after DS RECORD publish/verify, DSStatus stuck @ "rumoured" after manual `rndc dnssec -checkds` update ?
PGNet Dev
pgnet.dev at gmail.com
Fri Oct 21 20:28:35 UTC 2022
with bind 9.18, config'd for dnssec-policy automated signing, I've a dnssec signed zone,

    rndc dnssec -status example.com IN external
        dnssec-policy: test
        current time: Fri Oct 21 16:14:06 2022
        key: 47219 (ECDSAP256SHA256), ZSK
        published: yes - since Fri Oct 21 15:22:27 2022
        zone signing: yes - since Fri Oct 21 17:27:27 2022
        Next rollover scheduled on Thu Jan 19 14:22:27 2023
        - goal: omnipresent
        - dnskey: rumoured
        - zone rrsig: rumoured
        key: 63917 (ECDSAP256SHA256), KSK
        published: yes - since Sat Oct 15 15:52:05 2022
        key signing: yes - since Sat Oct 15 15:52:05 2022
        No rollover scheduled
        - goal: omnipresent
        - dnskey: omnipresent
        - ds: rumoured
        - key rrsig: omnipresent
        key: 43175 (ECDSAP256SHA256), ZSK
        published: no
        zone signing: no
        Key has been removed from the zone
        - goal: hidden
        - dnskey: unretentive
        - zone rrsig: unretentive

note for the KSK, its ds state,

        - ds: rumoured

I've verified externally that the zone's DS RECORD has been pushed to registrar->parent, it's fully propagated, and is passing all the external/online checks.
reading @ https://kb.isc.org/docs/dnssec-key-and-signing-policy
"Note: If you see the DSState stuck in rumoured after the migration, you need to run rndc dnssec -checkds published example.com to tell BIND that the DS is already published in the parent zone"
I exec

    rndc dnssec -checkds -key 63917 published example.com IN external
        KSK 63917: Marked DS as published since 21-Oct-2022 16:19:36.000
    rndc reload
        server reload successful

and check again,

    rndc dnssec -status example.com IN external
        ...
        key: 63917 (ECDSAP256SHA256), KSK
        published: yes - since Sat Oct 15 15:52:05 2022
        key signing: yes - since Sat Oct 15 15:52:05 2022
        No rollover scheduled
        - goal: omnipresent
        - dnskey: omnipresent
    !!  - ds: rumoured
        - key rrsig: omnipresent
        ...

    grep DSState Kexample.com.+013+63917.state
    !!  DSState: rumoured

ds state is still just "rumoured".
What additional steps are needed to update that DSState correctly?
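
An added example, not part of the original post and not BIND code: a small Python parser for the `rndc dnssec -status` output shown above that lists every record state that does not yet equal its key's goal. The function names `parse_status` and `unsettled` are hypothetical, and the sample input is the key/goal/state lines from the post with the timing lines trimmed.

```python
import re

# State lines from the status output in the post, trimmed of the timing lines.
STATUS = """\
key: 47219 (ECDSAP256SHA256), ZSK
- goal: omnipresent
- dnskey: rumoured
- zone rrsig: rumoured
key: 63917 (ECDSAP256SHA256), KSK
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- key rrsig: omnipresent
key: 43175 (ECDSAP256SHA256), ZSK
- goal: hidden
- dnskey: unretentive
- zone rrsig: unretentive
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\(\w+\),\s+(\w+)$")   # key tag, role
STATE_RE = re.compile(r"^-\s+([a-z ]+?):\s+(\w+)$")         # "- ds: rumoured"

def parse_status(text):
    """Return one dict per key: id, role, goal and per-record states."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()  # tolerate any indentation in pasted output
        m = KEY_RE.match(line)
        if m:
            keys.append({"id": int(m.group(1)), "role": m.group(2),
                         "goal": None, "states": {}})
            continue
        m = STATE_RE.match(line)
        if m and keys:
            name, value = m.groups()
            if name == "goal":
                keys[-1]["goal"] = value
            else:
                keys[-1]["states"][name] = value
    return keys

def unsettled(keys):
    """List (id, role, record, state, goal) where state differs from goal."""
    return [(k["id"], k["role"], name, state, k["goal"])
            for k in keys for name, state in k["states"].items()
            if state != k["goal"]]

if __name__ == "__main__":
    for row in unsettled(parse_status(STATUS)):
        print("key %d (%s): %s is %s, goal %s" % row)
```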