[Dnssec-trigger] dnssec-triggerd behaviour when hotspot_signon called
psimerda at redhat.com
Thu Dec 5 09:11:44 UTC 2013
----- Original Message -----
> From: "Paul Wouters" <paul at cypherpunks.ca>
> To: "Tomas Hozza" <thozza at redhat.com>
> Cc: dnssec-trigger at NLnetLabs.nl, "Pavel Simerda" <psimerda at redhat.com>
> Sent: Wednesday, December 4, 2013 5:48:17 PM
> Subject: Re: [Dnssec-trigger] dnssec-triggerd behaviour when hotspot_signon called
> On Wed, 4 Dec 2013, Tomas Hozza wrote:
> >>> When going back to the "secure" mode it could just enable
> >>> the validator module and do the reprobing and set forwarders
> >>> based on the probing results.
> >> No, that would contaminate your cache.
> > Good point. Unfortunately FWIK the validator module can be
> > disabled only by changing the configuration file. For changes
> > to be used you'd need to reload unbound, which would result
> > in flushing the cache completely.
> And for good reason. If you go from a polluted cache to enabling
> DNSSEC, you would have to validate the entire cache contents, or
> just flush it and start from scratch. You could not use any
> content in the cache since it had not been validated.
Actually, when you change configuration at runtime, you should always flush the cache for the respective subtree as well. For example when you remove an insecure forward zone, the cache is polluted as well. I actually think that unbound should flush the cache automatically to avoid that. As a workaround, the cache can be flushed explicitly.
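An added example (not dnssec-trigger's or unbound's own code) of the explicit flush described above, written as unbound-control calls for the two transitions; it assumes remote-control is enabled in unbound.conf, and the zone name and forwarder addresses used in it are placeholders:

```shell
#!/bin/sh
# Added illustration, not dnssec-trigger's mechanism: changing forwarders at
# runtime leaves whatever was cached for that subtree in place, so each
# transition flushes the subtree explicitly instead of reloading unbound
# (which would drop the whole cache). UNBOUND_CONTROL can be overridden
# (e.g. "echo") to dry-run the commands.

UNBOUND_CONTROL=${UNBOUND_CONTROL:-unbound-control}

# Forward a zone to a non-validating resolver. "+i" also adds a
# domain-insecure entry so unvalidated answers are accepted for the zone;
# flushing first keeps previously validated data from being mixed with
# answers that will now arrive unvalidated.
enter_insecure_forward() {
    zone=$1; shift
    "$UNBOUND_CONTROL" flush_zone "$zone"
    "$UNBOUND_CONTROL" forward_add +i "$zone" "$@"
}

# Return to secure mode: remove the forward and its domain-insecure entry,
# then flush everything at or below the zone, since all of it came from an
# unvalidated source and would otherwise survive as a polluted cache.
leave_insecure_forward() {
    zone=$1
    "$UNBOUND_CONTROL" forward_remove +i "$zone"
    "$UNBOUND_CONTROL" flush_zone "$zone"
}
```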