unbound-control flush_zone behaviour w.r.t the DS record

Paul Wouters
Wed Sep 16 04:35:09 CEST 2015


Today I ran into an unexpected flush issue. A domain with a DS record no
longer signed its zone and became BOGUS. Once the registrar removed the
DS record, I ran an unbound-control flush_zone on the zone, but I still
received a SERVFAIL. Turns out the DS record of a domain is not flushed
because it does not live in the child zone but in the parent zone.

I suggest changing the behaviour of unbound to also flush DS records
of a zone in its parent with the flush_zone command.