dnssec: ds showing hidden 3+ days after key roll

Matthijs Mekking matthijs at isc.org
Fri Feb 11 08:59:28 UTC 2022


Hi Larry,

This is documented in the DNSSEC RFCs, but AFAICS it is not mentioned in 
our documentation. I created a merge request to add such a note in the 
appropriate places:

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5823

Best regards,

Matthijs

On 10-02-2022 18:23, Larry Rosenman wrote:
> On 02/10/2022 10:10 am, Matthijs Mekking wrote:
>> Hi,
>>
>> There are several things wrong here. The gist of it is that there is
>> no valid ZSK and since the zone is not properly signed, BIND does not
>> want to publish the DS record (even if outside BIND you already
>> published the DS).
>>
>> You can tell that BIND does not agree because it did not publish a CDS
>> record in your zone.
>>
>> I also noticed two different algorithms. I hadn't noticed it before
>> but your policy says:
>>
>>         keys {
>>                 ksk lifetime unlimited algorithm 8 2048 ;
>>                 zsk lifetime 30d algorithm 13;
>>         };
>>
>> This is a garbage policy because you specify different algorithms for
>> the ksk and the zsk. This can never result in a validly signed zone.
>>
>> Change the algorithm of the keys so that they match.
>>
>> Perhaps we can add a named-checkconf check for this.
>>
>>
>> Best regards,
>>
>> Matthijs
>>
> [snip]
> 
> Thanks! Is that little nuance documented? (The need for KSK and ZSK 
> to be aligned on type of key)
> 
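The rule behind Matthijs's remark comes from RFC 4035 section 2.2: every algorithm present in the apex DNSKEY RRset must sign every RRset in the zone, so a policy whose only KSK is algorithm 8 and whose only ZSK is algorithm 13 can never produce a zone that validates. The script below is an added example, not part of this thread, not BIND code, and not the named-checkconf check Matthijs mentions. It is a stand-alone lint over a `dnssec-policy` `keys` block that applies that rule per algorithm, which goes slightly beyond the thread's case: a CSK, or a policy that lists both a KSK and a ZSK for each of two algorithms (as during an algorithm rollover), passes, while the policy quoted above is flagged. The policy texts are constructed from the thread, and the mnemonic table covers only the algorithms listed in it.

```python
"""Lint a BIND dnssec-policy 'keys' block for per-algorithm signer coverage.

Added example (not BIND's own checker). Rule applied, from RFC 4035 s2.2:
each algorithm in the DNSKEY RRset must sign the DNSKEY RRset (ksk or csk)
and the zone data (zsk or csk).
"""
import re
from collections import defaultdict

# Constructed sample inputs: the policy quoted in the thread and a fixed one.
BROKEN_POLICY = """
dnssec-policy "mixed" {
        keys {
                ksk lifetime unlimited algorithm 8 2048;
                zsk lifetime 30d algorithm 13;
        };
};
"""

FIXED_POLICY = """
dnssec-policy "fixed" {
        keys {
                ksk lifetime unlimited algorithm 13;
                zsk lifetime 30d algorithm 13;
        };
};
"""

# Partial mnemonic table (assumption: only the algorithms used here).
ALGORITHM_NUMBERS = {
    "rsasha256": 8,
    "rsasha512": 10,
    "ecdsap256sha256": 13, "ecdsa256": 13,
    "ecdsap384sha384": 14, "ecdsa384": 14,
    "ed25519": 15,
    "ed448": 16,
}

# One key clause: role keyword, then everything up to the terminating ';'.
KEY_CLAUSE_RE = re.compile(r"\b(ksk|zsk|csk)\b([^;]*);", re.IGNORECASE)
ALGORITHM_RE = re.compile(r"\balgorithm\s+(\S+)", re.IGNORECASE)


def normalize_algorithm(token):
    """Map '8' or 'RSASHA256' to the DNSKEY algorithm number."""
    t = token.lower()
    if t.isdigit():
        return int(t)
    if t in ALGORITHM_NUMBERS:
        return ALGORITHM_NUMBERS[t]
    raise ValueError(f"unknown algorithm mnemonic: {token}")


def parse_policy_keys(text):
    """Return [(role, algorithm_number), ...] for each key clause found."""
    keys = []
    for clause in KEY_CLAUSE_RE.finditer(text):
        role = clause.group(1).lower()
        alg = ALGORITHM_RE.search(clause.group(2))
        if alg is None:
            raise ValueError(f"{role} clause without an algorithm")
        keys.append((role, normalize_algorithm(alg.group(1))))
    return keys


def check_policy(text):
    """Return a list of problems; an empty list means every algorithm is
    able to sign both the DNSKEY RRset and the zone data."""
    keys = parse_policy_keys(text)
    if not keys:
        return ["no ksk/zsk/csk clauses found"]
    roles_by_alg = defaultdict(set)
    for role, alg in keys:
        roles_by_alg[alg].add(role)
    problems = []
    for alg, roles in sorted(roles_by_alg.items()):
        if not roles & {"ksk", "csk"}:
            problems.append(f"algorithm {alg}: no KSK/CSK signs the DNSKEY RRset")
        if not roles & {"zsk", "csk"}:
            problems.append(f"algorithm {alg}: no ZSK/CSK signs the zone data")
    return problems


if __name__ == "__main__":
    for name, policy in (("mixed", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        result = check_policy(policy)
        print(name, "->", result or "OK")
```

Running it reports two problems for the quoted policy (algorithm 8 has nothing to sign the zone data, algorithm 13 has nothing to sign the DNSKEY RRset) and none once both keys use the same algorithm; the same logic also accepts a single `csk` clause.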


More information about the bind-users mailing list