About this blog…

I am employed by Netnod as head of engineering, research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN. You can find CV and photos of me at this page.

As I wear so many hats, I find it necessary to express my personal views somewhere. This is the location where that happens. Postings on this blog, or on Facebook, Twitter etc., fall under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

epp launched in Sweden

I want to hereby congratulate the .SE registry for a successful move to the epp protocol on March 9. Sure, I have my personal view on what could be done differently, but overall, it ended up being a smooth transition.

Some things to think about for others who make this move (some things .SE did right, some things could have been better etc., so this is not a list of complaints about .SE, just a list…):

  • Ensure that there is a test server that can be used, always. When developing software that uses epp, one really needs a server to test against, so that the operations one performs do not end up running against the real registry.
  • Think in detail about which objects can be transferred and which cannot, specifically objects that relate to each other, such as domain and contact. When a domain is transferred, what happens to the contact object? Unfortunately, different registries using epp have chosen different designs, so possibly the RFCs have to be updated to clarify how this is to work.
  • Specify in great detail what requirements there are on attributes for the various objects. And of course give back proper response codes when some attribute values do not meet the requirements. Honestly, the largest problems when creating epp software have to do with more or less guessing how things fit together. It is extremely hard to come up with good examples of data to test on, so many things might fail when testing, but work when doing things for real (believe it or not), simply because the syntax for a telephone number or social security number might be wrong, or the IP addresses used for testing are RFC 1918 ones, etc.
  • The really interesting part, though, has been to see how epp really ties in with DNS, and specifically DNSSEC. This is where my main interest is. I have rewritten all the key management software I have been using to use epp instead of the email interface the registry used before. And it works (not so strange). The next problem, of course, is that the registries that can use epp are not (always) the same organisations that run DNS. How are DNS operators to communicate with the registrars? Use epp there as well, or something simplified? I am testing dynamic updates using http as the access mechanism, tying it together with DNSSEC so that the zones are re-signed after they are updated.

    But the overall architecture is complicated, and I am happy I have spent so much time thinking about it. And actually doing things. I myself dislike people just talking and not doing, so having things working makes me very happy.

    Now it is time to start working with plain DNS operators, and think about what to do next.
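
The test-data failures described in the list above (telephone number syntax, RFC 1918 addresses) can be caught locally before a fixture is sent to a test server. The following is an added example, not code from this post or from .SE; it assumes the phone syntax of the EPP contact schema in RFC 5733 (a registry may be stricter), and the fixture layout, ids and function names are hypothetical.

```python
import ipaddress
import re

# Phone syntax from the EPP contact mapping schema (RFC 5733, e164StringType):
# "+", 1-3 digit country code, ".", 1-14 digits, at most 17 characters in total.
EPP_PHONE = re.compile(r"\+[0-9]{1,3}\.[0-9]{1,14}")

def check_phone(value):
    """Return None if value fits the EPP phone syntax, otherwise a reason."""
    if len(value) > 17 or not EPP_PHONE.fullmatch(value):
        return f"phone {value!r} is not in +CC.NNN form"
    return None

def check_host_addr(value):
    """Return None if value is a usable host address, otherwise a reason."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return f"address {value!r} does not parse"
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return f"address {value!r} is private or local (e.g. RFC 1918)"
    return None

def preflight(fixtures):
    """Check every fixture; return a list of (fixture id, problem) pairs."""
    problems = []
    for fx in fixtures:
        checks = [check_phone(p) for p in fx.get("phones", [])]
        checks += [check_host_addr(a) for a in fx.get("addrs", [])]
        problems += [(fx["id"], c) for c in checks if c]
    return problems

# Constructed fixtures (hypothetical ids and values, not from any registry).
SAMPLE_FIXTURES = [
    {"id": "contact-ok", "phones": ["+46.855512345"]},
    {"id": "contact-bad", "phones": ["08-555 123 45"]},
    {"id": "host-ok", "addrs": ["8.8.8.8"]},
    {"id": "host-bad", "addrs": ["192.168.1.10", "not-an-ip"]},
]

if __name__ == "__main__":
    for fixture_id, problem in preflight(SAMPLE_FIXTURES):
        print(f"{fixture_id}: {problem}")
```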
