rfc9803.original   rfc9803.txt 
Registration Protocols Extensions (regext) G. Brown Internet Engineering Task Force (IETF) G. Brown
Internet-Draft ICANN Request for Comments: 9803 ICANN
Intended status: Standards Track 7 January 2025 Category: Standards Track June 2025
Expires: 11 July 2025 ISSN: 2070-1721
Extensible Provisioning Protocol (EPP) mapping for DNS Time-To-Live Extensible Provisioning Protocol (EPP) Mapping for DNS Time-to-Live
(TTL) values (TTL) Values
draft-ietf-regext-epp-ttl-18
Abstract Abstract
This document describes an extension to the Extensible Provisioning This document describes an extension to the Extensible Provisioning
Protocol (EPP) that allows EPP clients to manage the Time-To-Live Protocol (EPP) that allows EPP clients to manage the Time-to-Live
(TTL) value for domain name delegation records. (TTL) value for domain name delegation records.
About this draft
This note is to be removed before publishing as an RFC.
The source for this draft, and an issue tracker, may can be found at
https://github.com/gbxyz/epp-ttl-extension.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 11 July 2025. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9803.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Please review these documents carefully, as they describe your rights carefully, as they describe your rights and restrictions with respect
and restrictions with respect to this document. Code Components to this document. Code Components extracted from this document must
extracted from this document must include Revised BSD License text as include Revised BSD License text as described in Section 4.e of the
described in Section 4.e of the Trust Legal Provisions and are Trust Legal Provisions and are provided without warranty as described
provided without warranty as described in the Revised BSD License. in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Conventions used in this document . . . . . . . . . . . . 4 1.1. Conventions Used in This Document
1.2. Extension elements . . . . . . . . . . . . . . . . . . . 5 1.2. Extension Elements
1.2.1. The <ttl:ttl> element . . . . . . . . . . . . . . . . 5 1.2.1. The <ttl:ttl> Element
1.2.1.1. Element content . . . . . . . . . . . . . . . . . 5 1.2.1.1. Element Content
1.2.1.2. Supported DNS record types . . . . . . . . . . . 6 1.2.1.2. Supported DNS Record Types
1.2.1.3. The <ttl:info> element . . . . . . . . . . . . . 7 1.2.1.3. The <ttl:info> Element
1.2.2. Examples . . . . . . . . . . . . . . . . . . . . . . 7 1.2.2. Examples
1.2.2.1. Explicit TTL value (<create> or <update> 1.2.2.1. Explicit TTL Value (<create> or <update> Command)
command) . . . . . . . . . . . . . . . . . . . . . 7 1.2.2.2. Explicit TTL Value (<info> Policy Mode)
1.2.2.2. Explicit TTL value (<info> policy mode) . . . . . 7 1.2.2.3. Empty Value Indicating Default TTL (<create> or
1.2.2.3. Empty value indicating default TTL (<create> or <update> Command, <info> Default Mode)
<update> command, <info> default mode) . . . . . . 7 1.2.2.4. Custom Record Type (<create> or <update> Command,
1.2.2.4. Custom record type (<create> or <update> command, <info> Default Mode)
<info> default mode) . . . . . . . . . . . . . . . 7 2. EPP Command Mapping
2. EPP command mapping . . . . . . . . . . . . . . . . . . . . . 8 2.1. EPP Query Commands
2.1. EPP query commands . . . . . . . . . . . . . . . . . . . 8 2.1.1. EPP <info> Command
2.1.1. EPP <info> command . . . . . . . . . . . . . . . . . 8 2.1.1.1. Default Mode
2.1.1.1. Default Mode . . . . . . . . . . . . . . . . . . 8 2.1.1.2. Policy Mode
2.1.1.2. Policy Mode . . . . . . . . . . . . . . . . . . . 11 2.2. EPP Transform Commands
2.2. EPP transform commands . . . . . . . . . . . . . . . . . 14 2.2.1. EPP <create> Command
2.2.1. EPP <create> command . . . . . . . . . . . . . . . . 14 2.2.2. EPP <update> Command
2.2.2. EPP <update> command . . . . . . . . . . . . . . . . 16 3. Server Processing of TTL Values
3. Server processing of TTL values . . . . . . . . . . . . . . . 18 3.1. Permitted Record Types
3.1. Permitted record types . . . . . . . . . . . . . . . . . 18 3.2. Use of TTL Values in Delegation Records
3.2. Use of TTL values in delegation records . . . . . . . . . 18 4. Out-of-Band Changes to TTL Values
4. Out-of-band changes to TTL values . . . . . . . . . . . . . . 18 5. Operational Considerations
5. Operational considerations . . . . . . . . . . . . . . . . . 18 5.1. Operational Impact of TTL Values
5.1. Operational impact of TTL values . . . . . . . . . . . . 19 5.2. When TTL Values Should Be Changed
5.2. When TTL values should be changed . . . . . . . . . . . . 19 5.3. Changes to Server Policy
5.3. Changes to server policy . . . . . . . . . . . . . . . . 19 6. Security Considerations
6. Security considerations . . . . . . . . . . . . . . . . . . . 19 6.1. Fast Flux DNS
6.1. Fast-flux DNS . . . . . . . . . . . . . . . . . . . . . . 20 6.2. Compromised User Accounts
6.2. Compromised user accounts . . . . . . . . . . . . . . . . 20 7. IANA Considerations
7. IANA considerations . . . . . . . . . . . . . . . . . . . . . 20 7.1. XML Namespace
7.1. XML namespace . . . . . . . . . . . . . . . . . . . . . . 20 7.2. EPP Extension Registry
7.2. EPP extension registry . . . . . . . . . . . . . . . . . 21 8. Formal Syntax
8. Formal syntax . . . . . . . . . . . . . . . . . . . . . . . . 21 9. References
9. Implementation status . . . . . . . . . . . . . . . . . . . . 24 9.1. Normative References
9.1. Verisign EPP SDK . . . . . . . . . . . . . . . . . . . . 25 9.2. Informative References
9.2. Pepper EPP Client . . . . . . . . . . . . . . . . . . . . 25 Acknowledgments
10. Change log . . . . . . . . . . . . . . . . . . . . . . . . . 25 Author's Address
10.1. Changes from 17 to 18 . . . . . . . . . . . . . . . . . 25
10.2. Changes from 16 to 17 . . . . . . . . . . . . . . . . . 26
10.3. Changes from 15 to 16 . . . . . . . . . . . . . . . . . 26
10.4. Changes from 14 to 15 . . . . . . . . . . . . . . . . . 26
10.5. Changes from 13 to 14 . . . . . . . . . . . . . . . . . 26
10.6. Changes from 12 to 13 . . . . . . . . . . . . . . . . . 26
10.7. Changes from 11 to 12 . . . . . . . . . . . . . . . . . 27
10.8. Changes from 10 to 11 . . . . . . . . . . . . . . . . . 27
10.9. Changes from 09 to 10 . . . . . . . . . . . . . . . . . 27
10.10. Changes from 08 to 09 . . . . . . . . . . . . . . . . . 27
10.11. Changes from 07 to 08 . . . . . . . . . . . . . . . . . 27
10.12. Changes from 06 to 07 . . . . . . . . . . . . . . . . . 27
10.13. Changes from 05 to 06 . . . . . . . . . . . . . . . . . 27
10.14. Changes from 04 to 05 . . . . . . . . . . . . . . . . . 27
10.15. Changes from 04 to 05 . . . . . . . . . . . . . . . . . 27
10.16. Changes from 03 to 04 . . . . . . . . . . . . . . . . . 28
10.17. Changes from 02 to 03 . . . . . . . . . . . . . . . . . 28
10.18. Changes from 01 to 02 . . . . . . . . . . . . . . . . . 28
10.19. Changes from 00 to 01 . . . . . . . . . . . . . . . . . 28
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 29
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
12.1. Normative references . . . . . . . . . . . . . . . . . . 29
12.2. Informative references . . . . . . . . . . . . . . . . . 30
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
The principal output of any domain name registry system is a DNS zone The principal output of any domain name registry system is a DNS zone
file, which contains the delegation record(s) for names registered file, which contains the delegation record(s) for names registered
within a zone (such as a top-level domain). These records typically within a zone (such as a top-level domain). These records typically
include one or more NS records, but may also include DS records for include one or more NS records, but may also include DS records for
domains secured with DNSSEC ([RFC9364]), and DNAME records for IDN domains secured with DNSSEC [RFC9364], and DNAME records for
variants ([RFC6927]). A and/or AAAA records may also be published Internationalized Domain Name (IDN) variants [RFC6927]. A and/or
for nameservers where required by DNS resolvers to avoid an infinite AAAA records may also be published for nameservers where they are
loop. required by DNS resolvers to avoid an infinite loop.
Typically, the Time-To-Live value (TTL, see Section 5 of [RFC9499]) Typically, the Time-to-Live (TTL) value (see Section 5 of [RFC9499])
of these records is determined by the registry operator. However, in of these records is determined by the registry operator. However, in
some circumstances it may be desirable to allow the sponsoring client some circumstances it may be desirable to allow the sponsoring client
of a domain name to change the TTL values used for that domain's of a domain name to change the TTL values used for that domain's
delegation: for example, to reduce the amount of time required to delegation: for example, to reduce the amount of time required to
complete a change of DNS servers, DNSSEC deployment or key rollover, complete a change of DNS servers, DNSSEC deployment or key rollover,
or to allow for fast rollback of such changes. or to allow for fast rollback of such changes.
This document describes an EPP extension to the domain name and host This document describes an EPP extension to the domain name and host
object mappings (described in [RFC5731] and [RFC5732], respectively) object mappings (described in [RFC5731] and [RFC5732], respectively)
which allows the sponsor of a domain name or host object to change that allows the sponsor of a domain name or host object to change the
the TTL values of the resource record(s) associated with that object. TTL values of the resource record(s) associated with that object. It
It also describes how EPP servers should handle TTLs specified by EPP also describes how EPP servers should handle TTLs specified by EPP
clients and how both parties co-ordinate to manage TTL values in clients and how both parties coordinate to manage TTL values in
response to changes in operational or security requirements. response to changes in operational or security requirements.
1.1. Conventions used in this document 1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
In examples, "C:" represents lines sent by a protocol client and "S:" In this document's examples, "C:" represents lines sent by a protocol
represents lines returned by a protocol server. Indentation and client and "S:" represents lines returned by a protocol server.
white space in examples are provided only to illustrate element Indentation and white space in these examples are provided only to
relationships and are not required features of this protocol. illustrate element relationships and are not required features of
this protocol.
A protocol client that is authorized to manage an existing object is A protocol client that is authorized to manage an existing object is
described as a "sponsoring" client throughout this document. described as a "sponsoring" client throughout this document.
XML is case sensitive. Unless stated otherwise, XML specifications XML is case sensitive. Unless stated otherwise, the XML
and examples provided in this document MUST be interpreted in the specifications and examples provided in this document MUST be
character case presented in order to develop a conforming interpreted in the character case presented in order to develop a
implementation. conforming implementation.
EPP uses XML namespaces to provide an extensible object management EPP uses XML namespaces to provide an extensible object management
framework and to identify schemas required for XML instance parsing framework and to identify schemas required for XML instance parsing
and validation. These namespaces and schema definitions are used to and validation. These namespaces and schema definitions are used to
identify both the base protocol schema and the schemas for managed identify both the base protocol schema and the schemas for managed
objects. objects.
The XML namespace prefixes used in examples (such as the string ttl The XML namespace prefixes used in these examples (such as the string
in ttl:create) are solely for illustrative purposes. A conforming ttl in ttl:create) are solely for illustrative purposes. A
implementation MUST NOT require the use of these or any other conforming implementation MUST NOT require the use of these or any
specific namespace prefixes. other specific namespace prefixes.
In accordance with Section 3.2.2.1 of XML Schema Part 2: Datatypes In accordance with Section 3.2.2.1 of XML Schema Part 2: Datatypes
[XSD-DATATYPES], the allowable lexical representations for the [XSD-DATATYPES], the allowable lexical representations for the
xs:boolean datatype are the strings "0" and "false" for the concept xs:boolean datatype are the strings "0" and "false" for the concept
'false' and the strings "1" and "true" for the concept 'true'. 'false' and the strings "1" and "true" for the concept 'true'.
Implementations MUST support both styles of lexical representation. Implementations MUST support both styles of lexical representation.
1.2. Extension elements 1.2. Extension Elements
This extension adds additional elements to the EPP domain and host This extension adds additional elements to the EPP domain and host
mappings. mappings.
1.2.1. The <ttl:ttl> element 1.2.1. The <ttl:ttl> Element
The <ttl:ttl> element is used to define TTL values for the DNS The <ttl:ttl> element is used to define TTL values for the DNS
resource records associated with domain and host objects. resource records associated with domain and host objects.
<ttl:ttl> elements have the optional following attributes, depending <ttl:ttl> elements have the optional following attributes, depending
on whether they appear in an EPP command or response: on whether they appear in an EPP command or response:
1. "for", which is REQUIRED in both commands and responses, and "for"
which specifies the DNS record type to which the TTL value REQUIRED in both commands and responses, and specifies the DNS
pertains. This attribute MUST have one of the following values: record type to which the TTL value pertains. This attribute MUST
"NS", "DS", "DNAME", "A", "AAAA" or "custom"; have one of the following values: "NS", "DS", "DNAME", "A", "AAAA"
or "custom".
2. If the value of the "for" attribute is "custom", then the "custom"
<ttl:ttl> element MUST also have a "custom" attribute containing If the value of the "for" attribute is "custom", then the
a DNS record type conforming with the regular expression in <ttl:ttl> element MUST also have a "custom" attribute containing a
Section 3.1 of [RFC6895]. Additionally, the record type MUST be DNS record type conforming with the regular expression in
registered with IANA in [IANA-RRTYPES]. Section 3.1 of [RFC6895]. Additionally, the record type MUST be
registered with IANA in [IANA-RRTYPES].
3. "min", which MUST NOT be present in EPP commands but MAY be "min"
present in EPP responses (see Section 2.1.1), and which is used MUST NOT be present in EPP commands but MAY be present in EPP
by the server to indicate the lowest value that may be set; responses (see Section 2.1.1). It is also used by the server to
indicate the lowest value that may be set.
4. "default", which MUST NOT be present in EPP commands but MAY be "default"
present in EPP responses (see Section 2.1.1), and which is used MUST NOT be present in EPP commands but MAY be present in EPP
by the server to indicate the default value; responses (see Section 2.1.1). It is also used by the server to
indicate the default value.
5. "max", which MUST NOT be present in EPP commands but MAY be "max"
present in EPP responses (see Section 2.1.1), and which is used MUST NOT be present in EPP commands but MAY be present in EPP
by the server to indicate the highest value that may be set; responses (see Section 2.1.1). It is also used by the server to
indicate the highest value that may be set.
When present, the value of the "min" attribute MUST be lower than the When present, the value of the "min" attribute MUST be lower than the
value of the "max" attribute. The "default" attribute MUST be value of the "max" attribute. The "default" attribute MUST be
between the "min" and "max" values, inclusively. between the "min" and "max" values, inclusively.
1.2.1.1. Element content 1.2.1.1. Element Content
The XML schema found in Section 8 of this document restricts the The XML schema found in Section 8 of this document restricts the
content of <ttl:ttl> elements to be either: content of <ttl:ttl> elements to be either:
1. a non-negative integer, indicating the value of the TTL in 1. a non-negative integer, indicating the value of the TTL in
seconds, or seconds, or
2. empty, in which case the server's default TTL for the given 2. empty, in which case the server's default TTL for the given
record type is to be applied. record type is to be applied.
1.2.1.2. Supported DNS record types 1.2.1.2. Supported DNS Record Types
To facilitate forward compatibility with future changes to the DNS To facilitate forward compatibility with future changes to the DNS
protocol, this document does not enumerate or restrict the DNS record protocol, this document does not enumerate or restrict the DNS record
types that can be included in the "custom" attribute of the <ttl:ttl> types that can be included in the "custom" attribute of the <ttl:ttl>
element. element.
The regular expression which is used to validate the values of the The regular expression that is used to validate the values of the
"custom" attribute is based on the expression found in Section 3.1 of "custom" attribute is based on the expression found in Section 3.1 of
[RFC6895], and is intended to match both existing and future RRTYPE [RFC6895], and it is intended to match both existing and future
mnemonics. This eliminates the need to update this document in the RRTYPE mnemonics. This eliminates the need to update this document
event that new DNS records that exist above a zone cut (Section 7 of in the event that new DNS records that exist above a zone cut
[RFC9499]) are specified. (Section 7 of [RFC9499]) are specified.
Nevertheless, EPP servers which implement this extension MUST Nevertheless, EPP servers that implement this extension MUST restrict
restrict the DNS record types that are accepted in <create> and the DNS record types that are accepted in <create> and <update>
<update> commands, and included in <info> responses, allowing only commands, and included in <info> responses, allowing only those types
those types that are (a) registered in [IANA-RRTYPES] and (b) that are (a) registered in [IANA-RRTYPES] and (b) appropriate for use
appropriate for use above a zone cut. above a zone cut.
A server that receives a <create> or <update> command that attempts A server that receives a <create> or <update> command that attempts
to set TTL values for inapplicable DNS record types MUST respond with to set TTL values for inapplicable DNS record types MUST respond with
a 2306 "Parameter value policy" error. a 2306 "Parameter value policy" error.
As an illustrative example, a server MAY allow clients to specify TTL As an illustrative example, a server MAY allow clients to specify TTL
values for the following record types for domain objects: values for the following record types for domain objects:
1. NS; 1. NS;
2. DS (if the server also implements [RFC5910]); 2. DS (if the server also implements [RFC5910]);
3. DNAME (if the server implements IDN variants using DNAME 3. DNAME (if the server implements IDN variants using DNAME
records). records).
1.2.1.2.1. Glue records 1.2.1.2.1. Glue Records
Glue records are described in Section 7 of [RFC9499]. Glue records are described in Section 7 of [RFC9499].
Servers which implement host objects ([RFC5732]) MAY allow clients to Servers that implement host objects [RFC5732] MAY allow clients to
specify TTL values for A and AAAA records for host objects. specify TTL values for A and AAAA records for host objects.
A server supporting host objects which receives a command that A server supporting host objects that receives a command that
attempts to set TTL values for A and AAAA records on a domain object attempts to set TTL values for A and AAAA records on a domain object
MUST respond with a 2306 "Parameter value policy" error. MUST respond with a 2306 "Parameter value policy" error.
EPP servers which use the "host attribute" model (described in EPP servers that use the host attribute model (described in
Section 1.1 of [RFC5731]) MAY allow clients to specify TTL values for Section 1.1 of [RFC5731]) MAY allow clients to specify TTL values for
A and AAAA records for domain objects. A and AAAA records for domain objects.
1.2.1.3. The <ttl:info> element 1.2.1.3. The <ttl:info> Element
The <ttl:info> element is used by clients to request that the server The <ttl:info> element is used by clients to request that the server
include additional information in <info> responses for domain and include additional information in <info> responses for domain and
host objects. host objects.
It has a single OPTIONAL policy attribute, which takes a boolean It has a single OPTIONAL "policy" attribute, which takes a boolean
value with a default value of false. value with a default value of "false".
The semantics of this element are described in Section 2.1.1. The semantics of this element are described in Section 2.1.1.
1.2.1.3.1. Example 1.2.1.3.1. Example
<ttl:info policy="true"/> <ttl:info policy="true"/>
1.2.2. Examples 1.2.2. Examples
1.2.2.1. Explicit TTL value (<create> or <update> command) 1.2.2.1. Explicit TTL Value (<create> or <update> Command)
<ttl:ttl for="NS">3600</ttl:ttl> <ttl:ttl for="NS">3600</ttl:ttl>
1.2.2.2. Explicit TTL value (<info> policy mode) 1.2.2.2. Explicit TTL Value (<info> Policy Mode)
<ttl:ttl <ttl:ttl
for="NS" for="NS"
min="60" min="60"
default="86400" default="86400"
max="172800">3600</ttl:ttl> max="172800">3600</ttl:ttl>
1.2.2.3. Empty value indicating default TTL (<create> or <update> 1.2.2.3. Empty Value Indicating Default TTL (<create> or <update>
command, <info> default mode) Command, <info> Default Mode)
<ttl:ttl for="NS"/> <ttl:ttl for="NS"/>
1.2.2.4. Custom record type (<create> or <update> command, <info> 1.2.2.4. Custom Record Type (<create> or <update> Command, <info>
default mode) Default Mode)
<ttl:ttl <ttl:ttl
for="custom" for="custom"
custom="NEWRRTYPE">3600</ttl:ttl> custom="NEWRRTYPE">3600</ttl:ttl>
2. EPP command mapping 2. EPP Command Mapping
2.1. EPP query commands 2.1. EPP Query Commands
2.1.1. EPP <info> command 2.1.1. EPP <info> Command
This extension defines an additional element for EPP <info> commands This extension defines an additional element for EPP <info> commands
and responses for domain and host objects. and responses for domain and host objects.
The EPP <info> command is extended to support two different modes: The EPP <info> command is extended to support two different modes:
1. The Default Mode (Section 2.1.1.1), which requests the inclusion 1. The Default Mode (Section 2.1.1.1), which requests the inclusion
of all non-default TTL values in the response; and of all non-default TTL values in the response; and
2. The Policy Mode (Section 2.1.1.2), which requests the inclusion 2. The Policy Mode (Section 2.1.1.2), which requests the inclusion
of TTL information for all supported DNS record types in the of TTL information for all supported DNS record types in the
response, along with the minimum, default and maximum values for response, along with the minimum, default, and maximum values for
those records. those records.
2.1.1.1. Default Mode 2.1.1.1. Default Mode
If a server receives an <info> command for a domain or host object If a server receives an <info> command for a domain or host object
which includes a <ttl:info> element with a "policy" attribute that is that includes a <ttl:info> element with a "policy" attribute that is
"0" or "false", then the EPP response MUST contain <ttl:ttl> records "0" or "false", then the EPP response MUST contain <ttl:ttl> records
for all DNS record types that have non-default TTL values. These for all DNS record types that have non-default TTL values. These
elements MUST NOT have the "min", "default" and "max" attributes. elements MUST NOT have the "min", "default", and "max" attributes.
Example domain <info> command with a <ttl:info> element with a policy Below is an example domain <info> command with a <ttl:info> element
attribute that is false: with a "policy" attribute that is "false":
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <info> C: <info>
C: <domain:info C: <domain:info
C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"> C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C: <domain:name>example.com</domain:name> C: <domain:name>example.com</domain:name>
C: </domain:info> C: </domain:info>
C: </info> C: </info>
C: <extension> C: <extension>
C: <ttl:info C: <ttl:info
C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0" C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0"
C: policy="false"/> C: policy="false"/>
C: </extension> C: </extension>
C: </command> C: </command>
C: </epp> C: </epp>
Example domain <info> response to a command with a <ttl:info> element
with a policy attribute that is false: Below is an example domain <info> response to a command with a
<ttl:info> element with a "policy" attribute that is "false":
S: <?xml version="1.0" encoding="utf-8" standalone="no"?> S: <?xml version="1.0" encoding="utf-8" standalone="no"?>
S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S: <response> S: <response>
S: <result code="1000"> S: <result code="1000">
S: <msg>Command completed successfully</msg> S: <msg>Command completed successfully</msg>
S: </result> S: </result>
S: <resData> S: <resData>
S: <domain:infData S: <domain:infData
S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"> S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
skipping to change at page 10, line 4 skipping to change at line 396
S: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest> S: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
S: </secDNS:dsData> S: </secDNS:dsData>
S: </secDNS:infData> S: </secDNS:infData>
S: </extension> S: </extension>
S: <trID> S: <trID>
S: <clTRID>ABC-12345</clTRID> S: <clTRID>ABC-12345</clTRID>
S: <svTRID>54322-XYZ</svTRID> S: <svTRID>54322-XYZ</svTRID>
S: </trID> S: </trID>
S: </response> S: </response>
S: </epp> S: </epp>
Example host <info> command with a <ttl:info> element with a policy
attribute that is false: Below is an example host <info> command with a <ttl:info> element
with a "policy" attribute that is "false":
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <info> C: <info>
C: <host:info C: <host:info
C: xmlns:host="urn:ietf:params:xml:ns:host-1.0"> C: xmlns:host="urn:ietf:params:xml:ns:host-1.0">
C: <host:name>ns1.example.com</host:name> C: <host:name>ns1.example.com</host:name>
C: </host:info> C: </host:info>
C: </info> C: </info>
C: <extension> C: <extension>
C: <ttl:info C: <ttl:info
C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0" C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0"
C: policy="false"/> C: policy="false"/>
C: </extension> C: </extension>
C: </command> C: </command>
C: </epp> C: </epp>
Example host <info> response to a command with a <ttl:info> element Below is an example host <info> response to a command with a
with a policy attribute that is false: <ttl:info> element with a "policy" attribute that is "false":
S: <?xml version="1.0" encoding="UTF-8" standalone="no"?> S: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S: <response> S: <response>
S: <result code="1000"> S: <result code="1000">
S: <msg>Command completed successfully</msg> S: <msg>Command completed successfully</msg>
S: </result> S: </result>
S: <resData> S: <resData>
S: <host:infData S: <host:infData
S: xmlns:host="urn:ietf:params:xml:ns:host-1.0"> S: xmlns:host="urn:ietf:params:xml:ns:host-1.0">
skipping to change at page 11, line 41 skipping to change at line 456
S: <trID> S: <trID>
S: <clTRID>ABC-12345</clTRID> S: <clTRID>ABC-12345</clTRID>
S: <svTRID>54322-XYZ</svTRID> S: <svTRID>54322-XYZ</svTRID>
S: </trID> S: </trID>
S: </response> S: </response>
S: </epp> S: </epp>
2.1.1.2. Policy Mode 2.1.1.2. Policy Mode
If a server receives an <info> command for a domain or host object If a server receives an <info> command for a domain or host object
which includes a <ttl:info> element with a "policy" attribute is "1" that includes a <ttl:info> element with a "policy" attribute that is
or "true", then the EPP response MUST contain <ttl:ttl> records for "1" or "true", then the EPP response MUST contain <ttl:ttl> records
all supported DNS record types, irrespective of whether those record for all supported DNS record types, irrespective of whether those
types are actually in use by the object in question. These elements record types are actually in use by the object in question. These
MUST have the "min", "default" and "max" attributes. elements MUST have the "min", "default", and "max" attributes.
Example domain <info> command requesting the server policies: Below is an example domain <info> command requesting the server
policies:
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <info> C: <info>
C: <domain:info C: <domain:info
C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"> C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C: <domain:name>example.com</domain:name> C: <domain:name>example.com</domain:name>
C: </domain:info> C: </domain:info>
C: </info> C: </info>
C: <extension> C: <extension>
C: <ttl:info C: <ttl:info
C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0" C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0"
C: policy="true"/> C: policy="true"/>
C: </extension> C: </extension>
C: </command> C: </command>
C: </epp> C: </epp>
Example domain <info> response providing the server policies: Below is an example domain <info> response providing the server
policies:
S: <?xml version="1.0" encoding="utf-8" standalone="no"?> S: <?xml version="1.0" encoding="utf-8" standalone="no"?>
S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S: <response> S: <response>
S: <result code="1000"> S: <result code="1000">
S: <msg>Command completed successfully</msg> S: <msg>Command completed successfully</msg>
S: </result> S: </result>
S: <resData> S: <resData>
S: <domain:infData S: <domain:infData
S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"> S: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
skipping to change at page 13, line 26 skipping to change at line 536
S: </secDNS:dsData> S: </secDNS:dsData>
S: </secDNS:infData> S: </secDNS:infData>
S: </extension> S: </extension>
S: <trID> S: <trID>
S: <clTRID>ABC-12345</clTRID> S: <clTRID>ABC-12345</clTRID>
S: <svTRID>54322-XYZ</svTRID> S: <svTRID>54322-XYZ</svTRID>
S: </trID> S: </trID>
S: </response> S: </response>
S: </epp> S: </epp>
Example host <info> command requesting the server policies: Below is an example host <info> command requesting the server
policies:
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <info> C: <info>
C: <host:info C: <host:info
C: xmlns:host="urn:ietf:params:xml:ns:host-1.0"> C: xmlns:host="urn:ietf:params:xml:ns:host-1.0">
C: <host:name>ns1.example.com</host:name> C: <host:name>ns1.example.com</host:name>
C: </host:info> C: </host:info>
C: </info> C: </info>
C: <extension> C: <extension>
C: <ttl:info C: <ttl:info
C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0" C: xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0"
C: policy="true"/> C: policy="true"/>
C: </extension> C: </extension>
C: </command> C: </command>
C: </epp> C: </epp>
Example host <info> response providing the server policies: Below is an example host <info> response providing the server
policies:
S: <?xml version="1.0" encoding="UTF-8" standalone="no"?> S: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> S: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
S: <response> S: <response>
S: <result code="1000"> S: <result code="1000">
S: <msg>Command completed successfully</msg> S: <msg>Command completed successfully</msg>
S: </result> S: </result>
S: <resData> S: <resData>
S: <host:infData S: <host:infData
S: xmlns:host="urn:ietf:params:xml:ns:host-1.0"> S: xmlns:host="urn:ietf:params:xml:ns:host-1.0">
skipping to change at page 14, line 44 skipping to change at line 598
S: max="172800">86400</ttl:ttl> S: max="172800">86400</ttl:ttl>
S: </ttl:infData> S: </ttl:infData>
S: </extension> S: </extension>
S: <trID> S: <trID>
S: <clTRID>ABC-12345</clTRID> S: <clTRID>ABC-12345</clTRID>
S: <svTRID>54322-XYZ</svTRID> S: <svTRID>54322-XYZ</svTRID>
S: </trID> S: </trID>
S: </response> S: </response>
S: </epp> S: </epp>
2.2. EPP transform commands 2.2. EPP Transform Commands
2.2.1. EPP <create> command 2.2.1. EPP <create> Command
This extension defines an additional element for EPP <create> This extension defines an additional element for EPP <create>
commands for domain and host objects. commands for domain and host objects.
The <command> element of the <create> command MAY contain an The <command> element of the <create> command MAY contain an
<extension> element which MAY contain a <ttl:create> element. This <extension> element that MAY contain a <ttl:create> element. This
element MUST contain one or more <ttl:ttl> records as described in element MUST contain one or more <ttl:ttl> records as described in
Section 1.2. Section 1.2.
Example domain <create> command: Below is an example domain <create> command:
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <create> C: <create>
C: <domain:create C: <domain:create
C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"> C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C: <domain:name>example.com</domain:name> C: <domain:name>example.com</domain:name>
C: <domain:period unit="y">1</domain:period> C: <domain:period unit="y">1</domain:period>
C: <domain:ns> C: <domain:ns>
skipping to change at page 15, line 49 skipping to change at line 649
C: <secDNS:alg>13</secDNS:alg> C: <secDNS:alg>13</secDNS:alg>
C: <secDNS:digestType>2</secDNS:digestType> C: <secDNS:digestType>2</secDNS:digestType>
C: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest> C: <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
C: </secDNS:dsData> C: </secDNS:dsData>
C: </secDNS:create> C: </secDNS:create>
C: </extension> C: </extension>
C: <clTRID>ABC-12345</clTRID> C: <clTRID>ABC-12345</clTRID>
C: </command> C: </command>
C: </epp> C: </epp>
Example host <create> command: Below is an example host <create> command:
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <create> C: <create>
C: <host:create C: <host:create
C: xmlns:host="urn:ietf:params:xml:ns:host-1.0"> C: xmlns:host="urn:ietf:params:xml:ns:host-1.0">
C: <host:name>ns1.example.com</host:name> C: <host:name>ns1.example.com</host:name>
C: <host:addr ip="v4">192.0.2.2</host:addr> C: <host:addr ip="v4">192.0.2.2</host:addr>
C: <host:addr ip="v6">2001:db8::8:800:200c:417a</host:addr> C: <host:addr ip="v6">2001:db8::8:800:200c:417a</host:addr>
skipping to change at page 16, line 31 skipping to change at line 677
C: </ttl:create> C: </ttl:create>
C: </extension> C: </extension>
C: <clTRID>ABC-12345</clTRID> C: <clTRID>ABC-12345</clTRID>
C: </command> C: </command>
C: </epp> C: </epp>
If an EPP server receives a <create> command containing a TTL value If an EPP server receives a <create> command containing a TTL value
that is outside the server's permitted range, it MUST reject the that is outside the server's permitted range, it MUST reject the
command with a 2004 "Parameter value range error" response. command with a 2004 "Parameter value range error" response.
2.2.2. EPP <update> command 2.2.2. EPP <update> Command
This extension defines an additional element for EPP <update> This extension defines an additional element for EPP <update>
commands for domain and host objects. commands for domain and host objects.
The <command> element of the <update> command MAY contain an The <command> element of the <update> command MAY contain an
<extension> element which MAY contain a <ttl:update> element. This <extension> element that MAY contain a <ttl:update> element. This
element MUST contain one or more <ttl:ttl> records as described in element MUST contain one or more <ttl:ttl> records as described in
Section 1.2. Section 1.2.
Example domain <update> command: Below is an example domain <update> command:
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <update> C: <update>
C: <domain:update C: <domain:update
C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"> C: xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
C: <domain:name>example.com</domain:name> C: <domain:name>example.com</domain:name>
C: </domain:update> C: </domain:update>
C: </update> C: </update>
skipping to change at page 17, line 27 skipping to change at line 711
C: <ttl:ttl for="NS"/> C: <ttl:ttl for="NS"/>
C: <ttl:ttl for="custom" C: <ttl:ttl for="custom"
C: custom="DELEG"/> C: custom="DELEG"/>
C: <ttl:ttl for="DS">86400</ttl:ttl> C: <ttl:ttl for="DS">86400</ttl:ttl>
C: </ttl:update> C: </ttl:update>
C: </extension> C: </extension>
C: <clTRID>ABC-12345</clTRID> C: <clTRID>ABC-12345</clTRID>
C: </command> C: </command>
C: </epp> C: </epp>
Example host <update> command: Below is an example host <update> command:
C: <?xml version="1.0" encoding="UTF-8" standalone="no"?> C: <?xml version="1.0" encoding="UTF-8" standalone="no"?>
C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"> C: <epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
C: <command> C: <command>
C: <update> C: <update>
C: <host:update C: <host:update
C: xmlns:host="urn:ietf:params:xml:ns:host-1.0"> C: xmlns:host="urn:ietf:params:xml:ns:host-1.0">
C: <host:name>ns1.example.com</host:name> C: <host:name>ns1.example.com</host:name>
C: </host:update> C: </host:update>
C: </update> C: </update>
skipping to change at page 18, line 5 skipping to change at line 737
C: </ttl:update> C: </ttl:update>
C: </extension> C: </extension>
C: <clTRID>ABC-12345</clTRID> C: <clTRID>ABC-12345</clTRID>
C: </command> C: </command>
C: </epp> C: </epp>
If an EPP server receives an <update> command containing a TTL value If an EPP server receives an <update> command containing a TTL value
that is outside the server's permitted range, it MUST reject the that is outside the server's permitted range, it MUST reject the
command with a 2004 "Parameter value range error" response. command with a 2004 "Parameter value range error" response.
3. Server processing of TTL values 3. Server Processing of TTL Values
3.1. Permitted record types 3.1. Permitted Record Types
EPP servers MAY restrict the supported DNS record types. For EPP servers MAY restrict the supported DNS record types. For
example, a server MAY allow clients to specify TTL values for DS example, a server MAY allow clients to specify TTL values for DS
records only. records only.
A server which receives a <create> or <update> command which includes A server that receives a <create> or <update> command that includes a
a restricted record type MUST respond with a 2306 "Parameter value restricted record type MUST respond with a 2306 "Parameter value
policy" error. policy" error.
Clients can discover the DNS record types for which an EPP server Clients can discover the DNS record types for which an EPP server
permits TTL values to be changed by performing a "Policy Mode" <info> permits TTL values to be changed by performing a Policy Mode <info>
command, as outlined in Section 2.1.1.2. command, as outlined in Section 2.1.1.2.
3.2. Use of TTL values in delegation records 3.2. Use of TTL Values in Delegation Records
EPP servers which implement this extension SHOULD use the values EPP servers that implement this extension SHOULD use the values
provided by EPP clients for the TTL values of records published in provided by EPP clients for the TTL values of records published in
the DNS for domain and (if supported) host objects. Server operators the DNS for domain and (if supported) host objects. Server operators
MAY disregard these values in order to address security and stability MAY disregard these values in order to address security and stability
issues, as described in Section 5 and Section 6. issues, as described in Section 5 and Section 6.
EPP servers that use the "host attribute" model SHOULD use any NS, A EPP servers that use the host attribute model SHOULD use any NS, A,
and/or AAAA TTL values specified for the domain object when and/or AAAA TTL values specified for the domain object when
publishing NS, A and/or AAAA records derived from host attributes. publishing NS, A, and/or AAAA records derived from host attributes.
4. Out-of-band changes to TTL values 4. Out-of-Band Changes to TTL Values
EPP server operators MAY, in order to address operational or security In order to address operational or security issues, EPP server
issues, make changes to TTL values out-of-band (that is, not in operators MAY make changes to TTL values out-of-band (that is, not in
response to an <update> command received from the sponsoring client). response to an <update> command received from the sponsoring client).
Server operators MAY also implement automatic reset of TTL values, so Server operators MAY also implement automatic reset of TTL values, so
that they revert to the default value a certain amount of time after that they revert to the default value a certain amount of time after
an update has been made. an update has been made.
If a TTL value is changed out-of-band, EPP server operators MAY If a TTL value is changed out-of-band, EPP server operators MAY
notify the sponsoring client using the EPP Change Poll extension notify the sponsoring client using the EPP Change Poll Extension
([RFC8590]), which provides a generalised method for EPP servers to [RFC8590], which provides a generalized method for EPP servers to
notify clients of changes to objects under their sponsorship. notify clients of changes to objects under their sponsorship.
5. Operational considerations 5. Operational Considerations
5.1. Operational impact of TTL values
5.1. Operational Impact of TTL Values
Registry operators must consider the balance between registrants' Registry operators must consider the balance between registrants'
desire for changes to domains to be visible in the DNS quickly, and desire for changes to domains to be visible in the DNS quickly, and
the increased DNS query traffic that short TTLs can bring. the increased DNS query traffic that short TTLs can bring.
Registry operators SHOULD implement limits on the maximum and minimum Registry operators SHOULD implement limits on the maximum and minimum
accepted TTL values that are narrower than the values permitted in accepted TTL values that are narrower than the values permitted in
the XML schema in the Formal syntax (which were chosen to allow any the XML schema in Section 8 (which were chosen to allow any TTL
TTL permitted in DNS records), in order to prevent scenarios where an permitted in DNS records). This is in order to prevent scenarios
excessively high or low TTL causes operational issues on either side where an excessively high or low TTL causes operational issues on
of the zone cut. either side of the zone cut.
Section 4 describes how server operators MAY unilaterally change TTL Section 4 describes how server operators MAY unilaterally change TTL
values in order to address operational or security issues, or only values in order to address operational or security issues, or only
permit changes for limited time periods (after which TTLs revert to permit changes for limited time periods (after which TTLs revert to
the default). the default).
5.2. When TTL values should be changed 5.2. When TTL Values Should Be Changed
A common operational mistake is changing of DNS record TTLs during or A common operational mistake is changing the DNS record TTLs during
after the planned change to the records themselves. This arises due or after the planned change to the records themselves. This arises
to a misunderstanding about how TTLs work. due to a misunderstanding about how TTLs work.
It is RECOMMENDED that guidance be provided to users so they are It is RECOMMENDED that guidance be provided to users so they are
aware that changes to a TTL are only effective in shortening aware that changes to a TTL are only effective in shortening
transition periods if implemented a period of time — at least equal transition periods if implemented a period of time (at least equal to
to the current TTL — _before_ the planned change. The latency the current TTL) _before_ the planned change. The latency between
between receipt of the <update> command and the actual publication of receipt of the <update> command and the actual publication of the
the changes in the DNS should also be taken into consideration in changes in the DNS should also be taken into consideration in this
this calculation. calculation.
5.3. Changes to server policy 5.3. Changes to Server Policy
Registry operators may change their policies relating to TTL values Registry operators may change their policies relating to TTL values
from time to time. Previously configured TTL values may consequently from time to time. Previously configured TTL values may consequently
fall outside a newly-applied policy. This document places no fall outside a newly applied policy. This document places no
obligation on EPP server operators in respect of these values, and obligation on EPP server operators in respect of these values, and
server operators may, as part of a policy change, change the TTL server operators may, as part of a policy change, change the TTL
values specified by clients for domain and host objects. Section 4 values specified by clients for domain and host objects. Section 4
describes how such out-of-band changes should be carried out. describes how such out-of-band changes should be carried out.
6. Security considerations 6. Security Considerations
6.1. Fast-flux DNS
6.1. Fast Flux DNS
Some malicious actors use a technique called "fast flux DNS" Some malicious actors use a technique called "fast flux DNS"
([SAC-025]) to rapidly change the DNS configuration for a zone in [SAC-025] to rapidly change the DNS configuration for a zone in order
order to evade takedown and law enforcement activity. Server to evade takedown and law enforcement activity. Server operators
operators should take this into consideration when setting the lower should take this into consideration when setting the lower limit on
limit on TTL values, since a short TTL on delegations may enhance the TTL values, since a short TTL on delegations may enhance the
effectiveness of fast flux techniques on evasion. effectiveness of fast flux techniques on evasion.
Client implementations which provide an interface for customers to Client implementations that provide an interface for customers to
configure TTL values for domain names should consider implementing configure TTL values for domain names should consider implementing
controls to deter and mitigate abusive behaviour, such as those controls to deter and mitigate abusive behavior, such as those
outlined in the "Current and Possible Mitigation Alternatives" outlined in the "Current and Possible Mitigation Alternatives"
section of [SAC-025]. section of [SAC-025].
6.2. Compromised user accounts 6.2. Compromised User Accounts
An attacker who obtains access to a customer account at a domain An attacker who obtains access to a customer account at a domain
registrar which supports this extension could make unauthorised registrar that supports this extension could make unauthorized
changes to the NS and/or glue records for a domain, and then increase changes to the NS and/or glue records for a domain, and then increase
the associated TTLs so that the changes persist in caches for a long the associated TTLs so that the changes persist in caches for a long
time after the attack has been detected. time after the attack has been detected.
Client implementations which provide an interface for customers to Client implementations that provide an interface for customers to
configure TTL values for domain names should consider implementing configure TTL values for domain names should consider implementing
upper limits in order to reduce the impact of account compromise, in upper limits in order to reduce the impact of account compromise, in
addition to best practices relating to credential management, multi- addition to best practices relating to credential management, multi-
factor authentication, risk-based access control, and so on. factor authentication, risk-based access control, and so on.
7. IANA considerations 7. IANA Considerations
7.1. XML namespace 7.1. XML Namespace
This document uses URNs to describe XML namespaces and XML schemas This document uses URNs to describe XML namespaces and XML schemas
conforming to a registry mechanism described in [RFC3688]. The conforming to a registry mechanism described in [RFC3688]. The
following URI assignment is requested of IANA: following URI assignments have been made by IANA:
Registration for the TTL namespace: Registration for the TTL namespace:
*URI:* urn:ietf:params:xml:ns:epp:ttl-1.0 *URI:* urn:ietf:params:xml:ns:epp:ttl-1.0
*Registrant Contact:* IESG
*Registrant Contact:* IESG *XML:* None. Namespace URIs do not represent an XML specification.
*XML:* None. Namespace URIs do not represent an XML specification
Registration for the TTL XML schema: Registration for the TTL XML schema:
*URI:* urn:ietf:params:xml:schema:epp:ttl-1.0 *URI:* urn:ietf:params:xml:schema:epp:ttl-1.0
*Registrant Contact:* IESG *Registrant Contact:* IESG
*XML:* See Section 8 of this document.
*XML:* See the "Formal syntax" section of this document
7.2. EPP extension registry 7.2. EPP Extension Registry
The EPP extension described in this document is to be registered by The EPP extension described in this document has been registered by
IANA in the Extensions for the "Extensible Provisioning Protocol IANA in the "Extensions for the Extensible Provisioning Protocol
(EPP)" registry described in [RFC7451]. The details of the (EPP)" registry described in [RFC7451]. The details of the
registration are as follows: registration are as follows:
*Name of Extension:* Extensible Provisioning Protocol (EPP) *Name of Extension:* Extensible Provisioning Protocol (EPP) Mapping
Mapping for DNS Time-To-Live (TTL) values for DNS Time-To-Live (TTL) values
*Document Status:* Standards Track
*Document Status:* Standards Track *Reference:* RFC 9803
*Registrant:* IESG
*Reference:* URL of this document *TLDs:* Any
*IPR Disclosure:* None
*Registrant Name and Email Address:* IESG *Status:* Active
*Notes:* None
*TLDs:* Any
*IPR Disclosure:* None
*Status:* Active
*Notes:* None
8. Formal syntax 8. Formal Syntax
The formal syntax presented here is a complete schema representation The formal syntax presented here is a complete schema representation
of the extension suitable for automated validation of EPP XML of the extension suitable for automated validation of EPP XML
instances. instances.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<schema <schema
xmlns="http://www.w3.org/2001/XMLSchema" xmlns="http://www.w3.org/2001/XMLSchema"
targetNamespace="urn:ietf:params:xml:ns:epp:ttl-1.0" targetNamespace="urn:ietf:params:xml:ns:epp:ttl-1.0"
xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0" xmlns:ttl="urn:ietf:params:xml:ns:epp:ttl-1.0"
skipping to change at page 24, line 46 skipping to change at line 1050
</simpleType> </simpleType>
<!-- custom resource record type --> <!-- custom resource record type -->
<simpleType name="customRRType"> <simpleType name="customRRType">
<restriction base="token"> <restriction base="token">
<pattern value="A|[A-Z][A-Z0-9\-]*[A-Z0-9]"/> <pattern value="A|[A-Z][A-Z0-9\-]*[A-Z0-9]"/>
</restriction> </restriction>
</simpleType> </simpleType>
</schema> </schema>
9. Implementation status 9. References
This section is to be removed before publishing as an RFC.
9.1. Verisign EPP SDK
*Organization:* Verisign Inc.
*Name:* Verisign EPP SDK
*Description:* The Verisign EPP SDK includes both a full client
implementation and a full server stub implementation of this
specification.
*Level of maturity:* Development
*Coverage:* All aspects of the protocol are implemented.
*Licensing:* GNU Lesser General Public License
*Contact:* jgould@verisign.com
*URL:* https://www.verisign.com/en_US/channel-resources/domain-
registry-products/epp-sdks
9.2. Pepper EPP Client
*Name:* Pepper EPP Client
*Description:* The Pepper EPP client fully implements this
specification. The underlying Net::EPP:: Perl module also implements
this specification.
*Level of maturity:* Development
*Coverage:* All aspects of the protocol will be implemented.
*Licensing:* Perl Artistic License
*Contact:* The author of this document.
*URL:* https://github.com/gbxyz/pepper
10. Change log
This section is to be removed before publishing as an RFC.
10.1. Changes from 17 to 18
1. Add a space after the C: and S: line prefixes in examples.
2. Fixed the prefixing of lines in the example in Section 2.1.1.2
(thanks Tim Bray).
3. Fixed broken end tags in examples in Section 1.2.2 and the
capitalisation of IPv6 addresses (thanks Erik Kline).
4. Added normative reference to [IANA-RRTYPES].
5. Replaced references to "command/response frames" with "EPP
commands/responses".
6. Minor wording change in paragraph 2 of Section 1.2.1.
7. Clarified wording in Section 1.2.1.2.
8. Wordsmithing of Section 3 due to feedback from the IESG.
10.2. Changes from 16 to 17
1. Further updates as suggested during IESG review.
10.3. Changes from 15 to 16
1. Updates as suggested during IESG review.
10.4. Changes from 14 to 15
1. Updates as suggested during AD review.
2. In the last paragraph of Section 3.2, make both lists of RR types
be the same.
3. Update error codes to be consistent: 2004 (range error) when the
TTL value is outside the permitted range, and 2306 (policy error)
for an invalid record type.
4. Correct section in reference to RFC 6895 (thanks Jasdip Singh).
5. Minor typographic fixes (thanks Jasdip Singh).
10.5. Changes from 13 to 14
1. Resolve remaining nit before IESG submission.
10.6. Changes from 12 to 13
1. Updates as per the document shepherd's suggestions.
10.7. Changes from 11 to 12
1. Updates as per the document shepherd's email to the list of
2024-06-10.
10.8. Changes from 10 to 11
1. Fix double word in Section 3.2.
10.9. Changes from 09 to 10
Changes resulting from the Dnsdir review:
1. Fixed example IPv6 addresses to use the preferred prefix
2001:DB8::.
2. Added paragraph to Section 3.1 describing how clients can use the
Policy Mode <info> command (Section 2.1.1.2) to discover the DNS
record types supported by the server.
10.10. Changes from 08 to 09
1. Some wording changes suggested by James Gould and Tim Wicinski.
10.11. Changes from 07 to 08
1. Some wording changes suggested by Rick Wilhelm.
10.12. Changes from 06 to 07
1. Minor wording changes and nits reported by JG.
10.13. Changes from 05 to 06
1. Changed how <info> commands work so that a <ttl:info> element is
required in order for <ttl:ttl> elements to be included in the
response. Thanks to JG for this feedback.
10.14. Changes from 04 to 05
1. removed the erroneous required="true" attribute from the min,
default and max attributes of the responseTTLType type (thanks
JG).
2. fixed the reference to RFC 6895 (thanks HS).
10.15. Changes from 04 to 05
1. Add the Verisign EPP SDK to Section 9.
2. Add the <ttl:info> element and document how it affects server
<info> responses.
3. Updated examples to exercise more of the schema.
4. Minor schema issue fixed.
10.16. Changes from 03 to 04
1. Changed the for attribute to be an enumeration and added the
custom attribute.
2. Added the min, default and max attributes.
3. Apply feedback from Jim Gould.
10.17. Changes from 02 to 03
1. Rolled back the "straw man" syntax from 02. ttl:ttl now has a for
attribute which can be any DNS record type. Section 1.2.1.2
describes how the set of supported record types may be limited.
2. Removed the global/explicit models and just use the explicit
model.
3. Removed the cascading effect where a TTL set on a domain affects
subordinate hosts.
10.18. Changes from 01 to 02
1. Renamed the ttl:seconds XSD type to ttl:container, and the
ttl:nonNegativeInteger type to ttl:ttlType, to permit multiple
TTL values.
2. Converted XML instances from artwork to source code.
10.19. Changes from 00 to 01
1. Incorporate feedback from Jim Gould.
2. Add wording to describe how TTL values are jointly managed by
both clients and servers.
3. Fix minimum/maximum TTL value and schema namespace (thanks
Patrick Mevzek).
4. Moved text on how the server should handle impermissible TTL
values from the top of Section 4 to Sections 3.2.1 and 3.2.2
(thanks Rick Wilhelm).
5. Namespace changed from urn:ietf:params:xml:ns:ttl-1.0 to
urn:ietf:params:xml:ns:epp:ttl-1.0.
6. Added discussion on EPP servers which use the host attribute
model in Section 3.2 (thanks Hugo Salgado).
7. Added a Change Log (Section 10).
11. Acknowledgements
The author wishes to thank the following people for their advice and
feedback during the development of this document:
1. James Gould
2. Hugo Salgado
3. Patrick Mevzek
4. Rick Wilhelm
5. Marc Groeneweg
6. Ties de Kock
7. Tim Wicinski
8. Jasdip Singh
12. References
12.1. Normative references 9.1. Normative References
[IANA-RRTYPES] [IANA-RRTYPES]
IANA, "Resource Record (RR) TYPEs", IANA, "Resource Record (RR) TYPEs",
<https://www.iana.org/assignments/dns-parameters/dns- <https://www.iana.org/assignments/dns-parameters>.
parameters.xhtml#dns-parameters-4>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
skipping to change at page 30, line 33 skipping to change at line 1091
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <https://www.rfc-editor.org/info/rfc6895>. April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[XSD-DATATYPES] [XSD-DATATYPES]
World Wide Web Consortium (W3C), "XML Schema Part 2: Biron, P., Ed. and A. Malhotra, Ed., "XML Schema Part 2:
Datatypes Second Edition", October 2004, Datatypes Second Edition", W3C Recommendation, October
2004,
<https://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>.
Latest version available at
<https://www.w3.org/TR/xmlschema-2/>. <https://www.w3.org/TR/xmlschema-2/>.
12.2. Informative references 9.2. Informative References
[RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names [RFC6927] Levine, J. and P. Hoffman, "Variants in Second-Level Names
Registered in Top-Level Domains", RFC 6927, Registered in Top-Level Domains", RFC 6927,
DOI 10.17487/RFC6927, May 2013, DOI 10.17487/RFC6927, May 2013,
<https://www.rfc-editor.org/info/rfc6927>. <https://www.rfc-editor.org/info/rfc6927>.
[RFC7451] Hollenbeck, S., "Extension Registry for the Extensible [RFC7451] Hollenbeck, S., "Extension Registry for the Extensible
Provisioning Protocol", RFC 7451, DOI 10.17487/RFC7451, Provisioning Protocol", RFC 7451, DOI 10.17487/RFC7451,
February 2015, <https://www.rfc-editor.org/info/rfc7451>. February 2015, <https://www.rfc-editor.org/info/rfc7451>.
skipping to change at page 31, line 14 skipping to change at line 1123
[RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237, [RFC9364] Hoffman, P., "DNS Security Extensions (DNSSEC)", BCP 237,
RFC 9364, DOI 10.17487/RFC9364, February 2023, RFC 9364, DOI 10.17487/RFC9364, February 2023,
<https://www.rfc-editor.org/info/rfc9364>. <https://www.rfc-editor.org/info/rfc9364>.
[RFC9499] Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219, [RFC9499] Hoffman, P. and K. Fujiwara, "DNS Terminology", BCP 219,
RFC 9499, DOI 10.17487/RFC9499, March 2024, RFC 9499, DOI 10.17487/RFC9499, March 2024,
<https://www.rfc-editor.org/info/rfc9499>. <https://www.rfc-editor.org/info/rfc9499>.
[SAC-025] ICANN Security and Stability Advisory Committee (SSAC), [SAC-025] ICANN Security and Stability Advisory Committee (SSAC),
"SSAC Advisory on Fast Flux Hosting and DNS", SAC 25, "SSAC Advisory on Fast Flux Hosting and DNS", SAC 025,
January 2008, January 2008,
<https://www.icann.org/en/system/files/files/sac- <https://www.icann.org/en/system/files/files/sac-
025-en.pdf>. 025-en.pdf>.
Acknowledgments
The author wishes to thank the following people for their advice and
feedback during the development of this document:
* James Gould
* Hugo Salgado
* Patrick Mevzek
* Rick Wilhelm
* Marc Groeneweg
* Ties de Kock
* Tim Wicinski
* Jasdip Singh
Author's Address Author's Address
Gavin Brown Gavin Brown
ICANN ICANN
12025 Waterfront Drive, Suite 300 12025 Waterfront Drive, Suite 300
Los Angeles, CA 90292 Los Angeles, CA 90292
United States of America United States of America
Email: gavin.brown@icann.org Email: gavin.brown@icann.org
URI: https://www.icann.org/ URI: https://www.icann.org/
 End of changes. 104 change blocks. 
511 lines changed or deleted 276 lines changed or added

This html diff was produced by rfcdiff 1.48.