[dns-operations] Signing of the ARPA zone

Michael Sinatra michael at rancid.berkeley.edu
Sat Mar 27 21:39:19 UTC 2010

On 03/26/10 11:55, Simon Leinen wrote:

> Yes.  Apparently if you use BIND (latest & greatest 9.7.0), and
> install new trusted keys, you are expected to flush some entries from
> the cache; in particular, you should flush the entries for the names
> for which trust anchors were added, e.g. "ARPA" for the trusted keys
> in the March 25 version of the ITAR.
> Maybe this is common knowledge, and everybody except us has routinely
> been flushing their caches whenever they install new trust anchors.
> But I doubt it.

I have always flushed the cache whenever *manually* adding a trust 
anchor.  My vague recollection is that I would sometimes see validation 
failures if I did not.

Some of the docs that I read on DNSSEC configuration recommend 'rndc 
flush'.  E.g.:

[page 33]

[kinda strange: It tells you to do 'rndc flush' when adding a signed 
zone as an *authoritative* server]

When updating trust anchors in unbound, I generally restart the server 
(but that's because I don't run unbound in production--sorry!).
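As an added example (not part of this thread, and not BIND's own tooling), a small POSIX shell helper for the step discussed above: it reads a BIND trusted-keys block, pulls out the owner names, and runs 'rndc flushname' for each so cached, unvalidated data under those names is dropped after the anchors are installed. SAMPLE_KEYS is a constructed fragment with placeholder key data, and the RNDC variable (defaulting to rndc, overridable for dry runs) is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample trusted-keys fragment in BIND 9.7 syntax; the key
# material is a placeholder, not a real DNSKEY.
SAMPLE_KEYS='trusted-keys {
    "arpa." 257 3 8 "PLACEHOLDER-BASE64-KEY-DATA";
    "example." 257 3 5 "PLACEHOLDER-BASE64-KEY-DATA";
};'

# Read a trusted-keys block on stdin and print each owner name once,
# with the trailing dot removed (rndc flushname takes a bare name).
anchor_names() {
    sed -n 's/^[[:space:]]*"\([^"]*\)"[[:space:]]*[0-9][0-9]*[[:space:]]*[0-9][0-9]*[[:space:]]*[0-9][0-9]*.*/\1/p' \
        | sed 's/\.$//' \
        | sort -u
}

# Flush the cached entries for every trust-anchor name read from stdin.
# RNDC is an assumed variable: it defaults to "rndc"; set RNDC=true or
# RNDC=echo for a dry run. Echoes each name handled, one per line, so
# the caller can log what was flushed. A full "rndc flush" (as the docs
# recommend) clears the whole cache instead of just these names.
flush_anchor_names() {
    rndc_cmd="${RNDC:-rndc}"
    anchor_names | while IFS= read -r name; do
        $rndc_cmd flushname "$name" >/dev/null \
            || echo "flush failed for $name" >&2
        echo "$name"
    done
}
```

Run it as `printf '%s\n' "$SAMPLE_KEYS" | flush_anchor_names` on the resolver after the new trusted-keys file has been loaded (e.g. after 'rndc reconfig').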
