Hi Vernon

A couple of items:

1. I sent the following text to Paul, but it has missed making this
revision of the draft. Please add it into the next revision.

> In 4.1.1 (IP address encoding in triggers), I suggest adding:
>
> - The encoded address prefix MUST NOT have any extra trailing 1s
>   (longer address prefix than the prefix length) or the rule will be
>   rejected. E.g., the following trigger will be rejected:
>
>   8.1.0.0.10.rpz-client-ip
>
> Some minor nits:
>
> - Include an IPv4 example in 4.1.1 (IP address encoding in triggers)
> - Maybe include that "zz" label in v6 encoding can also appear on
>   either side of the address bits label sequence

2. BIND makes the assumption that a trigger is exclusive within a zone.
So for example, if a zone transfer of an RPZ zone has taken place, and
currently the RPZ summary datastructures are being updated, the
datastructures can contain policy rules partially from an older version
of the zone and partially from a newer version of the zone (from the
transfer). As long as the change to an entire RR of a policy rule is
applied atomically, to BIND this is a consistent set of policy rules
(some of the rules from the previous version of the zone, the remaining ones from the newer
version). This behavior is consistent with the RPZ rules so far, but it
would be wise to make a note of it.

(Note that this behavior is different from the old BIND RPZ
implementation and so you may not be familiar with it.)

                Mukund
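As an added illustration of the rule in item 1 (not part of the original message, nor of BIND's code): a small validator for IPv4 rpz-client-ip trigger owner names that rejects an encoded address with bits set beyond the stated prefix length, so 8.1.0.0.10.rpz-client-ip is refused while 8.0.0.0.10.rpz-client-ip is accepted. The trigger labels rpz-ip and rpz-nsip are taken from the RPZ draft, not from this message; the IPv6 encoding (with its "zz" label) is not handled here.

```python
import ipaddress

# Trigger labels that carry an encoded IP prefix (from the RPZ draft).
IP_TRIGGER_LABELS = {"rpz-client-ip", "rpz-ip", "rpz-nsip"}


def validate_rpz_ipv4_trigger(owner: str):
    """Validate an IPv4 RPZ trigger owner name such as 24.0.2.0.192.rpz-client-ip.

    Encoding: prefixlen.B4.B3.B2.B1.<trigger-label>[.zone], octets in reverse
    order. Returns (IPv4Network, None) if the rule is acceptable, or
    (None, reason) if it must be rejected.
    """
    labels = owner.rstrip(".").split(".")
    if len(labels) < 6:
        return None, "too few labels for an IPv4 trigger"
    if labels[5] not in IP_TRIGGER_LABELS:
        return None, f"unknown trigger label {labels[5]!r}"
    try:
        plen = int(labels[0])
        octets = [int(x) for x in labels[1:5]]
    except ValueError:
        return None, "prefix length and octets must be decimal integers"
    if not 0 <= plen <= 32:
        return None, f"prefix length {plen} out of range"
    if any(not 0 <= o <= 255 for o in octets):
        return None, "octet out of range"
    # Octets are encoded least-significant first, so reverse them.
    addr = ipaddress.IPv4Address(".".join(str(o) for o in reversed(octets)))
    # Any bit set below the prefix length is a "trailing 1" and the rule is rejected.
    host_mask = (1 << (32 - plen)) - 1
    if int(addr) & host_mask:
        return None, f"{addr} has bits set beyond /{plen}"
    return ipaddress.IPv4Network((addr, plen)), None


if __name__ == "__main__":
    for name in ("8.1.0.0.10.rpz-client-ip", "8.0.0.0.10.rpz-client-ip"):
        print(name, "->", validate_rpz_ipv4_trigger(name))
```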


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
