i run,

    named -v
        BIND 9.18.7 (Stable Release) <id:>

i've setup dnssec-policy operation for a number of domains. keys are all generated, KSK-derived DS Records are pushed to registrar->root, and all DNSSEC-analyzer tools online report all's good.

i can see no functional problems. so far. that i'm aware of.

but, in bind logs, locally, I see the following "zone_rekey:dns_zone_getdnsseckeys failed: not found" error,

    2022-10-14T08:47:23.569556-04:00 ns named[14285]: 14-Oct-2022 08:47:23.568 dnssec: info: zone example.com/IN/external: generated salt: 82CSA124A1645B0D
    2022-10-14T08:47:23.711869-04:00 ns named[14285]: 14-Oct-2022 08:47:23.710 dnssec: info: zone example.com/IN/external: reconfiguring zone keys
 ?? 2022-10-14T08:47:23.712653-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found
    2022-10-14T08:47:23.712663-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/62137 (policy pgnd)
    2022-10-14T08:47:23.712666-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: keyring: example.com/ECDSAP256SHA256/17296 (policy pgnd)
    2022-10-14T08:47:23.712671-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) matches policy pgnd
    2022-10-14T08:47:23.712674-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/17296 (KSK) is active in policy pgnd
    2022-10-14T08:47:23.712677-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) matches policy pgnd
    2022-10-14T08:47:23.712680-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) is active in policy pgnd
    2022-10-14T08:47:23.712683-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.com/ECDSAP256SHA256/62137 (ZSK) (policy pgnd) in 2445436 seconds
    2022-10-14T08:47:23.712686-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in state OMNIPRESENT
    2022-10-14T08:47:23.712688-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type DNSKEY in stable state OMNIPRESENT
    2022-10-14T08:47:23.712690-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in state OMNIPRESENT
    2022-10-14T08:47:23.712693-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: ZSK example.com/ECDSAP256SHA256/62137 type ZRRSIG in stable state OMNIPRESENT
    2022-10-14T08:47:23.712695-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in state OMNIPRESENT
    2022-10-14T08:47:23.712697-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type DNSKEY in stable state OMNIPRESENT
    2022-10-14T08:47:23.712699-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in state OMNIPRESENT
    2022-10-14T08:47:23.712702-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: KSK example.com/ECDSAP256SHA256/17296 type KRRSIG in stable state OMNIPRESENT
    2022-10-14T08:47:23.712704-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: examine KSK example.com/ECDSAP256SHA256/17296 type DS in state RUMOURED
    2022-10-14T08:47:23.712706-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: can we transition KSK example.com/ECDSAP256SHA256/17296 type DS state RUMOURED to state OMNIPRESENT?
    2022-10-14T08:47:23.712712-04:00 ns named[14285]: 14-Oct-2022 08:47:23.711 dnssec: debug 1: keymgr: dnssec evaluation of KSK example.com/ECDSAP256SHA256/17296 record DS: rule1=(~true or true) rule2=(~true or true) rule3=(~true or true)

for each/every dnssec-enabled domain

where, in my current named.conf,

    dnssec-policy "pgnd" {
        keys {
            ksk key-directory lifetime unlimited algorithm 13;
            zsk key-directory lifetime P30D algorithm 13;
        };
        dnskey-ttl 3600;
        publish-safety 1h;
        retire-safety 1h;
        signatures-refresh P5D;
        signatures-validity P2W;
        signatures-validity-dnskey P2W;
        max-zone-ttl 86400;
        zone-propagation-delay 300;
        parent-ds-ttl 86400;
        parent-propagation-delay 1h;
        nsec3param iterations 5 optout no salt-length 8;
    };

    zone "example.com" IN {
        type master;
        file "/namedb/master/example.com.zone";
        dnssec-policy "pgnd";
        key-directory "/keys/dnssec/example.com";
        update-policy { grant pgnd-external-rndc-key zonesub txt; };
    };

what's the source of the "zone_rekey:dns_zone_getdnsseckeys"? specifically, what's not being found?

have i missed/misconfig'd config, omitted a file/dir that current config expects, or is this a bug?

-- 
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users