg>
1213
+ C: <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
1214
+ C: </secDNS:keyData>
1215
+ C: </secDNS:add>
1216
+ C: <secDNS:chg>
1217
+ C: <secDNS:maxSigLife>605900</secDNS:maxSigLife>
1218
+ C: </secDNS:chg>
1219
+ C: </secDNS:update>
1220
+ C: </extension>
1221
+ C: <clTRID>ABC-12345</clTRID>
1222
+ C: </command>
1223
+ C:</epp>
1224
+
1225
+
1226
+
1227
+
1228
+
1229
+
1230
+
1231
+
1232
+
1233
+
1234
+ Gould & Hollenbeck Standards Track [Page 22]
1235
+
1236
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1237
+
1238
+
1239
+ Example <update> Command, Removing DS Data with
1240
+ <secDNS:dsData> Using the DS Data Interface:
1241
+
1242
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
1243
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
1244
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
1245
+ C: <command>
1246
+ C: <update>
1247
+ C: <domain:update
1248
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
1249
+ C: <domain:name>example.com</domain:name>
1250
+ C: </domain:update>
1251
+ C: </update>
1252
+ C: <extension>
1253
+ C: <secDNS:update
1254
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
1255
+ C: <secDNS:rem>
1256
+ C: <secDNS:dsData>
1257
+ C: <secDNS:keyTag>12346</secDNS:keyTag>
1258
+ C: <secDNS:alg>3</secDNS:alg>
1259
+ C: <secDNS:digestType>1</secDNS:digestType>
1260
+ C: <secDNS:digest>38EC35D5B3A34B44C39B</secDNS:digest>
1261
+ C: </secDNS:dsData>
1262
+ C: </secDNS:rem>
1263
+ C: </secDNS:update>
1264
+ C: </extension>
1265
+ C: <clTRID>ABC-12345</clTRID>
1266
+ C: </command>
1267
+ C:</epp>
1268
+
1269
+
1270
+
1271
+
1272
+
1273
+
1274
+
1275
+
1276
+
1277
+
1278
+
1279
+
1280
+
1281
+
1282
+
1283
+
1284
+
1285
+
1286
+
1287
+
1288
+
1289
+
1290
+ Gould & Hollenbeck Standards Track [Page 23]
1291
+
1292
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1293
+
1294
+
1295
+ Example <update> Command,
1296
+ Removing all DS and Key Data Using <secDNS:rem>
1297
+ with <secDNS:all>:
1298
+
1299
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
1300
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
1301
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
1302
+ C: <command>
1303
+ C: <update>
1304
+ C: <domain:update
1305
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
1306
+ C: <domain:name>example.com</domain:name>
1307
+ C: </domain:update>
1308
+ C: </update>
1309
+ C: <extension>
1310
+ C: <secDNS:update urgent="true"
1311
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.0">
1312
+ C: <secDNS:rem>
1313
+ C: <secDNS:all>true</secDNS:all>
1314
+ C: </secDNS:rem>
1315
+ C: </secDNS:update>
1316
+ C: </extension>
1317
+ C: <clTRID>ABC-12345</clTRID>
1318
+ C: </command>
1319
+ C:</epp>
1320
+
1321
+
1322
+
1323
+
1324
+
1325
+
1326
+
1327
+
1328
+
1329
+
1330
+
1331
+
1332
+
1333
+
1334
+
1335
+
1336
+
1337
+
1338
+
1339
+
1340
+
1341
+
1342
+
1343
+
1344
+
1345
+
1346
+ Gould & Hollenbeck Standards Track [Page 24]
1347
+
1348
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1349
+
1350
+
1351
+ Example Urgent <update> Command,
1352
+ Replacing all DS Data Using the DS Data Interface:
1353
+
1354
+ C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
1355
+ C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
1356
+ C: xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
1357
+ C: <command>
1358
+ C: <update>
1359
+ C: <domain:update
1360
+ C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
1361
+ C: <domain:name>example.com</domain:name>
1362
+ C: </domain:update>
1363
+ C: </update>
1364
+ C: <extension>
1365
+ C: <secDNS:update urgent="true"
1366
+ C: xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
1367
+ C: <secDNS:rem>
1368
+ C: <secDNS:all>true</secDNS:all>
1369
+ C: </secDNS:rem>
1370
+ C: <secDNS:add>
1371
+ C: <secDNS:dsData>
1372
+ C: <secDNS:keyTag>12346</secDNS:keyTag>
1373
+ C: <secDNS:alg>3</secDNS:alg>
1374
+ C: <secDNS:digestType>1</secDNS:digestType>
1375
+ C: <secDNS:digest>38EC35D5B3A34B44C39B</secDNS:digest>
1376
+ C: </secDNS:dsData>
1377
+ C: </secDNS:add>
1378
+ C: </secDNS:update>
1379
+ C: </extension>
1380
+ C: <clTRID>ABC-12345</clTRID>
1381
+ C: </command>
1382
+ C:</epp>
1383
+
1384
+ When an extended <update> command has been processed successfully,
1385
+ the EPP response is as described in the EPP domain mapping [RFC5731].
1386
+
1387
+ 6. Formal Syntax
1388
+
1389
+ An EPP object mapping is specified in XML Schema notation. The
1390
+ formal syntax presented here is a complete schema representation of
1391
+ the object mapping suitable for automated validation of EPP XML
1392
+ instances. The BEGIN and END tags are not part of the schema; they
1393
+ are used to note the beginning and ending of the schema for URI
1394
+ registration purposes.
1395
+
1396
+ Copyright (c) 2010 IETF Trust and the persons identified as authors
1397
+ of the code. All rights reserved.
1398
+
1399
+
1400
+
1401
+
1402
+ Gould & Hollenbeck Standards Track [Page 25]
1403
+
1404
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1405
+
1406
+
1407
+ Redistribution and use in source and binary forms, with or without
1408
+ modification, are permitted provided that the following conditions
1409
+ are met:
1410
+
1411
+ - Redistributions of source code must retain the above copyright
1412
+ notice, this list of conditions and the following disclaimer.
1413
+
1414
+ - Redistributions in binary form must reproduce the above copyright
1415
+ notice, this list of conditions and the following disclaimer in
1416
+ the documentation and/or other materials provided with the
1417
+ distribution.
1418
+
1419
+ - Neither the name of Internet Society, IETF or IETF Trust, nor the
1420
+ names of specific contributors, may be used to endorse or promote
1421
+ products derived from this software without specific prior written
1422
+ permission.
1423
+
1424
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
1425
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
1426
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
1427
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
1428
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1429
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
1430
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1431
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1432
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1433
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
1434
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1435
+
1436
+ BEGIN
1437
+ <?xml version="1.0" encoding="UTF-8"?>
1438
+ <schema
1439
+ targetNamespace="urn:ietf:params:xml:ns:secDNS-1.1"
1440
+ xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
1441
+ xmlns="http://www.w3.org/2001/XMLSchema"
1442
+ elementFormDefault="qualified">
1443
+
1444
+ <annotation>
1445
+ <documentation>
1446
+ Extensible Provisioning Protocol v1.0
1447
+ domain name extension schema
1448
+ for provisioning DNS security (DNSSEC) extensions.
1449
+ </documentation>
1450
+ </annotation>
1451
+
1452
+ <!--
1453
+ Child elements found in EPP commands.
1454
+ -->
1455
+
1456
+
1457
+
1458
+ Gould & Hollenbeck Standards Track [Page 26]
1459
+
1460
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1461
+
1462
+
1463
+ <element name="create" type="secDNS:dsOrKeyType"/>
1464
+ <element name="update" type="secDNS:updateType"/>
1465
+
1466
+ <!--
1467
+ Child elements supporting either the
1468
+ dsData or the keyData interface.
1469
+ -->
1470
+ <complexType name="dsOrKeyType">
1471
+ <sequence>
1472
+ <element name="maxSigLife" type="secDNS:maxSigLifeType"
1473
+ minOccurs="0"/>
1474
+ <choice>
1475
+ <element name="dsData" type="secDNS:dsDataType"
1476
+ maxOccurs="unbounded"/>
1477
+ <element name="keyData" type="secDNS:keyDataType"
1478
+ maxOccurs="unbounded"/>
1479
+ </choice>
1480
+ </sequence>
1481
+ </complexType>
1482
+
1483
+ <!--
1484
+ Definition for the maximum signature lifetime (maxSigLife)
1485
+ -->
1486
+ <simpleType name="maxSigLifeType">
1487
+ <restriction base="int">
1488
+ <minInclusive value="1"/>
1489
+ </restriction>
1490
+ </simpleType>
1491
+
1492
+ <!--
1493
+ Child elements of dsData used for dsData interface
1494
+ -->
1495
+ <complexType name="dsDataType">
1496
+ <sequence>
1497
+ <element name="keyTag" type="unsignedShort"/>
1498
+ <element name="alg" type="unsignedByte"/>
1499
+ <element name="digestType" type="unsignedByte"/>
1500
+ <element name="digest" type="hexBinary"/>
1501
+ <element name="keyData" type="secDNS:keyDataType"
1502
+ minOccurs="0"/>
1503
+ </sequence>
1504
+ </complexType>
1505
+
1506
+ <!--
1507
+ Child elements of keyData used for keyData interface
1508
+ and optionally with dsData interface
1509
+ -->
1510
+ <complexType name="keyDataType">
1511
+
1512
+
1513
+
1514
+ Gould & Hollenbeck Standards Track [Page 27]
1515
+
1516
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1517
+
1518
+
1519
+ <sequence>
1520
+ <element name="flags" type="unsignedShort"/>
1521
+ <element name="protocol" type="unsignedByte"/>
1522
+ <element name="alg" type="unsignedByte"/>
1523
+ <element name="pubKey" type="secDNS:keyType"/>
1524
+ </sequence>
1525
+ </complexType>
1526
+
1527
+ <!--
1528
+ Definition for the public key
1529
+ -->
1530
+ <simpleType name="keyType">
1531
+ <restriction base="base64Binary">
1532
+ <minLength value="1"/>
1533
+ </restriction>
1534
+ </simpleType>
1535
+
1536
+ <!--
1537
+ Child elements of the <update> element.
1538
+ -->
1539
+ <complexType name="updateType">
1540
+ <sequence>
1541
+ <element name="rem" type="secDNS:remType"
1542
+ minOccurs="0"/>
1543
+ <element name="add" type="secDNS:dsOrKeyType"
1544
+ minOccurs="0"/>
1545
+ <element name="chg" type="secDNS:chgType"
1546
+ minOccurs="0"/>
1547
+ </sequence>
1548
+ <attribute name="urgent" type="boolean" default="false"/>
1549
+ </complexType>
1550
+
1551
+ <!--
1552
+ Child elements of the <rem> command.
1553
+ -->
1554
+ <complexType name="remType">
1555
+ <choice>
1556
+ <element name="all" type="boolean"/>
1557
+ <element name="dsData" type="secDNS:dsDataType"
1558
+ maxOccurs="unbounded"/>
1559
+ <element name="keyData" type="secDNS:keyDataType"
1560
+ maxOccurs="unbounded"/>
1561
+ </choice>
1562
+ </complexType>
1563
+
1564
+ <!--
1565
+ Child elements supporting the <chg> element.
1566
+ -->
1567
+
1568
+
1569
+
1570
+ Gould & Hollenbeck Standards Track [Page 28]
1571
+
1572
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1573
+
1574
+
1575
+ <complexType name="chgType">
1576
+ <sequence>
1577
+ <element name="maxSigLife" type="secDNS:maxSigLifeType"
1578
+ minOccurs="0"/>
1579
+ </sequence>
1580
+ </complexType>
1581
+
1582
+ <!--
1583
+ Child response elements.
1584
+ -->
1585
+ <element name="infData" type="secDNS:dsOrKeyType"/>
1586
+
1587
+ </schema>
1588
+ END
1589
+
1590
+ 7. Internationalization Considerations
1591
+
1592
+ EPP is represented in XML, which provides native support for encoding
1593
+ information using the Unicode character set and its more compact
1594
+ representations including UTF-8 [RFC3629]. Conformant XML processors
1595
+ recognize both UTF-8 and UTF-16 [RFC2781]. Though XML includes
1596
+ provisions to identify and use other character encodings through use
1597
+ of an "encoding" attribute in an <?xml?> declaration, use of UTF-8 is
1598
+ RECOMMENDED in environments where parser encoding support
1599
+ incompatibility exists.
1600
+
1601
+ As an extension of the EPP domain mapping [RFC5731], the
1602
+ internationalization requirements in the EPP domain mapping [RFC5731]
1603
+ are followed by this extension. This extension does not override any
1604
+ of the EPP domain mapping [RFC5731] internationalization features.
1605
+
1606
+ 8. IANA Considerations
1607
+
1608
+ This document uses URNs to describe XML namespaces and XML schemas
1609
+ conforming to a registry mechanism described in RFC 3688 [RFC3688].
1610
+ Two URI assignments have been completed by the IANA.
1611
+
1612
+ Registration request for the extension namespace:
1613
+
1614
+ URI: urn:ietf:params:xml:ns:secDNS-1.1
1615
+
1616
+ Registrant Contact: IESG
1617
+
1618
+ XML: None. Namespace URIs do not represent an XML specification.
1619
+
1620
+ Registration request for the extension XML schema:
1621
+
1622
+ URI: urn:ietf:params:xml:schema:secDNS-1.1
1623
+
1624
+
1625
+
1626
+ Gould & Hollenbeck Standards Track [Page 29]
1627
+
1628
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1629
+
1630
+
1631
+ Registrant Contact: IESG
1632
+
1633
+ XML: See the "Formal Syntax" section of this document.
1634
+
1635
+ 9. Security Considerations
1636
+
1637
+ The mapping extensions described in this document do not provide any
1638
+ security services beyond those described by EPP [RFC5730], the EPP
1639
+ domain name mapping [RFC5731], and protocol layers used by EPP. The
1640
+ security considerations described in these other specifications apply
1641
+ to this specification as well.
1642
+
1643
+ As with other domain object transforms, the EPP transform operations
1644
+ described in this document MUST be restricted to the sponsoring
1645
+ client as authenticated using the mechanisms described in
1646
+ Sections 2.9.1.1 and 7 of RFC 5730 [RFC5730]. Any attempt to perform
1647
+ a transform operation on a domain object by any client other than the
1648
+ sponsoring client MUST be rejected with an appropriate EPP
1649
+ authorization error.
1650
+
1651
+ The provisioning service described in this document involves the
1652
+ exchange of information that can have an operational impact on the
1653
+ DNS. A trust relationship MUST exist between the EPP client and
1654
+ server, and provisioning of public key information MUST only be done
1655
+ after the identities of both parties have been confirmed using a
1656
+ strong authentication mechanism.
1657
+
1658
+ An EPP client might be acting as an agent for a zone administrator
1659
+ who wants to send delegation information to be signed and published
1660
+ by the server operator. Man-in-the-middle attacks are thus possible
1661
+ as a result of direct client activity or inadvertent client data
1662
+ manipulation.
1663
+
1664
+ Acceptance of a false key by a server operator can produce
1665
+ significant operational consequences. The child and parent zones
1666
+ MUST be consistent to secure the delegation properly. In the absence
1667
+ of consistent signatures, the delegation will not appear in the
1668
+ secure namespace, yielding untrustworthy query responses. If a key
1669
+ is compromised, a client can either remove the compromised
1670
+ information or update the delegation information via EPP commands
1671
+ using the "urgent" attribute.
1672
+
1673
+ Operational scenarios requiring quick removal of a secure domain
1674
+ delegation can be implemented using a two-step process. First,
1675
+ security credentials can be removed using an "urgent" update as just
1676
+ described. The domain can then be removed from the parent zone by
1677
+ changing the status of the domain to either of the EPP "clientHold"
1678
+ or "serverHold" domain status values. The domain can also be removed
1679
+
1680
+
1681
+
1682
+ Gould & Hollenbeck Standards Track [Page 30]
1683
+
1684
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1685
+
1686
+
1687
+ from the zone using the EPP <delete> command, but this is a more
1688
+ drastic step that needs to be considered carefully before use.
1689
+
1690
+ Data validity checking and Delegation Signer record creation at the
1691
+ server require computational resources. A purposeful or inadvertent
1692
+ denial-of-service attack is possible if a client requests some number
1693
+ of update operations that exceed a server's processing capabilities.
1694
+ Server operators SHOULD take steps to manage command load and command
1695
+ processing requirements to minimize the risk of a denial-of-service
1696
+ attack.
1697
+
1698
+ The signature lifetime values provided by clients are requests that
1699
+ can be rejected. Blind acceptance by a server operator can have an
1700
+ adverse impact on a server's processing capabilities. Server
1701
+ operators SHOULD seriously consider adopting implementation rules to
1702
+ limit the range of acceptable signature lifetime values to counter
1703
+ potential adverse situations.
1704
+
1705
+ 10. Acknowledgements
1706
+
1707
+ The authors would like to thank the following people who have
1708
+ provided significant contributions to the development of this
1709
+ document:
1710
+
1711
+ David Blacka, Howard Eland, Patrik Faltstrom, Olafur Gudmundsson,
1712
+ Bernie Hoeneisen, Ed Lewis, Klaus Malorny, Alexander Mayrhofer,
1713
+ Patrick Mevzek, David Smith, Andrew Sullivan, and
1714
+ Srikanth Veeramachaneni.
1715
+
1716
+ This document replaces RFC 4310 [RFC4310]. Please see the
1717
+ Acknowledgements section in that RFC for additional acknowledgements.
1718
+
1719
+ This document incorporates feedback from early implementers on the
1720
+ PROVREG mailing list and users.
1721
+
1722
+ 11. References
1723
+
1724
+ 11.1. Normative References
1725
+
1726
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1727
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
1728
+
1729
+ [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
1730
+ January 2004.
1731
+
1732
+ [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
1733
+ System KEY (DNSKEY) Resource Record (RR) Secure Entry
1734
+ Point (SEP) Flag", RFC 3757, April 2004.
1735
+
1736
+
1737
+
1738
+ Gould & Hollenbeck Standards Track [Page 31]
1739
+
1740
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1741
+
1742
+
1743
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1744
+ Rose, "Resource Records for the DNS Security Extensions",
1745
+ RFC 4034, March 2005.
1746
+
1747
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1748
+ Rose, "Protocol Modifications for the DNS Security
1749
+ Extensions", RFC 4035, March 2005.
1750
+
1751
+ [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
1752
+ STD 69, RFC 5730, August 2009.
1753
+
1754
+ [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
1755
+ Domain Name Mapping", STD 69, RFC 5731, August 2009.
1756
+
1757
+ [W3C.REC-xml-20001006]
1758
+ Maler, E., Sperberg-McQueen, C., Bray, T., and J. Paoli,
1759
+ "Extensible Markup Language (XML) 1.0 (Second Edition)",
1760
+ World Wide Web Consortium FirstEdition REC-xml-20001006,
1761
+ October 2000,
1762
+ <http://www.w3.org/TR/2000/REC-xml-20001006>.
1763
+
1764
+ [W3C.REC-xmlschema-1-20010502]
1765
+ Beech, D., Thompson, H., Mendelsohn, N., and M. Maloney,
1766
+ "XML Schema Part 1: Structures", World Wide Web Consortium
1767
+ FirstEdition REC-xmlschema-1-20010502, May 2001,
1768
+ <http://www.w3.org/TR/2001/REC-xmlschema-1-20010502>.
1769
+
1770
+ [W3C.REC-xmlschema-2-20010502]
1771
+ Malhotra, A. and P. Biron, "XML Schema Part 2: Datatypes",
1772
+ World Wide Web Consortium FirstEdition REC-xmlschema-2-
1773
+ 20010502, May 2001,
1774
+ <http://www.w3.org/TR/2001/REC-xmlschema-2-20010502>.
1775
+
1776
+ 11.2. Informative References
1777
+
1778
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
1779
+ STD 13, RFC 1034, November 1987.
1780
+
1781
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
1782
+ specification", STD 13, RFC 1035, November 1987.
1783
+
1784
+ [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
1785
+ 10646", RFC 2781, February 2000.
1786
+
1787
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
1788
+ 10646", STD 63, RFC 3629, November 2003.
1789
+
1790
+
1791
+
1792
+
1793
+
1794
+ Gould & Hollenbeck Standards Track [Page 32]
1795
+
1796
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1797
+
1798
+
1799
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
1800
+ Rose, "DNS Security Introduction and Requirements",
1801
+ RFC 4033, March 2005.
1802
+
1803
+ [RFC4310] Hollenbeck, S., "Domain Name System (DNS) Security
1804
+ Extensions Mapping for the Extensible Provisioning
1805
+ Protocol (EPP)", RFC 4310, December 2005.
1806
+
1807
+
1808
+
1809
+
1810
+
1811
+
1812
+
1813
+
1814
+
1815
+
1816
+
1817
+
1818
+
1819
+
1820
+
1821
+
1822
+
1823
+
1824
+
1825
+
1826
+
1827
+
1828
+
1829
+
1830
+
1831
+
1832
+
1833
+
1834
+
1835
+
1836
+
1837
+
1838
+
1839
+
1840
+
1841
+
1842
+
1843
+
1844
+
1845
+
1846
+
1847
+
1848
+
1849
+
1850
+ Gould & Hollenbeck Standards Track [Page 33]
1851
+
1852
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1853
+
1854
+
1855
+ Appendix A. Changes from RFC 4310
1856
+
1857
+ 1. Added the motivation in obsoleting RFC 4310 [RFC4310] to
1858
+ Section 1.
1859
+
1860
+ 2. Updated Section 1 to add an explicit statement about deprecation
1861
+ of RFC 4310.
1862
+
1863
+ 3. Added secDNS-1.0 and secDNS-1.1 abbreviation definitions in
1864
+ Section 1.1.
1865
+
1866
+ 4. Updated "Data validity checking at the server..." to "Data
1867
+ validity checking and Delegation Signer record creation at the
1868
+ server..." in Section 9.
1869
+
1870
+ 5. Added Section 2.
1871
+
1872
+ 6. Updated the second paragraph of Section 7 to clarify that the
1873
+ internationalization features of [RFC5731] are followed.
1874
+
1875
+ 7. Moved <secDNS:rem> prior to <secDNS:add> to conform to the EPP
1876
+ order semantics for supporting <secDNS:all> with <secDNS:rem> to
1877
+ remove all data, and for supporting the replace semantics
1878
+ previously supported by <secDNS:chg>.
1879
+
1880
+ 8. Added support for the use of the <secDNS:all> boolean element
1881
+ under <secDNS:rem> to remove all DS or key data in place of
1882
+ using <secDNS:chg/>.
1883
+
1884
+ 9. Updated <secDNS:add>, <secDNS:rem>, and <secDNS:chg> to function
1885
+ in a consistent way to the other EPP RFCs.
1886
+
1887
+ 10. Removed support for <secDNS:rem> using just <secDNS:keyTag>.
1888
+
1889
+ 11. Moved the <secDNS:maxSigLife> element out of the <secDNS:dsData>
1890
+ and <secDNS:keyData> elements and directly under the <secDNS:
1891
+ create> element, under the <secDNS:chg> element of the <secDNS:
1892
+ update> element, and under the <secDNS:infData> element.
1893
+ Section 3.3 element was updated to better describe the <secDNS:
1894
+ maxSigLife> element, and references to the <secDNS:maxSigLife>
1895
+ element were updated throughout the document.
1896
+
1897
+ 12. Replaced references to urn:ietf:params:xml:schema:secDNS-1.0
1898
+ with urn:ietf:params:xml:schema:secDNS-1.1, and replaced "Two
1899
+ URI assignments have been completed by the IANA" with "Two URI
1900
+ assignments have been completed by the IANA" in Section 8.
1901
+
1902
+
1903
+
1904
+
1905
+
1906
+ Gould & Hollenbeck Standards Track [Page 34]
1907
+
1908
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1909
+
1910
+
1911
+ 13. Added "The <secDNS:keyTag> element is represented as an
1912
+ unsignedShort [W3C.REC-xmlschema-2-20010502]" in Section 4.1.
1913
+
1914
+ 14. Added "The <secDNS:digest> element is represented as a hexBinary
1915
+ [W3C.REC-xmlschema-2-20010502]" in Section 4.1.
1916
+
1917
+ 15. Added "The <secDNS:pubKey> element is represented as a
1918
+ base64Binary [W3C.REC-xmlschema-2-20010502] with a minimum
1919
+ length of 1" in Section 4.2.
1920
+
1921
+ 16. Combined "the command MUST contain an <extension> element" with
1922
+ the following sentence in Section 5.2.1 and Section 5.2.5.
1923
+
1924
+ 17. Added sentence "If the server does not support the <secDNS:
1925
+ maxSigLife> element, a 2102 error MUST be returned" to
1926
+ Section 5.2.1 and Section 5.2.5.
1927
+
1928
+ 18. Added sentence "This document replaces RFC 4310. Please see the
1929
+ Acknowledgements section in that RFC for additional
1930
+ acknowledgements" in Section 10.
1931
+
1932
+ 19. Added "This document incorporates feedback from implementers on
1933
+ the PROVREG mail list and users" as well as "This document
1934
+ obsoletes RFC 4310" in the Abstract.
1935
+
1936
+ 20. Removed all references to xsi:schemaLocation to be consistent
1937
+ with the other EPP RFCs.
1938
+
1939
+ 21. Added the "DS Data Interface and Key Data Interface" section.
1940
+
1941
+ 22. Moved the "create, add, remove, and replace Delegation Signer
1942
+ (DS) information" paragraph from the "Object Attributes" section
1943
+ to the "DS Data Interface" section.
1944
+
1945
+ 23. Replaced the element descriptions in the "EPP <info> Command"
1946
+ section with a reference to the <secDNS:dsData> and <secDNS:
1947
+ keyData> elements described in the "DS Data Interface" and "Key
1948
+ Data Interface" sections, respectively.
1949
+
1950
+ 24. Updated the "EPP <info> Command" section examples to include
1951
+ both the DS Data Interface and the Key Data Interface.
1952
+
1953
+ 25. Updated the "EPP <create> Command" section to refer to both the
1954
+ use of <secDNS:dsData> and <secDNS:keyData> described in the "DS
1955
+ Data Interface" and "Key Data Interface" sections, respectively.
1956
+
1957
+ 26. Updated the "EPP <create> Command" section examples to include
1958
+ both the DS Data Interface and the Key Data Interface.
1959
+
1960
+
1961
+
1962
+ Gould & Hollenbeck Standards Track [Page 35]
1963
+
1964
+ RFC 5910 EPP DNS Security Extensions Mapping May 2010
1965
+
1966
+
1967
+ 27. Updated the "EPP <update> Command" section to describe the use
1968
+ of <secDNS:add>, <secDNS:rem>, and <secDNS:chg> together.
1969
+
1970
+ 28. Updated the "EPP <update> Command" section examples to include
1971
+ both the DS Data Interface and the Key Data Interface. Also
1972
+ included additional examples of adding and removing DS data or
1973
+ key data.
1974
+
1975
+ 29. Updated the "Formal Syntax" section with the updated XML schema.
1976
+
1977
+ 30. Updated the Acknowledgements section with a new list of
1978
+ contributors.
1979
+
1980
+ 31. Replaced references to RFC 3730 with references to RFC 5730.
1981
+
1982
+ 32. Replaced references to RFC 3731 with references to RFC 5731.
1983
+
1984
+ 33. Added clarification on when the extension MUST be included for
1985
+ each of the commands and responses (<secDNS:create>, <secDNS:
1986
+ update>, <secDNS:infData>).
1987
+
1988
+ 34. Changed "In addition, the EPP <extension> element MUST contain a
1989
+ child <secDNS:infData> element" to "In addition, the EPP
1990
+ <extension> element SHOULD contain a child <secDNS:infData>
1991
+ element" and added "and based on server policy".
1992
+
1993
+ Authors' Addresses
1994
+
1995
+ James Gould
1996
+ VeriSign, Inc.
1997
+ 21345 Ridgetop Circle
1998
+ Dulles, VA 20166-6503
1999
+ US
2000
+
2001
+ EMail: jgould@verisign.com
2002
+
2003
+
2004
+ Scott Hollenbeck
2005
+ VeriSign, Inc.
2006
+ 21345 Ridgetop Circle
2007
+ Dulles, VA 20166-6503
2008
+ US
2009
+
2010
+ EMail: shollenbeck@verisign.com
2011
+
2012
+
2013
+
2014
+
2015
+
2016
+
2017
+
2018
+ Gould & Hollenbeck Standards Track [Page 36]
2019
+