new dnssec zone OK, error "zone_rekey:dns_zone_getdnsseckeys failed: not found" only in local bind logs ?
Matthijs Mekking
matthijs at isc.org
Thu Oct 27 07:38:33 UTC 2022
On 26-10-2022 20:21, PGNet Dev wrote:
> hi,
>
>> If there are currently no keys that we have to check the DS for, then
>> you may still see this log line.
>
> All my zones have now toggled rumoured -> omnipresent. I took no
> explicit manual action other than letting an arbitrarily long-ish time
> pass.
> It just happened ... eventually.
It is not arbitrary, as I said in the other thread:
BIND is waiting to make sure the new DS is also known to the validators.
The time being evaluated here is the DS TTL, plus
parent-propagation-delay, plus retire-safety.
> re: your comment "we have to check the DS for", what exec _forces_ a
> (re)check of keys' DS ?
>
> I'd understood
>
> rndc dnssec -checkds published ${zone}
>
> to do exactly that. i.e., check 'NOW'.
> And, since the DS were clearly published and available at each/all of
> my parental-agents{}, that the state toggle would happen, similarly,
> 'NOW'. Or at least NOW-ish.
>
> is that incorrect?
Yes, because while the check happens immediately, we don't know for how
long the DS has been in the parent. That is why there is a delay of DS
TTL, plus parent-propagation-delay, plus retire-safety.
- Matthijs
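The wait Matthijs describes can be worked out from the zone's dnssec-policy. The following is an added example, not code from the thread or from BIND itself: it parses the three relevant options out of a constructed dnssec-policy fragment (the option names parent-ds-ttl, parent-propagation-delay and retire-safety are BIND's; the values are illustrative), accepts the duration syntaxes named accepts (ISO 8601 durations such as PT1H, short forms such as 1d, or bare seconds), and computes the earliest time the DS state can move from rumoured to omnipresent after an `rndc dnssec -checkds published` is recorded. The defaults used when an option is absent are assumptions stated in the code, not values taken from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed dnssec-policy fragment for illustration (not from the post).
# Only the three options that govern the DS rumoured -> omnipresent wait
# are shown.
POLICY = """
dnssec-policy "example" {
    parent-ds-ttl PT1H;
    parent-propagation-delay 1h;
    retire-safety 3600;
};
"""

# Assumed defaults, applied when an option is not set in the policy.
DEFAULTS = {
    "parent-ds-ttl": "P1D",
    "parent-propagation-delay": "PT1H",
    "retire-safety": "PT1H",
}

_ISO = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$", re.I)
_SHORT = re.compile(r"^(\d+)([wdhms])$", re.I)
_UNIT = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text: str) -> int:
    """Return a BIND-style duration ("PT1H", "1d", "3600") in seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    m = _ISO.match(text)
    if m and any(m.groups()):
        w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
        return w * 604800 + d * 86400 + h * 3600 + mi * 60 + s
    m = _SHORT.match(text)
    if m:
        return int(m.group(1)) * _UNIT[m.group(2).lower()]
    raise ValueError(f"unrecognised duration: {text!r}")


def policy_options(policy_text: str) -> dict:
    """Pull the DS-wait options out of a dnssec-policy block, in seconds."""
    found = dict(re.findall(
        r"(parent-ds-ttl|parent-propagation-delay|retire-safety)\s+([^;\s]+)\s*;",
        policy_text))
    return {name: parse_duration(found.get(name, DEFAULTS[name]))
            for name in DEFAULTS}


def ds_wait_seconds(policy_text: str) -> int:
    """DS TTL + parent-propagation-delay + retire-safety, as in the post."""
    opts = policy_options(policy_text)
    return sum(opts.values())


def ds_omnipresent_at(checked_at: datetime, policy_text: str) -> datetime:
    """Earliest time the DS can be treated as known to all validators,
    counting from when the published DS was seen (e.g. via
    `rndc dnssec -checkds published <zone>`)."""
    return checked_at + timedelta(seconds=ds_wait_seconds(policy_text))


if __name__ == "__main__":
    seen = datetime(2022, 10, 26, 18, 21, tzinfo=timezone.utc)  # constructed
    print("wait:", ds_wait_seconds(POLICY), "seconds")
    print("DS omnipresent no earlier than:", ds_omnipresent_at(seen, POLICY))
```

The point of the calculation is the one Matthijs makes: the checkds command records that the DS is published now, but named cannot know how long it has already been there, so it assumes the worst case and waits a full DS TTL plus propagation delay plus safety margin before treating the DS as omnipresent. Shortening the wait means lowering those policy values, not re-running the check.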