Hello Libor,

The block-notify-after-transfer option is very specific and dedicated to a special narrow use-case, I guess some of our users requested it. It shall prevent "NOTIFY storms" when operating very many zones. The user is expected to handle triggering downstream zone transfers somehow, e.g. by relying on SOA timers or calling `knotc zone-notify <some_zones>` in some batches.

Understood, thank you. I think I'll leave it enabled as it does what I want and
it concerns just a handful of unsigned zones.

Anyway, there seems to be some misunderstanding about the operation of the bump-in-the-wire signer (i.e. the server that has primaries configured and DNSSEC signing enabled). When a zone is downloaded (by AXFR or IXFR), the un-signed zone is never published,

I probably phrased it confusingly, but that is exactly my understanding of how
Knot operates.

Thank you very much for the clarification!

        -JP