On Wed, 4 Dec 2013, Tomas Hozza wrote:

When going back to the "secure" mode it could just enable
the validator module and do the reprobing and set forwarders
based on the probing results.

No, that would contaminate your cache.

Good point. Unfortunately FWIK the validator module can be
disabled only by changing the configuration file. For changes
to be used you'd need to reload unbound, which would result
in flushing the cache completely.

And for good reason. If you go from a polluted cache to enabling
DNSSEC, you would have to validate the entire cache contents, or
just flush it and start from scratch. You could not use any
content in the cache since it had not been validated.

Paul
_______________________________________________
dnssec-trigger mailing list
[email protected]
http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
