[dns-operations] Signing of the ARPA zone

Michael Sinatra michael at rancid.berkeley.edu
Sat Mar 27 21:45:28 UTC 2010

On 03/27/10 14:39, Michael Sinatra wrote:
> On 03/26/10 11:55, Simon Leinen wrote:
>> Yes. Apparently if you use BIND (latest& greatest 9.7.0), and
>> install new trusted keys, you are expected to flush some entries from
>> the cache; in particular, you should flush the entries for the names
>> for which trust anchors were added, e.g. "ARPA" for the trusted keys
>> in the March 25 version of the ITAR.
>> Maybe this is common knowledge, and everybody except us has routinely
>> been flushing their caches whenever they install new trust anchors.
>> But I doubt it.
> I have always flushed the cache whenever *manually* adding a trust
> anchor. My vague recollection is that I would sometimes see validation
> failures if I did not.
> Some of the docs that I read on DNSSEC configuration recommend 'rndc
> flush'. E.g.:
> http://www.dnssec-tools.org/docs/step-by-step-dnssec-tools/sbs-dt.pdf
> [page 33]
> http://www.isc.org/files/DNSSEC_in_6_minutes.pdf
> [kinda strange: It tells you do do 'rndc flush' when adding a signed
> zone as an *authoritative* server]
> When updating trust anchors in unbound, I generally restart the server
> (but that's because I don't run unbound in production--sorry!).

Sorry to self-reply, but I just recalled--you may want to have a look at 


I would have been running the latest 9.6.x or so around the time that I 
wrote that message.


More information about the dns-operations mailing list