In article <[email protected]> you write:
>On Jan 15, 2020, at 5:28 PM, Michael StJohns <[email protected]> wrote:
>> I think it's a co-existence issue here. I don't think you should have two
>> different (calculation-wise) ZONEMD-like RRSets in the same zone for the
>> reasons you've mentioned.
>
>That makes good sense. When someone defines an incremental zone hash RRtype,
>that protocol spec should likely either prohibit ZONEMD RRsets, or state that
>their interpretation is suppressed. The WG can cross that bridge when we see
>a reasonably filled-out proposal for INCZONEMD.

That seems to me overdesigned.

If you are able to compute a signature for the whole zone, put a ZONEMD at the apex. If you can't, don't. It includes whatever's in the zone, including INCZONEMD if there happen to be any.

If you are updating a signed zone with IXFR, either update the ZONEMD if you are able to recompute a new signature for the zone including any added or changed INCZONEMD, or delete it in the more likely case that you can't.

Why does it have to be more complicated than that?

R's,
John

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
