Hi,
Today I ran into an unexpected flush issue. A domain with a DS record no longer signed its zone and became BOGUS. Once the registrar removed the DS record, I ran an unbound-control flush_zone on the zone, but I still received a SERVFAIL. It turns out the DS record of a domain is not flushed, because it does not live in the child zone but in the parent zone.

I suggest changing the behaviour of unbound so that the flush_zone command also flushes the DS records of a zone held in its parent.

Paul
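An operator-side workaround for the behaviour described in the message above, as an added example that is not part of the original post or of Unbound itself: flush the DS RRset by name and type before flushing the zone. The function name and the UNBOUND_CONTROL override variable are assumptions of this example; flush_type, flush_zone, flush_bogus and flush_requestlist are existing unbound-control commands.

```shell
#!/bin/sh
# Added example (not from the original post): flush a zone that went from
# signed to unsigned, including the DS RRset cached from the parent zone.
# UNBOUND_CONTROL is an assumption of this example; it lets the command be
# replaced (for instance with "echo") for a dry run.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

flush_zone_with_ds() {
    zone="$1"
    # Reject empty input and anything that is not a plain DNS name.
    case "$zone" in
        ""|*[!A-Za-z0-9._-]*)
            echo "usage: flush_zone_with_ds <zone>" >&2
            return 2 ;;
    esac
    # Normalise to a fully qualified name with one trailing dot.
    zone="${zone%.}."

    # 1. The DS RRset is owned by the child's name but served by the parent,
    #    so remove it explicitly by name and type.
    $UNBOUND_CONTROL flush_type "$zone" DS || return 1
    # 2. Remove everything cached at or below the zone name.
    $UNBOUND_CONTROL flush_zone "$zone" || return 1
    # 3. Remove anything already marked bogus by the validator.
    $UNBOUND_CONTROL flush_bogus || return 1
    # 4. Drop in-flight queries that may have started with the stale state.
    $UNBOUND_CONTROL flush_requestlist || return 1
}
```

Calling `flush_zone_with_ds example.com` after the DS record is gone from the parent lets the next lookup fetch the delegation fresh.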
