after DS RECORD publish/verify, DSStatus stuck @ "rumoured" after manual `rndc dnssec -checkds` update ?

PGNet Dev pgnet.dev at gmail.com
Fri Oct 21 20:28:35 UTC 2022


With BIND 9.18, configured for dnssec-policy automated signing, I've a DNSSEC-signed zone,

	rndc dnssec -status example.com IN external
		dnssec-policy: test
		current time:  Fri Oct 21 16:14:06 2022

		key: 47219 (ECDSAP256SHA256), ZSK
		  published:      yes - since Fri Oct 21 15:22:27 2022
		  zone signing:   yes - since Fri Oct 21 17:27:27 2022

		  Next rollover scheduled on Thu Jan 19 14:22:27 2023
		  - goal:           omnipresent
		  - dnskey:         rumoured
		  - zone rrsig:     rumoured

		key: 63917 (ECDSAP256SHA256), KSK
		  published:      yes - since Sat Oct 15 15:52:05 2022
		  key signing:    yes - since Sat Oct 15 15:52:05 2022

		  No rollover scheduled
		  - goal:           omnipresent
		  - dnskey:         omnipresent
		  - ds:             rumoured
		  - key rrsig:      omnipresent

		key: 43175 (ECDSAP256SHA256), ZSK
		  published:      no
		  zone signing:   no

		  Key has been removed from the zone
		  - goal:           hidden
		  - dnskey:         unretentive
		  - zone rrsig:     unretentive


Note for the KSK, its DS state:

		  - ds:             rumoured

I've verified externally that the zone's DS record has been pushed to registrar->parent, it's fully propagated, and is passing all the external/online checks.

reading @ https://kb.isc.org/docs/dnssec-key-and-signing-policy

	"Note: If you see the DSState stuck in rumoured after the migration, you need to run rndc dnssec -checkds published example.com to tell BIND that the DS is already published in the parent zone"

I exec

	rndc dnssec -checkds -key 63917 published example.com IN external
		KSK 63917: Marked DS as published since 21-Oct-2022 16:19:36.000

	rndc reload
		server reload successful

and check again,

	rndc dnssec -status example.com IN external
		...
		key: 63917 (ECDSAP256SHA256), KSK
		  published:      yes - since Sat Oct 15 15:52:05 2022
		  key signing:    yes - since Sat Oct 15 15:52:05 2022

		  No rollover scheduled
		  - goal:           omnipresent
		  - dnskey:         omnipresent
!!		  - ds:             rumoured
		  - key rrsig:      omnipresent
		...

	grep DSState  Kexample.com.+013+63917.state
!!		DSState: rumoured

The DS state is still just "rumoured".

What additional steps are needed to update that DSState correctly?
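Before telling BIND with `rndc dnssec -checkds` that the DS is published, it is worth confirming independently that the DS the parent serves is the one derived from this KSK (BIND's own `dnssec-dsfromkey` does the same derivation). The following is an added example, not code from the post or from BIND: it recomputes the DS per RFC 4034 from a DNSKEY and compares it with DS RDATA strings as `dig` prints them. The zone name and KSK below are constructed placeholders, not the poster's key 63917.

```python
import base64
import hashlib
import struct

# Constructed placeholder KSK (ECDSAP256SHA256 public keys are 64 raw bytes);
# not the poster's real key 63917.
SAMPLE_ZONE = "example.com"
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(zone: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 s5.1.4): hash of owner-name wire form + DNSKEY RDATA."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(name_to_wire(zone) + rdata).hexdigest().upper()


def expected_ds(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """(key tag, algorithm, digest type, digest) the parent should be publishing."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(zone, rdata, digest_type))


def parent_matches(expected, parent_ds_rrset):
    """True if any DS in the parent's RRset (strings as dig prints the RDATA,
    'tag alg dtype digest', digest possibly split by spaces) equals expected."""
    for rr in parent_ds_rrset:
        tag, alg, dtype, digest = rr.split(None, 3)
        if (int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()) == expected:
            return True
    return False
```

On a live system the DNSKEY comes from the zone's `K*.key` file and the parent's DS RRset from `dig +short DS <zone> @<parent nameserver>`; a mismatch (for example a DS still pointing at a previous KSK) is a reason not to mark the DS as published.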

