executing the chain of commands below may lead to a
zone transfer with incorrect DNSSEC settings.
transfer of an unsecured zone, repeating notify after
a while a nsec'ed zone is transferred, few seconds later
finally the nsec3'ed zone is delivered.
pdnssec secure-zone DOMAIN
pdnssec set-nsec3 DOMAIN
pdnssec rectify-zone DOMAIN
pdns_control notify-host DOMAIN SLAVE-IP
make sure we clear DNSSEC caches in some relevant places. Fixes #530, patch by Ruben d'Arco
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2694 d19b8d6e-7fed-0310-83ef-9ca221ded41b
the whole workflow to reproduce the issue over here is as follows:
the result on the slave is as follows:
similar behaviour can be found using the disable-dnssec process.
not tested yet -> behaviour on key-rollovers
question in context: does it make sense to use different cache-timeouts for metadata and keys?
Please try this patch and see if it improves the behaviour?
fixes the behaviour on zone transfers.
still on direct requests to a host metadata/key cache is used.
at client: dig +dnssec www.test.com @dns
at dns: secure zone, nsec3 zone, rectify zone
at client: dig +dnssec www.test.com @dns -> no rrsig
equivalent behaviour when going insecure.
Unfortunately pdnssec does not have any control over powerdns's cache.
The earlier associated diff has been updated to make the pdns_control purge command clean the dnssec cache as well. This means that you now have a little control over the cache. The advice here is to run pdns_control purge after all the pdnssec operations have been performed.
patch applied in r2694, closing ticket
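
An added example, not part of the ticket or of PowerDNS itself: the advice above (run pdns_control purge after all pdnssec operations) as a shell sequence that also repeats the ticket's dig +dnssec check before notifying the slave. The function names, the 127.0.0.1 default server and the sample dig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: secure a zone, purge the server caches, verify, then notify.
# Function names and sample data are hypothetical, not taken from PowerDNS.

# Return 0 only if the dig output on stdin carries an RRSIG in its ANSWER
# section. RRSIGs in the AUTHORITY section (denial proofs) do not count.
answer_has_rrsig() {
    awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        /^;; / || /^$/             { in_answer = 0 }
        in_answer && $4 == "RRSIG" { found = 1 }
        END                        { exit !found }
    '
}

# Usage: secure_and_notify DOMAIN SLAVE-IP PROBE-NAME [SERVER]
secure_and_notify() {
    domain=$1 slave_ip=$2 probe=$3 server=${4:-127.0.0.1}
    pdnssec secure-zone "$domain"  || return 1
    pdnssec set-nsec3 "$domain"    || return 1
    pdnssec rectify-zone "$domain" || return 1
    # pdnssec has no control over the running server's caches, so stale
    # metadata and keys must be purged explicitly before anything is served.
    pdns_control purge || return 1
    # Notify only once the master itself answers with signatures; otherwise
    # the slave may still be handed the zone in an intermediate state.
    if dig +dnssec "$probe" "@$server" | answer_has_rrsig; then
        pdns_control notify-host "$domain" "$slave_ip"
    else
        echo "no RRSIG for $probe from $server, not notifying" >&2
        return 2
    fi
}

# Constructed sample dig output (not captured from a real server).
SAMPLE_UNSIGNED=';; ANSWER SECTION:
www.test.com. 3600 IN A 192.0.2.10
'
SAMPLE_SIGNED=';; ANSWER SECTION:
www.test.com. 3600 IN A 192.0.2.10
www.test.com. 3600 IN RRSIG A 8 3 3600 20300101000000 20291201000000 12345 test.com. c2FtcGxl
'
```

Called as `secure_and_notify test.com 192.0.2.53 www.test.com`, it returns 2 without notifying when the direct query still comes back unsigned.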