BIND 10 #1574: Add support for loading NSEC3 RRsets to in memory data source
BIND 10 Development
do-not-reply at isc.org
Tue Jan 24 16:51:10 UTC 2012
#1574: Add support for loading NSEC3 RRsets to in memory data source
-------------------------------------+-------------------------------------
Reporter: | Owner:
jinmei | Status: new
Type: task | Milestone:
Priority: | Sprint-20120207
critical | Resolution:
Component: data | Sensitive: 0
source | Sub-Project: DNS
Keywords: | Estimated Difficulty: 7
Defect Severity: N/A | Total Hours: 0
Feature Depending on Ticket: NSEC3 |
Add Hours to Ticket: 0 |
Internal?: 0 |
-------------------------------------+-------------------------------------
Comment (by jinmei):
Replying to [comment:3 jelte]:
> Yes; the scenario i have in mind is when you have a large zone, and want
to change the NSEC3 salt for instance. The 'incremental' way to do that
would be to add the newly generated NSEC3s in batches (keeping the old,
and leaving NSEC3PARAM as it is), and when they are all there, replace the
NSEC3PARAM and start removing the old NSEC3 RRs in batches.
>
> I'm not saying we should do that, when we do automatic signing we might
very well replace them all at once, but we should definitely allow the
scenario at some point.
>
> I'm guessing we would have multiple NSEC3 namespaces, one of which is
'active' (as pointed out by the NSEC3PARAM record at the apex).
I think there are a few ways to do that without requiring
fundamentally redesigning everything. Having multiple namespaces is
one way. So I believe we can find a way of evolution without breaking
deployed practices.
--
Ticket URL: <http://bind10.isc.org/ticket/1574#comment:7>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development
More information about the bind10-tickets
mailing list