On Thu, 20 Jul 2017, Tony Finch wrote:
> John R Levine <jo...@taugh.com> wrote:
>> BULK absolutely requires online DNSSEC signing,
>
> This basically means that BULK is a master-only feature, which implies
> that there's no need for BULK to work across zone transfers, which
> implies the need to standardize it for interop is almost nonexistent.

I can't speak for the draft's authors, but in previous correspondence I've
gotten the impression that they believe that slaves that serve BULK can
stay in sync via AXFR and IXFR. Perhaps they can clarify how this is
supposed to work.

I could sort of imagine a DNAME-like scheme where the server returns the
signed BULK and the generated record and the RRSIGs and NSECs to show that
the name for which it was generated doesn't exist, so the cache that
receives it can unscramble the mess, but wow, would that ever be a poster
child for why this needs DNS versioning.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly