Hi Scott, Thanks for putting this together.
In section 7.1 of your draft there is mention of a special "sacrificial.arpa" to basically park these delegations to something that cannot be hijacked. Instead of creating sacrificial.arpa, could sacrificial.invalid from the invalid TLD as defined by RFC 6761 be used? This would avoid the mechanics of getting sacrificial.arpa blessed plus it has the benefits that DNS SHOULD immediately respond with nxdomain. -andy On Fri, Jun 23, 2023 at 11:18 AM Hollenbeck, Scott <shollenbeck=40verisign....@dmarc.ietf.org> wrote: > > FYI, folks. This draft was written to help describe why RFCs 5731 and 5732 say > that an EPP client (for example, a domain name registrar) SHOULD NOT delete > EPP domain objects without explicitly addressing associations with registered > host objects. It explains how certain operational practices have introduced a > risk of domain management hijacking, and it contains some thoughts on better > practices. I won't call them "best" yet, but with community input that's the > ultimate intention. > > I'm sharing this with both the regext and dnsop working groups because the > issue includes aspects of EPP implementation and DNS delegation management. An > SSAC working group is also looking at the topic. I'll push the xml source and > text files to a GitHub repository shortly; review, feedback, and pull requests > are most welcome. > > https://github.com/verisign/draft-regext-epp-delete-bcp > > Thanks for your attention, > Scott > > > -----Original Message----- > > From: internet-dra...@ietf.org <internet-dra...@ietf.org> > > Sent: Friday, June 23, 2023 10:57 AM > > To: Hollenbeck, Scott <shollenb...@verisign.com>; Carroll, William > > <wicarr...@verisign.com> > > Subject: [EXTERNAL] New Version Notification for > > draft-hollenbeck-regext-epp- > > delete-bcp-00.txt > > > > Caution: This email originated from outside the organization. Do not click > > links > > or open attachments unless you recognize the sender and know the content is > > safe. > > > > A new version of I-D, draft-hollenbeck-regext-epp-delete-bcp-00.txt > > has been successfully submitted by Scott Hollenbeck and posted to the IETF > > repository. > > > > Name: draft-hollenbeck-regext-epp-delete-bcp > > Revision: 00 > > Title: Best Practices for Deletion of Domain and Host > > Objects in the > > Extensible Provisioning Protocol (EPP) > > Document date: 2023-06-23 > > Group: Individual Submission > > Pages: 11 > > URL: > > https://www.ietf.org/archive/id/draft-hollenbeck-regext-epp-delete-bcp-00.txt > > Status: > > https://datatracker.ietf.org/doc/draft-hollenbeck-regext-epp-delete-bcp/ > > Html: > > https://www.ietf.org/archive/id/draft-hollenbeck-regext-epp-delete-bcp-00.html > > Htmlized: [SAH] FYI, > > folks.https://datatracker.ietf.org/doc/html/draft-hollenbeck-regext-epp-delete-bcp > > > > > > Abstract: > > The Extensible Provisioning Protocol (EPP) includes commands for > > clients to delete domain and host objects, both of which are used to > > publish information in the Domain Name System (DNS). EPP includes > > guidance concerning those deletions that is intended to avoid DNS > > resolution disruptions and maintain data consistency. However, > > operational relationships between objects can make that guidance > > difficult to implement. Some EPP clients have developed operational > > practices to delete those objects that have unintended impacts on DNS > > resolution and security. This document describes best practices to > > delete domain and host objects that reduce the risk of DNS resolution > > failure and maintain client-server data consistency. > > > > > > > > > > The IETF Secretariat > > > > _______________________________________________ > DNSOP mailing list > dn...@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ regext mailing list regext@ietf.org https://www.ietf.org/mailman/listinfo/regext
