On Thu, 5 Dec 2013, Pavel Simerda wrote:
> > And for good reason. If you go from a polluted cache to enabling
> > DNSSEC, you would have to validate the entire cache contents, or
> > just flush it and start from scratch. You could not use any
> > content in the cache since it had not been validated.
>
> Actually, when you change configuration at runtime, you should always flush the
> cache for the respective subtree as well. For example when you remove an
> insecure forward zone, the cache is polluted as well. I actually think that
> unbound should flush the cache automatically to avoid that. As a workaround,
> the cache can be flushed explicitly.
The way we implemented runtime forwards, e.g. from VPNs, we do flush the
particular DNS domain from the cache - no need to flush everything.

Paul
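As an added illustration of the per-subtree flush Paul describes (not code from the thread, unbound or dnssec-trigger; the cache layout, names and addresses are constructed), this model removes a runtime forward and evicts only the cached entries at or below that zone, matching on label boundaries so that unrelated names sharing a suffix string survive:

```python
# Added example: toy model of flushing one DNS subtree from a resolver cache
# when a runtime forward (e.g. one pushed by a VPN) is removed. Not unbound's
# code; the cache structure below is assumed for illustration.

def _labels(name: str) -> list:
    """Split a DNS name into lowercased labels, ignoring the trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def in_subtree(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies below it. Compared label by label,
    so 'notcorp.example' is NOT under 'corp.example' (a string suffix
    comparison would get this wrong)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def flush_subtree(cache: dict, zone: str) -> list:
    """Delete every cached entry at or below `zone`; return the removed names.
    Constructed cache layout: {owner_name: {"rrset": str, "secure": bool}}."""
    removed = [name for name in cache if in_subtree(name, zone)]
    for name in removed:
        del cache[name]
    return removed

def remove_forward(forwards: dict, cache: dict, zone: str) -> list:
    """Drop a runtime forward and flush only the subtree it covered: answers
    fetched through an insecure forward were never DNSSEC-validated, so they
    must not outlive the forward, while the rest of the cache is untouched."""
    forwards.pop(zone, None)
    return flush_subtree(cache, zone)

# Constructed sample data: one VPN forward for corp.example plus unrelated entries.
SAMPLE_FORWARDS = {"corp.example": ["10.0.0.53"]}
SAMPLE_CACHE = {
    "corp.example.":        {"rrset": "A 10.0.0.10", "secure": False},
    "mail.corp.example.":   {"rrset": "A 10.0.0.25", "secure": False},
    "corp.example.net.":    {"rrset": "A 192.0.2.7", "secure": True},
    "www.notcorp.example.": {"rrset": "A 192.0.2.8", "secure": True},
    "nlnetlabs.nl.":        {"rrset": "A 192.0.2.9", "secure": True},
}

if __name__ == "__main__":
    fwd, cache = dict(SAMPLE_FORWARDS), dict(SAMPLE_CACHE)
    gone = remove_forward(fwd, cache, "corp.example")
    print("flushed:", sorted(gone))   # only corp.example. and below
    print("kept:   ", sorted(cache))  # the lookalike suffixes stay
```

With a real unbound instance the equivalent operation is `unbound-control flush_zone <name>`, which removes all cache entries at or below that name.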
_______________________________________________
dnssec-trigger mailing list
http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger