From b612e38af165e136a84362b4d2e3dc4d6700a0c7 Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Tue, 15 Oct 2019 15:12:29 +0100
Subject: [PATCH 1/2] Do not flush the cache for `rndc validation status`
And add a note to the man page that `rndc validation` flushes the cache when the validation state is changed. (It is necessary to flush the cache when turning on validation, to avoid continuing to use cryptographically invalid data. It is probably wise to flush the cache when turning off validation to recover from lameness problems.)
---
 bin/named/server.c | 2 +-
 bin/rndc/rndc.docbook | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 452b38945d..2cd6b10d88 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -11081,9 +11081,9 @@ named_server_validation(named_server_t *server, isc_lex_t *lex,
 if ((ptr != NULL && strcasecmp(ptr, view->name) != 0) ||
 strcasecmp("_bind", view->name) == 0)
 continue;
- CHECK(dns_view_flushcache(view, false));
 if (set) {
+ CHECK(dns_view_flushcache(view, false));
 view->enablevalidation = enable;
 changed = true;
 } else {
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index acc14ac2cd..c5c1c4e0a2 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -1078,6 +1078,8 @@
 Enable, disable, or check the current status of DNSSEC validation. By default, validation is enabled.
+ The cache is flushed when validation is turned on or off
+ to avoid using data that might differ between states.
From 9de062ae76bf11e77a2ebcd7bb0d868dd942359c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Thu, 31 Oct 2019 13:00:54 -0500
Subject: [PATCH 2/2] Add CHANGES
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 5c23a20d1a..aae5dd7c59 100644
--- a/CHANGES
+++ b/CHANGES
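Review bot: The flush on the added line in `named_server_validation` still runs before `view->enablevalidation = enable;`, and a failing `CHECK` leaves the loop with earlier views already switched while this and later views are not; the cleanup path and any exclusive-mode locking lie outside the hunk, so confirm that no answers can be cached between the flush and the flag change. If that window exists, assigning the flag first and flushing second closes it when validation is being turned on. The flush also fires when `set` is true but `enable` already equals the current state; a guard such as `if (view->enablevalidation != enable)` around the flush would match the man-page wording that the cache is flushed when validation is turned on or off. A short comment above the call, e.g. `/* Flush so data cached under the previous validation state is not reused. */`, would record why the flush is tied to a state change.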
@@ -1,3 +1,6 @@
+5312. [bug] Do not flush the cache for `rndc validation status`.
+ Thanks to Tony Finch. [GL !2462]
+
 5311. [cleanup] Include all views in output of `rndc validation status`.
 Thanks to Tony Finch. [GL !2461]