Question about cache reload
Stanley Weilnau
sweilnau at cnri.reston.va.us
Mon Jul 22 20:44:10 UTC 2013
I have just set up DNSSEC on BIND 9.9.3.  I had set up the zone and put a DS record out at the registrar.  Several days later I found that I had set up the keys incorrectly using only NSEC versus NSEC3, so I changed the keys.  I deleted the old keys and DS record, and had BIND resign everything and put out the new DS record.  I used some testing sites and things looked good.  I then got a message from an administrator at a remote site running BIND in strict mode stating my DNSSEC was broken.  It turns out he had cached the old info and it had not updated.  From this I am guessing that BIND does not flush cache if there is a problem like this, it just fails to resolve.
The other question I am attempting to research is what is the best way to do the yearly rekeying and updating of the DS records at the registrar to avoid this in the future.
-- 
Stanley Weilnau
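The breakage described above (old KSK and DS deleted, new ones published, all in one step) and the rekeying question in the second paragraph can both be illustrated with the following added example. It is not part of the original post and is not BIND's code; it builds DS records from DNSKEY data the way RFC 4034 specifies and then checks each step of a rollover plan against every combination of stale and fresh DS/DNSKEY RRsets a validating resolver might still hold from cache. The zone name example.net. and the short toy keys are constructed stand-ins (real keys are far longer).

```python
"""Why an abrupt KSK + DS swap fails for resolvers with cached records, and how to
check a staged rollover plan step by step. Standard library only; the zone name and
keys below are constructed toy values, not real DNSKEYs."""
import base64
import hashlib
import struct
from itertools import product


def name_to_wire(name: str) -> bytes:
    """Canonical owner name (lowercase, length-prefixed labels, root terminator)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str,
             digest_type: int = 2) -> tuple:
    """The DS the parent should publish for this DNSKEY: (key tag, algorithm, digest type,
    digest). Digest = hash(canonical owner name | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


ZONE = "example.net."  # constructed zone name standing in for the poster's zone

# Constructed toy KSKs: flags 257 (KSK/SEP), protocol 3, algorithm 8 (RSASHA256).
OLD_KSK = (257, 3, 8, "AQIDBA==")
NEW_KSK = (257, 3, 8, "BQYHCA==")


def ds_for(key: tuple) -> tuple:
    return ds_rdata(ZONE, *key)


def chain_validates(parent_ds: set, child_keys: set) -> bool:
    """A validator needs one DS at the parent that matches one DNSKEY in the child RRset
    it holds. Either RRset may be a stale copy served from the resolver's cache."""
    return any(ds_for(k) in parent_ds for k in child_keys)


def step_is_safe(prev_ds: set, cur_ds: set, prev_keys: set, cur_keys: set) -> bool:
    """Until the old TTLs expire a resolver may hold any mix of the previous or current
    DS RRset and the previous or current DNSKEY RRset; all four must still validate."""
    return all(chain_validates(ds, keys)
               for ds, keys in product((prev_ds, cur_ds), (prev_keys, cur_keys)))


def plan_is_safe(states: list) -> bool:
    """states: ordered (parent DS set, child DNSKEY set) snapshots. Every transition must
    be safe; operationally you wait max(DS TTL, DNSKEY TTL) between steps."""
    return all(step_is_safe(a[0], b[0], a[1], b[1]) for a, b in zip(states, states[1:]))


# What the post describes: old key and DS removed, new key and DS published at once.
ABRUPT_SWAP = [
    ({ds_for(OLD_KSK)}, {OLD_KSK}),
    ({ds_for(NEW_KSK)}, {NEW_KSK}),
]

# Double-signature KSK rollover in the spirit of RFC 6781: pre-publish the new key and
# sign with both, then swap the DS at the parent, then retire the old key, one TTL apart.
STAGED_ROLLOVER = [
    ({ds_for(OLD_KSK)}, {OLD_KSK}),
    ({ds_for(OLD_KSK)}, {OLD_KSK, NEW_KSK}),
    ({ds_for(NEW_KSK)}, {OLD_KSK, NEW_KSK}),
    ({ds_for(NEW_KSK)}, {NEW_KSK}),
]

if __name__ == "__main__":
    print("new DS to hand to the registrar:", ds_for(NEW_KSK))
    print("abrupt swap safe for cached resolvers:", plan_is_safe(ABRUPT_SWAP))
    print("staged rollover safe for cached resolvers:", plan_is_safe(STAGED_ROLLOVER))
```

The abrupt plan fails on exactly the combination the remote administrator hit: a resolver still holding the old DS from cache fetches the fresh DNSKEY RRset, finds no key matching that DS, and returns SERVFAIL rather than refetching. The staged plan passes because the child publishes both keys for the whole window in which either DS may be cached.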