On 26-10-2022 20:21, PGNet Dev wrote:
> hi,
>
>> If there are currently no keys that we have to check the DS for, then you may still see this log line.
>
> all my zones have now toggled rumoured -> omnipresent.  i took no explicit manual action other than letting an arbitrarily long-ish time pass.
> it just happened ... eventually.

It is not arbitrary, as I said in the other thread:

BIND is waiting to make sure the new DS is also known to the validators.
The time being evaluated here is the DS TTL, plus parent-propagation-delay, plus retire-safety.


> re: your comment "we have to check the DS for", what exec _forces_ a (re)check of keys' DS ?
>
> i'd understood
>
>    rndc dnssec -checkds published ${zone}
>
> to do exactly that.  i.e., check 'NOW'.
> and, since the DS were clearly published and available @ my each/all of my parental-agents{}, that the state toggle would happen, similarly, 'NOW'. or at least NOW-ish.
>
> is that incorrect?

Yes, because while the check happens immediately, we don't know for how long the DS has been in the parent. That is why there is a delay of DS TTL, plus parent-propagation-delay, plus retire-safety.

- Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

