On Tue, 22 Sep 2015, W.C.A. Wijngaards via Unbound-users wrote:
>> Today I ran into an unexpected flush issue. A domain with a DS record
>> no longer signed its zone and became BOGUS. Once the registrar
>> removed the DS record, I ran an unbound-control flush_zone on the
>> zone, but I still received a SERVFAIL. Turns out the DS record of a
>> domain is not flushed because it does not live in the child zone
>> but in the parent zone.
>>
>> I suggest changing the behaviour of unbound to also flush DS
>> records of a zone in its parent with the flush_zone command.
>
> The flush_zone command flushes the DS record too. This works for me
> (e.g. look up a domain, dig DS record, flush it, dig DS record - fresh
> TTL). But I understand the domain you had did not become non-bogus
> after the flush? Was something else not flushed that should be?

I'm not sure. It did not become non-bogus for sure. I didn't drop the
cache and the domain is fixed now. So you'll have to create a test
case I guess? :)
Paul
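
The check described in the thread (look up the DS, flush the zone, look up the DS again and compare TTLs) can be scripted as below. This is an added example, not code from the thread or from the Unbound project; the function names are hypothetical, and it assumes `dig` and `unbound-control` are installed and that the resolver listens on 127.0.0.1 unless another address is given.

```shell
#!/bin/sh
# Added example: did `unbound-control flush_zone` make the resolver fetch
# the DS RRset again from the parent zone?

# Read `dig +noall +answer` output on stdin and print the largest TTL among
# the DS records. Prints nothing when no DS record is in the answer.
ds_ttl() {
    awk '$4 == "DS" { if ($2 + 0 > max) max = $2 + 0; found = 1 }
         END { if (found) print max }'
}

# Classify a flush from the DS TTL seen before and after it.
# A cached TTL counts down, so a higher TTL afterwards means a fresh fetch.
flush_result() {
    before=$1
    after=$2
    if [ -z "$after" ]; then
        echo "no-ds-answer"      # DS removed at the parent, or the query failed
    elif [ -z "$before" ]; then
        echo "ds-appeared"
    elif [ "$after" -gt "$before" ]; then
        echo "ds-refetched"
    else
        echo "ds-still-cached"   # same or lower TTL: the old DS survived the flush
    fi
}

# Live check against a running resolver (hypothetical helper, not run here).
check_flush() {
    zone=$1
    resolver=${2:-127.0.0.1}     # assumption: Unbound answers on localhost
    dig +noall +answer DS "$zone" "@$resolver" >/dev/null   # prime the cache
    sleep 2                                                 # let the TTL count down
    before=$(dig +noall +answer DS "$zone" "@$resolver" | ds_ttl)
    unbound-control flush_zone "$zone" >/dev/null || return 1
    after=$(dig +noall +answer DS "$zone" "@$resolver" | ds_ttl)
    flush_result "$before" "$after"
}
```

Run `check_flush <zone>` on the resolver host; a result of `ds-still-cached` is the situation the original report describes.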