The good news it is not stuck.
What indicator flags that it IS 'stuck'? Is it explicitly logged?
BIND is waiting to make sure the new DS is also known to the validators. The
time being evaluated here is the DS TTL, plus parent-propagation-delay, plus
retire-safety. All these three values are configurable within dnssec-policy.
my current config has
parent-ds-ttl PT1H;
parent-propagation-delay PT1H;
retire-safety PT1H;
@ parental-agents, the DS is cached; ttl appears spec'd other than my set ttl.
e.g., @ cloudflare, it's 1 day ...
in any case, all of my domains still returned "DSState: rumoured" at < 4 days.
since then, about 1/4 of the domains have flipped from "rumoured" ->
"omnipresent", with no manual intervention; the rest are still unchanged.
again, i've noticed no actual operational problems -- e.g., queries failing,
etc -- other than these delays.
seems, tho, i've still got a likely misconfig somewhere in here.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
