[Dnssec-trigger] dnssec-triggerd behaviour when hotspot_signon called

Paul Wouters paul at cypherpunks.ca
Thu Dec 5 15:10:53 UTC 2013


On Thu, 5 Dec 2013, Pavel Simerda wrote:

>> And for good reason. If you go from a polluted cache to enabling
>> DNSSEC, you would have to validate the entire cache contents, or
>> just flush it and start from scratch. You could not use any
>> content in the cache since it had not been validated.
>
> Actually, when you change configuration at runtime, you should always flush the cache for the respective subtree as well. For example when you remove an insecure forward zone, the cache is polluted as well. I actually think that unbound should flush the cache automatically to avoid that. As a workaround, the cache can be flushed explicitly.

The way we implemented runtime forwards, e.g. from VPNs, we do flush the
particular DNS domain from the cache - no need to flush everything.

Paul
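As an added illustration of the approach described above (add or remove a runtime forward for a VPN domain and flush only that subtree of the cache), here is a small shell wrapper around `unbound-control`. This is example code written for this page, not dnssec-trigger's or unbound's own code; it assumes a local unbound with remote control enabled, and the domain `corp.example` and the server addresses used in the usage line are placeholders. The `+i` flag marks the forward zone insecure (no DNSSEC validation below it), which is the case the quoted message is discussing; leave it out if the VPN zone is actually signed and validatable.

```shell
#!/bin/sh
# Example (not dnssec-trigger's own code): add or remove a runtime forward
# zone in unbound and flush the cache for that subtree only, so that
# answers cached before the forward was in place (or cached while the
# insecure forward was active) are never served afterwards.
set -eu

# UNBOUND_CONTROL can be overridden (e.g. with a stub) for testing.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

uc() { "$UNBOUND_CONTROL" "$@"; }

# vpn_forward_add DOMAIN SERVER...
#   forward_add +i : add the forward zone and mark it domain-insecure
#   flush_zone     : drop everything at or below DOMAIN from the cache
vpn_forward_add() {
    domain=$1; shift
    [ $# -ge 1 ] || { echo "usage: vpn_forward_add domain server..." >&2; return 2; }
    uc forward_add +i "$domain" "$@"
    uc flush_zone "$domain"
}

# vpn_forward_remove DOMAIN
#   forward_remove +i : remove the forward zone and its domain-insecure
#   flush_zone        : the unvalidated answers fetched via the forward
#                       must not survive once validation is back on
vpn_forward_remove() {
    domain=$1
    uc forward_remove +i "$domain"
    uc flush_zone "$domain"
}

# Command-line dispatch; with no arguments only the functions are defined.
case "${1:-}" in
    add)    shift; vpn_forward_add "$@" ;;
    remove) shift; vpn_forward_remove "$@" ;;
    "")     ;;
    *)      echo "usage: $0 add DOMAIN SERVER... | remove DOMAIN" >&2; exit 2 ;;
esac
# e.g.  ./vpn-forward.sh add corp.example 10.8.0.53 10.8.0.54
#       ./vpn-forward.sh remove corp.example
```

`flush_zone` walks the whole cache, so it is slow on a large cache, but it is still far cheaper for the user than `flush` (everything), which throws away all validated data just because one subtree changed.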


