[dns-operations] Signing of the ARPA zone

Michael Sinatra michael at rancid.berkeley.edu
Sat Mar 27 21:39:19 UTC 2010


On 03/26/10 11:55, Simon Leinen wrote:

> Yes.  Apparently if you use BIND (latest & greatest 9.7.0), and
> install new trusted keys, you are expected to flush some entries from
> the cache; in particular, you should flush the entries for the names
> for which trust anchors were added, e.g. "ARPA" for the trusted keys
> in the March 25 version of the ITAR.
>
> Maybe this is common knowledge, and everybody except us has routinely
> been flushing their caches whenever they install new trust anchors.
> But I doubt it.

I have always flushed the cache whenever *manually* adding a trust 
anchor.  My vague recollection is that I would sometimes see validation 
failures if I did not.

Some of the docs that I read on DNSSEC configuration recommend 'rndc 
flush'.  E.g.:

http://www.dnssec-tools.org/docs/step-by-step-dnssec-tools/sbs-dt.pdf
[page 33]

http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
[kinda strange: It tells you to do 'rndc flush' when adding a signed 
zone as an *authoritative* server]

When updating trust anchors in unbound, I generally restart the server 
(but that's because I don't run unbound in production--sorry!).
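The procedure discussed in the thread (add a trust anchor to BIND, then flush the cached entries for the anchored names and confirm validation now works), written out as an added shell example. This is not code from the thread or from ISC; it assumes a local BIND 9.7-era resolver listening on 127.0.0.1 that you control with rndc, that the trusted-keys statement in named.conf has already been edited, and it uses a hypothetical helper name (refresh_anchors) of my own. `rndc flushname` drops only the named entry; the docs cited above recommend the blunter `rndc flush`, which empties the whole cache and is the safer choice if you are unsure which names were cached before the anchor existed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: local resolver at 127.0.0.1,
# rndc already configured, trusted-keys for the listed names already in named.conf.

# Return 0 if a dig header (passed as one string) carries the "ad" flag,
# i.e. the resolver validated the answer. Pure text parsing, so it works offline.
has_ad_flag() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            line = $0
            sub(/^;; flags:/, "", line)      # drop the label
            sub(/;.*/, "", line)              # keep only the flag list
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Hypothetical helper: reload config, flush each anchored name, then check
# that a DNSSEC query for it comes back with the AD bit set.
refresh_anchors() {
    named-checkconf || return 1               # never reload a broken named.conf
    rndc reconfig                              # pick up the new trusted-keys
    for name in "$@"; do
        rndc flushname "$name"                 # drop entries cached before the anchor existed
        # (or simply: rndc flush -- empties the whole cache, as the docs recommend)
    done
    for name in "$@"; do
        out=$(dig +dnssec +noall +comments "$name" SOA @127.0.0.1)
        if has_ad_flag "$out"; then
            echo "$name: validated (ad flag set)"
        else
            echo "$name: NOT validated after flush; check the key and 'rndc secroots'" >&2
            return 1
        fi
    done
}

# Only touch the live server when explicitly asked, e.g.:
#   REFRESH_ANCHORS=1 sh refresh_anchors.sh arpa
if [ -n "${REFRESH_ANCHORS:-}" ]; then
    refresh_anchors "$@"
fi
```

If the name still comes back without the AD bit after the flush, the trust anchor itself is the next thing to check (a stale or mistyped key will produce SERVFAIL or unvalidated answers rather than a clear error).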
