Created attachment 984150 [details] patch As dnssec-trigger-script cannot rely on a specific on a current version of Unbound, the upstream code attempts to check whether the list of servers for a zone should be changed and skips the action if not. The attached patch makes sure we always rewrite the forward zone as it may be switching between secure and insecure.
Created attachment 984155 [details] patch to fix the two issues Furthermore I realized that there is a problem with switching from insecure mode to secure mode using a single *forward_add* command. While there is a "+i" switch that makes sure the zone is insecure, there's no "-i" switch to make sure the zone is secure (when insecure previously). Therefore it is necessary to fix up the secure state using *insecure_remove* afterwards. Upstream can change this in the future based on unbound-control improvements.
(In reply to Pavel Šimerda (pavlix) from comment #1) > Furthermore I realized that there is a problem with switching from insecure > mode to secure mode using a single *forward_add* command. While there is a > "+i" switch that makes sure the zone is insecure, there's no "-i" switch to > make sure the zone is secure (when insecure previously). Therefore it is > necessary to fix up the secure state using *insecure_remove* afterwards. Yes, basically you can use the 'insecure_remove' OR you could remove the insecure forward zone completely and re-add it as secure. However the final effect should be the same, so I think it is OK to do it the way you've proposed.
Thanks.
dnssec-trigger-0.12-18.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/dnssec-trigger-0.12-18.fc21
Package dnssec-trigger-0.12-18.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing dnssec-trigger-0.12-18.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1279/dnssec-trigger-0.12-18.fc21 then log in and leave karma (feedback).
dnssec-trigger-0.12-19.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/FEDORA-2015-3864/dnssec-trigger-0.12-19.fc22
dnssec-trigger-0.12-19.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/FEDORA-2015-3843/dnssec-trigger-0.12-19.fc21
dnssec-trigger-0.12-19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
dnssec-trigger-0.12-20.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.