new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?

PGNet Dev pgnet.dev at gmail.com
Fri Oct 14 14:33:48 UTC 2022


> This is a log level bug. This log happens when BIND want to check the parental-agents if the DS has been published. But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result.
> 
> Thanks for reporting, this will be fixed in the next release, it should be a debug log level.

+1 o/

i'd completely missed 'parental-agents' :-/

sounds like i likely *should* have it set up in any case; esp if using dnssec-policy key rollovers (i am)

reading

	https://bind9.readthedocs.io/en/latest/chapter5.html?highlight=parental-agents#key-rollover

i get the part it plays

unclear though which specific server one should use; in the example txt,

	"Here one server, 192.0.2.1, is configured for BIND to send DS queries to, to check the DS RRset for dnssec-example during key rollovers. This needs to be a trusted server, because BIND does not validate the response."

atm, my registrar/TLD don't support CDS/CDNSKEY (for .com, in this case)

so my DS RECORD gets manually entered @ registrar's web portal.

then, record propagates to roots, which -- eventually -- return RRSIG/RRSET data on queries.

for rollover mgmt, what server should be set as parental-agent?
my registrar's?
a root?
something 'big', like cloudflare/1.1.1.1 ?
other?
