With BIND 9.18, configured for dnssec-policy automated signing, I have a DNSSEC-signed 
zone:

        rndc dnssec -status example.com IN external
                dnssec-policy: test
                current time:  Fri Oct 21 16:14:06 2022

                key: 47219 (ECDSAP256SHA256), ZSK
                  published:      yes - since Fri Oct 21 15:22:27 2022
                  zone signing:   yes - since Fri Oct 21 17:27:27 2022

                  Next rollover scheduled on Thu Jan 19 14:22:27 2023
                  - goal:           omnipresent
                  - dnskey:         rumoured
                  - zone rrsig:     rumoured

                key: 63917 (ECDSAP256SHA256), KSK
                  published:      yes - since Sat Oct 15 15:52:05 2022
                  key signing:    yes - since Sat Oct 15 15:52:05 2022

                  No rollover scheduled
                  - goal:           omnipresent
                  - dnskey:         omnipresent
                  - ds:             rumoured
                  - key rrsig:      omnipresent

                key: 43175 (ECDSAP256SHA256), ZSK
                  published:      no
                  zone signing:   no

                  Key has been removed from the zone
                  - goal:           hidden
                  - dnskey:         unretentive
                  - zone rrsig:     unretentive


Note the KSK's DS state:

                  - ds:             rumoured

I've verified externally that the zone's DS record has been pushed to 
registrar->parent, it's fully propagated, and is passing all the 
external/online checks.

reading @ https://kb.isc.org/docs/dnssec-key-and-signing-policy

        "Note: If you see the DSState stuck in rumoured after the migration, you 
need to run rndc dnssec -checkds published example.com to tell BIND that the DS is 
already published in the parent zone"

I exec

        rndc dnssec -checkds -key 63917 published example.com IN external
                KSK 63917: Marked DS as published since 21-Oct-2022 16:19:36.000

        rndc reload
                server reload successful

and check again,

        rndc dnssec -status example.com IN external
                ...
                key: 63917 (ECDSAP256SHA256), KSK
                  published:      yes - since Sat Oct 15 15:52:05 2022
                  key signing:    yes - since Sat Oct 15 15:52:05 2022

                  No rollover scheduled
                  - goal:           omnipresent
                  - dnskey:         omnipresent
!!                - ds:             rumoured
                  - key rrsig:      omnipresent
                ...

        grep DSState  Kexample.com.+013+63917.state
!!              DSState: rumoured

The DS state is still just "rumoured".

What additional steps are needed to update that DSState correctly?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

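An added example, not from the original post and not BIND's own code: a small Python helper that parses the `rndc dnssec -status` output quoted above and the `DSState:` line of a key's `.state` file, flags KSKs whose DS state is still "rumoured" while the goal is "omnipresent", and prints the exact `rndc dnssec -checkds` command to run for each. The sample status text is constructed from the lines quoted in the post; the state-file fragment is constructed around the `DSState: rumoured` line the post greps for, and its other fields are assumed for illustration only.

```python
"""Find KSKs whose DS state is stuck in 'rumoured' and emit the rndc command.

Added example, not part of the original post or of BIND. SAMPLE_STATUS is
constructed from the `rndc dnssec -status` output quoted in the post;
SAMPLE_STATE_FILE is constructed around the `DSState:` line the post greps
for (the other fields are assumed for illustration).
"""
import re
from dataclasses import dataclass, field

# Constructed from the post's status output (key lines at column 0, states indented).
SAMPLE_STATUS = """\
dnssec-policy: test
current time:  Fri Oct 21 16:14:06 2022

key: 47219 (ECDSAP256SHA256), ZSK
  published:      yes - since Fri Oct 21 15:22:27 2022
  zone signing:   yes - since Fri Oct 21 17:27:27 2022

  Next rollover scheduled on Thu Jan 19 14:22:27 2023
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     rumoured

key: 63917 (ECDSAP256SHA256), KSK
  published:      yes - since Sat Oct 15 15:52:05 2022
  key signing:    yes - since Sat Oct 15 15:52:05 2022

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - key rrsig:      omnipresent
"""

# Constructed fragment of Kexample.com.+013+63917.state; only DSState is from the post.
SAMPLE_STATE_FILE = """\
; This is the state of key 63917, for example.com. (assumed header)
Algorithm: 13
KSK: yes
ZSK: no
DNSKEYState: omnipresent
DSState: rumoured
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\((\w+)\),\s+(KSK|ZSK|CSK)$")
STATE_RE = re.compile(r"^-\s+([a-z ]+?):\s+(\w+)$")


@dataclass
class KeyStatus:
    keyid: int
    algorithm: str
    role: str                      # KSK, ZSK or CSK
    states: dict = field(default_factory=dict)   # goal, dnskey, ds, key rrsig, zone rrsig


def parse_status(text):
    """Parse `rndc dnssec -status` output into a list of KeyStatus."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = KeyStatus(int(m.group(1)), m.group(2), m.group(3))
            keys.append(current)
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            current.states[m.group(1)] = m.group(2)
    return keys


def stuck_ds_keys(keys):
    """Keys that sign the DNSKEY RRset, want to be omnipresent, but whose DS is still rumoured."""
    return [k for k in keys
            if k.role in ("KSK", "CSK")
            and k.states.get("goal") == "omnipresent"
            and k.states.get("ds") == "rumoured"]


def checkds_command(zone, key, view=None, cls="IN"):
    """The rndc command that tells BIND the DS for this key is published in the parent."""
    cmd = f"rndc dnssec -checkds -key {key.keyid} published {zone}"
    if view:
        cmd += f" {cls} {view}"
    return cmd


def parse_state_file(text):
    """Parse the 'Name: value' lines of a Kzone+alg+id.state file; ';' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def ds_state_consistent(key, state_fields):
    """True when the on-disk DSState agrees with what rndc dnssec -status reports."""
    return state_fields.get("DSState") == key.states.get("ds")


if __name__ == "__main__":
    keys = parse_status(SAMPLE_STATUS)
    for k in stuck_ds_keys(keys):
        print(checkds_command("example.com", k, view="external"))
        print("  state file agrees:", ds_state_consistent(k, parse_state_file(SAMPLE_STATE_FILE)))
```

Run it against a real `rndc dnssec -status zone class view` capture to get the command for each stuck KSK; the class and view are appended because the post's zone lives in the "external" view, and the state-file check is there so you can confirm afterwards whether the `.state` file actually changed, which is what the post is reporting did not happen.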