[dns-operations] Signing of the ARPA zone
Michael Sinatra
michael at rancid.berkeley.edu
Sat Mar 27 21:45:28 UTC 2010
On 03/27/10 14:39, Michael Sinatra wrote:
> On 03/26/10 11:55, Simon Leinen wrote:
>
>> Yes. Apparently if you use BIND (latest& greatest 9.7.0), and
>> install new trusted keys, you are expected to flush some entries from
>> the cache; in particular, you should flush the entries for the names
>> for which trust anchors were added, e.g. "ARPA" for the trusted keys
>> in the March 25 version of the ITAR.
>>
>> Maybe this is common knowledge, and everybody except us has routinely
>> been flushing their caches whenever they install new trust anchors.
>> But I doubt it.
>
> I have always flushed the cache whenever *manually* adding a trust
> anchor. My vague recollection is that I would sometimes see validation
> failures if I did not.
>
> Some of the docs that I read on DNSSEC configuration recommend 'rndc
> flush'. E.g.:
>
> http://www.dnssec-tools.org/docs/step-by-step-dnssec-tools/sbs-dt.pdf
> [page 33]
>
> http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
> [kinda strange: It tells you do do 'rndc flush' when adding a signed
> zone as an *authoritative* server]
>
> When updating trust anchors in unbound, I generally restart the server
> (but that's because I don't run unbound in production--sorry!).
Sorry to self-reply, but I just recalled--you may want to have a look at
this:
https://lists.dns-oarc.net/pipermail/dns-operations/2009-May/003867.html
I would have been running the latest 9.6.x or so around the time that I
wrote that message.
michael
More information about the dns-operations
mailing list