new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

PGNet Dev pgnet.dev at gmail.com
Fri Oct 14 13:26:18 UTC 2022


i run,

	named -v
		BIND 9.18.7 (Stable Release) <id:>


i've set up dnssec-policy operation for a number of domains.

keys are all generated, KSK-derived DS Records are pushed to registrar->root, and all DNSSEC-analyzer tools online report all's good.

i can see no functional problems. so far. that i'm aware of.

but, in bind logs, locally, I see the following "zone_rekey:dns_zone_getdnsseckeys failed: not found" error,

	2022-10-14T08:47:23.569556-04:00 ns named[14285]: 14-Oct-2022 08:47:23.568 dnssec: info: zone example.com/IN/external: generated salt: 82CSA124A1645B0D
	2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022 08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring zone keys
??	2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found
	2022-10-14T08:47:23.712663-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/62137 (policy pgnd)
	2022-10-14T08:47:23.712666-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/17296 (policy pgnd)
	2022-10-14T08:47:23.712671-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) matches policy pgnd
	2022-10-14T08:47:23.712674-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) is active in policy pgnd
	2022-10-14T08:47:23.712677-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) matches policy pgnd
	2022-10-14T08:47:23.712680-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) is active in policy pgnd
	2022-10-14T08:47:23.712683-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) (policy pgnd) in 2445436 seconds
	2022-10-14T08:47:23.712686-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in state OMNIPRESENT
	2022-10-14T08:47:23.712688-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in stable state OMNIPRESENT
	2022-10-14T08:47:23.712690-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in state OMNIPRESENT
	2022-10-14T08:47:23.712693-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in stable state OMNIPRESENT
	2022-10-14T08:47:23.712695-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in state OMNIPRESENT
	2022-10-14T08:47:23.712697-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in stable state OMNIPRESENT
	2022-10-14T08:47:23.712699-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in state OMNIPRESENT
	2022-10-14T08:47:23.712702-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in stable state OMNIPRESENT
	2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
	2022-10-14T08:47:23.712706-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: can we transition KSK example.com/ECDSAP256SHA256/17296 type DS state RUMOURED to state OMNIPRESENT?
	2022-10-14T08:47:23.712712-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: dnssec evaluation of KSK example.com/ECDSAP256SHA256/17296 record DS: rule1=(~true or true) rule2=(~true or true) rule3=(~true or true)

for each/every dnssec-enabled domain

where, in my current named.conf,

	dnssec-policy "pgnd" {
		keys {
			ksk key-directory    lifetime unlimited    algorithm 13;
			zsk key-directory    lifetime P30D         algorithm 13;
		};
		dnskey-ttl                 3600;
		publish-safety             1h;
		retire-safety              1h;
		signatures-refresh         P5D;
		signatures-validity        P2W;
		signatures-validity-dnskey P2W;
		max-zone-ttl               86400;
		zone-propagation-delay     300;
		parent-ds-ttl              86400;
		parent-propagation-delay   1h;
		nsec3param iterations 5 optout no salt-length 8;
	};
	zone "example.com" IN {
		type master; file "/namedb/master/example.com.zone";
		dnssec-policy "pgnd";
		key-directory "/keys/dnssec/example.com";
		update-policy { grant pgnd-external-rndc-key zonesub txt; };
	};

what's the source of the "zone_rekey:dns_zone_getdnsseckeys"?
specifically, what's not being found?
have i missed/misconfig'd config, omitted a file/dir that current config expects, or is this a bug?
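
Added example, not part of the original post and not BIND code: a Python parser for `dnssec`-category log lines in the format quoted above. It groups `error` entries by zone/view and lists key records whose last examined state is not a stable one. The sample lines are constructed from the excerpt, and the function and variable names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied in shape from the log excerpt above.
SAMPLE = """\
2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022 08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring zone keys
2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found
2022-10-14T08:47:23.712688-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in state OMNIPRESENT
2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
"""

# "dnssec: error: zone <name>/<class>/<view>: <message>"
ERROR_RE = re.compile(r"dnssec: error: zone (?P<zone>\S+): (?P<msg>.+)$")
# "keymgr: examine <role> <zone>/<alg>/<tag> type <record> in state <state>"
STATE_RE = re.compile(
    r"keymgr: examine (?P<role>\w+) (?P<zone>[^/\s]+)/(?P<alg>[^/\s]+)/(?P<tag>\d+)"
    r" type (?P<rtype>\w+) in state (?P<state>\w+)")

# Key-state values that do not change on their own; RUMOURED and
# UNRETENTIVE are transitional.
STABLE = {"OMNIPRESENT", "HIDDEN"}


def summarize(log_text):
    """Return (errors, unsettled) parsed from named dnssec log text.

    errors:    {"zone/class/view": [message, ...]}
    unsettled: {(zone, role, key_tag, record_type): last_seen_state}
    """
    errors = defaultdict(list)
    states = {}
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)  # search() tolerates prefixes such as "??"
        if m:
            errors[m["zone"]].append(m["msg"])
            continue
        m = STATE_RE.search(line)
        if m:
            key = (m["zone"], m["role"], int(m["tag"]), m["rtype"])
            states[key] = m["state"]  # later lines overwrite earlier ones
    unsettled = {k: v for k, v in states.items() if v not in STABLE}
    return dict(errors), unsettled


if __name__ == "__main__":
    errs, pending = summarize(SAMPLE)
    for zone, msgs in errs.items():
        print(zone, "errors:", msgs)
    for (zone, role, tag, rtype), state in pending.items():
        print(f"{zone} {role} {tag} {rtype} is {state}")
```

The summary only reports what the log lines say; it does not identify what `dns_zone_getdnsseckeys` failed to find.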

