This is a log level bug. This log happens when BIND wants to check the parental-agents if
the DS has been published. But if you don't have parental-agents set up, the list of keys
to check will be empty. Hence the "not found" result.
Thanks for reporting, this will be fixed in the next release, it should be a
debug log level.
+1 o/
i'd completely missed 'parental-agents' :-/
sounds like i likely *should* have it set up in any case; esp if using
dnssec-policy key rollovers (i am)
reading
https://bind9.readthedocs.io/en/latest/chapter5.html?highlight=parental-agents#key-rollover
i get the part it plays
unclear though which specific server one should use; in the example txt,
"Here one server, 192.0.2.1, is configured for BIND to send DS queries to,
to check the DS RRset for dnssec-example during key rollovers. This needs to be a trusted
server, because BIND does not validate the response."
atm, my registrar/TLD don't support CDS/CDNSKEY (for .com, in this case)
so my DS RECORD gets manually entered @ registrar's web portal.
then, record propagates to roots, which -- eventually -- return RRSIG/RRSET
data on queries.
for rollover mgmt, what server should be set as parental-agent?
my registrar's?
a root?
something 'big', like cloudflare/1.1.1.1 ?
other?