On Fri, Dec 30, 2016 at 11:45:23AM +0000, Vernon Schryver wrote:
> Then there is what should happen if a transfer of a policy zone
> happens between the time QNAME rules are checked and the generally
> later time when NSIP and NSDNAME rules are checked. The draft tries
> to pretend that all of the rules in all of the policy zones are
> checked instantaneously, and never mind real code or the delays forced
> by recursion. Words about these issues that are not BIND specific would
> probably be good, so please suggest some.
This is also a good point. Perhaps just saying that RPZ zone transfers are
not assumed to be atomic for the whole zone, but only at the RR/policy rule
level will suffice?

Paul mentioned during the RPZ bar/pub meeting that the purpose of this RFC
is to document BIND's behavior. BIND is not atomic in handling RPZ updates.
So the draft should explicitly state as unknown what happens during a zone
transfer when there are QNAME and NSIP triggers, where QNAME comes from a
previous revision of the zone and the NSIP comes from the next revision of
the zone.

Mukund
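The race Vernon and Mukund describe, as an added toy model that is not BIND code and not text from the draft: the zone revisions, names and addresses are constructed, and the `snapshot` option is a hypothetical knob showing what evaluating every trigger type against one zone revision (whole-zone atomicity) would look like next to per-rule atomicity.

```python
# Toy model of a policy zone transfer landing between the QNAME check and
# the later NSIP check of a single lookup. Everything here is constructed
# (names, addresses, rules); it is not BIND internals or draft text.
from dataclasses import dataclass, field


@dataclass
class PolicyZone:
    """One revision of an RPZ zone: QNAME triggers and NSIP triggers -> action."""
    serial: int
    qname: dict = field(default_factory=dict)   # owner name -> policy action
    nsip: dict = field(default_factory=dict)    # nameserver address -> action


# Rev 1 blocks the hostile name via its nameserver address; rev 2 (the next
# transfer) moves that block to the name itself and retires the NSIP rule.
# Each revision, evaluated on its own, rewrites bad.example to NXDOMAIN.
REV1 = PolicyZone(1, nsip={"192.0.2.53": "NXDOMAIN"})
REV2 = PolicyZone(2, qname={"bad.example": "NXDOMAIN"})

# Constructed stand-in for recursion: which nameserver address serves a name.
NS_OF = {"bad.example": "192.0.2.53", "good.example": "198.51.100.7"}


class Resolver:
    def __init__(self, zone):
        self.zone = zone  # "current" policy zone; replaced when a transfer lands

    def resolve(self, name, transfer_to=None, snapshot=False):
        """Return the policy action applied to NAME, or "PASS" if no rule fires.

        transfer_to: a revision that arrives during recursion, i.e. after the
                     QNAME check and before the NSIP check (per-rule atomicity).
        snapshot:    evaluate all trigger types against the revision that was
                     current when the lookup began (whole-zone atomicity).
        """
        zone_at_start = self.zone
        action = zone_at_start.qname.get(name)
        if action:
            return action                    # QNAME rule fires; evaluation ends.
        if transfer_to is not None:          # recursion happens here; a transfer
            self.zone = transfer_to          # may complete in the meantime.
        nsip_zone = zone_at_start if snapshot else self.zone
        return nsip_zone.nsip.get(NS_OF[name]) or "PASS"


def demo():
    steady1 = Resolver(REV1).resolve("bad.example")                  # NXDOMAIN
    steady2 = Resolver(REV2).resolve("bad.example")                  # NXDOMAIN
    torn = Resolver(REV1).resolve("bad.example", transfer_to=REV2)   # PASS: gap
    pinned = Resolver(REV1).resolve("bad.example", transfer_to=REV2, snapshot=True)
    return steady1, steady2, torn, pinned


if __name__ == "__main__":
    print(demo())  # ('NXDOMAIN', 'NXDOMAIN', 'PASS', 'NXDOMAIN')
```

The `torn` case is the one the draft leaves unspecified: the QNAME check ran against the old revision and the NSIP check against the new one, so neither rule fires even though both revisions block the name.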
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop