dnssec-policy checkds does not seem to work

This is a follow-up on #2488 (closed) but for a different problem.

Key 5022 is now published:

# rndc dnssec -status _kage.hq.duckcorp.org
dnssec-policy: generated
current time:  Thu Feb 18 18:24:02 2021

key: 43281 (RSASHA512), KSK
  published:      yes - since Fri Aug 28 00:31:44 2020
  key signing:    yes - since Fri Aug 28 00:31:44 2020

  Rollover is due since Fri Feb 12 00:26:50 2021
  - goal:           hidden
  - dnskey:         omnipresent
  - ds:             unretentive
  - key rrsig:      omnipresent

key: 20426 (RSASHA512), ZSK
  published:      yes - since Sat Nov 21 00:31:44 2020
  zone signing:   yes - since Mon Dec 21 00:31:44 2020

  Next rollover scheduled on Sat Mar 20 22:26:44 2021
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent

key: 5022 (RSASHA512), KSK
  published:      yes - since Tue Feb 16 01:47:35 2021
  key signing:    yes - since Tue Feb 16 01:47:35 2021

  Next rollover scheduled on Wed Feb 16 01:47:35 2022
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - key rrsig:      omnipresent

I used rndc dnssec -checkds -key 5022 published _kage.hq.duckcorp.org yesterday right after replying to #2488 (closed) but his did not produce anything in the logs and the status is the same. The output (forgot to keep it so doing it again): KSK 5022: Marked DS as published since 18-Feb-2021 19:48:06.000. And I can confirm the is nothing in the logs except received control channel command.

I just used rndc loadkeys _kage.hq.duckcorp.org as suggested in #2488 (closed), so let's see if that's a similar problem.

\_o<