[dns-operations] Signing of the ARPA zone
Michael Sinatra
michael at rancid.berkeley.edu
Sat Mar 27 21:39:19 UTC 2010
On 03/26/10 11:55, Simon Leinen wrote:
> Yes. Apparently if you use BIND (latest & greatest 9.7.0), and
> install new trusted keys, you are expected to flush some entries from
> the cache; in particular, you should flush the entries for the names
> for which trust anchors were added, e.g. "ARPA" for the trusted keys
> in the March 25 version of the ITAR.
>
> Maybe this is common knowledge, and everybody except us has routinely
> been flushing their caches whenever they install new trust anchors.
> But I doubt it.
I have always flushed the cache whenever *manually* adding a trust
anchor. My vague recollection is that I would sometimes see validation
failures if I did not.
Some of the docs that I read on DNSSEC configuration recommend 'rndc
flush'. E.g.:
http://www.dnssec-tools.org/docs/step-by-step-dnssec-tools/sbs-dt.pdf
[page 33]
http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
[kinda strange: It tells you to do 'rndc flush' when adding a signed
zone as an *authoritative* server]
When updating trust anchors in unbound, I generally restart the server
(but that's because I don't run unbound in production--sorry!).
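The thread's advice is to flush the cached entries for exactly the names that gained a trust anchor (e.g. "ARPA") rather than the whole cache. The script below is an added example, not code from the post, from ISC or from dnssec-tools; it assumes the anchors live in a BIND trusted-keys { ... } clause with the name and the flags/protocol/algorithm fields on one line, that rndc is already configured for the resolver, and it uses a constructed sample file with placeholder key strings (not the real ITAR keys). It extracts the anchored names and runs 'rndc flushname' for each; RNDC=echo gives a dry run.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): after installing new trust
# anchors in BIND, flush cached data for the names that gained an anchor
# instead of doing a full 'rndc flush'.
# Assumptions: rndc is configured (rndc.key / rndc.conf) and the anchors are
# in a trusted-keys { ... } clause shaped like the constructed sample below.

# sample_trusted_keys: print a constructed trusted-keys file for testing.
# The key strings are placeholders, not real DNSKEY material.
sample_trusted_keys() {
    cat <<'EOF'
// constructed sample, key text is a placeholder
trusted-keys {
    "ARPA." 257 3 8 "AwEAAexamplekeymaterialNOTREAL"
                    "morePLACEHOLDERtext==";
    "se." 257 3 5 "AwEAAanotherPLACEHOLDERkey==";
};
EOF
}

# anchor_names FILE: print each zone name that has a trusted-keys entry,
# lowercased, trailing dot stripped, one per line, duplicates removed.
# An entry line looks like:  "arpa." 257 3 8 "AwEAA..."
# so we require three numeric fields after the (optionally quoted) name,
# which keeps continuation lines of key text from matching.
anchor_names() {
    sed -n 's/^[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]\{1,\}[0-9]\{1,\}[[:space:]]\{1,\}[0-9]\{1,\}[[:space:]]\{1,\}[0-9]\{1,\}[[:space:]].*/\1/p' "$1" \
      | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u
}

# flush_anchor_names FILE: run 'rndc flushname NAME' for every anchored name.
# Set RNDC=echo to see what would be run without touching the resolver.
flush_anchor_names() {
    rndc_cmd="${RNDC:-rndc}"
    anchor_names "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        $rndc_cmd flushname "$name"
    done
}

# Usage: ./flush-anchors.sh /etc/named/trusted-keys.conf
# With a file argument, flush the names found in it; otherwise do nothing,
# so the functions can be sourced or tested without side effects.
if [ -n "${1:-}" ]; then
    flush_anchor_names "$1"
fi
```

After flushing, a query such as 'dig @127.0.0.1 +dnssec arpa SOA' against the resolver should come back with the AD flag set once the new anchor is in use; if validation still fails, 'rndc flush' of the whole cache is the blunt fallback the cited docs recommend. Later BIND releases also offer 'rndc flushtree', which removes the whole subtree below a name rather than the single name (an assumption about newer versions, not something the 9.7.0 thread discusses).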