Maintained by: NLnet Labs

unbound-control flush_zone behaviour w.r.t. the DS record

W.C.A. Wijngaards
Tue Sep 22 09:28:21 CEST 2015


Hi Paul,

On 16/09/15 04:35, Paul Wouters via Unbound-users wrote:
> 
> Hi,
> 
> Today I ran into an unexpected flush issue. A domain with DS record
> no longer signed its zone and became BOGUS. Once the registrar
> removed the DS record, I ran an unbound-control flush_zone on the
> zone, but I still received a SERVFAIL. Turns out the DS record of a
> domain is not flushed because it does not live in the child zone
> but in the parent zone.
> 
> I suggest changing the behaviour of unbound to also flush DS
> records of a zone in its parent with the flush_zone command.

The flush_zone command flushes the DS record too.  This works for me
(e.g. look up a domain, dig DS record, flush it, dig DS record - fresh
TTL).  But I understand the domain you had did not become non-bogus
after the flush?  Was something else not flushed that should be?

Best regards, Wouter