Issue with rpz-nsdname-wait-recurse option in Unbound 1.13.1

[Rabin Raj Gautam]

Dear Team,

I am running *Unbound 1.13.1* on Ubuntu (arm64).

*1. Cache issue:*

   -

   I want to flush the entire DNS cache or view all cached entries.
   -

   I tried:

   unbound-control flush_zone .
   unbound-control flush_requestlist
   unbound-control flush_bogus

   but it doesn’t seem to clear everything (some cached A records still
   answer after flush).
   -

   Restarting Unbound clears it, but is there a way to completely flush the
   cache *without restarting*?
   -

   Also: is there any way to *list/dump all cached entries*?

*2. RPZ NSDNAME issue:*

   -

   I am trying to block domains by NSDNAME via RPZ. I followed examples
   like:

   ns1.accessworld.net.rpz-nsdname IN CNAME .
   ns2.accessworld.net.rpz-nsdname IN CNAME .

   -

   I also tried adding in /etc/unbound/unbound.conf:

   rpz-nsdname-wait-recurse: yes

   but Unbound fails to start with errors:

   /etc/unbound/unbound.conf:88: error: unknown keyword
'rpz-nsdname-wait-recurse'
   /etc/unbound/unbound.conf:88: error: stray ':'
   /etc/unbound/unbound.conf:88: error: unknown keyword 'yes'

   -

   It looks like my version (1.13.1) doesn’t recognize this directive.

*Questions:*

   1.

   What is the correct way to flush or dump the Unbound DNS cache in 1.13.1?
   2.

   How can I block based on NSDNAME in Unbound 1.13.1 if
   rpz-nsdname-wait-recurse isn’t available?
   3.

   Do I need to upgrade to a newer Unbound (≥1.16.0) to fully use RPZ
   NSDNAME rules?
   4.

   Best way to upgrade without disturbing the current version?


*Kind regards,*
*Rabin*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20250816/2404ddbb/attachment.htm>