On Wed, Mar 28, 2018 at 06:12:09PM -0300, Frederico A C Neves wrote:
> On Thu, Mar 29, 2018 at 07:28:22AM +1100, Mark Andrews wrote:
> > No. You can have multiple nsec3 chains in a zone at the same time. Only one
> > is active. Some may be incomplete.
> >
> > Named builds and destroys chains incrementally to avoid large changes.
> >
> > Timeliness of changes is more important than volume of changes.
>
> As I stated down on this thread this behaviour is the one that is
> already supported by IXFR. For large zones, on large anycast networks,
> the volume of changes on the wire is important. The current approach is
> impractical.

Perhaps this text is more specific and addresses the incremental
re-salt scenario and even improves it after the new chain is already in
place at the time of the removal of the old one.

3.1 Implicit DNSSEC deletions

When an NSEC3PARAM is deleted or replaced, the MIXFR client MUST also
remove all existing NSEC3 records on the zone that form the chain
related to the deleted or replaced salt.

Fred
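
The implicit deletion rule proposed in the message above, sketched as client-side logic for the re-salt case where the new chain is already in place. This is an added example, not code from the thread or from any MIXFR implementation; the function and type names are hypothetical, the records are constructed, and it assumes a chain is identified by hash algorithm, iterations and salt as in RFC 5155, with NSEC3 flags ignored.

```python
from typing import NamedTuple

class Nsec3Param(NamedTuple):
    hash_alg: int
    iterations: int
    salt: str          # hex string, "-" for an empty salt

class Nsec3(NamedTuple):
    owner: str         # hashed owner name (constructed placeholder labels below)
    hash_alg: int
    flags: int         # bit 0 = opt-out; not part of the chain identity
    iterations: int
    salt: str

def chain_key(rr):
    # Assumption: chain identity is (algorithm, iterations, salt); salt hex is
    # compared case-insensitively.
    return (rr.hash_alg, rr.iterations, rr.salt.lower())

def implicit_nsec3_deletions(nsec3_rrs, removed_params):
    """Split the zone's NSEC3 records into (kept, dropped) after the given
    NSEC3PARAM records were deleted or replaced in a transfer."""
    doomed = {chain_key(p) for p in removed_params}
    kept, dropped = [], []
    for rr in nsec3_rrs:
        (dropped if chain_key(rr) in doomed else kept).append(rr)
    return kept, dropped

# Constructed sample: old chain (salt AABBCCDD) being retired while the new
# chain (salt 11223344) is already complete in the zone.
OLD_PARAM = Nsec3Param(1, 10, "AABBCCDD")
ZONE_NSEC3 = [
    Nsec3("old-hash-1.example.", 1, 0, 10, "aabbccdd"),
    Nsec3("old-hash-2.example.", 1, 1, 10, "AABBCCDD"),   # opt-out span
    Nsec3("new-hash-1.example.", 1, 0, 10, "11223344"),
    Nsec3("new-hash-2.example.", 1, 0, 10, "11223344"),
    # Same salt but different iterations: a distinct, possibly incomplete chain.
    Nsec3("other-hash-1.example.", 1, 0, 5, "AABBCCDD"),
]

def demo():
    return implicit_nsec3_deletions(ZONE_NSEC3, [OLD_PARAM])

if __name__ == "__main__":
    kept, dropped = demo()
    print("dropped:", [rr.owner for rr in dropped])
    print("kept:   ", [rr.owner for rr in kept])
```

Only the NSEC3PARAM deletion has to travel on the wire; the two old-chain records are removed locally while the new chain and the unrelated chain stay untouched.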