dnssec-policy checkds does not seem to work
This is a follow-up on #2488 but for a different problem.
Key 5022 is now published:
```
# rndc dnssec -status _kage.hq.duckcorp.org
dnssec-policy: generated
current time: Thu Feb 18 18:24:02 2021

key: 43281 (RSASHA512), KSK
  published: yes - since Fri Aug 28 00:31:44 2020
  key signing: yes - since Fri Aug 28 00:31:44 2020

  Rollover is due since Fri Feb 12 00:26:50 2021
  - goal: hidden
  - dnskey: omnipresent
  - ds: unretentive
  - key rrsig: omnipresent

key: 20426 (RSASHA512), ZSK
  published: yes - since Sat Nov 21 00:31:44 2020
  zone signing: yes - since Mon Dec 21 00:31:44 2020

  Next rollover scheduled on Sat Mar 20 22:26:44 2021
  - goal: omnipresent
  - dnskey: omnipresent
  - zone rrsig: omnipresent

key: 5022 (RSASHA512), KSK
  published: yes - since Tue Feb 16 01:47:35 2021
  key signing: yes - since Tue Feb 16 01:47:35 2021

  Next rollover scheduled on Wed Feb 16 01:47:35 2022
  - goal: omnipresent
  - dnskey: omnipresent
  - ds: rumoured
  - key rrsig: omnipresent
```
```
rndc dnssec -checkds -key 5022 published _kage.hq.duckcorp.org
```
yesterday right after replying to #2488 but this did not produce anything in the logs and the status is the same. The output (forgot to keep it so doing it again):
```
KSK 5022: Marked DS as published since 18-Feb-2021 19:48:06.000.
```
And I can confirm there is nothing in the logs except `received control channel command`.
I just used
```
rndc loadkeys _kage.hq.duckcorp.org
```
as suggested in #2488, so let's see if that's a similar problem.