Mark,

On 04/04/2018 03:52 PM, Mark Andrews wrote:

Note that implicit RRSIG deletion is idempotent, so it does not matter if two RRs in the MIXFR trigger it.

Not if you are processing the additions on a RR by RR basis. You can add a new RRSIG before you add the covering RR. You need to perform two passes over the addition section.
1 - to perform implicit deletions.
2 - to perform explicit additions.

If I removed the existing RRSIGs covering "example. A" from the zone, now process the next "example A" RR in the MIXFR, that triggers removing the same existing RRSIGs, those are already gone and stay gone. That seems idempotent to me.

Note that an IXFR client should only replace an older version with a newer version after all the differences have been successfully processed (RFC 1995).

The same will be true for MIXFR.


Note there are some RR deletions / addition pairs that DO NOT change RRSIGs, e.g. case changes in domain names that are subject to canonicalisation. There is no requirement to regenerate RRSIGs for such changes though most implementations will do so.

It might be good to add some text for that case. Thanks for bringing it up!

Best regards,
  Matthijs
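
The ordering issue discussed in this thread, as an added example that is not part of the original message or of the MIXFR draft: a simplified model in which adding an RR implicitly deletes the existing RRSIGs covering its owner and type. The tuple layout, function names and sample records are assumptions made for illustration. It shows that the deletion itself is idempotent, but that RR-by-RR processing loses a new RRSIG that arrives before the RR it covers, leaving the RRset unsigned, while two passes keep it.

```python
# Simplified model (assumption): an RR is (owner, rtype, rdata); an RRSIG's
# rdata starts with the type it covers, e.g. ("example.", "RRSIG", "A sig-new").

def covered(rr):
    """Return the type an RRSIG covers, or None for any other RR."""
    owner, rtype, rdata = rr
    return rdata.split()[0] if rtype == "RRSIG" else None

def drop_sigs(zone, owner, rtype):
    """Implicit deletion: remove RRSIGs covering (owner, rtype). Idempotent."""
    return {rr for rr in zone if not (rr[0] == owner and covered(rr) == rtype)}

def apply_single_pass(zone, additions):
    """RR-by-RR processing: implicit deletion and addition interleaved."""
    new = set(zone)  # work on a copy; the caller swaps it in only on success
    for rr in additions:
        if rr[1] != "RRSIG":
            new = drop_sigs(new, rr[0], rr[1])
        new.add(rr)
    return new

def apply_two_pass(zone, additions):
    """Pass 1: all implicit deletions. Pass 2: all explicit additions."""
    new = set(zone)
    for rr in additions:
        if rr[1] != "RRSIG":
            new = drop_sigs(new, rr[0], rr[1])
    for rr in additions:
        new.add(rr)
    return new

def sigs(zone):
    """Sorted RRSIG rdata strings present in the zone."""
    return sorted(rr[2] for rr in zone if rr[1] == "RRSIG")

# Constructed sample data: the new RRSIG precedes the RRs it covers, and two
# A RRs each trigger the implicit deletion.
OLD_ZONE = {("example.", "A", "192.0.2.1"), ("example.", "RRSIG", "A sig-old")}
ADDITIONS = [
    ("example.", "RRSIG", "A sig-new"),
    ("example.", "A", "192.0.2.2"),
    ("example.", "A", "192.0.2.3"),
]

if __name__ == "__main__":
    print("single pass:", sigs(apply_single_pass(OLD_ZONE, ADDITIONS)))
    print("two pass:   ", sigs(apply_two_pass(OLD_ZONE, ADDITIONS)))
```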
