Question about cache reload
sweilnau at cnri.reston.va.us
Mon Jul 22 20:44:10 UTC 2013
I have just set up DNSSEC on bind 9.9.3. I had set up the zone and put a DS record out at the registrar. Several days later I found that I had set up the keys incorrectly using only NSEC versus NSEC3, so I changed the keys. I deleted the old keys and DS record, had bind resign everything, and put out the new DS record. I used some testing sites and things looked good. I then got a message from an administrator at a remote site running bind in strict mode stating my DNSSEC was broken. It turns out he had cached the old info and it had not updated. From this I am guessing that bind does not flush cache if there is a problem like this, it just fails to resolve.
The other question I am attempting to research is what is the best way to do the yearly rekeying and updating of the DS records at the registrar to avoid this in the future.
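The cache problem described in the post comes down to TTLs: a validating resolver may hold the parent's DS and the child's DNSKEY RRset with different expiry times, so if both are replaced at once it can end up with a fresh DS and a stale DNSKEY (or vice versa) and fail validation until the older record expires. The following is an added example, not code from the post or from BIND: a small Python model of one resolver's cache that contrasts the abrupt swap with a staged KSK rollover (publish the new DNSKEY, wait a DNSKEY TTL, switch the DS, wait a DS TTL, then retire the old DNSKEY, along the lines of RFC 6781). Key names, TTLs and timings are constructed; the model ignores RRSIG expiry and negative caching.

```python
"""Model of a validating resolver's cache across a DNSSEC key change.

Added example, not from the original post or from BIND. Key names,
TTLs and timings are constructed; the model is simplified (one resolver,
no RRSIG expiry, no negative caching of SERVFAIL)."""


def validates(cache, auth, now):
    """Fetch DS and DNSKEY through the cache (re-query only after the
    cached copy expires) and check that some DS matches a DNSKEY."""
    for rr in ("ds", "dnskey"):
        _, exp = cache.get(rr, (None, -1))
        if exp <= now:                      # expired or never fetched
            cache[rr] = (set(auth[rr]), now + auth[rr + "_ttl"])
    return bool(cache["ds"][0] & cache["dnskey"][0])


def run(steps, query_times):
    """steps: sorted list of (time, authoritative state); query_times:
    when the resolver validates. Returns {time: validation result}."""
    cache, result = {}, {}
    for t in query_times:
        auth = [state for when, state in steps if when <= t][-1]
        result[t] = validates(cache, auth, t)
    return result


TTL = {"ds_ttl": 3600, "dnskey_ttl": 7200}       # constructed values

# What the post describes: old key and DS removed, new ones published at once.
ABRUPT = [
    (0,   {"ds": {"K1"}, "dnskey": {"K1"}, **TTL}),
    (100, {"ds": {"K2"}, "dnskey": {"K2"}, **TTL}),
]

# Staged rollover: add the new DNSKEY, wait a DNSKEY TTL, swap the DS,
# wait a DS TTL, then drop the old DNSKEY.
STAGED = [
    (0,     {"ds": {"K1"}, "dnskey": {"K1"}, **TTL}),
    (100,   {"ds": {"K1"}, "dnskey": {"K1", "K2"}, **TTL}),
    (7400,  {"ds": {"K2"}, "dnskey": {"K1", "K2"}, **TTL}),  # 100 + 7200 + margin
    (11100, {"ds": {"K2"}, "dnskey": {"K2"}, **TTL}),        # 7400 + 3600 + margin
]

QUERIES = [0, 4000, 8000, 12000]

if __name__ == "__main__":
    print("abrupt:", run(ABRUPT, QUERIES))   # 4000 -> False: new DS, stale DNSKEY
    print("staged:", run(STAGED, QUERIES))   # every query validates
```

In the abrupt schedule the resolver re-fetches the DS at t=4000 but still trusts its cached DNSKEY until t=7200, which is exactly the window in which a strict validator reports the zone as broken.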