Which parental-agent to use is up to you. Something you trust.
for the moment, let's say 1.1.1.1
But if you don't have parental-agents set up, the list of keys to check will be empty. Hence the "not found" result.
i added zone "example.com" IN { type master; file "/namedb/master/example.com.zone"; dnssec-policy "pgnd"; key-directory "/keys/dnssec/example.com"; ++ parental-agents { 1.1.1.1; }; update-policy { grant pgnd-external-rndc-key zonesub txt; }; }; but, on restart, still see dnssec: error: zone example.com/IN/external: zone_rekey:dns_zone_getdnsseckeys failed: not found something additional needed? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users