Hi Frederico,

On 03/29/2018 08:45 PM, Frederico A C Neves wrote:
> I was looking at our server to evaluate the MIXFR implementation and it seems to me that the current text covering DNSSEC-aware client logic doesn't take into account that a posterior record at the addition section, by an MIXFR DNSSEC-aware server, will implicitly replace the RRSIG RRset.

I am unclear what case you are covering.

> Logic could be simplified only to Deletions of RRs, when they conclude a removal of a RRset, or RRsets by itself.

No, also if there is an RR addition, it means the RRset has changed, so existing RRSIG records can be implicitly removed.

> All the other cases, addition or replacement, will be covered automatically by an addition or replace of a RRSIG RRset. There is no need for extra client logic to remove RRSIG, at addition of a RR, and at deletion of a RR if it does not remove the RRset.

Note there is no such thing as an RRSIG RRset. I tried to clarify this in the terminology bis document:
https://www.ietf.org/mail-archive/web/dnsop/current/msg22118.html

Note that adding an RRSIG is different than replacing an RRSIG.

This is documented as issue #10 and includes proposed text.
https://github.com/matje/mixfr/issues/10

I think it makes more sense to keep the text as is, that is, when changing an RRset, implicitly remove the corresponding RRSIG records. I am opposed to only removing the corresponding RRSIG on an RR deletion.

Best regards,
Matthijs

> Fred

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
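
An added example, not part of the original message or of the MIXFR draft: a simplified in-memory model of the two client rules discussed in this thread (drop covering RRSIGs on any RRset change, versus only when a deletion removes the RRset). It assumes an added RRSIG is stored alongside existing ones rather than replacing them; the data layout, function names, owner name and signature labels are constructed.

```python
# Simplified model (assumption): RRs are (owner, type, rdata) tuples, and an
# RRSIG's rdata is (covered_type, label). This is not the MIXFR wire format.

def apply_diff(rrsets, rrsigs, deletions, additions, implicit_on_any_change=True):
    """Apply deletions then additions; return the resulting signature map.

    rrsets: {(owner, rrtype): set of rdata}
    rrsigs: {(owner, covered_type): set of signature labels}
    """
    touched, emptied, new_sigs = set(), set(), []
    for owner, rtype, rdata in deletions:
        if rtype == "RRSIG":                      # explicit RRSIG deletion
            covered, label = rdata
            rrsigs.get((owner, covered), set()).discard(label)
            continue
        key = (owner, rtype)
        rrsets.get(key, set()).discard(rdata)
        touched.add(key)
        if not rrsets.get(key):                   # deletion removed the RRset
            rrsets.pop(key, None)
            emptied.add(key)
    for owner, rtype, rdata in additions:
        if rtype == "RRSIG":                      # hold until old sigs are handled
            new_sigs.append((owner, rdata[0], rdata[1]))
            continue
        key = (owner, rtype)
        rrsets.setdefault(key, set()).add(rdata)
        touched.add(key)
    # Implicit removal: every changed RRset, or only RRsets that were removed.
    for key in (touched if implicit_on_any_change else emptied):
        rrsigs.pop(key, None)
    for owner, covered, label in new_sigs:        # adding is not replacing
        rrsigs.setdefault((owner, covered), set()).add(label)
    return rrsigs


def demo(implicit_on_any_change):
    """One A record is added and a new signature is sent with it (constructed data)."""
    rrsets = {("www.example.", "A"): {"192.0.2.1"}}
    rrsigs = {("www.example.", "A"): {"sig-old"}}
    additions = [("www.example.", "A", "192.0.2.2"),
                 ("www.example.", "RRSIG", ("A", "sig-new"))]
    apply_diff(rrsets, rrsigs, [], additions, implicit_on_any_change)
    return rrsigs[("www.example.", "A")]


if __name__ == "__main__":
    print("any change:", demo(True))      # only the new signature remains
    print("deletion only:", demo(False))  # stale signature kept beside the new one
```

Under the deletion-only rule the old signature, computed over the previous RRset contents, remains in the zone copy next to the new one.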