Internet DRAFT - draft-carney-regext-domainconnect

draft-carney-regext-domainconnect







Registration Protocols Extensions                               A. Blinn
Internet-Draft                                                 R. Carney
Intended status: Informational                              GoDaddy Inc.
Expires: July 22, 2018                                  January 18, 2018


 Domain Connect API - Communications between DNS Provider and Services
                  draft-carney-regext-domainconnect-03

Abstract

   This document provides information related to the Domain Connect API
   that was built to support communications between DNS Providers and
   Service Providers (hosting, social, email, hardware, etc.).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 22, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Blinn & Carney            Expires July 22, 2018                 [Page 1]

Internet-Draft               Domain Connect                 January 2018


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  The API . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  The Synchronous Flow  . . . . . . . . . . . . . . . . . .   5
     4.2.  The Asynchorous Flow  . . . . . . . . . . . . . . . . . .   6
     4.3.  DNS Provider Initiated Flows  . . . . . . . . . . . . . .   6
     4.4.  DNS Provider Discovery  . . . . . . . . . . . . . . . . .   7
     4.5.  Domain Connect Details  . . . . . . . . . . . . . . . . .   8
       4.5.1.  Synchronous Flow  . . . . . . . . . . . . . . . . . .   9
         4.5.1.1.  Query Supported Template  . . . . . . . . . . . .   9
         4.5.1.2.  Apply Template  . . . . . . . . . . . . . . . . .   9
         4.5.1.3.  Security Considerations . . . . . . . . . . . . .  10
       4.5.2.  Asynchronous Flow: OAuth  . . . . . . . . . . . . . .  12
         4.5.2.1.  Getting an Authorization Code . . . . . . . . . .  12
         4.5.2.2.  Requesting an Access Token  . . . . . . . . . . .  13
         4.5.2.3.  Making Requests with Access Tokens  . . . . . . .  14
         4.5.2.4.  Apply Template to Domain  . . . . . . . . . . . .  15
         4.5.2.5.  Revert Template . . . . . . . . . . . . . . . . .  16
         4.5.2.6.  Revoke Access . . . . . . . . . . . . . . . . . .  17
     4.6.  Domain Connect Objects and Templates  . . . . . . . . . .  17
     4.7.  Operational and Implementation Considerations . . . . . .  19
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  23
     5.1.  XML Namespace . . . . . . . . . . . . . . . . . . . . . .  23
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  23
   7.  Change History  . . . . . . . . . . . . . . . . . . . . . . .  23
     7.1.  Change from 02 to 03  . . . . . . . . . . . . . . . . . .  23
     7.2.  Change from 01 to 02  . . . . . . . . . . . . . . . . . .  23
     7.3.  Change from 00 to 01  . . . . . . . . . . . . . . . . . .  23
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .  23
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24

1.  Introduction

   Configuring a service at a Service Provider to work with a domain has
   historically been a complex task that is difficult for users.

   Typically, a customer would try to configure their service by
   entering their domain name with the Service Provider.  The Service
   Provider then used a number of techniques with mixed reliability to
   discover the DNS Provider.  This might include DNS queries for
   nameservers, queries to whois, and mapping tables to determine the
   registrar or the company providing DNS.

   Once the Service Provider discovered the DNS Provider, they typically
   gave the customer instructions for proper configuration of DNS.  This



Blinn & Carney            Expires July 22, 2018                 [Page 2]

Internet-Draft               Domain Connect                 January 2018


   might include help text, screen shots, or even links to the
   appropriate tools.

   Discovery of the DNS Provider in this manner is unreliable, and
   providing instructions to users would present a number of
   technologies (DNS record types, TTLs, Hostnames, etc.) and processes
   they didn't understand.  These instructions authored by the Service
   Provider often quickly become out of date, further confusing the
   issue for users.

   The goal of this specificatoin is to create a system where Service
   Providers can easily enable their applications/services to work with
   the domain names of their customers.  This includes both discovery of
   the DNS Provider and subsequent modification of DNS.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   XML is case sensitive.  Unless stated otherwise, XML specifications
   and examples provided in this document MUST be interpreted in the
   character case presented in order to develop a conforming
   implementation.

3.  Definitions

   The following definitions are used in this document:

   o  Service Providers - refers to entities that provide products and
      services attached to domain names.  Examples include web hosting
      providers (such as Wix or SquareSpace), email Service Providers
      (such as Microsoft or Google) and potentially even hardware
      manufacturers with DNS-enabled devices including home routers or
      automation controls (such as Linksys, Nest, and Philips).
   o  DNS Providers - refers to entities that provide DNS services such
      as registrars (e.g.  GoDaddy, 1and1) or standalone DNS services
      (e.g.  CloudFlare).
   o  Customer/User - refers to the end-user of these services.
   o  Templates/Service Templates - refers to a file that describes a
      set of changes to DNS and domain functionality to enable a
      specific service.
   o  Root Domain refers to a registered domain (e.g. example.com or
      example.co.uk) or a delegated zone in DNS.
   o  Sub Domain refers to a sub-domain of a root domain (e.g.
      sub.example.com or sub.example.co.uk).




Blinn & Carney            Expires July 22, 2018                 [Page 3]

Internet-Draft               Domain Connect                 January 2018


4.  The API

   The system will be implemented using simple web based interactions
   and standard authentication protocols.  The creation and modification
   of DNS settings will be done through the application of templates
   instead of direct manipulation of individual DNS records.

   Templates are core to this proposal as they describe a service owned
   by a Service Provider, and contain all of the information necessary
   to to enable and operate/maintain a service.

   The individual records may be identified by a group identifier.  This
   allows for the application of templates in different stages.  For
   example, an email provider might first set a TXT record to verify the
   domain, and later set an MX record to configure email delivery.
   While done separately, both changes are fundamentally part of the
   same service.

   It is important that templates be constrained to an individual
   service, as later removal of a template would remove all associated
   records.

   Templates can also contain variable portions, as often values of data
   in the template change based on the implementation and/or user of the
   Service Provider (e.g. the IP address of a service, a customer id,
   etc).

   Configuration and onboarding of templates between the DNS Provider
   and the Service Provider is seen as a manual process.  The template
   is defined by the Service Provider and given to the DNS Provider.
   Future versions of this specification may allow for an independent
   repository of templates.  For now, the templates are all published at
   http://domainconnect.org.

   By basing the protocol on templates instead of DNS Records, several
   advantages are achieved.  The DNS Provider has very explicit
   knowledge and control on the settings being changed to enable a
   service.  The system is also more secure as templates are tightly
   controlled and contained.

   To attach a domain name to a service provided by a Service Provider,
   the customer would first enter their domain name.

   Instead of relying on examination of the nameservers and mapping
   these to DNS Providers, DNS Provider discovery would be handled
   through simple records in DNS and an API.  The Service Provider can
   query for a specific record in the zone to determine a REST endpoint
   to initiate the protocol.  A Domain Connect compliant DNS Provider



Blinn & Carney            Expires July 22, 2018                 [Page 4]

Internet-Draft               Domain Connect                 January 2018


   would return information about that domain and how to configure it
   using Domain Connect.

   For the application of the changes to DNS, there are two use cases.
   The first is a synchronous web flow, and the second is an
   asynchronous flow using OAuth and an API.

   It should be noted that a DNS Provider may choose to only implement
   one of the flows.  As a matter of practice many Service Providers are
   based on the synchronous flow, with only a handful of them based on
   the asynchronous OAuth flow.  So, many DNS providers may opt to only
   implement the synchronous flow.

   It should also be noted that individual services may work with the
   synchronous flow only, the asynchronous flow only, or with both.

4.1.  The Synchronous Flow

   This flow is tailored for the Service Provider that requires a one-
   time synchronous change to DNS.

   The user would first enter their domain name at the Service Provider
   website.

   After the Service Provider determines the DNS Provider, the Service
   Provider might display a link to the user indicating that they can
   "Connect their Domain" to the service.

   After clicking the link, the user is directed to a browser window on
   the DNS Provider's site.  This is typically in another tab or in a
   new browser window, but can also be in place navigation with a return
   url.  This link would pass the domain name being modified, the
   service provider and template being enabled, and any additional
   parameters needed to configure the service.

   Once at the DNS Provider site, the user would be asked to
   authenticate if necessary.

   After authenticating at the DNS Provider, the DNS Provider would
   verify the domain name is owned by the user.  The DNS Provider would
   also verify other parameters passed in are valid and would prompt the
   user to give consent for making the change to DNS.  The DNS Provider
   could also warn the user of services that would be disabled by
   applying this change to DNS.

   Assuming the user grants this consent, the DNS changes would be
   applied.  Upon successful application of the DNS changes, the popup




Blinn & Carney            Expires July 22, 2018                 [Page 5]

Internet-Draft               Domain Connect                 January 2018


   window or tab would be closed.  If in place the user would be
   redirected back to the service provider.

4.2.  The Asynchorous Flow

   The asynchronous OAuth flow is tailored for the Service Provider that
   wishes to make changes to DNS asynchronously with respect to the user
   interaction, or wishes to make multiple or additional changes to DNS
   over time.

   The OAuth based authentication and authorization flow begins
   similarly to the web based synchronous flow.  The Service Provider
   determines the DNS Provider and links to the consent dialog at the
   DNS Provider where the user signs in, the ownership of the domain is
   verified, and the consent is granted.

   However, instead of applying the DNS changes on user consent, OAuth
   access is granted to the Service Provider.  An OAuth access code is
   generated and handed back to the Service Provider.  The Service
   Provider then requests an access (bearer) token.

   The permission granted in the OAuth token is a right for the Service
   Provider to apply a template to the specific domain owned by a
   specific user.

   The Service Provider would later call an API that applies this
   template to the domain, including any necessary parameters along with
   the access token(s).  As in all OAuth flows, access can be revoked by
   the user at any time.  This would be done on the DNS Provider's user
   experience.

   If the OAuth flow is used, once a Service Provider has an OAuth token
   the Domain Connect API becomes available for use.  The Domain Connect
   API is a simple REST service.

   This REST service allows the application or removal of the changes in
   the template on a domain name.  The domain name, user, and template
   must be authorized through the OAuth token and corresponding access
   token.

   Additional parameters are expected to be passed as name/value pairs
   on the query string of each API call.

4.3.  DNS Provider Initiated Flows

   A DNS Provider may with to expose interesting services that the user
   could attach to their domain.  An example would be suggesting to a




Blinn & Carney            Expires July 22, 2018                 [Page 6]

Internet-Draft               Domain Connect                 January 2018


   user that they might want to connect their domain to a partner
   Service Provider.

   If the template for the service is static, it is possible to simply
   apply the template.

   However, often the template has some dynamic elements.  For this
   scenario, the DNS Provider need simply call a URL at the Service
   Provider.  The Service Provider can then sign the user in, collect
   any necessary information, and call the normal web-based flows
   described above.

4.4.  DNS Provider Discovery

   In order to facilitate discovery of the DNS Provider from a domain
   name, a domain will contain a record in DNS.

   This record will be a simple TXT record containing a URL used as a
   prefix for calling a discovery API.  This record will be named
   domainconnect.

   An example of this record might contain:

   domainconnect.godaddy.com

   As a practical matter of implementation, the DNS Provider need not
   contain a copy of this data in each and every zone.  Instead, the DNS
   Provider needs simply to respond to the DNS query for the
   domainconnect TXT record with the appropriate data.

   How this is implemented is up to the DNS Provider.

   For example, the DNS Provider may not store the data inside a TXT
   record for the domain, opting instead to put a CNAME in the zone and
   have the TXT record in the target of the CNAME.

   Once the URL prefix is discovered, it can be used by the Service
   Provider to determine the additional settings for using Domain
   Connect on this domain at the DNS Provider.  This is done by calling
   a REST API.

      GET
      https://{domainconnect}/v2/{domain}/settings

   This will return a JSON structure containing the settings to use for
   Domain Connect on the domain name (passed in on the path) at the DNS
   Provider.  This JSON structure will contain the following fields:




Blinn & Carney            Expires July 22, 2018                 [Page 7]

Internet-Draft               Domain Connect                 January 2018


   o  providerName: The name of the DNS Provider suitable for display on
      the Service Provider UX.
   o  urlSyncUX: The URL Prefix for linking to the UX elements of Domain
      Connect for the synchronous flow at the DNS Provider.
   o  urlAsyncUX: The URL Prefix for linking to the UX elements of
      Domain Connect for the asynchronous flow at the DNS Provider
   o  urlAPI: This is the URL Prefix for the REST API.
   o  width: This is the width of the popup window for granting consent
      when navigated in a popup.  Default value is 750px.
   o  height: This is the height of the popup window for granting
      consent when navigated in a popup.  Default value is 750px.

   As an example, the JSON returned by this call might contain.

      {
      "providerName": "GoDaddy",
      "urlSyncUX": "https://domainconnect.godaddy.com",
      "urlAsyncUX": "https://domainconnect.godaddy.com",
      "urlAPI" : "https://api.domainconnect.godaddy.com",
      "width" : 750,
      "height" : 750
      }

   If the DNS Provider is not implementing the synchronous flow, the
   urlSyncUX is not required.  Similarly, if the DNS Provider is not
   implementing the asynchronous flow the urlAsyncUX is not required.

4.5.  Domain Connect Details

   Domain Connect contains endpoints in the form of URLs.

   The first set of endpoints are for the UX that the Service Provider
   links to.  These are for the UX which includes the web-based flow
   where the user clicks on the link, and the OAuth flow where the user
   clicks on the link for consent.

   The second set of endpoints are for the API, largely for the
   asynchronous OAuth flow via REST.

   All endpoints begin with a root URL for the DNS Provider such as
   https://connect.dnsprovider.com/

   They may also include any prefix at the discretion of the DNS
   Provider, for example, https://connect.dnsprovider.com/api/

   The root URLs for the UX endpoints and the API endpoints are returned
   in the JSON payload during DNS Provider discovery.




Blinn & Carney            Expires July 22, 2018                 [Page 8]

Internet-Draft               Domain Connect                 January 2018


4.5.1.  Synchronous Flow

4.5.1.1.  Query Supported Template

      GET
      {urlAPI}/v2/domainTemplates/
      providers/{providerId}/services/{serviceId}

   This URL can be used by the Service Provider to determine if the DNS
   Provider supports a specific template through the synchronous flow.

   Returning a status of 200 without a body indicates the template is
   supported.  Returning a status of 404 indicates the template is not
   supported.

4.5.1.2.  Apply Template

      GET
      {urlAPI}/v2/domainTemplates/
      providers/{providerId}/services/{serviceId}/apply?[properties]

   This is the URL used to apply a template to a domain.  It is called
   from the Service Provider to start the Domain Connect Protocol.

   This URL should be called in a new browser tab or in a popup browser
   window.  The DNS Provider would sign the user in, verify domain
   ownership, and ask for confirmation of application of the template.

   It is also likely that the DNS Provider would warn the user of
   existing settings that would change and/or services that would be
   disrupted as part of applying this template.  The fidelity of this
   warning is left to the DNS Provider.

   Upon completion of the application of the template the DNS Provider
   would close this tab or window.

   Parameters/properties passed to this URL include:

   o  domain: This parameter contains the domain name being configured.
   o  name/value pairs: Any variable fields consumed by this template.
      The name portion of this API call corresponds to the variable(s)
      specified in the template and the value corresponds to the value
      that should be used when applying the template.
   o  groupId: This OPTIONAL parameter specifies the group of changes
      from the template to apply.  If no group is specified, all changes
      are applied.  Multiple groups can be specified in comma delimited
      format.




Blinn & Carney            Expires July 22, 2018                 [Page 9]

Internet-Draft               Domain Connect                 January 2018


   o  sig: An optional signature of the query string.  See Security
      Considerations section.

   An example query string is below:

      GET
      https://webconnect.dnsprovider.com/v2/domainTemplates/providers/co
      olprovider.com/services/hosting/
      apply?www=192.168.42.42&m=192.168.42.43&domain=example.com

   This call indicates that the Service Provider wishes to connect the
   domain example.com to the service using the template identified by
   the composite key of the provider (coolprovider.com) and the service
   owned by them (hosting).  In this example, there are two variables in
   this template, "www" and "m" which both require values (in this case
   each requires an IP address).  These variables are passed as name/
   value pairs.

4.5.1.3.  Security Considerations

   By applying a template with parameters, there is a security
   consideration that must be taken into account

   Consider an email template where the IP address of the MX record is a
   passed in variable.  A bad actor could generate a URL with a bad IP.
   If an end user is convinced to click on this URL (say in a phishing
   email), they would land on the DNS Provider site to confirm the
   change.  To the user, this would appear to be a valid request to
   configure the domain.  Yet the IP would be hijacking the service.

   Not all templates have this problem.  But when they do, there are two
   options.

   One option would be to not enable the synchronous flow and use
   asynchronous OAuth.  But as will be seen below, OAuth has both a
   higher implementation burden and requires onboarding between each
   Service and DNS Provider.

   As another option, digitally signing the query string will be
   enabled.  The signature will be appended as an additional query
   string parameter, properly URL encoded and of the form:

   sig=NLOQQm6ikGC2FlFvFZqIFNCZqlaC4B%2FQDwS6iCwIElMWhXMgRnRE17zhLtdLFie
   WkyqKa4I%2FOoFaAgd%2FAl%2ByzDd3sM2X1JVF5ELjTlj84jZ4KOEIdnbgkEeO%2FTkY
   RrPkwcmcHMwc4RuX%2Fqio8vKYxJaKLKeVGpUNSKo7zkq3XIRgyxoLSRKxmlSTHFAz4Lv
   YXPWo6SHDoVcRvElWj18Um13sSXuX4KhtOLym2yImHpboEi4m2Ziigc%2BNHZE0VvHUR7
   wZgDaB01z8hFm5ATF%2B8swjandMRf2Lr4Syv4qTxMNT61r62EWFkt5t9nhxMgss6z4pf
   DVFZ3vYwSJDGuRpEQ%3D%3D



Blinn & Carney            Expires July 22, 2018                [Page 10]

Internet-Draft               Domain Connect                 January 2018


   The Service Provider can generate this signature using a private key.
   The DNS Provider can then verify the signature using the public key.

   key=_dcpubkeyv1

   This example indicates that the public key can be found by doing a
   DNS query for a TXT record called _dcpubkeyv1.

   Since the public key may be greater than 255 characters, multiple TXT
   records may exist for the DNS TXT query.  For a public key of:

   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JEzUOfbhWKB9mTRsv3O
   9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnSmlkgu1dnBEO8bsELQL8G
   jS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOO
   fNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/
   jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9uwm8KlDNHe+8O+cC9j04Ji8B2K0/
   PzAj90xnb8XJy/
   EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB

   There would be several TXT records.  The records would be of the
   form:

      p=1,a=RS256,d=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1dCqv7JE
      zUOfbhWKB9mTRsv3O9Vzy1Tz3UQlIDGpnVrTPBJDQTXUhxUMREEOBKo+rOjHZqfYnS
      mlkgu1dn
      p=2,a=RS256,d=BEO8bsELQL8GjS4zsjdA53gRk2SDxuzcB4fK+NCDfnRHut5nG0S3
      U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWSVXoSSTqCCMGbj8Vt51umDhWQAj06l
      f5
      p=3,a=RS256,d=NCDfnRHut5nG0S3U4cq4DuGrMDFVBwxH1duTsqDNgIOOfNTsFcWS
      VXoSSTqCCMGbj8Vt51umDhWQAj06lf50qP2/
      jMNs2G+KTlk3dBHx3wtqYLvdcop1Tk5xBD64BPJ9
      p=4,a=RS256,d=uwm8KlDNHe+8O+cC9j04Ji8B2K0/PzAj90xnb8XJy/
      EM124hpT9lMgpHKBUvdeurJYweC6oP41gsTf5LrpjnyIy9j5FHPCQIDAQAB

   Here the public key is broken into four records in DNS, and the data
   also indicates that the signing algorithm is an RSA Signature with
   SHA-256.

   It should be noted that the above data was generated for a query
   string:

   a=1&b=2&ip=10.10.10.10&domain=foobar.com

   Support for signing the query string and verification is optional.
   Not all services require this level of security, and not all DNS
   Providers will support this signing for the synchronous flow.





Blinn & Carney            Expires July 22, 2018                [Page 11]

Internet-Draft               Domain Connect                 January 2018


   There are circumstances where the Service Provider may wish to verify
   that the template was successfully applied.  Without domain connect,
   this typically involved the Service Provider querying DNS to see if
   the settings had been applied.

   This same technique works with Domain Connect, and if necessary can
   be triggered either manually on the Service Provider site or
   automatically upon page/window activation in the browser.

   Automatic notification via callback URLs were considered in earlier
   drafts, and subsequently dropped due to their lack of reliability and
   difficulty in getting a consistent implementation across DNS
   Providers.

4.5.2.  Asynchronous Flow: OAuth

   Using the OAuth flow is a more advanced use case, needed by Service
   Providers that have more complex configurations that may require
   multiple steps and/or are asynchronous from the user's interaction.

   Details of an OAuth implementation are beyond the scope of this
   specification.  Instead, an overview of how OAuth fits with Domain
   Connect is given here.

   Service providers wishing to use the OAuth flow must register as an
   OAuth client with the DNS Provider.  This is envisioned as a manual
   process.

   To register, the Service Provider would provide (in addition to their
   template) one or more callback URLs that specify where the customer
   will be redirected after the provider authorization.  In return, the
   DNS Provider will give the Service Provider a client id and secret
   which will be used when requesting tokens as part of the OAuth
   process flow.

4.5.2.1.  Getting an Authorization Code

      GET
      {urlAsyncUX}/v2/domainTemplates/
      providers/{providerId}/services/{serviceId}

   To initiate the OAuth flow the Service Provider would link to the DNS
   Provider to gain consent.

   This endpoint is similar to the synchronous flow described above, and
   will handle authenticating the user, verification of domain
   ownership, and asking for the user's permission to allow the Service
   Provider to make the specified changes to the domain.  Similarly, the



Blinn & Carney            Expires July 22, 2018                [Page 12]

Internet-Draft               Domain Connect                 January 2018


   DNS Provider will often want to warn the user that (eventual)
   application of this template might change existing records and/or
   disrupt existing services attached to the domain.

   While the variables for the applied template would be provided later,
   the values of some variables are often necessary in the consent flow
   to determine conflicts.  As such, any variables impacting conflicting
   records needs to be provided in the consent flow.  Today this
   includes variables in hosts, and variables in the data portion for
   certain TXT records.  As conflict resolution evolves, this list may
   grow.

   Upon successful authorization, verification, and consent, the DNS
   Provider will direct the end user's browser to the redirect URI
   provided in the request, appending the authorization code as a query
   parameter of "code".

   Upon error, the DNS Provider will direct the end user's browser to
   the redirect URI provided in the request, appending the error code as
   a query parameter "error".

   The following describes the values to be included in the query string
   parameters for the request for the OAuth consent flow.

   o  domain: This parameter contains the domain name being configured.
   o  client_id: This is the client id that was provided by the DNS
      Provider, to the Service Provider during registration.
   o  redirect_uri: The location to direct the client's browser to upon
      successful authorization, or upon error.
   o  response_type: OPTIONAL.  If included should be the string 'code'
      to indicate an authorization code is being requested.
   o  scope: This is the name of the template that is being requested.
   o  state: OPTIONAL but recommended.  This is a random, unique string
      passed along to prevent CSRF.  It will be returned as a parameter
      when redirecting to the redirect_url described above.
   o  name/value pairs: Required for fields that impact the conflict
      detection.  This includes variables used in hosts and data in TXT
      records.

4.5.2.2.  Requesting an Access Token

      POST {urlAPI}/v2/OAuth/access_token

   Once authorization has been granted the Service Provider must use the
   Authorization Code provided to request an Access Token.  The OAuth
   specification recommends that the Authorization Token be a short
   lived token, and a reasonable recommended setting is ten minutes.  As




Blinn & Carney            Expires July 22, 2018                [Page 13]

Internet-Draft               Domain Connect                 January 2018


   such this exchange needs to be completed before that time has expired
   or the process will need to be repeated.

   This token exchange is done via a server to server API call from the
   Service Provider to the DNS Provider.

   The Access Token granted will also have a longer lifespan, but also
   can expire.  To get a new access token, the Refresh Token is used.

   The following describes the POST parameters to be included in the
   request.

   o  code: The authorization code that was provided in the previous
      step when the customer accepted the authorization request, or the
      refresh_token for a subsequent access token.
   o  redirect_uri: OPTIONAL.  If included, needs to be the same
      redirect uri provided in the previous step, simple for
      verification.
   o  grant_type: The type of code in the request.  Usually the string
      'authorization_code' or 'refresh_token'.
   o  client_id: This is the client id that was provided by the DNS
      Provider, to the Service Provider during registration.
   o  client_secret: The secret provided to the Service Provider during
      registration.

   Upon successful token exchange, the DNS Provider will return a
   response with 4 properties in the body of the response.

   o  access_token: The access token to be used when making API
      requests.
   o  token_type: Always the string "bearer".
   o  expires_in: The number of seconds until the access_token expires.
   o  refresh_token: The token that can be used to request new access
      tokens when this one has expired.

4.5.2.3.  Making Requests with Access Tokens

   Once the Service Provider has the access token, they can call the DNS
   Provider's API to make change to DNS on behalf of the user.

   All calls to this API pass the access token in the Authorization
   Header of the request to the call to the API.  More details can be
   found in the OAuth specifications, but as an example:

      GET /resource/1 HTTP/1.1
      Host: example.com
      Authorization: Bearer mF_9.B5f-4.1JqM




Blinn & Carney            Expires July 22, 2018                [Page 14]

Internet-Draft               Domain Connect                 January 2018


4.5.2.4.  Apply Template to Domain

      POST
      {urlAPI}/v2/domainTemplates/
      providers/{providerId}/services/{serviceId}/apply?[properties]

   The primary function of the API is to apply a template to a customer
   domain.

   While the providerId and serviceId are also implied in the
   authorization, these are on the path for consistency with the
   synchronous flows.  If not matching what is in the authorization, an
   error would be returned.

   When applying a template to a domain, it is possible that a conflict
   may exist with previous settings.  While it is recommended that
   conflicts be detected when the user grants consent, because OAuth is
   asynchronous it is possible that a new conflict was introduced by the
   user.

   While it is up to the DNS Provider to determine what constitutes a
   conflict (see section on Conflicts below), when one is detected an
   error will be returned by default.  This error will enumerate the
   conflicting records in a format described below.

   Because the user isn't present at the time of this error, it is up
   the Service Provider to determine how to handle this error.  Some
   providers may decide to notify the user.  Others may decide to apply
   their template anyway using the "force" parameter.  This parameter
   will bypass error checks for conflicts, and after the call the
   service will be in its desired state.

   Calls to apply a template via OAuth require the following parameters:

   o  domain: This contains the domain name being configured.  It must
      match the domain in the authorization token.
   o  name/value pairs: Any variable fields consumed by this template.
      The name portion of this API call corresponds to the variable(s)
      specified in the record and the value corresponds to the value
      that should be used when applying the template as per the
      implementation notes.
   o  groupId: This OPTIONAL parameter specifies the group of changes in
      the template to apply.  If omitted, all changes are applied.  This
      can also be a comma separated list of groupIds.
   o  force: This OPTIONAL parameter specifies that the template should
      be applied independently of any conflicts that may exist on the
      domain.  This can be a value of 0 or 1.




Blinn & Carney            Expires July 22, 2018                [Page 15]

Internet-Draft               Domain Connect                 January 2018


   An example call is below.  In this example, it is contemplated that
   there are two variables in this template, "www" and "m" which both
   require values (in this case each requires an IP address).  These
   variables are passed as name/value pairs.

      POST
      https://connect.dnsprovider.com/v2/domainTemplates/providers/coolp
      rovider.com/services/hosting/
      apply?www=192.168.42.42&m=192.168.42.43&force=1

   The API must validate the access token for the Service Provider and
   that the domain belongs to the customer and is represented by the
   token being presented.  With these checks passing, the template may
   be applied to the domain after verifying that doing so would not
   cause an error condition, either because of problems with required
   variables or the current state of the domain itself (for example,
   already having a conflicting template applied).

   Results of this call can include information indicating success, or
   an error.  Errors will be 400 status codes, with the following codes
   defined.

   o  Success (20*): A response of an http status code of 204 indicates
      that call was successful and the template applied.  Note that any
      200 level code should be considered a success.
   o  Unauthorized (401): A response of a 401 indicates that caller is
      not authorized to make this call.  This can be because the token
      was revoked, or other access issues.
   o  Error (404,422): This indicates something wrong with the request
      itself, such as bad parameters.
   o  Failed (409): This indicates that the call was good, and the
      caller authorized, but the change could not be applied due to a
      conflicting template or a domain state that prevents updates.
      Errors due to conflicts will only be returned when force is not
      equal to 1.

   When a 409 is returned, the body of the response will contain details
   of the error.  This will be JSON containing the error code, a message
   suitable for developers, and an array of tuples containing the
   conflicting records type, host, and data element.

4.5.2.5.  Revert Template

      POST
      {urlAPI}/v2/domainTemplates/
      providers/{providerId}/services/{serviceId}/revert?domain={domain}





Blinn & Carney            Expires July 22, 2018                [Page 16]

Internet-Draft               Domain Connect                 January 2018


   This API allows the removal of a template from a customer domain
   using an OAuth request.

   The provider and service name in the authorizatoin must match the
   values in the URL.  So must the domain name on the query string.

   This call must validate that the template requested exists and has
   been applied to the domain by the Service Provider or a warning must
   be returned that the call would have no effect.  This call must
   validate that there is a valid authorization token for the domain
   passed in or an error condition must be reported.

   An example query string might look like:

      POST
      https://connect.dnsprovider.com/v2/domainTemplates/providers/coolp
      rovider.com/services/hosting/revert?domain=example.com

   Response codes are identical to above.

4.5.2.6.  Revoke Access

   Like all OAuth flows, the user can revoke the access at any time
   using UX at the DNS Provider site.  So the Service Provider needs to
   be aware that their access to the API may be denied.

4.6.  Domain Connect Objects and Templates

   Templates are not versioned.  Instead, if a breaking change is made
   to a template it is recommended that a new template be created.
   While on the surface versioning looks appealing, the reality is that
   the settings in a template rarely change.  This is because a
   successful service will have many customers with settings in their
   DNS, some applied by templates using this protocol, and some manually
   applied.  As such changes to the template need to be done in a manner
   that accounts for existing customers.

   A template is defined as a standard JSON data structure containing
   the following data:

   o  providerId: The unique identifier of the Service Provider that
      created this template.  This is used in the URLs to identify the
      Service Provider.  To ensure non-coordinated uniqueness, this
      would be the domain name of the Service Provider.
   o  providerName: The name of the Service Provider.  This will be
      displayed to the user.
   o  templateId: The name or identifier of the template.  This is used
      in URLs to identify the template.



Blinn & Carney            Expires July 22, 2018                [Page 17]

Internet-Draft               Domain Connect                 January 2018


   o  templateName: The friendly name of this service.  This will be
      displayed to the user.
   o  logoUrl: A graphical logo for use in any web-based flow.  This is
      a URL to a graphical logo sufficient for retrieval.
   o  description: A textual description of what this template attempts
      to do.  This is meant to assist integrators, and therefore should
      not be displayed to the user.
   o  syncBlock: Indicates that the synchronous protocol should not be
      enabled for this template.
   o  synchPubKeyDomain: When present, indicates that calls to apply a
      template synchronously will be digitally signed.  This element
      contains the domain name for querying a TXT record from DNS.
   o  launchUrl: OPTIONAL.  A URL suitable for a DNS Provider to call to
      initiate the execution of this template.  This allows the flow to
      begin with the DNS Provider as described above.
   o  records: A list of records for the template.

   Each template record is an entry that contains a type and several
   optional parameters based on the value.

   For all entries of a record template other than "type" and "groupId",
   the value can contain variables denoted by %<variable name>%. These
   are the values substituted at runtime when writing into DNS.

   It should be noted that as a best practice, the variable should be
   equal to the portion of the values in the template that change as
   little as possible.

   For example, say a Service Provider requires a CNAME of one of three
   values for their users: s01.example.com, s02.example.com, and
   s03.example.com.

   The value in the template could simply contain %servercluster%, and
   the fully qualified string passed in.  Alternatively, the value in
   the template could contain s%var%.example.com.  By placing more fixed
   data into the template, the data is more constrained.

   Each record will contain the following elements:

   o  type: Describes the type of record in DNS, or the operation
      impacting DNS.  Valid values include: A, AAAA, CNAME, MX, TXT,
      SRV, NS, APEXCNAME, REDIR301, or REDIR302.
   o  groupId: This OPTIONAL parameter identifies the group the record
      belongs to when applying changes.
   o  host: The host for A, AAAA, CNAME, TXT, and MX values.  This is
      the hostname in DNS.
   o  pointsTo: The pointsTo location for A, AAAA, CNAME and MX records.




Blinn & Carney            Expires July 22, 2018                [Page 18]

Internet-Draft               Domain Connect                 January 2018


   o  ttl: This is the time-to-live for the record in DNS.  Valid for A,
      AAAA, CNAME, TXT, MX, and SRV records.
   o  data: This is the data for a TXT record in DNS.
   o  priority: This is the priority for an MX or SRV record in DNS.
   o  weight: This is the weight for the SRV record.
   o  port: This is the port for the SRV record.
   o  protocol: This is the protocol for the SRV record.
   o  service: This is the protocol for the SRV record.

4.7.  Operational and Implementation Considerations

   The DNS Provider is responsible for handling of the conflicts with
   records already existing in the DNS Zone.  This includes detection of
   conflicts, removing conflicts when a new template is applied, and
   merging records when appropriate.

   For example, if the application of a template through the web based
   flow would interfere with previously set DNS records (either through
   another template or manual settings), it is envisioned that the user
   would be asked to confirm the clearing of the previously set
   template.  If it would interfere with DNS records accessible through
   a previously issued OAuth flow, the provider could revoke the
   previously issued token.

   Similarly, when granting an OAuth token that interferes with a
   previously issued OAuth token, access to the old token could
   automatically be revoked.

   Manual changes to DNS through the DNS Provider could have appropriate
   warnings in place to prevent unwanted changes; with overrides being
   possible and removing conflicting templates.

   The behavior of these interactions is left to the sophistication of
   the DNS Provider.  However, a general recommendation is to ensure
   that a newly configured service works correctly.

   A proposing handling of records is as follows (if not otherwise
   specified, conflicts occur if the records have the same name):

      Replace records of the same type for A, AAAA, MX, CNAME,
      APEXCNAME, SRV.  If the template specifies an A or AAAA, the
      respective AAAA or A record should be removed to avoid IPv4 and
      IPv6 pointing to different services
      Append to the existing records of the same type for TXT
      Replace any record for CNAME
      Remove any CNAME record existing at the same or parent level to
      any records added by the template




Blinn & Carney            Expires July 22, 2018                [Page 19]

Internet-Draft               Domain Connect                 January 2018


   Additional record types and/or extensions to records in the template
   can be implemented on a per DNS Provider basis.  However, care should
   be taken when defining extensions so as to not conflict with other
   protocols and standards.  Certain record names are reserved for use
   in DNS for protocols like DNSSEC (DNSKEY, RRSIG) at the registry
   level.

   Defining these optional extensions in an open manner as part of this
   specification is highly recommended.  The following are the initial
   optional extensions a DNS Provider/Service Provider may support.

   Some Service Providers desire the behavior of a CNAME record, but in
   the apex record.  This would allow for an A Record at the root of the
   domain but dynamically determined at runtime.

   The recommended record type for DNS Providers that wish to support
   this an APEXCNAME record.  Additional fields included with this
   record would include pointsTo and TTL.

   Defining a standard for such functionality in DNS is beyond the scope
   of this specification.  But for DNS Providers that support this
   functionality, using the same record type name across DNS Providers
   allows template reuse.

   Some Service Providers desire a redirection service associated with
   the A Record.  A typical example is a service that requires a
   redirect of the domain (e.g. example.com) to the www variant
   (www.example.com).  The www would often contain a CNAME.

   Since implementation of a redirection service is typically simple, it
   is recommended that service providers implement redirection on their
   own.  But for DNS Providers that have a redirection service,
   supporting simple templates with this functionality may be desired.

   While technically not a "record" in DNS, when supporting this
   optional functionality, it is recommended that this be implemented
   using two new record types.

   REDIR301 and REDIR302 would implement 301 and 302 redirects
   respectively.  Associated with this record would be a single field
   called the "target", containing the target domain of the redirect.

   Several service providers have asked for functionality supporting an
   update to the nameserver records at the registrar associated with the
   domain.

   This functionality is again deemed as optional and up to the DNS
   Provider to determine if they desire to support this functionality.



Blinn & Carney            Expires July 22, 2018                [Page 20]

Internet-Draft               Domain Connect                 January 2018


   When implementing this, two records will be provided.  NS1 and NS2,
   each containing a pointsTo argument.

   Requests have also been made to allow for updates to the DS record
   for DNSSEC.  This record is required at the registry to enable
   DNSSEC, but can only be written by the registrar.

   Note that the registrar may or may not be the DNS Provider, but in
   this case the implementation of updates of the DS record into the
   registry would be handled exclusively by the registrar.

   For DNS Providers that support this record, the record type should be
   DS.  Values will be keyTag, algorithm, digestType, and digest.

   Variables in templates that are hard-coded host names are the
   responsibility of the DNS Provider to protect.  That is, DNS
   Providers are responsible for ensuring that host names do not
   interfere with known values (such as m. or www. or mail.) or internal
   names that provide critical functionality that is outside the scope
   of this specification.

   This template format is intended for internal use by a DNS Provider
   and there are no codified API endpoints for creation or modification
   of these objects.  API endpoints do not use this object directly.
   Instead, API endpoints reference a template by ID and then provide
   key/value pairs that match any variable values in these record
   objects.

   However, by defining a standard template format it is believed it
   will make it easier for Service Providers to share their provisioning
   across DNS Providers.  Further revisions of this specification may
   include a repository for publishing and consuming these templates.
   For now, templates are maintained at http://domainconnect.org.

   Implementers are responsible for data integrity and should use the
   record type field to validate that variable input meets the criteria
   for each different data type.

   Some considerations are necessary for configuring a domain
   (example.com) vs. a sub-domain (sub.example.com) for a Service.

   The DNS Provider will only implement the _domainconnect record at the
   domain level.  This means that during discovery, the Service Provider
   would need to call the root domain for this information.

   The DNS Provider should support configuring services on domains vs.
   sub-domains.




Blinn & Carney            Expires July 22, 2018                [Page 21]

Internet-Draft               Domain Connect                 January 2018


   If the template is identical for the root and for the sub-domain, the
   Service Provider simply needs to call domain connect with the fully
   qualified domain name.  Here passing in sub.example.com vs.
   example.com to the domain connect flow is all that is necessary.

   If there are differences, two templates would be created and the
   Service Provider would invoke the appropriate version.

   It is also highly recommended that this approach be taken, vs.
   variables for host names passed into the template.

   Example Records: Single static host record

   Consider a template for setting a single host record.  The records
   section of the template would have a single record of type "A" and
   could have a value of:

      [{
      ''type'': ''A'',
      ''host'': ''www'',
      ''pointsTo'': ''192.168.1.1'',
      ''ttl'': 600
      }]

   This would have no variable substitution and the application of this
   template to a domain would simply set the host name "www" to the IP
   address "192.168.1.1"

   Example Records: Single variable host record for A

   In the case of a template for setting a single host record from a
   variable, the template would have a single record of type "A" and
   could have a value of:

      [{
      ''type'': ''A'',
      ''host'': ''@'',
      ''pointsTo'': ''192.168.1.%srv%'',
      ''ttl'': 600
      }]

   A query string with a key/value pair of

   srv=8

   would cause the application of this template to a domain to set the
   host name for the apex A record to the IP address "192.168.1.8" with
   a TTL of 600.



Blinn & Carney            Expires July 22, 2018                [Page 22]

Internet-Draft               Domain Connect                 January 2018


5.  IANA Considerations

5.1.  XML Namespace

   This document uses URNs to describe XML namespaces and XML schemas
   conforming to a registry mechanism described in [RFC3688].  The
   following URI assignment is requested of IANA:

   URI: ietf:params:xml:ns:validate-1.0

   Registrant Contact: See the "Author's Address" section of this
   document.

6.  Acknowledgements

   The authors wish to thank the following persons for their feedback
   and suggestions:

   o  Chris Ambler of GoDaddy Inc.
   o  Jody Kolker of GoDaddy Inc.

7.  Change History

7.1.  Change from 02 to 03

   Added width/height JSON values returned by DNS Provider Discovery.
   Corrected text of GET method for getting the authorization token.
   Added clarifying text to Group ID description parameter of the apply
   template POST method.  Quite a few minor edits and clarifications
   that were found during implementation, especially in the
   Implementation Considerations section.

7.2.  Change from 01 to 02

   Added new GET method for Service Providers to determine if the DNS
   Provider supports a specific template.  Some other minor edits for
   clarification.

7.3.  Change from 00 to 01

   Minor edits and clarifications found during implementation.

8.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.



Blinn & Carney            Expires July 22, 2018                [Page 23]

Internet-Draft               Domain Connect                 January 2018


   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

Authors' Addresses

   Arnold Blinn
   GoDaddy Inc.
   14455 N. Hayden Rd. #219
   Scottsdale, AZ  85260
   US

   Email: arnoldb@godaddy.com
   URI:   http://www.godaddy.com


   Roger Carney
   GoDaddy Inc.
   14455 N. Hayden Rd. #219
   Scottsdale, AZ  85260
   US

   Email: rcarney@godaddy.com
   URI:   http://www.godaddy.com



























Blinn & Carney            Expires July 22, 2018                [Page 24]