Maintained by: NLnet Labs

unbound-control flush_zone behaviour w.r.t the DS record

Paul Wouters
Tue Sep 22 17:28:39 CEST 2015


On Tue, 22 Sep 2015, W.C.A. Wijngaards via Unbound-users wrote:

>> Today I ran into an unexpected flush issue. A domain with DS record
>> no longer signed its zone and became BOGUS. Once the registrar
>> removed the DS record, I ran an unbound-control flush_zone on the
>> zone, but I still received a SERVFAIL. Turns out the DS record of a
>> domain is not flushed because it does not live in the child zone
>> but in the parent zone.
>>
>> I suggest changing the behaviour of unbound to also flush the DS
>> records of a zone in its parent with the flush_zone command.
>
> The flush_zone command flushes the DS record too.  This works for me
> (eg. lookup a domain, dig DS record, flush it, dig DS record - fresh
> TTL).  But I understand the domain you had did not become non-bogus
> after the flush?  Was something else not flushed that should be?

I'm not sure. It did not become non-bogus for sure. I didn't drop the
cache and the domain is fixed now. So you'll have to create a test
case I guess? :)

Paul
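The check Wouter describes (dig the DS, flush the zone, dig the DS again and look for a fresh TTL) can be scripted so the before/after TTLs are recorded rather than eyeballed. The script below is an added example, not code from the thread or from the Unbound project. It assumes `unbound-control` is already set up for the local resolver, that `dig` is installed, and that the zone name and resolver address are supplied by the caller (placeholders, not values from the thread). A missing DS RRset is reported as TTL -1, which is what you expect to see after a parent has removed the DS and the flush has taken effect.

```bash
#!/bin/sh
# Added example: verify that `unbound-control flush_zone` really refreshed the
# DS RRset of a zone by comparing its cached TTL before and after the flush.
# Assumptions (not from the thread): unbound-control is configured, dig is
# installed, ZONE and RESOLVER are caller-supplied placeholders.

# Read `dig +noall +answer` output on stdin and print the smallest TTL of the
# DS records in it. Prints -1 when no DS record is present (e.g. after the
# parent removed it and the stale copy has been flushed).
ds_ttl() {
    awk '$4 == "DS" { t = $2 + 0; if (seen == 0 || t < min) { min = t; seen = 1 } }
         END { print (seen ? min : -1) }'
}

# Decide whether the post-flush answer came from a fresh upstream fetch:
# a re-fetched RRset carries a TTL at least as large as the stale cached copy,
# and a removed RRset shows up as -1. Arguments: before_ttl after_ttl.
flush_refreshed() {
    before="$1"; after="$2"
    # DS disappeared: the stale parent record is gone, flush worked.
    [ "$after" -eq -1 ] && [ "$before" -ne -1 ] && return 0
    # DS still present: it must have been re-fetched (TTL did not keep counting down).
    [ "$after" -ge "$before" ] && [ "$after" -ne -1 ]
}

# Run the actual procedure against a live resolver: dig DS, flush, dig DS.
check_flush() {
    zone="$1"; resolver="${2:-127.0.0.1}"
    before=$(dig @"$resolver" +noall +answer DS "$zone" | ds_ttl)
    unbound-control flush_zone "$zone" >/dev/null
    after=$(dig @"$resolver" +noall +answer DS "$zone" | ds_ttl)
    printf 'zone=%s DS TTL before=%s after=%s\n' "$zone" "$before" "$after"
    if flush_refreshed "$before" "$after"; then
        echo "DS RRset was refreshed (or correctly removed) by flush_zone"
    else
        echo "DS RRset still looks cached; flush_zone did not refresh it" >&2
        return 1
    fi
}

# Usage: sh flushcheck.sh example.net. 127.0.0.1
if [ $# -gt 0 ]; then
    check_flush "$@"
fi
```

Run it once with the DS still in the cache and again right after the registrar has removed the DS; in the second run the "after" value should be -1 and the validator should stop returning SERVFAIL for the child zone.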