> Mark.Andrews@isc.org writes: > > If you never update the child then it is an *administrative* error. > > Changing the serial number too early is also an administrative error. > Here's a summary of our three examples of administrative errors: > > 1. Failing to update the parent serial number after updating the glue > in all the child servers. As you keep pointing out, this error can > cause problems with BIND 8: the data will be inconsistent until > the serial number is updated. > > 2. Failing to update the parent serial number after updating the glue > in the parent master. This error can cause problems with BIND 9 > (and BIND 8, of course): the data will be inconsistent until the > serial number is updated. > > 3. Failing to update the data in the child master. This error can > cause problems with BIND 9 (and BIND 8, of course): the data will > be inconsistent until the child data is updated (and the serial > numbers handled properly). > > In every case, the administrator is violating RFC 1034 (as you have > admitted), and is creating a configuration that does not work properly > with most DNS software deployed in the real world. > > You persist in drawing a completely unjustified line between the first > error and the other two errors. You claim that allowable administrative > action is defined by BIND 9---never mind what RFC 1034 says, and never > mind the rest of the installed base. You cycle endlessly between ``BIND > 9 is doing the Right Thing'' and ``BIND 9 handles that situation'' and > ``that situation is not actually an error,'' attempting to defend each > part of the BIND 9 religion by showing how it fits with the other parts. > The circularity is pathetic. > > In situations where there's a difference between the software and the > spec---for example, actions that are prohibited by RFC 1034 even though > they work in the real world, or vice versa---one can reasonably discuss > whether the actions should be considered errors. But the above actions > do _not_ work and are _not_ allowed by the spec. If you want to support > them in BIND 9, fine, but you have no basis for demanding that the rest > of us support them too. Changing the content of SECONDARY zones is outside of the actions specified by RFC 1034. In fact RFC 1034 demands a "accurate" copy. You can't have a "accurate" copy if it has been changed. There are no timing issues if you have a "accurate" copy. There is no such thing as changing the serial "too early". It is the errors in BIND 4, BIND 8 and tinydns that introduce timing constraints that are not part of RFC 1034 and only affect servers that are serving both parent and child zones. We have heard from at least three other independent developers that they preserve / preserved the copy of the child zone based on RFC 1034 requirement. Maintaining consistancy between parent and child zones is a administrative responsability. Even with automated assistance the changes are required to be applied to the PRIMARY not to the SECONDARY. BIND 4, BIND 8 and tinydns violate the maintance model as a result of applying changes in the incorrect place directly leading to the situation where all the PRIMARY copies of the zones have the correct information but some of the SECONDARY "copies" don't. There is no technical reason not to preserve the contents of the SECONDARY copies of the zone unaltered. There are no negative effects from doing this. There definitely are negative effects caused by changing the contents of SECONDARY copies. All your complaints are based on your interpretation of RFC 1034. Your interpretation introduces timing issues which even your own software cannot meet without violating the requirement to change the serial number when you change the zone contents. In addition to the pure AXFR issues. IXFR depends upon the contents of the zone not being changed unilaterally on the SECONDARY. Failure to preserve the contents will result in deltas not applying that should. This should result in fallback to AXFR to get a upto date copy of the zone. This will result in a AXFR style IXFR to done stream servers. Mark -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org