On Fri, Dec 30, 2016 at 11:45:23AM +0000, Vernon Schryver wrote:
> Then there is what should happen if a transfer of a policy zone
> happens between the time QNAME rules are checked and the generally
> later time when NSIP and NSDNAME rules are checked.  The draft tries
> to pretend that all of the rules in all of the policy zones are
> checked instantaneously, and never mind real code or the delays forced
> by recursion.  Words about these issues that are not BIND-specific would
> probably be good, so please suggest some.

This is also a good point. Perhaps just saying that RPZ zone transfers
are not assumed to be atomic for the whole zone, but only at the
RR/policy rule level will suffice?

Paul mentioned during the RPZ bar/pub meeting that the purpose of this
RFC is to document BIND's behavior. BIND is not atomic in handling RPZ
updates. So the draft should explicitly state as unknown what happens
during a zone transfer when there are QNAME and NSIP triggers, where
QNAME comes from a previous revision of the zone and the NSIP comes from
the next revision of the zone.

                Mukund


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
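
The mixed-revision case discussed in the message above, as an added toy model in Python (not part of the thread, not BIND's code, and not text from the draft): a QNAME check runs against one revision of a policy zone, a transfer lands during recursion, and the NSIP check then runs against the next revision. `Revision`, `PolicyZone`, `resolve`, the `pin` option and the sample rules are all hypothetical, and the model assumes a single policy zone where the first matching trigger wins.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Revision:
    serial: int
    qname: dict = field(default_factory=dict)  # owner name -> action
    nsip: dict = field(default_factory=dict)   # nameserver address -> action

class PolicyZone:
    def __init__(self, rev):
        self.current = rev

    def transfer(self, rev):
        # Simplification: the new revision replaces the old one in one step.
        self.current = rev

def resolve(zone, qname, ns_ip, pin, during_recursion=None):
    """Return (action, serials consulted for the QNAME and NSIP checks).

    pin=True evaluates both checks against the revision that was current
    when the query arrived; pin=False reads the live zone at each check.
    """
    start = zone.current
    serials = [start.serial]
    if qname in start.qname:              # QNAME triggers are checked first
        return start.qname[qname], serials
    if during_recursion:
        during_recursion()                # recursion delay; a transfer may land here
    rev = start if pin else zone.current  # NSIP triggers are checked later
    serials.append(rev.serial)
    return rev.nsip.get(ns_ip, "NO-MATCH"), serials

# Constructed sample data (documentation names and addresses).
REV1 = Revision(serial=1)
REV2 = Revision(serial=2,
                qname={"www.example.net": "PASSTHRU"},
                nsip={"192.0.2.53": "NXDOMAIN"})

def demo(pin):
    zone = PolicyZone(REV1)
    return resolve(zone, "www.example.net", "192.0.2.53", pin,
                   during_recursion=lambda: zone.transfer(REV2))

if __name__ == "__main__":
    print("live   :", demo(pin=False))  # mixes serial 1 and serial 2
    print("pinned :", demo(pin=True))   # serial 1 only
```

In this model the live evaluation returns NXDOMAIN, an answer that neither revision would produce on its own: revision 1 has no matching rule and revision 2 would stop at the QNAME PASSTHRU rule.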
