debian11 + bind-9.16.15 + dnssec-policy = lost zonefiles + crashes

Matthijs Mekking matthijs at
Mon Aug 16 09:59:30 UTC 2021

On 16-08-2021 11:22, raf via bind-users wrote:
> On Mon, Aug 16, 2021 at 10:32:35AM +0200, Matthijs Mekking <matthijs at> wrote:
>> Hi,
>> On 16-08-2021 04:28, raf via bind-users wrote:
>>> On Sun, Aug 15, 2021 at 10:35:27PM +1000, raf <bind at> wrote:
>> ...
>>> So it's looking good and I'm happy now. But how long
>>> after the zone has been signed can I expect to see
>>> CDS/CDNSKEY RRs appear? Why aren't they created at
>>> the same time as the DNSKEY RRs? I assume there's
>>> a good reason but I can't think what it is.
>> First the RRsets with signatures need to be in the zone long enough that any
>> cached unsigned RRsets in resolver's caches have expired.
>> If you call 'rndc dnssec -status <zone>' you might see that the "zone
>> rrsigs" are still in the "rumoured" state. Once they are omnipresent, the DS
>> may be submitted and that is the time when the corresponding CDS/CDNSKEY
>> records will be published.
> Thanks! That makes much sense. I was thinking that it
> would be OK to publish the DS sooner when the zone is
> signed for the first time. But I get it. I'll trust
> bind's sense of timing and be patient. :-)

It is 99% of the time, but there will be corner cases (and dragons).

More information about the bind-users mailing list