Internet Engineering Task Force                                   J. Xie
Internet-Draft                                                   N. Kong
Intended status: Informational                                     H. Li
Expires: April 23, 2012                                           X. Lee
                                                                   CNNIC
                                                        October 21, 2011


   Extensible Provisioning Protocol (EPP) Domain Name System Security
         Extensions (DNSSEC) Mapping for Chinese Domain Names
                  draft-kong-epp-cdn-dnssec-mapping-00

Abstract

   This document describes an extension of Extensible Provisioning
   Protocol (EPP) Domain Name System Security Extensions (DNSSEC)
   mapping for the provisioning and management of Chinese Domain Names
   (CDNs), especially for variant CDNs.  Specified in XML, this extended
   mapping is applied to provide additional features required for the
   provisioning of DNS security extensions for CDNs.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 23, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Xie, et al.              Expires April 23, 2012                 [Page 1]

Internet-Draft               EPP CDN Mapping                October 2011


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.


Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Definitions
   4.  Object Attributes
     4.1.  Domain Name Information
   5.  DS Data Interface and Key Data Interface
     5.1.  DS Data Interface
     5.2.  Key Data Interface
     5.3.  Example DS Data Interface and Key Data Interface
   6.  EPP Command Mapping
     6.1.  EPP Query Commands
       6.1.1.  EPP <check> Command
       6.1.2.  EPP <info> Command
       6.1.3.  EPP <transfer> Command
     6.2.  EPP Transform Commands
       6.2.1.  EPP <create> Command
       6.2.2.  EPP <delete> Command
       6.2.3.  EPP <renew> Command
       6.2.4.  EPP <transfer> Command
       6.2.5.  EPP <update> Command
   7.  Formal Syntax
   8.  Internationalization Considerations
   9.  IANA Considerations
   10. Security Considerations
   11. Acknowledgements
   12. References
     12.1. Normative References
     12.2. Informative References
   Authors' Addresses


1.  Introduction

   Many Chinese characters in common use have variants in Simplified
   Chinese (SC) form, Traditional Chinese (TC) form or other variant
   forms.  For example, the Chinese character "U+5B81" has five forms:
   "U+5B81" (SC form), "U+5BE7" (TC form), and "U+21A34", "U+5BDC" and
   "U+5BCD" (other variant forms).  Chinese users regard the SC form,
   the TC form and the other variant forms of a character as the same
   character.

   Consequently, most Chinese Domain Names (CDNs) have several variant
   forms (SC form, TC form, and other variant forms), which Chinese
   users likewise regard as the same name.  According to CNNIC
   statistics, 78.6% of registered CDNs had variant forms by the end of
   May 2011.  Under the CDN registration policy, a registrant can apply
   for an original CDN in any form (SC form, TC form, or other variant
   form); the corresponding variant CDNs in SC form and in TC form are
   then delegated to the same registrant as well.  All other forms of
   the CDN are reserved and cannot be applied for by other registrants,
   and any reserved variant CDN can later be activated, on request, for
   the same registrant.

   As a result, a registrant who registers one CDN ends up holding
   several CDNs.  To facilitate the provisioning and management of DNS
   security extensions for CDNs in a shared central repository, this
   document proposes an extension of the Extensible Provisioning
   Protocol (EPP) Domain Name System Security Extensions (DNSSEC)
   mapping [RFC5910], designed specifically for variant CDNs.
   Information exchanged via this extension can be extracted from the
   repository and used to publish DNSSEC Delegation Signer (DS) resource
   records (RRs) for variant CDNs.

   This document is specified using the Extensible Markup Language (XML)
   1.0 as described in [W3C.REC-xml-20040204] and XML Schema notation as
   described in [W3C.REC-xmlschema-1-20041028] and
   [W3C.REC-xmlschema-2-20041028].

   This document relies heavily on the concepts of Internationalized
   Domain Names (IDNs) and on features unique to CDNs.  Understanding
   the CDN features described here therefore requires a thorough
   understanding of IDNs for Applications (IDNA, described in
   [RFC5890], [RFC5891], and [RFC5892]) and of the variant approach
   discussed in [RFC4290] and, specifically for Chinese, Japanese, and
   Korean (CJK) characters, in the so-called "JET Guidelines"
   [RFC3743].  Likewise, a thorough understanding of [RFC5910] is
   necessary to understand the mapping extension described here.


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   secCDNS-1.0 in this document is used as an abbreviation for
   urn:ietf:params:xml:ns:secCDNS-1.0.

   In examples, "C:" represents lines sent by a protocol client and "S:"
   represents lines returned by a protocol server.  Indentation and
   white space in examples are provided only to illustrate element
   relationships and are not a REQUIRED feature of this specification.

   XML is case sensitive.  Unless stated otherwise, XML specifications
   and examples provided in this document MUST be interpreted in the
   character case presented to develop a conforming implementation.


3.  Definitions

   The following definitions are used in this document:

   o  Chinese Domain Name (CDN): a domain name whose label is made up of
      Chinese characters, which may be SCs, TCs, or other variants (the
      label may also contain ASCII characters).

   o  Simplified Chinese Domain Name (SCDN): a domain name whose label
      is made up solely of simplified Chinese characters (the label may
      also contain ASCII characters).

   o  Traditional Chinese Domain Name (TCDN): a domain name whose label
      is made up solely of traditional Chinese characters (the label may
      also contain ASCII characters).

   o  Original Chinese Domain Name (OCDN): the CDN that the registrant
      submitted for registration in the first place.

   o  Variant Chinese Domain Name (VCDN): a domain name whose label is
      made up of Chinese characters that may be SCs, TCs, or other
      variants (the label may also contain ASCII characters) but that is
      neither solely simplified Chinese nor solely traditional Chinese.


4.  Object Attributes

   This extension adds an additional element to the EPP domain name
   mapping [RFC5731].  Only this new element is described here.  The
   additional elements added by [RFC5910] are also used by this
   extension.

4.1.  Domain Name Information

   The domain name information provided by a client identifies the
   domain for which delegation signer (DS) information or key data is to
   be created, added, or removed.  The format of this additional element
   follows the description in Section 2.1 of [RFC5731].


5.  DS Data Interface and Key Data Interface

   Based on Section 4 of [RFC5910], this document proposes the following
   modifications to the DS Data Interface and the Key Data Interface for
   CDNs.  Through these modified interfaces, a client can create, add,
   and remove DS information or key data for more than one domain name
   in a single command.

5.1.  DS Data Interface

   The DS Data Interface relies on the use of the <secCDNS:DS> element
   for creates, adds, removes, and <domain:info> responses.

   The <secCDNS:DS> element contains the following child elements:

   o  A <secCDNS:CDN> element that contains the CDN (OCDN, SCDN, TCDN,
      or VCDN) for which delegation signer information is to be
      created, added, or removed.

   o  One or more <secCDNS:dsData> elements, each containing the child
      elements described in Section 4.1 of [RFC5910].

5.2.  Key Data Interface

   The Key Data Interface relies on the use of the <secCDNS:KEY> element
   for creates, adds, removes, and <domain:info> responses.

   The <secCDNS:KEY> element associates key data with one or more CDNs.
   Its "type" attribute identifies the bundle of CDNs to which the key
   data applies.  With type="vcset", the key data applies to the VCDN
   set of the domain.  With type="all", the key data applies to the
   OCDN, the SCDN, the TCDN, and the VCDN set.  With type="custom", the
   key data applies only to the one or more CDNs that the client lists
   explicitly.

   The <secCDNS:KEY> element contains the following child elements:

   o  Zero or more <secCDNS:CDN> elements, each containing a CDN (OCDN,
      SCDN, TCDN, or VCDN) for which key data is to be created, added,
      or removed.  If type="custom", at least one such element MUST be
      present.  If type="vcset" or type="all", this element SHOULD NOT
      be present.

   o  A <secCDNS:keyData> element that contains the child elements
      described in Section 4.2 of [RFC5910].

5.3.  Example DS Data Interface and Key Data Interface

   Example use of the secCDNS-1.0 DS Data Interface for a create:

   <secCDNS:DS>
     <secCDNS:CDN>"U+5B9E""U+4F8B"."U+4E2D""U+56FD"</secCDNS:CDN>
     <secCDNS:dsData>
       <secDNS:keyTag>12345</secDNS:keyTag>
       <secDNS:alg>3</secDNS:alg>
       <secDNS:digestType>1</secDNS:digestType>
       <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
     </secCDNS:dsData>
   </secCDNS:DS>

   Example use of the secCDNS-1.0 Key Data Interface for a create:

   <secCDNS:KEY type="all">
     <secCDNS:keyData>
       <secDNS:flags>257</secDNS:flags>
       <secDNS:protocol>3</secDNS:protocol>
       <secDNS:alg>1</secDNS:alg>
       <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
     </secCDNS:keyData>
   </secCDNS:KEY>
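   The bundle semantics of Section 5.2, and the point made in Section 1
   that the exchanged data is used to publish DS RRs for every variant
   CDN, as an added example (not code from the draft or from CNNIC).  It
   parses the Key Data Interface sample above, applies the type/CDN
   rules, and derives one DS RR per name in the bundle.  The bundle
   table (the SC, TC and two mixed forms of the sample name, written as
   characters rather than in the "U+..." notation the draft uses), the
   secDNS-1.1 namespace of [RFC5910] for the key fields, SHA-256 as the
   DS digest type, and the policy of rejecting a <secCDNS:CDN> element
   under type="vcset" or type="all" are assumptions of this example.
   The same DNSKEY yields a different DS digest for every variant,
   because the owner name is part of the digest input; that is why the
   registry has to expand the bundle before it can publish DS RRs.

```python
"""Expand a secCDNS-1.0 <KEY> bundle into per-name DS records.

Added example for this draft, not code from the draft or from CNNIC.
Assumed: the BUNDLE table below, the secDNS-1.1 namespace of RFC 5910
for the key fields, and SHA-256 (digest type 2) as the DS digest.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

SECCDNS = "{urn:ietf:params:xml:ns:secCDNS-1.0}"
SECDNS = "{urn:ietf:params:xml:ns:secDNS-1.1}"

# Constructed bundle for the draft's sample name (U+5B9E U+4F8B . U+4E2D
# U+56FD, SC form).  The TC form and the two mixed forms (the VCDN set)
# follow the definitions in Section 3; a registry derives them from its
# variant tables.
BUNDLE = {
    "ocdn": ["实例.中国"],
    "scdn": ["实例.中国"],
    "tcdn": ["實例.中國"],
    "vcset": ["实例.中國", "實例.中国"],
}

# The draft's Key Data Interface sample, with both namespaces declared.
SAMPLE_KEY = (
    '<secCDNS:KEY type="all"'
    ' xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"'
    ' xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">'
    "<secCDNS:keyData><secDNS:flags>257</secDNS:flags>"
    "<secDNS:protocol>3</secDNS:protocol><secDNS:alg>1</secDNS:alg>"
    "<secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey></secCDNS:keyData>"
    "</secCDNS:KEY>"
)


def names_for(key_type, explicit, bundle=BUNDLE):
    """Apply the type/CDN rules of Section 5.2; return the target names."""
    if key_type == "custom":
        if not explicit:
            raise ValueError("type=custom requires at least one <secCDNS:CDN>")
        return list(dict.fromkeys(explicit))
    if explicit:  # SHOULD NOT be present; this server rejects it (policy)
        raise ValueError(f"type={key_type} must not carry <secCDNS:CDN>")
    if key_type == "vcset":
        return list(bundle["vcset"])
    if key_type == "all":
        names = bundle["ocdn"] + bundle["scdn"] + bundle["tcdn"] + bundle["vcset"]
        return list(dict.fromkeys(names))  # OCDN and SCDN may be the same name
    raise ValueError(f"unknown type={key_type!r}")


def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, Section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B)."""
    if rdata[3] == 1:  # RSA/MD5 keeps its historical definition (Appendix B.1)
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical owner name: A-labels, lowercase, length-prefixed, root-terminated."""
    alabels = name.rstrip(".").encode("idna").lower()  # stdlib IDNA codec
    return b"".join(bytes([len(lab)]) + lab for lab in alabels.split(b".")) + b"\x00"


def ds_for(name, rdata):
    """(keyTag, alg, digestType, digest) of the DS RR for one owner name."""
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)


def expand_key(xml_text, bundle=BUNDLE):
    """Parse one <secCDNS:KEY>; return {name: [one DS tuple per keyData]}."""
    key = ET.fromstring(xml_text)
    explicit = [c.text.strip() for c in key.findall(SECCDNS + "CDN")]
    names = names_for(key.get("type"), explicit, bundle)
    out = {n: [] for n in names}
    for kd in key.findall(SECCDNS + "keyData"):
        def field(tag, kd=kd):
            return kd.find(SECDNS + tag).text.strip()
        rdata = dnskey_rdata(int(field("flags")), int(field("protocol")),
                             int(field("alg")), field("pubKey"))
        for n in names:
            out[n].append(ds_for(n, rdata))
    return out


if __name__ == "__main__":
    for name, records in expand_key(SAMPLE_KEY).items():
        for tag, alg, dtype, digest in records:
            print(f"{name}. IN DS {tag} {alg} {dtype} {digest}")
```

   The draft's sample key is algorithm 1 (RSA/MD5), whose key tag is
   defined specially in RFC 4034, Appendix B.1; the example keeps that
   case so the draft's own numbers can be fed through it.  A registry
   accepting new delegations should nevertheless refuse RSA/MD5 keys and
   SHA-1 DS digests, which later DNSSEC algorithm guidance (RFC 8624)
   marks as "MUST NOT" for generation.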


6.  EPP Command Mapping

   A detailed description of the EPP syntax and semantics can be found
   in the EPP core protocol specification [RFC5730].  The command
   mappings described here are specifically for use in provisioning and
   managing DNS security extensions for CDNs via EPP.


6.1.  EPP Query Commands

   EPP provides three commands to retrieve domain information: <check>
   to determine if a domain object can be provisioned within a
   repository, <info> to retrieve detailed information associated with a
   domain object, and <transfer> to retrieve domain-object transfer
   status information.

6.1.1.  EPP <check> Command

   This extension does not add any elements to the EPP <check> command
   or <check> response described in the EPP domain name mapping
   [RFC5731] and [RFC5910].

6.1.2.  EPP <info> Command

   This extension does not add any elements to the EPP <info> command
   described in the EPP domain mapping [RFC5731] and [RFC5910].
   However, additional elements are defined for the <info> response.

   When an <info> command has been processed successfully, the EPP
   <resData> element MUST contain child elements as described in the EPP
   domain mapping [RFC5731].  In addition, if the domain object has data
   associated with this extension and server policy allows it, the EPP
   <extension> element SHOULD contain a child <secCDNS:infData> element
   that identifies the extension namespace.  The <secCDNS:infData>
   element contains the following child elements:

   o  An OPTIONAL <secCDNS:maxSigLife> element that indicates the
      child's preference for the number of seconds after signature
      generation when the parent's signature on the DS information
      provided by the child will expire.  maxSigLife is described in
      Section 3.3 of [RFC5910].

   o  Zero or more <secCDNS:DS> elements.  Child elements of the
      <secCDNS:DS> element are described in Section 5.1.

   o  Zero or more <secCDNS:KEY> elements.  Child elements of the
      <secCDNS:KEY> element are described in Section 5.2.

   Example <info> Response for a Secure Delegation Using the DS Data
   Interface:

   S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
   S:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   S:  <response>
   S:    <result code="1000">
   S:      <msg>Command completed successfully</msg>
   S:    </result>
   S:    <resData>
   S:      <domain:infData
   S:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   S:        <domain:name>
   S:          "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:name>
   S:        <domain:roid>123456-domain</domain:roid>
   S:        <domain:status s="ok"/>
   S:        <domain:registrant>123CN</domain:registrant>
   S:        <domain:contact type="admin">helloChina</domain:contact>
   S:        <domain:contact type="tech">helloChina</domain:contact>
   S:        <domain:ns>
   S:          <domain:hostObj>ns1.china</domain:hostObj>
   S:          <domain:hostObj>ns2.china</domain:hostObj>
   S:        </domain:ns>
   S:        <domain:host>
   S:          ns1."U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:host>
   S:        <domain:host>
   S:          ns2."U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:host>
   S:        <domain:clID>ClientX</domain:clID>
   S:        <domain:crID>ClientY</domain:crID>
   S:        <domain:crDate>2010-04-03T22:00:00.0Z</domain:crDate>
   S:        <domain:upID>ClientX</domain:upID>
   S:        <domain:upDate>2010-12-03T09:00:00.0Z</domain:upDate>
   S:        <domain:exDate>2012-04-03T22:00:00.0Z</domain:exDate>
   S:        <domain:trDate>2011-02-08T09:00:00.0Z</domain:trDate>
   S:        <domain:authInfo>
   S:          <domain:pw>abc123</domain:pw>
   S:        </domain:authInfo>
   S:      </domain:infData>
   S:    </resData>
   S:    <extension>
   S:      <secCDNS:infData
   S:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0">
   S:        <secCDNS:maxSigLife>604800</secCDNS:maxSigLife>
   S:        <secCDNS:DS>
   S:          <secCDNS:CDN>
   S:            "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</secCDNS:CDN>
   S:          <secCDNS:dsData>
   S:            <secDNS:keyTag>12345</secDNS:keyTag>
   S:            <secDNS:alg>3</secDNS:alg>
   S:            <secDNS:digestType>1</secDNS:digestType>
   S:            <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
   S:          </secCDNS:dsData>
   S:        </secCDNS:DS>
   S:        <secCDNS:DS>
   S:          <secCDNS:CDN>
   S:            "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</secCDNS:CDN>
   S:          <secCDNS:dsData>
   S:            <secDNS:keyTag>2765</secDNS:keyTag>
   S:            <secDNS:alg>3</secDNS:alg>
   S:            <secDNS:digestType>1</secDNS:digestType>
   S:            <secDNS:digest>ABCTFAGFHKLOGI34</secDNS:digest>
   S:          </secCDNS:dsData>
   S:          <secCDNS:dsData>
   S:            <secDNS:keyTag>23789</secDNS:keyTag>
   S:            <secDNS:alg>3</secDNS:alg>
   S:            <secDNS:digestType>1</secDNS:digestType>
   S:            <secDNS:digest>VHGKAUGYAIUGUIAGU</secDNS:digest>
   S:          </secCDNS:dsData>
   S:        </secCDNS:DS>
   S:      </secCDNS:infData>
   S:    </extension>
   S:    <trID>
   S:      <clTRID>ABC-12345</clTRID>
   S:      <svTRID>54322-XYZ</svTRID>
   S:    </trID>
   S:  </response>
   S:</epp>

   Example <info> Response for a Secure Delegation Using the Key Data
   Interface:

   S:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   S:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
   S:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   S:  <response>
   S:    <result code="1000">
   S:      <msg>Command completed successfully</msg>
   S:    </result>
   S:    <resData>
   S:      <domain:infData
   S:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   S:        <domain:name>
   S:          "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:name>
   S:        <domain:roid>123456-domain</domain:roid>
   S:        <domain:status s="ok"/>
   S:        <domain:registrant>123CN</domain:registrant>
   S:        <domain:contact type="admin">helloChina</domain:contact>
   S:        <domain:contact type="tech">helloChina</domain:contact>
   S:        <domain:ns>
   S:          <domain:hostObj>ns1.china</domain:hostObj>
   S:          <domain:hostObj>ns2.china</domain:hostObj>
   S:        </domain:ns>
   S:        <domain:host>
   S:          ns1."U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:host>
   S:        <domain:host>
   S:          ns2."U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:host>
   S:        <domain:clID>ClientX</domain:clID>
   S:        <domain:crID>ClientY</domain:crID>
   S:        <domain:crDate>2010-04-03T22:00:00.0Z</domain:crDate>
   S:        <domain:upID>ClientX</domain:upID>
   S:        <domain:upDate>2010-12-03T09:00:00.0Z</domain:upDate>
   S:        <domain:exDate>2012-04-03T22:00:00.0Z</domain:exDate>
   S:        <domain:trDate>2011-02-08T09:00:00.0Z</domain:trDate>
   S:        <domain:authInfo>
   S:          <domain:pw>abc123</domain:pw>
   S:        </domain:authInfo>
   S:      </domain:infData>
   S:    </resData>
   S:    <extension>
   S:      <secCDNS:infData
   S:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0">
   S:        <secCDNS:KEY type="all">
   S:          <secCDNS:keyData>
   S:            <secDNS:flags>257</secDNS:flags>
   S:            <secDNS:protocol>3</secDNS:protocol>
   S:            <secDNS:alg>1</secDNS:alg>
   S:            <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
   S:          </secCDNS:keyData>
   S:        </secCDNS:KEY>
   S:      </secCDNS:infData>
   S:    </extension>
   S:    <trID>
   S:      <clTRID>ABC-12345</clTRID>
   S:      <svTRID>54322-XYZ</svTRID>
   S:    </trID>
   S:  </response>
   S:</epp>

   An EPP error response MUST be returned if an <info> command cannot be
   processed for any reason.

6.1.3.  EPP <transfer> Command

   This extension does not add any elements to the EPP <transfer>
   command or <transfer> response described in the EPP domain name
   mapping [RFC5731] and [RFC5910].

6.2.  EPP Transform Commands

   EPP provides five commands to transform domain objects: <create> to
   create an instance of a domain object, <delete> to delete an instance
   of a domain object, <renew> to extend the validity period of a domain
   object, <transfer> to manage domain object sponsorship changes, and
   <update> to change information associated with a domain object.

6.2.1.  EPP <create> Command

   This extension defines additional elements for the EPP <create>
   command described in the EPP domain mapping [RFC5731] and [RFC5910].
   No additional elements are defined for the EPP <create> response.

   The EPP <create> command provides a transform operation that allows a
   client to create a domain object.  In addition to the EPP command
   elements described in the EPP domain mapping [RFC5731], the command
   MUST contain an <extension> element, and the <extension> element MUST
   contain a child <secCDNS:create> element that identifies the
   extension namespace if the client wants to associate data defined in
   this extension to the domain object.  The <secCDNS:create> element
   contains the following child elements:

   o  An OPTIONAL <secCDNS:maxSigLife> element that indicates the
      child's preference for the number of seconds after signature
      generation when the parent's signature on the DS information
      provided by the child will expire.  maxSigLife is described in
      Section 3.3 of [RFC5910].  If the server does not support the
      <secCDNS:maxSigLife> element, a 2102 error MUST be returned.

   o  Zero or more <secCDNS:DS> elements.  Child elements of the
      <secCDNS:DS> element are described in Section 5.1.

   o  Zero or more <secCDNS:KEY> elements.  Child elements of the
      <secCDNS:KEY> element are described in Section 5.2.

   Example <create> Command for a Secure Delegation Using the DS Data
   Interface:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   C:  <command>
   C:    <create>
   C:      <domain:create
   C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   C:        <domain:name>
   C:          "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:name>
   C:        <domain:period unit="y">2</domain:period>
   C:        <domain:registrant>123</domain:registrant>
   C:        <domain:contact type="admin">123</domain:contact>
   C:        <domain:contact type="tech">123</domain:contact>
   C:        <domain:authInfo>
   C:          <domain:pw>2fooBAR</domain:pw>
   C:        </domain:authInfo>
   C:      </domain:create>
   C:    </create>
   C:    <extension>
   C:      <secCDNS:create
   C:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0">
   C:        <secCDNS:maxSigLife>604800</secCDNS:maxSigLife>
   C:        <secCDNS:DS>
   C:          <secCDNS:CDN>
   C:            "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</secCDNS:CDN>
   C:          <secCDNS:dsData>
   C:            <secDNS:keyTag>12345</secDNS:keyTag>
   C:            <secDNS:alg>3</secDNS:alg>
   C:            <secDNS:digestType>1</secDNS:digestType>
   C:            <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
   C:          </secCDNS:dsData>
   C:        </secCDNS:DS>
   C:      </secCDNS:create>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Example <create> Command for a Secure Delegation Using the Key Data
   Interface:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
   C:  <command>
   C:    <create>
   C:      <domain:create
   C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   C:        <domain:name>
   C:          "U+5B9E""U+4F8B"."U+4E2D""U+56FD"</domain:name>
   C:        <domain:period unit="y">2</domain:period>
   C:        <domain:registrant>123</domain:registrant>
   C:        <domain:contact type="admin">123</domain:contact>
   C:        <domain:contact type="tech">123</domain:contact>
   C:        <domain:authInfo>
   C:          <domain:pw>2fooBAR</domain:pw>
   C:        </domain:authInfo>
   C:      </domain:create>
   C:    </create>
   C:    <extension>
   C:      <secCDNS:create
   C:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0">
   C:        <secCDNS:maxSigLife>604800</secCDNS:maxSigLife>
   C:        <secCDNS:KEY type="all">
   C:          <secCDNS:keyData>
   C:            <secDNS:flags>257</secDNS:flags>
   C:            <secDNS:protocol>3</secDNS:protocol>
   C:            <secDNS:alg>1</secDNS:alg>
   C:            <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
   C:          </secCDNS:keyData>
   C:        </secCDNS:KEY>
   C:      </secCDNS:create>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   When a <create> command has been processed successfully, the EPP
   response is as described in the EPP domain mapping [RFC5731].

   An EPP error response MUST be returned if a <create> command cannot
   be processed for any reason.

6.2.2.  EPP <delete> Command

   This extension does not add any elements to the EPP <delete> command
   or <delete> response described in the EPP domain mapping [RFC5731].


6.2.3.  EPP <renew> Command

   This extension does not add any elements to the EPP <renew> command
   or <renew> response described in the EPP domain mapping [RFC5731].

6.2.4.  EPP <transfer> Command

   This extension does not add any elements to the EPP <transfer>
   command or <transfer> response described in the EPP domain mapping
   [RFC5731].

6.2.5.  EPP <update> Command

   This extension defines additional elements for the EPP <update>
   command described in the EPP domain mapping [RFC5731].  No additional
   elements are defined for the EPP <update> response.

   The EPP <update> command provides a transform operation that allows a
   client to modify the attributes of a domain object.  In addition to
   the EPP command elements described in the EPP domain mapping, the
   command MUST contain an <extension> element, and the <extension>
   element MUST contain a child <secCDNS:update> element that identifies
   the extension namespace if the client wants to update the domain
   object with data defined in this extension.  The <secCDNS:update>
   element contains a <secCDNS:add> element to add security information
   to a delegation, a <secCDNS:rem> element to remove security
   information from a delegation, or a <secCDNS:chg> element to change
   existing security information.  At least one <secCDNS:add>, <secCDNS:
   rem>, or <secCDNS:chg> element MUST be provided.  The order of the
   <secCDNS:rem> and <secCDNS:add> elements is significant, where the
   server MUST first remove the existing elements prior to adding the
   new elements.

   The <secCDNS:update> element contains the following child elements:

   o  An OPTIONAL <secCDNS:rem> element that contains a <secDNS:all>
      element, or one or more <secCDNS:DS> or <secCDNS:KEY> elements,
      that are used to remove security data from a delegation.

      *  The <secDNS:all> element is described in Section 5.2.5 of
         [RFC5910].

      *  The <secCDNS:DS> element is part of the DS Data Interface and
         is used to uniquely identify the DS record to be removed for
         the named CDN, by using all four elements -- <secDNS:keyTag>,
         <secDNS:alg>, <secDNS:digestType>, and <secDNS:digest> -- that
         together are guaranteed to be unique.

      *  The <secCDNS:KEY> element is part of the Key Data Interface and
         is used to uniquely identify the key data to be removed, by
         using all four elements -- <secDNS:flags>, <secDNS:protocol>,
         <secDNS:alg>, and <secDNS:pubKey> -- that together are
         guaranteed to be unique.  More than one DS record can be
         created for each key, so removing a key could remove more than
         one DS record.

   o  An OPTIONAL <secCDNS:add> element that is used to add security
      information to an existing set.  The <secCDNS:add> element MUST
      contain one or more <secCDNS:DS> or <secCDNS:KEY> elements.  Child
      elements of the <secCDNS:DS> element are described in Section 5.1.
      Child elements of the <secCDNS:KEY> element are described in
      Section 5.2.

   o  The OPTIONAL <secCDNS:chg> element has the same meaning as the
      OPTIONAL <secDNS:chg> element described in Section 5.2.5 of
      [RFC5910].

   Example <update> Command, Adding and Removing DS Data Using the DS
   Data Interface:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
   C:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   C:  <command>
   C:    <update>
   C:      <domain:update
   C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   C:        <domain:name>
   C:          "U+5B9E""U+4f8b"."U+4E2D""U+56FD"</domain:name>
   C:      </domain:update>
   C:    </update>
   C:    <extension>
   C:      <secCDNS:update
   C:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"
   C:       xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
   C:        <secCDNS:rem>
   C:          <secCDNS:DS>
   C:            <secCDNS:CDN>
   C:              "U+5B9E""U+4f8b"."U+4E2D""U+56FD"</secCDNS:CDN>
   C:            <secCDNS:dsData>
   C:              <secDNS:keyTag>12345</secDNS:keyTag>
   C:              <secDNS:alg>3</secDNS:alg>
   C:              <secDNS:digestType>1</secDNS:digestType>
   C:              <secDNS:digest>38EC35D5B3A34B33C99B</secDNS:digest>
   C:            </secCDNS:dsData>
   C:          </secCDNS:DS>
   C:        </secCDNS:rem>
   C:        <secCDNS:add>
   C:          <secCDNS:DS>
   C:            <secCDNS:CDN>
   C:              "U+5B9E""U+4f8b"."U+4E2D""U+56FD"</secCDNS:CDN>
   C:            <secCDNS:dsData>
   C:              <secDNS:keyTag>34723</secDNS:keyTag>
   C:              <secDNS:alg>3</secDNS:alg>
   C:              <secDNS:digestType>1</secDNS:digestType>
   C:              <secDNS:digest>FYUGCFIUACVH</secDNS:digest>
   C:            </secCDNS:dsData>
   C:          </secCDNS:DS>
   C:        </secCDNS:add>
   C:      </secCDNS:update>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Example <update> Command, Updating the maxSigLife:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
   C:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   C:  <command>
   C:    <update>
   C:      <domain:update
   C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   C:        <domain:name>
   C:          "U+5B9E""U+4f8b"."U+4E2D""U+56FD"</domain:name>
   C:      </domain:update>
   C:    </update>
   C:    <extension>
   C:      <secCDNS:update
   C:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"
   C:       xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
   C:        <secCDNS:chg>
   C:            <secDNS:maxSigLife>605900</secDNS:maxSigLife>
   C:        </secCDNS:chg>
   C:      </secCDNS:update>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Example <update> Command, Adding and Removing Key Data Using the Key
   Data Interface, and Setting maxSigLife:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
   C:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   C:  <command>
   C:    <update>
   C:      <domain:update
   C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   C:        <domain:name>
   C:          "U+5B9E""U+4f8b"."U+4E2D""U+56FD"</domain:name>
   C:      </domain:update>
   C:    </update>
   C:    <extension>
   C:      <secCDNS:update
   C:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"
   C:       xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
   C:        <secCDNS:rem>
   C:          <secCDNS:KEY type="all">
   C:            <secCDNS:keyData>
   C:              <secDNS:flags>257</secDNS:flags>
   C:              <secDNS:protocol>3</secDNS:protocol>
   C:              <secDNS:alg>1</secDNS:alg>
   C:              <secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey>
   C:            </secCDNS:keyData>
   C:          </secCDNS:KEY>
   C:        </secCDNS:rem>
   C:        <secCDNS:chg>
   C:          <secDNS:maxSigLife>605900</secDNS:maxSigLife>
   C:        </secCDNS:chg>
   C:      </secCDNS:update>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   Example <update> Command, Removing all DS and Key Data Using
   <secCDNS:rem> with <secCDNS:all>:

   C:<?xml version="1.0" encoding="UTF-8" standalone="no"?>
   C:<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
   C:     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   C:  <command>
   C:    <update>
   C:      <domain:update
   C:       xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
   C:        <domain:name>
   C:          "U+5B9E""U+4f8b"."U+4E2D""U+56FD"</domain:name>
   C:      </domain:update>
   C:    </update>
   C:    <extension>
   C:      <secCDNS:update urgent="true"
   C:       xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0">
   C:        <secCDNS:rem>
   C:          <secCDNS:all>true</secCDNS:all>
   C:        </secCDNS:rem>
   C:      </secCDNS:update>
   C:    </extension>
   C:    <clTRID>ABC-12345</clTRID>
   C:  </command>
   C:</epp>

   When an extended <update> command has been processed successfully,
   the EPP response is as described in the EPP domain name mapping
   [RFC5731].
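   The rem-then-add processing rule described for <secCDNS:update>
   above, as an added example in Python that is not part of this draft:
   a small server-side model that applies the rem, add, and chg parts of
   one update to a delegation's security data, replaying the DS swap
   from the first <update> example and a key removal that takes two DS
   records with it.  The data model (DS and key records as tuples, a
   server-kept map from each key to the DS records derived from it) and
   the rejection of removals that match nothing are assumptions made for
   the illustration; the digest values in the key-removal case are
   constructed placeholders.

```python
"""Added example, not code from draft-kong-epp-cdn-dnssec-mapping: a
server-side model of applying one <secCDNS:update> to a delegation.  The
rem-before-add ordering, the "at least one of rem/add/chg" rule and the
"removing a key removes every DS derived from it" behaviour come from the
draft; the data model (records as tuples, a server-kept map from each key to
its derived DS records) and the rejection of removals that match nothing are
assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Optional

# (keyTag, alg, digestType, digest): the four secDNS:dsData fields.
DSRecord = tuple
# (flags, protocol, alg, pubKey): the four secDNS:keyData fields.
KeyRecord = tuple


class UpdateError(ValueError):
    """Raised where a server would answer with an EPP error result."""


@dataclass
class Delegation:
    ds: set = field(default_factory=set)       # DS records published for the CDN
    keys: dict = field(default_factory=dict)   # KeyRecord -> set of derived DSRecord
    max_sig_life: Optional[int] = None


@dataclass
class UpdateExtension:
    """The parts of <secCDNS:update>; every part is optional on its own."""
    rem_all: bool = False
    rem_ds: list = field(default_factory=list)
    rem_keys: list = field(default_factory=list)
    add_ds: list = field(default_factory=list)
    add_keys: list = field(default_factory=list)   # (KeyRecord, [derived DSRecord, ...])
    chg_max_sig_life: Optional[int] = None


def apply_update(d: Delegation, u: UpdateExtension) -> Delegation:
    """Apply rem, then add, then chg; the draft requires rem to precede add."""
    has_rem = u.rem_all or bool(u.rem_ds) or bool(u.rem_keys)
    has_add = bool(u.add_ds) or bool(u.add_keys)
    has_chg = u.chg_max_sig_life is not None
    if not (has_rem or has_add or has_chg):
        raise UpdateError("at least one of rem, add or chg MUST be provided")
    if u.rem_all and (u.rem_ds or u.rem_keys):
        raise UpdateError("rem is a choice: <all> or DS/KEY elements, not both")

    # Step 1: removals.  Doing these first means an update that removes and
    # re-adds the same record leaves the record present afterwards.
    if u.rem_all:
        d.ds.clear()
        d.keys.clear()
    for rec in u.rem_ds:
        if rec not in d.ds:   # policy choice of this model: reject, do not ignore
            raise UpdateError(f"DS {rec} is not associated with the delegation")
        d.ds.discard(rec)
    for key in u.rem_keys:
        if key not in d.keys:
            raise UpdateError(f"key {key} is not associated with the delegation")
        # Several DS records may have been created for one key (for instance
        # one per digest type), so removing the key removes all of them.
        d.ds -= d.keys.pop(key)

    # Step 2: additions.
    d.ds.update(u.add_ds)
    for key, derived in u.add_keys:
        d.keys[key] = set(derived)
        d.ds.update(derived)

    # Step 3: change of maxSigLife.
    if has_chg:
        d.max_sig_life = u.chg_max_sig_life
    return d


def demo() -> tuple:
    """Replay the draft's first example (swap one DS for another) and a key
    removal that takes two derived DS records with it (constructed values)."""
    old_ds = (12345, 3, 1, "38EC35D5B3A34B33C99B")
    new_ds = (34723, 3, 1, "FYUGCFIUACVH")
    d = Delegation(ds={old_ds})
    apply_update(d, UpdateExtension(rem_ds=[old_ds], add_ds=[new_ds]))

    key = (257, 3, 1, "AQPJ////4Q==")
    ds_sha1 = (11111, 1, 1, "CONSTRUCTED-SHA1-DIGEST")       # constructed
    ds_sha256 = (11111, 1, 2, "CONSTRUCTED-SHA256-DIGEST")   # constructed
    k = Delegation(ds={ds_sha1, ds_sha256, new_ds}, keys={key: {ds_sha1, ds_sha256}})
    apply_update(k, UpdateExtension(rem_keys=[key], chg_max_sig_life=605900))
    return d, k


if __name__ == "__main__":
    for deleg in demo():
        print(sorted(deleg.ds), deleg.keys, deleg.max_sig_life)
```

   Running the module prints the two resulting delegations; apply_update
   raises UpdateError at the points where a server would return an EPP
   error result instead of applying a partial update.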


7.  Formal Syntax

   An EPP object mapping is specified in XML Schema notation.  The
   formal syntax presented here is a complete schema representation of
   the object mapping suitable for automated validation of EPP XML
   instances.  The BEGIN and END tags are not part of the schema; they
   are used to note the beginning and ending of the schema for URI
   registration purposes.

   BEGIN
   <?xml version="1.0" encoding="UTF-8"?>
   <schema
     targetNamespace="urn:ietf:params:xml:ns:secCDNS-1.0"
     xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"
     xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
     xmlns:epp="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:eppcom="urn:ietf:params:xml:ns:eppcom-1.0"
     xmlns="http://www.w3.org/2001/XMLSchema"
     elementFormDefault="qualified">

     <annotation>
       <documentation>
         Extensible Provisioning Protocol v1.0
         domain name extension schema
         for provisioning DNS security (DNSSEC) extensions for CDNs.
       </documentation>
     </annotation>

     <import namespace="urn:ietf:params:xml:ns:eppcom-1.0"/>
     <import namespace="urn:ietf:params:xml:ns:epp-1.0"/>
     <import namespace="urn:ietf:params:xml:ns:secDNS-1.1"/>

     <!--
     Child elements found in EPP commands.
     -->
     <element name="create" type="secCDNS:createType"/>
     <element name="update" type="secCDNS:updateType"/>

     <!--
     Child elements of the <create> element.
     -->
     <complexType name="createType">
       <sequence>
         <element name="maxSigLife" type="secDNS:maxSigLifeType"
         minOccurs="0"/>
         <choice>
           <element name="DS" type="secCDNS:DSType"
           maxOccurs="unbounded"/>
           <element name="KEY" type="secCDNS:KEYType"
           maxOccurs="unbounded"/>
         </choice>
       </sequence>
     </complexType>

     <!--
     Child elements of the <update> element.
     -->
     <complexType name="updateType">
       <sequence>
         <element name="rem" type="secCDNS:remType"
         minOccurs="0"/>
         <element name="add" type="secCDNS:createType"
         minOccurs="0"/>
         <element name="chg" type="secDNS:chgType"
         minOccurs="0"/>
       </sequence>
     </complexType>

     <!--
     Child elements of the <update:rem> element.
     -->
     <complexType name="remType">
       <choice>
         <element name="all" type="boolean"/>
         <element name="DS" type="secCDNS:DSType"
         maxOccurs="unbounded"/>
         <element name="KEY" type="secCDNS:KEYType"
         maxOccurs="unbounded"/>
       </choice>
     </complexType>

     <!--
     Child elements supporting the dsData interface.
     -->
     <complexType name="DSType">
       <sequence>
         <element name="CDN" type="eppcom:labelType" />
         <element name="dsData" type="secDNS:dsDataType"
         maxOccurs="unbounded"/>
       </sequence>
     </complexType>

     <!--
     Child elements supporting the keyData interface.
     -->
     <complexType name="KEYType">
       <sequence>
         <element name="CDN" type="eppcom:labelType"
         minOccurs="0" maxOccurs="unbounded"/>
         <element name="keyData" type="secDNS:keyDataType"
         maxOccurs="unbounded"/>
       </sequence>
       <attribute name="type" type="secCDNS:dataEnumType"
       use="required"/>
     </complexType>

     <simpleType name="dataEnumType">
       <restriction base="token">
         <enumeration value="custom"/>
         <enumeration value="vcset"/>
         <enumeration value="all"/>
       </restriction>
     </simpleType>

     <!--
     Child response elements.
     -->
     <element name="infData" type="secCDNS:createType"/>

   </schema>
   END
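
   The schema above, as an added Python example that is not part of this
   draft: a structural checker for one <secCDNS:update> element that
   mirrors the constraints the schema expresses (rem, add and chg in
   that order with at least one present; <all> or DS/KEY elements under
   rem, and only one branch of each <choice>; CDN followed by dsData
   under DS; the required type attribute of KEY drawn from
   dataEnumType).  It is not a substitute for XML Schema validation,
   which also needs the imported secDNS-1.1 and eppcom-1.0 schemas; the
   two sample requests are constructed for this example, using the code
   points of the draft's example name as an actual label.

```python
"""Added example, not code from the draft: structural checks on one
<secCDNS:update> element mirroring the Section 7 schema (rem/add/chg order,
<all> versus DS/KEY under rem, one branch of each <choice>, CDN then dsData
under DS, KEY's required 'type' from dataEnumType).  Not a substitute for XML
Schema validation, which also needs the imported secDNS-1.1 and eppcom-1.0
schemas.  The sample requests below are constructed for this example."""
import xml.etree.ElementTree as ET

SECCDNS = "urn:ietf:params:xml:ns:secCDNS-1.0"
SECDNS = "urn:ietf:params:xml:ns:secDNS-1.1"
KEY_TYPES = {"custom", "vcset", "all"}   # secCDNS:dataEnumType


def q(ns, name):
    return "{%s}%s" % (ns, name)


def local(tag):
    return tag.rsplit("}", 1)[-1]


def check_ds(ds, where, problems):
    """DSType: exactly one CDN, then one or more dsData."""
    tags = [c.tag for c in ds]
    if not tags or tags[0] != q(SECCDNS, "CDN"):
        problems.append(f"{where}: DS must start with <secCDNS:CDN>")
    if not tags[1:] or any(t != q(SECCDNS, "dsData") for t in tags[1:]):
        problems.append(f"{where}: DS needs one or more <secCDNS:dsData> after CDN")


def check_key(key, where, problems):
    """KEYType: required type attribute, zero or more CDN, then one or more keyData."""
    if key.get("type") not in KEY_TYPES:
        problems.append(f"{where}: KEY type attribute must be one of {sorted(KEY_TYPES)}")
    tags = [c.tag for c in key]
    n = 0
    while n < len(tags) and tags[n] == q(SECCDNS, "CDN"):
        n += 1
    if not tags[n:] or any(t != q(SECCDNS, "keyData") for t in tags[n:]):
        problems.append(f"{where}: KEY needs one or more <secCDNS:keyData> after any CDN")


def check_ds_or_key(elems, where, problems):
    """The schema's <choice>: all DS or all KEY, never mixed and never empty."""
    kinds = {local(e.tag) for e in elems}
    if len(kinds) != 1 or not kinds <= {"DS", "KEY"}:
        problems.append(f"{where}: needs one or more DS elements or one or more KEY elements")
        return
    for e in elems:
        (check_ds if kinds == {"DS"} else check_key)(e, where, problems)


def check_update(xml_text):
    """Return the list of constraint violations found (empty means none)."""
    root = ET.fromstring(xml_text)
    if root.tag != q(SECCDNS, "update"):
        return [f"root element is {root.tag}, expected <secCDNS:update>"]
    problems = []
    seen = [local(c.tag) for c in root]
    if not seen:
        problems.append("update: at least one of rem, add or chg MUST be provided")
    elif seen != [n for n in ("rem", "add", "chg") if n in seen]:
        problems.append(f"update: children must be rem?, add?, chg? in that order, got {seen}")
    for child in root:
        name, kids = local(child.tag), list(child)
        if name == "rem":
            if any(local(k.tag) == "all" for k in kids):
                if len(kids) != 1:
                    problems.append("rem: <all> cannot be combined with DS or KEY elements")
            else:
                check_ds_or_key(kids, "rem", problems)
        elif name == "add":
            if kids and kids[0].tag == q(SECCDNS, "maxSigLife"):
                kids = kids[1:]                  # optional, and only as the first child
            check_ds_or_key(kids, "add", problems)
        elif name == "chg":
            if [k.tag for k in kids] not in ([], [q(SECDNS, "maxSigLife")]):
                problems.append("chg: at most one <secDNS:maxSigLife> is allowed")
    return problems


# Constructed request: the draft's first example, with a KEY added and a chg.
GOOD = """<secCDNS:update xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"
                xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
  <secCDNS:rem><secCDNS:DS><secCDNS:CDN>实例.中国</secCDNS:CDN>
    <secCDNS:dsData><secDNS:keyTag>12345</secDNS:keyTag><secDNS:alg>3</secDNS:alg>
      <secDNS:digestType>1</secDNS:digestType>
      <secDNS:digest>38EC35D5B3A34B33C99B</secDNS:digest></secCDNS:dsData>
  </secCDNS:DS></secCDNS:rem>
  <secCDNS:add><secCDNS:KEY type="vcset">
    <secCDNS:keyData><secDNS:flags>257</secDNS:flags><secDNS:protocol>3</secDNS:protocol>
      <secDNS:alg>1</secDNS:alg><secDNS:pubKey>AQPJ////4Q==</secDNS:pubKey></secCDNS:keyData>
  </secCDNS:KEY></secCDNS:add>
  <secCDNS:chg><secDNS:maxSigLife>605900</secDNS:maxSigLife></secCDNS:chg>
</secCDNS:update>"""

# Constructed request with two violations: <all> mixed with a DS under rem,
# and a KEY without its required type attribute.
BAD = """<secCDNS:update xmlns:secCDNS="urn:ietf:params:xml:ns:secCDNS-1.0"
               xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
  <secCDNS:rem><secCDNS:all>true</secCDNS:all>
    <secCDNS:DS><secCDNS:CDN>实例.中国</secCDNS:CDN></secCDNS:DS></secCDNS:rem>
  <secCDNS:add><secCDNS:KEY><secCDNS:keyData>
    <secDNS:flags>257</secDNS:flags></secCDNS:keyData></secCDNS:KEY></secCDNS:add>
</secCDNS:update>"""
```

   check_update(GOOD) returns an empty list and check_update(BAD)
   returns two messages, one for each violation.  The checker looks only
   at the element structure this schema defines; the contents of dsData
   and keyData belong to the secDNS-1.1 types and are left to that
   schema.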


8.  Internationalization Considerations

   EPP is represented in XML, which provides native support for encoding
   information using the Unicode character set and its more compact
   representations including UTF-8.  Conformant XML processors recognize
   both UTF-8 and UTF-16.  Though XML includes provisions to identify
   and use other character encodings through use of an "encoding"
   attribute in an <?xml?> declaration, use of UTF-8 is RECOMMENDED.

   As an extension of the EPP domain name mapping, the elements and
   element content described in this document MUST inherit the
   internationalization conventions used to represent higher-layer
   domain and core protocol structures present in an XML instance that
   includes this extension.


9.  IANA Considerations

   This document uses URNs to describe XML namespaces and XML schemas
   conforming to a registry mechanism described in [RFC3688].  IANA is
   requested to assign the following two URIs.

   Registration request for the CDN namespace:

   o  URI: urn:ietf:params:xml:ns:secCDNS-1.0

   o  Registrant Contact: See the "Author's Address" section of this
      document.

   o  XML: None.  Namespace URI does not represent an XML specification.

   Registration request for the CDN XML schema:

   o  URI: urn:ietf:params:xml:schema:secCDNS-1.0

   o  Registrant Contact: See the "Author's Address" section of this
      document.

   o  XML: See the "Formal Syntax" section of this document.


10.  Security Considerations

   The object mapping extension described in this document does not
   provide any other security services or introduce any additional
   considerations beyond those described by [RFC5730], [RFC5731], and
   [RFC5910], or those caused by the protocol layers used by EPP.


11.  Acknowledgements

   The authors especially thank the authors of [RFC5730], [RFC5731], and
   [RFC5910].


12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              January 2004.

   [RFC5730]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
              STD 69, RFC 5730, August 2009.

   [RFC5731]  Hollenbeck, S., "Extensible Provisioning Protocol (EPP)
              Domain Name Mapping", STD 69, RFC 5731, August 2009.

   [RFC5890]  Klensin, J., "Internationalized Domain Names for
              Applications (IDNA): Definitions and Document Framework",
              RFC 5890, August 2010.

   [RFC5891]  Klensin, J., "Internationalized Domain Names in
              Applications (IDNA): Protocol", RFC 5891, August 2010.

   [RFC5892]  Faltstrom, P., "The Unicode Code Points and
              Internationalized Domain Names for Applications (IDNA)",
              RFC 5892, August 2010.

   [RFC5910]  Gould, J. and S. Hollenbeck, "Domain Name System (DNS)
              Security Extensions Mapping for the Extensible
              Provisioning Protocol (EPP)", RFC 5910, May 2010.

   [W3C.REC-xml-20040204]
              Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., and
              F. Yergeau, "Extensible Markup Language (XML) 1.0 (Third
              Edition)", World Wide Web Consortium FirstEdition REC-xml-
              20040204, February 2004,
              <http://www.w3.org/TR/2004/REC-xml-20040204>.

   [W3C.REC-xmlschema-1-20041028]
              Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
              "XML Schema Part 1: Structures Second Edition", World Wide
              Web Consortium Recommendation REC-xmlschema-1-20041028,
              October 2004,
              <http://www.w3.org/TR/2004/REC-xmlschema-1-20041028>.

   [W3C.REC-xmlschema-2-20041028]
              Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
              Second Edition", World Wide Web Consortium Recommendation
              REC-xmlschema-2-20041028, October 2004,
              <http://www.w3.org/TR/2004/REC-xmlschema-2-20041028>.

12.2.  Informative References

   [RFC3743]  Konishi, K., Huang, K., Qian, H., and Y. Ko, "Joint
              Engineering Team (JET) Guidelines for Internationalized
              Domain Names (IDN) Registration and Administration for
              Chinese, Japanese, and Korean", RFC 3743, April 2004.

   [RFC4290]  Klensin, J., "Suggested Practices for Registration of
              Internationalized Domain Names (IDN)", RFC 4290,
              December 2005.


Authors' Addresses

   Jiagui Xie
   CNNIC
   4 South 4th Street, Zhongguancun, Haidian District
   Beijing, Beijing  100190
   China

   Phone: +86 10 5881 2639
   Email: xiejiagui@cnnic.cn


   Ning Kong
   CNNIC
   4 South 4th Street, Zhongguancun, Haidian District
   Beijing, Beijing  100190
   China

   Phone: +86 10 5881 3147
   Email: nkong@cnnic.cn


   Hongtao Li
   CNNIC
   4 South 4th Street, Zhongguancun, Haidian District
   Beijing, Beijing  100190
   China

   Phone: +86 10 5881 3164
   Email: lihongtao@cnnic.cn


   Xiaodong Lee
   CNNIC
   4 South 4th Street, Zhongguancun, Haidian District
   Beijing, Beijing  100190
   China

   Phone: +86 10 5881 3020
   Email: lee@cnnic.cn
