On Wed, Mar 28, 2018 at 05:43:15PM +0200, Matthijs Mekking wrote:
....
> > One comment,
> >
> > [3.1] As section 3 states that MIXFR is DNSSEC aware we need text
> > regarding NSEC3PARAM update as well.
> >
> > For that I suggest to change 3.1 section name and include an extra
> > paragraph.
> >
> > 3.1 Implicit DNSSEC deletions
> >
> > When an NSEC3PARAM is modified, the MIXFR client MUST also remove all
> > existing NSEC3 records on the zone.
>
> I agree that with the current syntax NSEC3 resalting is still a hassle.
> But I am not sure if this implicit NSEC3 deletion is the right solution:
> One can have multiple chains in the zone, the NSEC3PARAM just signals
> that the chain is complete. Signers may have incomplete chains as an
> intermediate step of NSEC3 resalting.
>
> I shall add a GitHub issue for this. Thanks for bringing it up!

This is documented at issue #8 with an updated proposed text after
discussion down this thread.

https://github.com/matje/mixfr/issues/8

Fred

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop