<div dir="ltr"><div>Dear Team,</div><div><p>I am running <strong>Unbound 1.13.1</strong> on Ubuntu (arm64).</p>
<p><strong>1. Cache issue:</strong></p>
<ul>
<li>
<p>I want to flush the entire DNS cache or view all cached entries.</p>
</li>
<li>
<p>I tried:</p>
<pre><code>unbound-control flush_zone .
unbound-control flush_requestlist
unbound-control flush_bogus
</code></pre>
<p>but it doesn’t seem to clear everything (some cached A records still answer after flush).</p>
</li>
<li>
<p>Restarting Unbound clears it, but is there a way to completely flush the cache <strong>without restarting</strong>?</p>
</li>
<li>
<p>Also: is there any way to <strong>list/dump all cached entries</strong>?</p>
</li>
</ul>
<p><strong>2. RPZ NSDNAME issue:</strong></p>
<ul>
<li>
<p>I am trying to block domains by NSDNAME via RPZ. I followed examples like:</p>
<pre><code>ns1.accessworld.net.rpz-nsdname IN CNAME .
ns2.accessworld.net.rpz-nsdname IN CNAME .
</code></pre>
</li>
<li>
<p>I also tried adding in <code>/etc/unbound/unbound.conf</code>:</p>
<pre><code>rpz-nsdname-wait-recurse: yes
</code></pre>
<p>but Unbound fails to start with errors:</p>
<pre><code>/etc/unbound/unbound.conf:88: error: unknown keyword 'rpz-nsdname-wait-recurse'
/etc/unbound/unbound.conf:88: error: stray ':'
/etc/unbound/unbound.conf:88: error: unknown keyword 'yes'
</code></pre>
</li>
<li>
<p>It looks like my version (1.13.1) doesn’t recognize this directive.</p>
</li>
</ul>
<p><strong>Questions:</strong></p>
<ol>
<li>
<p>What is the correct way to flush or dump the Unbound DNS cache in 1.13.1?</p>
</li>
<li>
<p>How can I block based on NSDNAME in Unbound 1.13.1 if <code>rpz-nsdname-wait-recurse</code> isn’t available?</p>
</li>
<li>
<p>Do I need to upgrade to a newer Unbound (≥1.16.0) to fully use RPZ NSDNAME rules?</p>
</li>
<li>
<p>Best way to upgrade without disturbing the current version?</p>
</li>
</ol></div><div><br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><font face="trebuchet ms, sans-serif" color="#0b5394"><b>Kind regards,</b></font></div><div><font face="trebuchet ms, sans-serif" color="#0b5394"><b>Rabin</b></font></div></div></div></div>
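<p>Added example (not part of the original message and not Unbound code): a small auditor that classifies each record of an RPZ zone by trigger and policy action, so rules that rely on non-QNAME triggers such as the <code>rpz-nsdname</code> records above can be listed before loading the zone on a resolver. It assumes owner names are written relative to the zone origin, as in the message; the function names and all sample records other than the two <code>accessworld.net</code> lines are constructed for illustration.</p>

```python
# Added example: classify RPZ records by trigger type and policy action.
# Trigger suffixes and CNAME action encodings follow the RPZ convention.
TRIGGERS = ("rpz-client-ip", "rpz-nsdname", "rpz-nsip", "rpz-ip")
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

def classify(line):
    """Return (trigger, matched_name, action) for one policy record, else None."""
    fields = line.split(";", 1)[0].split()      # drop comments, tokenize
    if len(fields) < 3 or fields[0].startswith("$"):
        return None                             # blank line or $TTL/$ORIGIN
    owner, rest = fields[0].rstrip("."), fields[1:]
    while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
        rest = rest[1:]                         # skip optional TTL and class
    if len(rest) < 2:
        return None
    rtype, rdata = rest[0].upper(), rest[1]
    if rtype in ("SOA", "NS"):
        return None                             # zone housekeeping, not policy
    trigger, name = "qname", owner              # no suffix means a QNAME trigger
    for suffix in TRIGGERS:
        if owner.lower().endswith("." + suffix):
            trigger, name = suffix, owner[: -len(suffix) - 1]
            break
    # Any non-CNAME record, or a CNAME to an ordinary name, is local data.
    action = ACTIONS.get(rdata.lower(), "LOCAL-DATA") if rtype == "CNAME" else "LOCAL-DATA"
    return trigger, name, action

def non_qname_rules(zone_text):
    """List records whose trigger needs more than plain QNAME matching."""
    rules = [classify(l) for l in zone_text.splitlines()]
    return [r for r in rules if r and r[0] != "qname"]

# Constructed sample zone; only the two rpz-nsdname lines come from the message.
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. 1 3600 900 604800 300
ns1.accessworld.net.rpz-nsdname IN CNAME .
ns2.accessworld.net.rpz-nsdname IN CNAME .
blocked.example.com 300 IN CNAME *.          ; constructed
allowed.example.org IN CNAME rpz-passthru.   ; constructed
sinkhole.example.net IN A 192.0.2.1          ; constructed
"""

if __name__ == "__main__":
    for rule in non_qname_rules(SAMPLE_ZONE):
        print(rule)
```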