Network Working Group                                     K. Crispin

INTERNET-DRAFT                                     D. Crocker

<draft-crispin-srs-00.txt>                                   R. Gaetano

Expires in six months                                     S. Langenbach

                                     November, 1998

 

 

 

               Shared Registry System Protocol (SRSP)

 

 

STATUS OF THIS MEMO

 

    This document is an Internet-Draft.  Internet-Drafts are working

    documents of the Internet Engineering Task Force (IETF), its

    areas, and its working groups.  Note that other groups may also

    distribute working documents as Internet-Drafts.

 

    Internet-Drafts are draft documents valid for a maximum of six

    months and may be updated, replaced, or obsoleted by other

    documents at any time.  It is inappropriate to use

    Internet-Drafts as reference material or to cite them other than

    as "work in progress."

 

    To view the entire list of current Internet-Drafts, please check

    the "1id-abstracts.txt" listing contained in the Internet-Drafts

    Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net

    (Northern Europe), ftp.nis.garr.it (Southern Europe),

    munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or

    ftp.isi.edu (US West Coast).

 

 

ABSTRACT

 

    This specification describes a protocol for a Shared Registry

    System (SRS) that allows multiple registrars to register domain

    names within a single Top Level Domain (TLD).  The protocol is

    high-level, text-based, and can be used over many underlying

    transport mechanisms, including email.  The semantic content of

    the protocol is expressed as a set of keyword-value pairs; the

    semantics and structure of this content is, in this document,

    loosely described as the "payload".

 

    The protocol described herein is essentially identical to the SRS

    version 1.5 protocol, specified by the CORE SRS RFP and developed by

    Curt Meyer of Emergent Corporation.

 

 

 

TABLE OF CONTENTS

 

    1.  ARCHITECTURE FOR A SRS

    1.1.  Communications

    1.1.1.  Failure model

    1.1.2.  Transaction State

    1.1.3.  Trust

    1.1.4.  SRS multiplexing of email and wire protocol

    1.1.5.  Encapsulation

    1.2.  Disaster recovery

    1.3.  Administration

    1.4.  Database Publishing

    1.4.1.  Whois

    1.4.2.  Zone Files

    1.4.3.  Fielded data

 

    2.  SRS PROTOCOL

    2.1.  Generic Syntax

    2.1.1.  Character Set

    2.1.2.  Keyword-value Pairs

    2.1.3.  Overall Composition

    2.2.  Requests

    2.2.1.  Generic Fields

    2.2.2.  Operations-Specific Fields

    2.3.  Responses

    2.3.1.  Generic Fields

    2.3.2. Response-specific fields

    2.4.  Error Conditions

    2.4.1.  Error categories

    2.4.2.  Specific errors

    2.5.  Notes

    2.5.1.  Field checking

    2.5.2.  Remove Contact

    2.5.3.  Policy Decisions

    2.5.4.  More sophisticated syntax

    2.5.5.  Host leaks

    2.5.6.  Handle namespace

    3.  SRS TRANSPORT

    3.1.  SRS over Email

    3.1.1.  Encapsulation and Exchange

    3.1.2.  Errors

    3.1.3.  Notes

    3.2.  SRS over TCP

    Encapsulation and Exchange

    3.2.1.  Connection

    3.2.2.  Errors

 

    4.  SECURITY CONSIDERATIONS

    4.1.  Definitions

    4.1.1.  Contact

    4.1.2.  Key

    4.1.3.  Owner

    4.1.4.  PGP

    4.1.5.  Crypt

    4.2.  Key Management

    4.2.1.  Registrar Keys

    4.2.2.  Registry and Dispute Resolution Agency Keys

    4.2.3.  Master Key Compromise

    4.2.4.  Agent Key Compromise

    4.3.  Authentication Schemes

    4.3.1.  PGP Signatures

    4.3.2.  Crypt Authentication

    4.4.  Notes

 

    5. ACKNOWLEDGEMENTS

 

    6. AUTHORS' ADDRESSES

 

    7. REFERENCES

 

    8. FULL COPYRIGHT STATEMENT

 

 

 

1.  ARCHITECTURE FOR A SRS

 

    This section describes a reference architecture for a shared

    domain name registry system.  Explicit goals of this system

    include having mutually distrustful registrars, simple transfer

    by a domain holder between registrars, extensive use of public

    key signatures for authentication and nonrepudiation, robustness

    in the face of failure of any component, and ease of

    implementation.  Note that this reference model is based on the

    actual CORE implementation, and is therefore more specific than

    is necessary to describe the protocol.

 

    Three entities is party to most SRS operations:

 

        * Domain holders (the customers),

        * Registrars (hereafter referred to as the client), and

        * Shared Registry System (hereafter referred to as the SRS). 

 

    This reference architecture is mostly concerned with the

    interaction between the registrar and the SRS.  Communications,

    billing, authentication, etc., between the domain holder and the

    registrar are beyond the scope of this document, and are expected to

    vary widely, given the variation in registrar business models.

 

    1.1.  Communications

 

        A Shared Registry is assumed to be composed of three tiers of

        machines: client machines, operated by the registrars, and fronted

        and database machines, operated by the registry.  The split

        between fronted and database machines is motivated by two factors

        -- performance and security/integrity of the database.  The

        fronted and the database could be the same machine, especially

        with a small registry.  The front-end/database machine(s) are

        collectively referred to as the SRS.

 

        In a large installation both the fronted machines and the

        database machines may be replicated for performance and

        robustness, as well, with the front ends specialized for

        secure network communications, and the database machines

        specialized database engines.

 

        The client machines interact only with the fronted machines,

        and the database machines interact only with the front-ends

        as well.  The client <-> fronted protocol is the focus of

        this document, and it is what we refer to as the "SRS

        protocol".

 

 

        1.1.1.  Failure model

 

            An end-to-end acknowledgement is generated by both the

            SRS and the client when requests or replies are received. This

            ack allows fault recovery to be very straightforward.

 

            All operations that modify state can be reissued benignly

            given appropriate duplicate detection logic in the database

            machines.  Given this characteristic, a communications failure

            at any point can be recovered by the client retrying the

            operation in question.

 

        1.1.2.  Transaction State

 

            All changes to the SRS initiated by a registrar are

            uniquely identified by a transaction identifier generated by

            the client.  This transaction id will consist of a registrar

            key, a date, and a serial number.

 

            We assume that no state is maintained on the fronted

            machines.  All state is distributed between the database

            servers, and the client machines.  A recovery protocol is used

            to synchronize the client and database server's idea of a

            request's state.  Digital signatures are used to detect forged

            state changes.

 

        1.1.3.  Trust

 

            All requests are signed by the issuing registrar.  A

            transfer request is optionally signed by the domain

            holder.  The registrar's public key was signed by the

            registry, and this certificate was communicated to the

            SRS when the registrar was entered into the system.

 

            Each database object has a registrar of record; only that

            registrar may issue changes to that object.  A transfer

            operation is the operation of changing the registrar of

            record.  A backend process notifies, via email, the previous

            registrar of a transfer of an object to another registrar.

            Each domain and host also has a set of contacts, each of which

            may have an associated key.  A transfer request must be signed

            by one of these contacts.

 

            All replies sent to a client contain the associated

            request body.  This reply body is itself signed by the

            database server.  This reply is a nonrepudiatable

            certificate that the operation actually completed.  The

            SRS database logs all of these certificates.  A wise

            client would keep records of all signed reply bodies

            indefinitely, as they are nonrepudiatable proof of a

            completed transaction.

 

            The SRS private key is stored on each of the database

            servers, and is used to sign all replies, and sign the

            zone files for each TLD.  The database servers also

            verify the signature on all requests.

 

            The fronted machines simply route traffic to client

            machines, send and receive email, and distribute signed

            zone files.  At all times, it is assumed that the fronted

            machines have been compromised, and thus, all successful

            attacks on the front-ends result in at most a denial of

            service.  Since the front-ends have little state, they can be

            reloaded from a known-good root disk image, and restarted.  As

            the front-ends are likely to be replicated, these restarts

            will probably not even be noticed by clients.

 

        1.1.4.  SRS multiplexing of email and wire protocol

 

            The SRS protocol is designed to support both interactive

            and email-based clients.  The fronted machines all may

            receive email, and generate acknowledgement email

            messages when the requests have been accepted by the

            database server.

 

            In the CORE implementation the fronted encapsulates the

            email request into a wrapper identifying the reply to

            address, and sends the request to the database.  When the

            database replies to the request, it then copies the wrapper

            from the request, and sends the reply to the fronted.  The

            fronted strips the wrapper, and generates and sends an email

            message from the reply.

 

            Likewise in the CORE implementation, an interactive

            request has a wrapper identifying which connection the

            reply should be sent on.  As the client will

            automatically retrieve any undelivered replies if the

            connected front-end fails, this wrapper is a hint,

            allowing prompt notification in most cases.

 

        1.1.5.  Encapsulation

 

            All messaging is human-readable, ASCII, using MIME

            multipart message encapsulation and format.  All messages that

            do not have the exact expected number of parts are discarded,

            as are all messages that do not verify signatures.

 

            1.1.5.1.  Signatures

 

                PGP signatures use SHA1/DSS signatures as generated

                by pgp5.0 international.  The signature is packaged

                as the second part of a two part multipart signed

                message.  The signed message is the first part.  The

                mime parameters for the message must include

                micalg=pgp-sha1 and

                protocol=application/pgp-signature.  Multiple

                signatures, which are used to countersign transfer

                requests, are simply implemented as nested signed

                messages.

 

            1.1.5.2.  Replies

 

                Replies, as distinct from acks, are formed as an SRS

                signed message, consisting of a two part,

                multipart/mixed MIME message.  The first part is the

                reply body, and the second is the request that this

                reply responds to.  All signatures in the request are

                intact, and thus replies are a certificate,

                nonrepudiatable in both directions.

 

    1.2.  Disaster recovery

 

        Several failure modes are not recovered from automatically;

        indeed, a gross accident could destroy both fronted machines

        and database servers.  Replicated state offsite is important

        to recover from this class of disaster.  Frequent backups of

        the database servers set an upper bound to the amount of lost

        state in the SRS.  Daily delivery of backup media to offsite

        storage will safeguard against data center destruction, and allow

        a rebuild up to the point of the backup.

 

        As clients have been sent nonrepudiatable certificates of

        request completion, when a client connects to a resurrected

        SRS, the SRS may request a replay of these certificates.

        These will then be used to resync up to the instant of

        failure.  Any unacknowledged requests are re-sent by the

        client as in the communications failure case.  Geographically

        colocated clients could be affected by the same disaster, and in

        this case, data will be lost.

 

        A future, related approach, has all these certificates being

        sent to a set of geographically well-distributed sites.  On

        resurrection, these sites are queried for up-to-the-crash

        certificates, which are replayed.  The advantage of this is

        that no certificates need be kept on the clients.

 

        A final, expensive approach has the database itself

        replicated, with automatic failover.  Oracle has several

        different mechanisms to support this option.

 

    1.3.  Administration

 

        The SRS has an administrative interface, allowing full

        database control from on-site only.  Backups are online, not

        interrupting database access, and zone file generation is

        automatic, placing the zone files on the fronted machines for

        distribution via BIND.

 

        A TLD name server is refreshed frequently from a signed zone

        file; if a signature does not verify, the zone file is not

        loaded, and an alarm triggered, causing an expert to be

        automatically paged.

 

    1.4.  Database Publishing

 

        A periodic extract of all data is performed.  This single

        extract is used to generate whois information, new zone

        files, and fielded data files.

 

        1.4.1.  Whois

 

            As whois is a primitive interface, a read-only database

            optimized for text searching is loaded onto the fronted

            machine designated as the whois server.

 

        1.4.2.  Zone Files

 

            A total count of rows is calculated at extract time for

            each TLD.  A generated zone file must have this many rows

            contained within it.  If this comparison fails, the zone file

            is not signed or distributed.  DNSSEC is expected to be

            deployed during 1998, so complex signing will need to be

            phased in.

 

        1.4.3.  Fielded data

 

            Interested parties may download the entire database, or

            changes since the last download, in a well-defined form,

            to be documented.

 

 

 

 

2.  SRS PROTOCOL

 

    This section specifies the SRS Protocol "payload", or

    request/reply semantic content, for each of the operations the

    SRS will support.  The transport and authentication related

    "wrapper" portions of the protocol are described in later

    sections.

 

    2.1.  Generic Syntax

 

        One of the design goals of the SRS protocol and payload is to

        allow the use of unauthenticated[DHC1] communications paths,

        placing all responsibility for security on a well-controlled

        database backend server.  A variety of communications layers can

        be used as transport for the identical payload, including email.

        Thus, the payload is in a form suitable for manual composition of

        this email by a human operator.  The general form of the payload

        is thus similar to any number of other textual field-based

        protocols.

 

        2.1.1.  Character Set

 

            The payload will be expressed in the 7-bit ASCII

            character set.  ASCII double-quotes ('"'), newlines, and

            backslashes ('\') have special meaning as described in

            2.2, and lack special meaning except in the specific

            contexts described.

 

        2.1.2.  Keyword-value Pairs

 

            A payload consists of successive keyword-value pairs,

            expressed either as in 2.2.1 or 2.2.2.

 

            2.1.2.1.  Unquoted

 

                A keyword-value pair may be expressed as follows:

 

                KEYWORD lwsp ':' lwsp VALUE lwsp newline

 

                Where KEYWORD consists of a sequence of printable,

                non-whitespace ASCII characters excluding colon

                (':').  VALUE consists of a sequence of printable

                ASCII characters, including whitespace.

 

                VALUE will be terminated by an ASCII newline, except

                that a newline immediately preceded by a backslash

                will not terminate VALUE, but will instead cause the

                backslash-newline sequence to be ignored.  Thus,

                backslash-newline will cause the concatenation of

                textual lines of payload into a single value (not

                including the backslash-newlines themselves).

 

                Whitespace ("lwsp") between the delimiting colon and

                the first subsequent non-whitespace character will

                not be considered a part of VALUE, nor will the

                terminating newline, nor will whitespace immediately

                preceding the terminating newline.

 

                Note that a VALUE whose last character is backslash

                may be expressed by the inclusion of one or more

                whitespace characters between the backslash and the

                terminating newline.

 

            2.1.2.2.  Quoted

 

                Alternatively, if the first non-whitespace character

                after the colon is an ASCII double-quote, the

                keyword-value pair is taken to be expressed in quoted

                form:

 

                KEYWORD lwsp ":" lwsp "VALUE" lwsp newline

 

                KEYWORD consists of a sequence of printable,

                non-whitespace ASCII characters excluding colon.

                VALUE is taken to be every character between the

                initial double-quote and the next double-quote in the

                payload, including whitespace and newlines, excluding the

                double-quotes themselves.

 

                However, if the initial double-quote is immediately

                followed by another double-quote, VALUE is considered to

                be unquoted as described in 2.2.1, except that the two

                leading double-quotes will be taken as a single

                double-quote character.

 

                Note that the quoted form does not allow for the

                expression of double quotes anywhere in VALUE.  This

                form is intended to permit the simple inclusion of

                multi-line base-64 PGP signatures in payloads; as

                base-64 encoding does not use the ASCII double-quote

                character, this simple alternative will suffice.

 

        2.1.3.  Overall Composition

 

            The term "field" shall be used hereinafter to refer to a

            keyword-value pair, and a specific field may be referred

            to by its keyword.

 

            No two fields in the same request may contain the same

            keyword.

 

            Unless otherwise specified, field values may be up to 255

            bytes in length.  The entirety of a payload, with attached

            signatures and encapsulations may not exceed 65536 bytes.

 

            Any ill-formed payload in a request will result in the

            failure of the request, resulting in the SRS sending an

            appropriate error message.

 

            2.1.3.1.  Case Sensitivity

 

                Keywords are not case-sensitive.  Unless otherwise

                specified, field values are case-sensitive -- case

                information will be stored in the database as

                supplied, and matching operations will be

                case-sensitive.

 

            2.1.3.2.  Dates

 

                All dates communicated to and from the SRS will be

                UTC dates in the format

 

                YYYYMMDD [HH:MM:SS]

 

                where HH represents the hours on a 24-hour clock.

                Dates without the HH:MM:SS portion shall be

                considered to be midnight at the beginning of the

                specified day.

 

            2.1.3.3.  Localization

 

                It is expected that the Keywords specified herein

                will eventually be translated to multiple human

                languages, with appropriate changes in encapsulation.

                However, character set will still be restricted as in 2.1

                above.

 

 

 

    2.2.  Requests

 

        This section documents the contents of the payload associated with

        an SRS request.

 

        2.2.1.  Generic Fields

 

            The following fields must appear IN ORDER as the first

            fields in a payload.

 

            2.2.1.1.  Payload-Version

 

                This field specifies the version of the SRS protocol

                the remainder of the payload uses.  The remainder of

                the payload must be compliant with the corresponding

                version of this document, and the client is expected

                to be able to appropriately process any reply message

                generated according to the same version of this document.

 

                The only currently defined value for this field is

                the literal "1.0".

 

                This field is mandatory.

 

            2.2.1.2.  Registrar-Id

 

                The previously assigned identifier for this registrar in

                the SRS.  Among other things, this value will be used to

                determine the type and key for cryptographic verification

                of the request.

 

                This field is generally the fully qualified domain

                name of the registrar.

 

                This field is mandatory.

 

            2.2.1.3.  Transaction-ID

 

                This is a single printable word (no whitespace).

 

                This field specifies the identifier to be used to

                denote this transaction.  This identifier must be

                unique across all transactions submitted by a

                particular registrar.  The registrar may use any

                policy to generate a transaction-ID.  It is strongly

                recommended that transaction-IDs begin with the

                registrar-ID as defined in 3.1.2.

 

                In the case of a transaction status inquiry, this

                field should be the Transaction-ID submitted with the

                request for which status is desired.

 

                This field is mandatory for all operations.  While

                the initial implementation of the SRS will respond to

                status and query requests synchronously, this allows

                future implementations to respond asynchronously without

                changes to the protocol.

 

            2.2.1.4.  Request-Type

 

                This field specifies the request type.  All values of this

                field will be stored and treated as lower-case. Currently

                defined values for this field are:

 

                    "create" lwsp "contact"

                    "create" lwsp "host"

                    "create" lwsp "domain"

 

                    "modify" lwsp "contact"

                    "modify" lwsp "host"

                    "modify" lwsp "domain"

 

                    "remove" lwsp "host"

                    "remove" lwsp "domain"

 

                    "transfer" lwsp "host"

                    "transfer" lwsp "domain"

 

                    "inquire" lwsp "domain"

                    "inquire" lwsp "contact"

                    "inquire" lwsp "host"

 

                    "renew" lwsp "domain"

 

                    "status" "query"

 

                Note that we do not currently specify a "remove

                contact" operation.  This is to ease the tracking of

                events associated with a domain; we don't potentially have

                to go through history attempting to recreate contact

                information as well as domain information.

 

                This field is mandatory.

 

            2.2.1.5.  Signer-Handle

 

                The handle of a pre-existing contact whose

                authentication information is used to authenticate

                the request.

 

                This field must exist if and only if the request is

                doubly signed (the other signature being that of the

                registrar) as described in the SRS Architecture

                Specification, or if the request is authenticated

                using a stored secret.

 

                A request will fail if one of the following occurs:

 

                (1) It is required to be doubly signed by the SRS

                Security Policies document, and is not.

 

                (2) The value of this field is not a valid contact

                who is authorized to authenticate this transaction

                according to the SRS Security Policies document.

                This check is made before the application of this

                request.

 

                (3) Authentication, performed according to the

                information in the contact record associated with

                this field, fails.

 

                Note that if a request is doubly signed and one of 2

                or 3 above fail, the request will fail even if it is

                not required by the SRS Security Policies document to be

                doubly signed.

 

 

            2.2.1.6.  Authenticating-Key

 

                The secret key used to authenticate a request.

 

                This field must only exist if the contact specified

                in the mandatory Signer-Handle value uses Crypt

                authentication.

 

 

        2.2.2.  Operations-Specific Fields

 

            This section documents fields that are specific to each

            possible value of the Request-Type field.  Unless

            otherwise specified, these fields may appear in any order

            (after those specified in 3.1)

 

            2.2.2.1.  Create Contact

 

                The create contact operation results in the creation

                of a contact record in the SRS.  In order to support

                the potential exchange of TLD databases,

                functionality to support user-specified handles is

                included.

 

                No checking is performed to prevent the creation of

                duplicate contacts (with different handles).

 

                Handle

 

                    A single printable word (no whitespace), not

                    beginning with '=', case-insensitive.  All values of

                    this field will be stored and treated as upper case.

 

                    This field is optional; if specified, an attempt

                    is made to create the contact with the specified

                    handle.  If the specified handle already exists

                    in the database, the operation fails and no

                    contact information is created.

 

                Name

 

                    A printable string (may include whitespace).  The name

                    of the contact.

 

                    This field is mandatory.

 

                Title

 

                    A printable string (may include whitespace).  The

                    contact's title.

 

                    This field is optional.

 

                Organization

 

                    A printable string (may include whitespace).  The

                    organization to which the contact belongs.

 

                    This field is optional.  (In particular, it is

                    clearly inapplicable to the nominative domain.)

 

                Address-1,

                Address-2,

                City,

                State,

                Postal-Code,

                Country

 

                    All of these fields are printable strings (may

                    include whitespace).

 

                    These contain the contact's postal address

                    information.  No checking is performed to ensure

                    correctness or completeness of the address;

                    specification of an accurate address is strongly

                    encouraged, for obvious reasons.  In particular,

                    unspecified country fields may not be assumed to

                    be the United States.

 

                    All of these fields are optional.

 

                Email

 

                    A printable string (may include whitespace).  The

                    contact's email address.  No checking will be

                    performed to ensure its validity.

 

                    This field is mandatory.

 

                Phone

 

                    A printable string (may include whitespace).  The

                    contact's international telephone number.  No checking

                    will be performed to ensure its validity.

                    Specification of a complete telephone number,

                    including country code, is strongly encouraged;

                    telephone numbers may not be assumed to be in the

                    United States.

 

                    This field is optional.

 

                Auth-Type

 

                    This field specifies the type of authentication

                    to be performed in order to verify this contact's

                    digital signature.  All values of this field will be

                    stored and treated as lower case.  Currently defined

                    values are:

 

                        pgp5

                        crypt

                        none

 

                    This field is mandatory.

 

                Auth-Key

 

                    A printable string of up to 1,023 characters (may

                    include whitespace).  Specifies the key to be used to

                    verify the validity of a request to change this

                    contact.  Its contents are dependent on the value of

                    the Auth-Type field.

 

                    This field is mandatory, unless the value of the

                    Auth-Type field is "none", in which case it must

                    not be specified.

 

                Fax

 

                    A printable string (may include whitespace).  The

                    contact's international fax telephone number.  No

                    checking will be performed to ensure its validity.

                    Specification of a complete telephone number,

                    including country code, is strongly encouraged;

                    telephone numbers may not be assumed to be in the

                    United States.

 

                    This field is optional.

 

            2.2.2.2.  Create Host

 

                The create host operation results in the creation of

                a new host record in the SRS.

 

                This operation may implicitly create contact records

                and other information in the SRS.  If these

                operations fail for any reason, the entire operation

                fails and no change is made to the SRS.

 

                Handle

 

                    A single printable word (no whitespace), not

                    beginning with '=', case-insensitive.  All values of

                    this field will be stored and treated as upper case.

 

                    This field is optional; if specified, an attempt

                    is made to create the host with the specified

                    handle.  If the specified handle already exists

                    in the database, the operation fails and no host

                    information is created.

 

                IP-Address

 

                    This field is a list of 4-octet IP addresses for

                    the nameserver.  IP addresses are expressed in

                    decimal-"dot" format; each of the four octets is

                    represented as decimal ASCII text, separated by

                    '.' (e.g., "140.174.2.181").

 

                    No verification is performed on this field beyond

                    syntactic correctness.  In particular, no duplicate

                    checking is performed, so multiple host records can

                    exist for the same IP address.  This enables a user to

                    administer several different "sets" of domains on one

                    nameserver if so desired.

 

                    This field is mandatory.

 

                Domain-Name

 

                    This field is a valid fully-qualified domain name as

                    specified in RFC 1034 et seq.  It is taken to be the

                    domain name of this host.  All values of this field

                    will be stored and treated as lower case.

 

                Contact Information

 

                    Each host must have contact information

                    associated with it.  This contact may either be

                    supplied as the handle of a pre-existing contact, or

                    it may be created "implicitly" from information

                    supplied as part of the Create Host operation.

 

                    The presence of valid contact information

                    supplied by one of these two methods is

                    mandatory; if an error occurs, the entire create

                    host operation fails and no changes are made to

                    the SRS.

 

                Contact-Handle

 

                    The handle of a pre-existing contact generated by the

                    SRS.  All values of this field will be stored and

                    treated as upper case.

 

                    This contact is associated with the host.  If

                    this contact handle does not exist, the entire

                    create host operation fails and no changes are

                    made to the SRS.

 

                Implicit Contact Creation

 

                    Contacts may be created implicitly by specifying

                    contact information in fields named by prepending the

                    string "Contact-" to the field names specified in

                    3.2.1.2 -- 3.2.1.9.

 

                    Fields are mandatory and subject to validity

                    checking as specified in 3.2.1.2 -- 3.2.1.9.  If

                    an error occurs during implicit contact creation, the

                    operation fails and no changes are made to the SRS.

 

            2.2.2.3.  Create Domain

 

                The create domain operation results in the creation

                of a domain record in the SRS.  This operation may

                also implicitly create contact records and other

                information in the SRS.  If any of these operations

                fail for any reason, the entire operation fails and

                no change is made to the SRS.

 

                TLD

 

                    This field specifies the top-level domain in

                    which the domain should be created.  All values

                    of this field will be stored and treated as lower

                    case.

 

                    This field must match one of the top-level

                    domains being managed by this SRS; otherwise, the

                    operation fails.

 

                    This field is mandatory.

 

                SLD

 

                    A valid second-level domain name, as defined in

                    RFC-1034 et seq.  This field is not

                    case-sensitive, and will be mapped to lower case

                    for storage in the database.  If both the TLD and SLD

                    fields match those attributes of a preexisting domain

                    record, the operation will fail.

 

                    This field is mandatory.

 

                Nameservers

 

                    Each domain has no fewer than two and no more

                    than twelve host records associated with it.

                    These hosts are expected to act as the domain's

                    nameservers.

 

                    This protocol supports both the use of

                    pre-existing hosts by handle and the implicit

                    creation of hosts by the specification of host

                    creation information in a domain creation

                    operation.

 

                    The nameservers for a domain are numbered

                    sequentially, starting from 1.  Each of the

                    nameservers for the domain may be a pre-existing

                    host, referenced by handle, or an

                    implicitly-created host.

 

                    Each nameserver is handled identically.  For the

                    purposes of the remainder of 3.2.3.3 and for

                    3.2.3.7, "<nsnum>" may be replaced with the

                    concatenation of "NS" (case-insensitive) and the

                    decimal ASCII representation of the sequential

                    number of the nameserver.

 

                <nsnum>-Handle

 

                    The handle of a pre-existing host.  If a host

                    with this handle does not already exist in the

                    SRS, the entire domain creation operation fails

                    and no changes are made to the SRS.

 

                    If this field is specified for a nameserver

                    number, implicit host creation may not be

                    specified for that nameserver.

 

                    This field is case-insensitive.

 

                Implicit Host Creation

 

                    Hosts may be created implicitly by prepending the

                    string "<nsnum>-" to the fields specified in 3.2.2.2

                    -- 3.2.2.4.  Implicit contact creation as part of

                    implicit host creation, as described in 3.2.2.4.2, is

                    supported by prepending "<nsnum>-Contact-" to the

                    field names described in 3.2.1.2 -- 3.2.1.9.

 

                    A linked contact specification is supported for

                    the host contact handle

                    ("<nsnum>-Contact-Handle") as specified in

                    3.2.3.7.  If an error occurs during this process, the

                    entire domain creation operation fails and no changes

                    are made to the SRS.

 

                    If implicit creation is used for a nameserver,

                    <nsnum>-Handle may not be specified for that

                    nameserver.  Implicit host creation with a

                    user-supplied handle is not supported.

 

                Contact Information

 

                    Each domain has exactly three contacts associated with

                    it: a technical contact, an administrative contact,

                    and a billing contact.  Any two or more of these may

                    be the same contact.  Each of the three contact types

                    is handled identically, so for the purposes of the

                    remainder of 3.2.3.4, the string "<type>" may be

                    replaced by one of "Admin", "Tech", or "Billing".

 

                    As described below, contact information for each

                    contact type must either be specified as the

                    handle of a preexisting contact, or a contact

                    record must be implicitly created.

 

                    If any operation fails for any contact, the

                    entire domain creation operation fails, and no

                    changes are made to the SRS repository.

 

                <type>-Contact-Handle

 

                    A single printable word (no whitespace),

                    case-insensitive.

 

                    If the value of this field begins with '=', the

                    value of the field is a linked contact

                    specification as described in 3.2.3.7.  If the

                    value of this field does not begin with '=', the

                    value must be a pre-existing contact handle, in

                    which case the contact with that handle is

                    associated with the domain.

 

                    If the contact does not exist, the entire domain

                    creation fails.  If <type>-Contact-Handle is

                    specified, implicit contact creation may not be

                    used for that contact type; specification of any

                    other contact information fields for that contact type

                    causes the operation to fail.  This implies that a

                    specific contact handle may not be requested as part

                    of an implicit contact creation.

 

                Implicit Contact Creation

 

                    Contacts may be created implicitly by specifying

                    contact information in fields named by prepending the

                    string "<type>-Contact-" to the field names specified

                    in 3.2.1.2 -- 3.2.1.9.

 

                    If implicit contact creation is used for a

                    contact type, <type>-Contact-Handle may not be

                    specified for that contact type.

 

                    Fields are mandatory and subject to validity

                    checking as specified in 3.2.1.2 -- 3.2.1.9.

 

                Status

 

                    This field specifies the status of the domain.

                    All values of this field will be stored and

                    treated as lower case.  Currently defined values

                    are:

 

                        reserved

                        production

                        expired

                        hold

 

                    This field is mandatory.  The semantic meanings

                    for these values are defined in the section

                    describing the Dispute Resolution Agent (DRA)

                    interface.

 

 

                Linked Contact Specification

 

                    A domain creation operation can result in the

                    implicit creation of a number of contact records, both

                    as domain and host contacts.  The SRS supports the use

                    of multiple instances of the same implicitly created

                    contact as part of a domain creation; e.g.,

                    "Implicitly create a contact as the domain technical

                    contact, and also use that contact as the domain

                    administrative contact and the host contact for

                    nameserver five."

 

                    This is accomplished by specifying contact

                    handles beginning in '=', followed by one of

                    "admin", "tech", "billing", "ns1", "ns2", "ns3",

                    ...  (case insensitive).  When a contact handle

                    field is specified as one of these equivalences,

                    the contact whose type is the remainder of the

                    field value after the '=' is also used for the

                    specified contact.

 

                    For example, if the line "Admin-Contact-Handle:

                    =ns3" appears in a domain creation, whatever

                    contact is used as the host contact for the third

                    nameserver of the domain will also be used as the

                    administrative contact.  Note that the actual contact

                    handle is stored in the SRS repository; if the host

                    contact for the third nameserver is subsequently

                    changed, the domain's administrative contact will not

                    be.

 

                    Circular references are, of course, not allowed.

 

                    Also note that "<nsnum>-Handle" (3.2.3.3.1) and

                    "<nsnum>-Contact-Handle" (3.2.3.3.2) are NOT

                    equivalent; the former is the handle of a host,

                    while the latter is the handle of the host's

                    contact.

 

                Organization

 

                    The name of the Entity or Organization

                    registering the domain.

 

                    This field is mandatory.

 

            2.2.2.4.  Modify Contact

 

                This operation is used to modify a contact record in

                the SRS.

 

                Handle

 

                    The value of this field must be a pre-existing

                    contact handle.  This field is case-insensitive. There

                    is no facility for modifying a contact's handle.  All

                    other information may be modified, but the handle is

                    considered unique and invariant for the life of the

                    contact.

 

                    This field is mandatory.

 

                Contact Information

 

                    Any of the fields specified in 3.2.1.2 -- 3.2.1.9 may

                    be specified here.

 

                    None of these fields are mandatory in the context of a

                    modify operation, except that Auth-Key must be

                    specified if Auth-Type is specified.

 

                    If specified, the value of a field is subject to

                    the same verification criteria as in 3.2.1, after

                    which its value replaces the previous value for the

                    specified attribute of the contact.

 

                    If any errors occur, the entire operation fails,

                    and no changes are made to the SRS repository.

 

            2.2.2.5.  Modify Host

 

                This operation is used to modify a host record in the SRS.

                 It may also be used to implicitly create a new contact

                record for the host as specified in 3.2.2.4.2.

 

                Handle

 

                    This is the handle of a pre-existing host in the

                    SRS.  This field is case insensitive.

 

                    This field is mandatory, and specifies the host

                    to be modified by this operation.

 

                Host Information

 

                    Any of the fields described in 3.2.2.2 -- 3.2.2.4 may

                    be specified here.  Any or all of these fields may be

                    specified independently, except that the specification

                    of a contact handle and the implicit creation of a new

                    contact are mutually exclusive as specified in

                    3.2.2.4.

 

                    The modification of a contact is not allowed in

                    the context of a host modification.

                    Specification of any Contact field as in

                    3.2.2.4.2 will be considered to be an attempt to

                    associate the host with a different,

                    newly-created contact of the specified type.  The

                    problem of erroneous creation of new contacts due to

                    this is expected to be minimal, as most requests that

                    attempt to implicitly modify a contact as part of a

                    host modification will likely be missing one or more

                    of the fields required for contact creation (such as

                    authentication information fields), causing the entire

                    host modification request to fail.

 

                    If any errors occur, the entire operation fails,

                    and no changes are made to the SRS repository.

 

            2.2.2.6.  Modify Domain

 

                This operation is used to modify a domain record in

                the SRS.  It may also be used to implicitly create

                new contacts or nameserver hosts for the domain, in

                the manner specified in 3.2.3.

 

                TLD, SLD

 

                    Both of these fields must match a pre-existing

                    domain in the SRS.  These fields are

                    case-insensitive.

 

                    There is no facility for renaming a domain.  All

                    other information may be modified, but the domain name

                    is considered unique and invariant for the life of the

                    domain.  It is expected that a "rename domain" be

                    executed as a "create domain" followed by a "remove

                    domain".

 

                    These fields are mandatory.

 

                Domain Information

 

                    Any of the fields specified in 3.2.3.3 -- 3.2.3.6 may

                    be specified here.  With the exceptions documented

                    below, any or all of these fields may be specified

                    independently.  They will be subject to the same

                    verification checks as in 3.2.3, and will then replace

                    the old attributes of the domain that correspond to

                    these fields.

 

                    Implicit contact and host creation may be a part

                    of the domain modification operation, as

                    specified in 3.2.3.3.2 and 3.2.3.4.2, may be a

                    part of the modify domain operation.

 

                    If an error occurs, the entire domain

                    modification operation will fail and no changes

                    will be made to the SRS.

 

                    Fields may be specified independently as

                    described in 3.2.3.3 -- 3.2.3.6, according to the

                    following additional rules:

 

                Nameservers Replaced as a List

 

                    The nameservers associated with a domain must be

                    replaced as a list.  nameservers in a modify

                    domain operation must be specified sequentially

                    starting from 1, and the entire list of

                    nameservers for a domain will be replaced with

                    the list specified in the modify operation.

 

                No Implicit Modification

 

                    The modification of a contact or host record

                    cannot be specified as an implicit part of a

                    domain modification request.

 

                    Specification of any explicit creation fields

                    from 3.2.3.3.2 or 3.2.3.4.2 will be considered to be

                    an attempt to associate the domain with a different,

                    newly-created object of the specified type.  The

                    problem of erroneous creation of new objects due to

                    this is expected to be minimal, as most requests that

                    attempt to implicitly modify an object as part of a

                    domain modification will likely be missing one or more

                    of the fields required for object creation, causing

                    the entire domain modification request to fail.

 

                Linked Contact Specification

 

                    The linked contact specification described in

                    3.2.3.7 is allowed.  Changes are made in order of

                    dependency, such that for a field entry of

                    "<type1>-Contact-Handle: =<type2>", the <type2>

                    contact would be updated before its transitive

                    assignment to the <type1> contact.

 

            2.2.2.7.  Remove Host

 

                This operation removes a host from the SRS

                repository.  Removal of disused host records is

                strongly encouraged.

 

                Handle

 

                    A pre-existing host handle in the SRS, case

                    insensitive.  This host is removed from the

                    repository.

 

                    This field is mandatory.

 

            2.2.2.8.  Remove Domain

 

                This operation removes a domain record from the SRS

                repository.

 

                TLD, SLD

 

                    Both of these fields must match a pre-existing

                    domain in the SRS.  These fields are

                    case-insensitive.  Naturally, these fields

                    specify which domain to remove.

 

                    These fields are mandatory.

 

            2.2.2.9.  Transfer Contact

 

                This operation transfers the registration function of a

                contact from its previous registrar to the requesting

                registrar.

 

                Handle

 

                    A pre-existing contact handle in the SRS

                    repository, case insensitive.  This contact will

                    be transferred to the requesting registrar.

 

                    This field is mandatory.

 

            2.2.2.10.  Transfer Host

 

                This operation transfers the registration function of a

                host from its previous registrar to the requesting

                registrar.

 

                Handle

 

                    A pre-existing host handle in the SRS repository, case

                    insensitive.  This host will be transferred to the

                    requesting registrar.

 

                    This field is mandatory.

 

            2.2.2.11.  Transfer Domain

 

                This operation transfers the registration function of a

                domain from its previous registrar to the requesting

                registrar.

 

                TLD, SLD

 

                    Both of these fields must match a pre-existing

                    domain in the SRS.  These fields are

                    case-insensitive.  These fields specify which

                    domain to transfer.

 

                    These fields are mandatory.

 

            2.2.2.12.  Status

 

                This operation allows a registrar to query the

                database for the status of a transaction previously

                submitted by that registrar.  It is a request to the

                SRS to resend the reply information of a transaction; if

                the request has been completed, it will cause another copy

                of the authenticated reply to the transaction to be

                returned to the user.

 

                Records of old transactions, and thus the information

                required to reconstruct replies, are not guaranteed to

                persist in the SRS database indefinitely.  It is

                anticipated that a registrar can determine the completion

                of an old transaction by determining the status of a

                domain through a mechanism such as whois.

 

                This request is not valid for transaction IDs of

                query requests.

 

                The Transaction ID for which the reply is requested

                is conveyed in the Transaction-ID field (3.1.3).

                Since this operation is a solicitation for a resend

                of a transaction reply, it does not have a

                transaction ID of its own.  Thus, the status

                operation does not have any fields other than those

                documented in 3.1.

 

            2.2.2.13.  Query

 

                This operation allows a registrar to request a list

                of its past requests that satisfy a Boolean

                predicate.  A list of all transaction ID's of

                requests submitted by the querying registrar in the

                SRS database's stored history that satisfy all of the

                specified clauses is returned.

 

                History records will not be preserved online in the

                SRS database indefinitely.  It is expected that a

                registrar can deduce the results of a sufficiently

                old transaction by a mechanism such as whois.

 

                All of the fields documented in below are optional.

                To be included in the returned list of transaction

                ID's, a request must satisfy all predicates

                specified.

 

                Request-State

 

                    This field is a set of one or more

                    case-insensitive keywords separated by

                    whitespace.  Requests whose state matches one of

                    the keywords as of the execution of the query

                    satisfy this clause.

 

                    Valid keywords are the request states listed in

                    4.2.2.1.

 

                Submitted-Since

 

                    This field is a UTC date and time, as specified

                    in 2.3.2.  Requests queued for processing after

                    the specified time satisfy this clause.

 

                Submitted-Before

 

                    This field is a UTC date and time, as specified

                    in 2.3.2.  Requests queued for processing before

                    the specified time satisfy this clause.

 

                Completed-Since

 

                    This field is a UTC date and time, as specified

                    in 2.3.2.  Requests whose processing completed

                    after the specified time satisfy this clause.

 

                Completed-Before

 

                    This field is a UTC date and time, as specified

                    in 2.3.2.  Requests whose processing completed

                    before the specified time satisfy this clause.

 

            2.2.2.14.  Domain Inquiry

 

                Registrars may inquire all the SRS database state of

                a domain.  This is accomplished via the Inquire

                Domain Request.  This is a synchronous request.

 

                TLD, SLD

 

                    Both of these fields must match a pre-existing

                    domain in the SRS.  These fields are

                    case-insensitive and mandatory.

 

            2.2.2.15.  Contact Inquiry

 

                Related to domain inquiry, registrars have the

                ability to resolve contact handles to keyword-value

                pairs defining that contact.

 

                This is a synchronous request.

 

                Handle

 

                    The value of this field must be a pre-existing

                    contact handle.

 

                    This field is case-insensitive and mandatory.

 

            2.2.2.16.  Host Inquiry

 

                Related to the domain inquiry, registrars have the

                ability to resolve host handles to keyword-value

                pairs defining that host.  A Contact-Handle keyword

                is supplied by the registrar and the SRS replies

                accordingly.  This is a synchronous request.

 

                Handle

 

                    This is the handle of a pre-existing host in the

                    SRS.  This field is case-insensitive and

                    mandatory.

 

            2.2.2.17.  Renew Domain

 

                This operation adds a system-defined interval to the

                domain's expiration date in the SRS repository.

 

                TLD, SLD

 

                    Both of these fields must match a pre-existing

                    domain in the SRS.  These fields are

                    case-insensitive.  Naturally, these fields

                    specify which domain to renew.

 

                    These fields are mandatory.

 

                    Any attempt to renew a domain outside of the

                    registries policy-defined threshold for renewal

                    will cause the request to fail.

 

 

    2.3.  Responses

 

        This section documents the various fields that may appear in

        the server's responses to an operation.

 

        2.3.1.  Generic Fields

 

            The following fields appear in order in all responses.

 

            2.3.1.1.  Registrar-ID

 

                This is the registrar ID supplied in the request that

                elicited this response.

 

                This field will not be supplied in the event of a

                request parse error occurring before the registrar ID

                could be determined.  However, if the wireline protocol is

                used to communicate with the SRS, such a "short" reply

                will be synchronous as defined by the wireline protocol.

 

            2.3.1.2.  Transaction-ID

 

                This is the transaction ID supplied in the request

                that elicited this response.

 

                This field will not be supplied in the event of a

                request parse error occurring before the transaction

                ID could be determined.  However, if the wireline

                protocol is used to communicate with the SRS, such a

                "short" reply will be synchronous as defined by the

                wireline protocol.

 

            2.3.1.3.  Response-Type

 

                This field designates the type of response.

                Currently defined values are:

 

                    ack

                    reply

 

 

            2.3.1.4.  Resolver-Sequence

 

                The sequence number of the resolution of this

                request.  Fully explained in the FAIRNESS

                DESCRIPTION document.

 

        2.3.2.  Response-specific fields

 

            This section documents fields that appear in specific

            response types.

 

            2.3.2.1.  Ack

 

                This is an acknowledgement of a request and a

                confirmation that it has been queued for processing.

 

                Estimated-Completion

 

                    This is a UTC date and time, as specified in

                    2.3.2.  It represents an estimate by the SRS as

                    to the completion time of the request.  It is by

                    no means a commitment.

 

                    This field may or may not be returned.

 

            2.3.2.2.  Reply

 

                This is the reply to a request, returned by the SRS

                either on completion of a request or in response to a

                status request by the client.

 

                Request-State

 

                    This describes the current state of the request

                    in the SRS server.  Currently defined values are:

 

                        pending

                        in-process

                        succeeded

                        failed

 

                    The success or failure of the operation is

                    authoritatively described by the content of this

                    field, regardless of the content of any other

                    field in the reply (including the Error-Code

                    field).

 

                    This field will be returned for all replies.

 

                Error-Code

 

                    This is the decimal ASCII representation of a

                    number between -2^31 and 2^31, exclusive, that

                    specifically describes any errors or exceptions

                    that occurred during request processing.

 

                    Defined values for this field are described in

                    section 5 of this document.  Note that an error

                    code may be returned with any value of the

                    Request-State field.

 

                    This field will only be returned in the event of

                    an error or exception.

 

                Error-Text

 

                    This is a single line of ASCII text that more

                    specifically describes any errors that occurred.

 

                    This field will only be returned if there is an

                    error or exception for which the SRS can supply

                    meaningful additional information.

 

                Contact-Handle

 

                    This field is a single printable word (no

                    whitespace).  It specifies the handle of a

                    contact that was created with a Create Contact

                    (3.2.1) request, or the new contact of a host,

                    either implicitly created or explicitly

                    referenced as part of a Create or Modify Host

                    operation (3.2.2 or 3.2.5).

 

                    This field is only returned for a successful

                    Create Contact or Create or Modify Host request.

 

                Host-Handle

 

                    This field is a single printable word (no

                    whitespace).  It specifies the handle of a host

                    that was created with a Create Host request

                    (3.2.2).

 

                    This field is only returned for a successful

                    Create Host request.

 

                <type>-Contact-Handle

 

                    These fields are single printable words (no

                    whitespace).  <type> can be one of:

 

                         admin

                         tech

                         billing

                         ns1

                         ns2

                         ns3

                         etc

 

                    These fields specify the handles of all contacts

                    newly associated with a domain, whether

                    implicitly created or explicitly referenced, as

                    part of a Create or Modify Domain request (3.2.3

                    or 3.2.6).

 

                    Each of these fields is returned in the event of

                    the successful association of a contact with a

                    domain for the corresponding contact type.

 

                <nsnum>-Handle

 

                    These fields are single printable words (no

                    whitespace).  <nsnum> is "NS" concatenated with

                    the ASCII representation of a nameserver's

                    ordinal number in a domain creation or

                    modification.  They specify the handles of any

                    hosts that are newly associated with a domain,

                    whether implicitly created or explicitly

                    referenced, as part of a Create or Modify Domain

                    request.

 

                    Each of these fields is returned in the event of

                    the successful association of the specified host

                    with the domain.

 

                Transaction-IDs

 

                    This field is a list of zero or more Transaction

                    ID's for requests that satisfy the predicate of a

                    Query request (3.2.13), separated by whitespace. The

                    length of the value of this field will exceed neither

                    1,024 transaction ID's nor 30,000 octets. To

                    discourage the submission of large query requests,

                    query requests whose result set violates the size

                    restriction will fail without returning any ID's.

 

                    This field will only be returned for a successful

                    query request.

 

                Expiration-Date

 

                    This field is returned by a successful renew

                    domain request and denotes the new expiration

                    date.

 

    2.4.  Error Conditions

 

        This section enumerates the error conditions that can be

        returned in the Error-Code field.  An error is expressed as

        the ASCII representation of a positive decimal number less

        than 2^31.  The return of an error may not indicate the

        failure of a request; the request-status field is the

        authoritative indicator of a request's success or failure.

 

        2.4.1.  Error categories

 

            SRS-generated error codes are six-digit positive decimal

            numbers.  They are divided into broad categories by their

            leading two digits.  The first digit describes the severity of

            the error, while the second describes its general category:

 

            First digit (10^5):

               1 - Informationals

               2 - Warnings

               3 - Transient errors

               4 - Errors (typically causing operation failure)

            Second digit (10^4):

               1 - Transport errors

               2 - Request syntax errors

               3 - Request semantic errors

               4 - Authentication errors

               9 - SRS internal errors

 

        2.4.2.  Specific errors

 

            [TBD]

 

    2.5.  Notes

 

        2.5.1.  Field checking

 

            Arguably, statements of the form "the following checking

            will not be performed" should not be a part of the

            protocol specification, as they might be taken as a

            guarantee that an incorrect field value will not cause an

            operation to fail.  Rather, they are intended as a warning to

            the SRS client developer that the SRS server will not

            necessarily perform these checks; no _guarantee_ is made that

            more extensive validity checking will not be performed.

 

        2.5.2.  Remove Contact

 

            Do we want to implement a "remove contact" operation?

            Right now, we don't, in order to ease tracking of history --

            to reconstruct the sequence of events associated with a

            domain, we don't have to reconstruct possibly defunct contact

            information as well.  Yes, this does mean the contact table is

            growing monotonically...

 

        2.5.3.  Policy Decisions

 

            Several items in this document reflect policy decisions

            that must be made by the registry, and are specified for

            discussion purposes only.  Specifically:

 

            Limits and defaults on domain expiration

            date are registry policy decisions

 

            Limits on the number of nameservers in a

            domain

 

            Do we want to only allow one handle per

            nameserver IP address? It'd be easy to do...

 

        2.5.4.  More sophisticated syntax

 

            A slightly more sophisticated grammar that expresses the

            relationships between objects might be cleaner.  For

            example, this syntax doesn't express the nesting of

            implicit host and contact creation very well.

 

        2.5.5.  Host leaks

 

            When domains are deleted or hosts modified, it is not

            clear that disused host records will be cleaned up in any more

            than a small minority of cases.

 

        2.5.6.  Handle namespace

 

            In order to ensure transferability of information between

            SRS's, steps should be taken to ensure that the namespaces

            each SRS uses for generated names are disjoint.

 

 

3.  SRS TRANSPORT

 

    3.1.  SRS over Email

 

        This section of the document describes the details of the

        transport of SRS payloads over email.  It is assumed that the

        reader is familiar with MIME messages and the use of PGP within

        the MIME context.  The SRS Payload Specification defines what is

        contained within the email message itself.

 

 

        All SRS communications are encapsulated within multipart MIME

        messages.  Each part of a multipart may in turn contain another

        multi-part, as needed.  The outermost layer is signed by the

        originator of the message using PGP.

 

        3.1.1.  Encapsulation and Exchange

 

            A single SRS request is contained within a single email

            message.

 

            3.1.1.1.  Reply-To

 

                Acks and Replies are sent to the Reply-To: RFC822

                Header of the email request.  If there is no

                Reply-To:, From: is used.

 

            3.1.1.2.  Selecting a server

 

                A destination email address is formed by taking the

                TLD, appending .nic.info, and prepending reg@fe.

                Thus, to register a name in .web, send email to

                reg@fe.web.nic.info.

 

        3.1.2.  Errors

 

            Three interesting failure modes exist: lost requests,

            lost acks, and lost replies.  Most of the error recovery

            hinges on the idempotence of operations.

 

            3.1.2.1.  Lost Requests

 

            [TBD]

 

            3.1.2.2.  Lost Acks

 

            [TBD]

 

            3.1.2.3.  Lost Replies

 

            [TBD]

 

        3.1.3.  Notes

 

            Content-Encoding is currently totally ignored;

            eventually, some localization may be possible.

 

 

 

    3.2.  SRS over TCP

 

 

        A registrar may communicate with the SRS over a persistent

        TCP connection.

 

        Encapsulation and Exchange

 

            A registrar sends a stream of MIME-encapsulated

            independent requests over the connection, and reads

            replies and acks on the reverse channel.

 

            These requests differ from email-based MIME in that

            nothing may follow the trailing delimiter of a message;

            more specifically, the next thing immediately following a

            ending boundary is the Content-Type of the next message. This

            is because MIME encapsulation is used to detect the boundaries

            of requests.

 

            A request is outstanding while it has not been acked by

            the SRS.  If there is an outstanding request, another may not

            be sent.

 

        3.2.1.  Connection

 

            A connection is established on a well-known port on one

            of a collection of fronted machines that serve

            registrations for a TLD.  These machines all have names

            of the form: feXX.TLD.nic.info, where XX is a two digit

            ASCII decimal number, and TLD is the appropriate Top

            Level Domain.

 

            It is guaranteed that XX starts at 00 and there are no

            unresolved names between that and the highest numbered

            host.  This can be used to load balance as follows: look

            up the IP address of each host in turn, starting at 00.

            as soon as the first one fails, the total number of

            fronted machines has been determined.  Select one at

            random, and attempt to connect to it.  Repeat until a

            connection is accepted.

 

            The SRS operator can add fronted machines as needed,

            without notifying any registrar.  The SRS operator need

            only update the TLD.nic.info zone when adding or deleting

            machines.

 

        3.2.2.  Errors

 

            Most server or client errors are handled by

            disconnection, establishing known correction state,

            querying the state of any pending request, reissuing lost

            requests, and soliciting undelivered replies.

 

            Disconnection

 

                A server-initiated disconnection is indicative of a

                fronted failure.  Any unacked requests should be

                resent to a new fronted connection.  All pending

                replies should be solicited by sending a query

                followed by a status command for each completed

                request.

 

                A client-initiated disconnection may result in a

                pending request being processed, with the ack being

                dropped.  The unknown state of the request should be

                resolved by issuing a query operation against the

                transaction id.  If the operation is pending or

                completed, the request should not be reissued.

 

 

 

4.  SECURITY  CONSIDERATIONS

 

    This specification provides for database access and modification.

    Affected data bases are an integral part of Internet infrastructure.

    Hence, misbehavior or compromise of the protocol or its operation can

    have considerable impact on Internet operations.

 

    Other discussions concerning trust and security occur elsewhere

    in the specification.

 

    This section provides mechanisms, to protect against these

    dangers.  In particular, this section specifies the SRS security

    policies as they relate to authentication and object

    modification.

 

    4.1.  Definitions

 

        4.1.1.  Contact

 

            A contact is a person who is associated with one or more

            objects in the SRS.  Each contact has a unique contact

            handle, assigned by the SRS; an authentication type, and

            an Authentication key.

 

        4.1.2.  Key

 

            A key is a pair of data objects, one kept secret by the

            signer, and one widely published, including to the SRS.

            Keys may be of several sizes, the larger keys more

            difficult to crack, and more expensive in time to use.

            It is suggested that default size (1024 DSS/2048

            Diffie-Hellman) keys be used.

 

        4.1.3.  Owner

 

            Every object in the SRS has a set of associated contacts. Any

            of these contacts may initiate modification of the object.

 

        4.1.4.  PGP

 

            Pretty Good Privacy software, version 5.0i.  This

            software is resident outside of the United States, and

            has no export issues.  It is recommended that the SRS not use

            PGP to encrypt, nor should it use the IDEA block cypher.  It

            is expected that each registrar would license PGP5.0 from PGP

            incorporated or it's agents for commercial use.  When using

            PGP authentication, the entire PGP public key is sent to the

            SRS and is stored with the contact.

 

        4.1.5.  Crypt

 

            The US National Bureau of Standards has defined a Data

            Encryption Standard, DES.  Unix systems have used a

            uniform method of scrambling plaintext passwords into a

            non-invertable hash using DES.  This uniform method is

            available both inside and outside the US, and so has no

            export control issues.

 

            When using Crypt authentication, user plaintext is

            encrypted, as for unix crypt(3), using a salt of '00',

            and the cyphertext is sent to the SRS and stored with the

            contact.

 

            Crypt style authentication is only valid for

            non-registrar contacts.

 

    4.2.  Key Management

 

        PGP has no notion of key certifying authorities.  Public keys are

        validated by a web of trust model.

 

        4.2.1.  Registrar Keys

 

            The SRS requires each registrar to have a master key and

            a set of agent keys.  The master registrar key is

            communicated to the SRS by the registry, and agent keys

            are communicated to the SRS by the registrar using the

            master key.

 

 

        4.2.2.  Registry and Dispute Resolution Agency Keys

 

            Registries and Dispute Resolution Agencies have identical key

            infrastructure to registrars.  Both entities may issue modify

            registrar requests to manipulate its set of associated agent

            contacts.  Special handles are defined for these entities.

 

        4.2.3.  Master Key Compromise

 

            It may occur that a registrar loses its master key, or

            some person illicitly acquires the registrar's master

            key.  These are different cases, and have different

            methods of recovery.

 

            4.2.3.1.  Lost Master Key

 

                Typically, this is a lost passphrase.  Without this

                passphrase, the encrypted private key stored on the

                registrar's machine can never be decrypted for use.

                The registrar generates a new key, and communicates

                it to the registry.  The registry validates the new

                key, to prevent human engineering, and sends A modify

                contact request to the SRS, using the master contact

                handle for that registrar.  Operations proceed using the

                new key.  No database recovery is needed.

 

            4.2.3.2.  Stolen Master Key

 

                A stolen key can be used to forge requests to the

                SRS.  When a stolen key is detected, a registrar

                should immediately issue a modify contact request for the

                master contact handle, setting the authentication type to

                none.  This will disable all further operations on that

                registrar object until the registrar is reactivated.  The

                registrar notifies the registry, and the registry notifies

                the SRS that a registrar master key has been stolen.  The

                SRS operator will generate a report showing activity that

                occurred using that key.  All forged requests need to be

                manually identified by the registrar, and the requests

                need to be undone.

 

        4.2.4.  Agent Key Compromise

 

            A registrar agent key may be lost or stolen as well.

 

            4.2.4.1.  Agent Key Loss

 

                Agent contacts may be freely enabled and disabled by

                the registrar without the registry's involvement.

                The registrar should create a new contact, and set

                that contact as a valid agent using a modify

                registrar command.

 

            4.2.4.2.  Agent Key Theft

 

                Stolen Agent keys should be immediately disabled

                using a modify registrar command.  The SRS operator

                must be notified, and any illicit requests issued

                using the stolen key must be rolled back, as for a

                stolen master key.

 

            4.2.4.3.  User Key Compromise

 

                If all user keys associated with a domain are lost,

                the domain must be manually reauthenticated.  This

                can be achieved by using a variety of non-definitive

                credentials to establish domain identity.  Possession of a

                registration certificate, a cancelled check to a

                registrar, a copy successfully responding to the email

                address in a contact, being located at the listed phone

                number, faxing a drivers license to the SRS, etc.  When

                sufficiently authenticated, a domain holder provides a new

                PGP5 key to the SRS, and the SRS manually updates the

                relevant contact.

 

    4.3.  Authentication Schemes

 

        4.3.1.  PGP Signatures

 

            Mime supports message authentication via its

            multipart/signed data type.  A cryptographic hash is made of a

            message, and that hash is encrypted with the signer's private

            key.  The resulting signature is packaged with the message.

            The SRS can detect both message corruption and/or unauthorized

            requests using this signature.

 

        4.3.2.  Crypt Authentication

 

            A request using crypt authentication must have a valid

            Signer-Handle value, and a Authenticating-Key value that

            exactly matches the stored key.

 

            A registrar should not store either the cleartext or the

            cyphertext of the key, as this will allow the registrar

            to forge requests for any objects protected by that

            contact.

 

            Similarly, a third party listening to the communication

            between the user and the registrar can forge requests, so a

            secure communications channel, such as SSL, should be used if

            possible between the user and the registrar.

 

    4.4.  Notes

 

        Mail-from authentication is not supported.  Many attacks on

        mail-from type authentication schemes are known, and offer no

        serious security.

 

        Crypt is basically registrar-based authentication.

 

5. ACKNOWLEDGEMENTS

 

    This draft is heavily dependent on documentation provided by

    Emergent Corporation as part of their contract with CORE.  We

    thank Curt Meyer and his colleagues at Emergent for the clear and

    precise work they have done.  ...

 

6. AUTHORS' ADDRESSES

 

K.  Crispin

Songbird

6064 Skyfarm Drive

Castro Valley, CA 94552 USA

+1 510-886-7410

kent@songbird.com

 

D.  Crocker

Brandenburg Consulting

675 Spruce Drive Sunnyvale, CA 94086 USA

+1 408 246 8253

dcrocker@brandenburg.com

 

R.  Gaetano

roberto.gaetano@etsi.fr

 

S.  Langenbach

svl@nrw.net

 

 

 

7.  REFERENCES

 

...

 

8.  FULL COPYRIGHT STATEMENT

 

    Copyright (C) The Internet Society (1998).  All Rights Reserved.

 

    This document and translations of it may be copied and furnished

    to others, and derivative works that comment on or otherwise

    explain it or assist in its implementation may be prepared,

    copied, published and distributed, in whole or in part, without

    restriction of any kind, provided that the above copyright notice and

    this paragraph are included on all such copies and derivative works.

    However, this document itself may not be modified in any way, such as

    by removing the copyright notice or references to the Internet Society

    or other Internet organizations, except as needed for the purpose of

    developing Internet standards in which case the procedures for

    copyrights defined in the Internet Standards process must be followed,

    or as required to translate it into languages other than English.

 

    The limited permissions granted above are perpetual and will not

    be revoked by the Internet Society or its successors or assigns.

 

    This document and the information contained herein is provided on an

    "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING

    TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT

    NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN

    WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF

    MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

 

 

draft-crispin-srs-00-txt        Shared Registry System Protocol November,

1998

 

Expires in six months