dnssec-policy checkds does not seem to work
This is a follow-up on #2488 but for a different problem.
Key 5022 is now published:
# rndc dnssec -status _kage.hq.duckcorp.org
dnssec-policy: generated
current time: Thu Feb 18 18:24:02 2021
key: 43281 (RSASHA512), KSK
published: yes - since Fri Aug 28 00:31:44 2020
key signing: yes - since Fri Aug 28 00:31:44 2020
Rollover is due since Fri Feb 12 00:26:50 2021
- goal: hidden
- dnskey: omnipresent
- ds: unretentive
- key rrsig: omnipresent
key: 20426 (RSASHA512), ZSK
published: yes - since Sat Nov 21 00:31:44 2020
zone signing: yes - since Mon Dec 21 00:31:44 2020
Next rollover scheduled on Sat Mar 20 22:26:44 2021
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: omnipresent
key: 5022 (RSASHA512), KSK
published: yes - since Tue Feb 16 01:47:35 2021
key signing: yes - since Tue Feb 16 01:47:35 2021
Next rollover scheduled on Wed Feb 16 01:47:35 2022
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- key rrsig: omnipresentI used rndc dnssec -checkds -key 5022 published _kage.hq.duckcorp.org yesterday right after replying to #2488 but his did not produce anything in the logs and the status is the same. The output (forgot to keep it so doing it again): KSK 5022: Marked DS as published since 18-Feb-2021 19:48:06.000. And I can confirm the is nothing in the logs except received control channel command.
I just used rndc loadkeys _kage.hq.duckcorp.org as suggested in #2488, so let's see if that's a similar problem.
\_o<