Do not flush the cache for `rndc validation status`
authorTony Finch <dot@dotat.at>
Tue, 15 Oct 2019 14:12:29 +0000 (15:12 +0100)
committerOndřej Surý <ondrej@sury.org>
Thu, 31 Oct 2019 18:31:41 +0000 (13:31 -0500)
And add a note to the man page that `rndc validation` flushes the
cache when the validation state is changed. (It is necessary to flush
the cache when turning on validation, to avoid continuing to use
cryptographically invalid data. It is probably wise to flush the cache
when turning off validation to recover from lameness problems.)

bin/named/server.c
bin/rndc/rndc.docbook

index 452b38945d8ba4561d0c00cac3a087fb7196f1c7..2cd6b10d88fabfab79734eec1ced745e5abe5905 100644 (file)
@@ -11081,9 +11081,9 @@ named_server_validation(named_server_t *server, isc_lex_t *lex,
                if ((ptr != NULL && strcasecmp(ptr, view->name) != 0)
                    || strcasecmp("_bind", view->name) == 0)
                        continue;
-               CHECK(dns_view_flushcache(view, false));
 
                if (set) {
+                       CHECK(dns_view_flushcache(view, false));
                        view->enablevalidation = enable;
                        changed = true;
                } else {
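Review bot: The `CHECK(dns_view_flushcache(view, false));` added inside `if (set)` runs on every state-setting `rndc validation` call, even when `view->enablevalidation` already equals `enable`, so repeating the command discards the view's cache without changing anything. The man-page sentence added in this same commit promises a flush only when validation is turned on or off; guarding the call as `if (view->enablevalidation != enable) CHECK(dns_view_flushcache(view, false));` would make the code match it. The flush also precedes the assignment, so unless this loop runs with the server in exclusive mode (not visible in the hunk), answers cached between the two statements while enabling validation would be unvalidated data surviving the flush. A short comment such as `/* flush while exclusive so no unvalidated data is cached before the flag flips */` would record which guarantee makes this order safe. The body of named_server_validation starts and ends outside the hunk.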
index acc14ac2cda751b32833a56f148d20e4e333c40e..c5c1c4e0a244252d26ddfbe7dd12377e651a16fa 100644 (file)
          <para>
            Enable, disable, or check the current status of
            DNSSEC validation.  By default, validation is enabled.
+           The cache is flushed when validation is turned on or off
+           to avoid using data that might differ between states.
          </para>
        </listitem>
       </varlistentry>