debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes

raf bind at
Mon Aug 16 09:22:22 UTC 2021

On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking <matthijs at> wrote:

> Hi,
> On 16-08-2021 04:28, raf via bind-users wrote:
> > On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf <bind at> wrote:
> ...
> > 
> > So it's looking good and I'm happy now. But how long
> > after the zone has been signed can I expect to see
> > CDS/CDNSKEY RRs appear? Why aren't they created at
> > the same time as the DNSKEY RRs? I assume there's
> > a good reason but I can't think what it is.
> First the RRsets with signatures need to be in the zone long enough that any
> cached unsigned RRsets in resolver's caches have expired.
> If you call 'rndc dnssec -status <zone>' you might see that the "zone
> rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS
> may be submitted and that is the time when the corresponding CDS/CDNSKEY
> records will be published.

Thanks! That makes much sense. I was thinking that it
would be OK to publish the DS sooner when the zone is
signed for the first time. But I get it. I'll trust
bind's sense of timing and be patient. :-)


More information about the bind-users mailing list