after DS RECORD publish/verify, DSStatus stuck @ "rumoured" after manual `rndc dnssec -checkds` update ?
PGNet Dev
pgnet.dev at gmail.com
Mon Oct 24 13:14:58 UTC 2022
> The good news it is not stuck.
What indicator flags that it IS 'stuck'? Is it explicitly logged?
> BIND is waiting to make sure the new DS is also known to the validators. The time being evaluated here is the DS TTL, plus parent-propagation-delay, plus retire-safety. All these three values are configurable within dnssec-policy.
My current config has
parent-ds-ttl PT1H;
parent-propagation-delay PT1H;
retire-safety PT1H;
At parental-agents, the DS is cached; the TTL appears spec'd other than my set TTL, e.g., at Cloudflare it's 1 day ...
In any case, all of my domains still returned "DSState: rumoured" at < 4 days.
Since then, about 1/4 of the domains have flipped from "rumoured" -> "omnipresent", with no manual intervention; the rest are still unchanged.
Again, I've noticed no actual operational problems -- e.g., queries failing, etc. -- other than these delays.
Seems, though, I've still got a likely misconfig somewhere in here.
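An added illustration of the arithmetic in the quoted reply (example code, not BIND's own logic and not the poster's): it parses dnssec-policy durations, sums parent-ds-ttl, parent-propagation-delay and retire-safety to get the earliest point at which a published DS counts as known to validators, and flags when the configured parent-ds-ttl differs from the DS TTL the parent actually serves, as the post observes at Cloudflare. The policy values come from the post; the timestamp is constructed and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Durations in dnssec-policy are ISO 8601 (PT1H, P1D, P2W) or a plain number of seconds.
# Years/months are left out here (assumption: the policy under discussion uses none).
_ISO = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Return a timedelta for a dnssec-policy duration string."""
    text = text.strip()
    if text.isdigit():
        return timedelta(seconds=int(text))
    m = _ISO.match(text.upper())
    if not m or text.upper() in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

def ds_wait(policy):
    """Sum the three values the reply names: DS TTL + parent-propagation-delay + retire-safety."""
    keys = ("parent-ds-ttl", "parent-propagation-delay", "retire-safety")
    return sum((parse_duration(policy[k]) for k in keys), timedelta())

def ds_omnipresent_after(checkds_time, policy):
    """Earliest time the published DS counts as known to all validators."""
    return checkds_time + ds_wait(policy)

def parent_ttl_mismatch(policy, observed_seconds):
    """Compare the policy's parent-ds-ttl with the DS TTL the parent actually serves.
    Returns None when they agree, otherwise a short description of the mismatch."""
    configured = parse_duration(policy["parent-ds-ttl"])
    observed = timedelta(seconds=observed_seconds)
    if configured == observed:
        return None
    direction = "shorter" if configured < observed else "longer"
    return f"parent-ds-ttl {configured} is {direction} than the DS TTL served by the parent ({observed})"

if __name__ == "__main__":
    # Constructed input: the policy values from the post and a parent serving a 1-day DS TTL.
    policy = {"parent-ds-ttl": "PT1H", "parent-propagation-delay": "PT1H", "retire-safety": "PT1H"}
    checkds = datetime(2022, 10, 20, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    print("wait:", ds_wait(policy))                          # 3:00:00
    print("omnipresent no earlier than:", ds_omnipresent_after(checkds, policy))
    print("mismatch:", parent_ttl_mismatch(policy, 86400))
```

With the three PT1H values from the post the quoted formula gives three hours, so a rumoured state lasting days is not explained by those three settings alone. Checking the DS TTL the parent really serves against parent-ds-ttl is the first thing worth confirming, since that is the value the timing assumes.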