Delay trust anchor management until all zones are loaded
If you have a trust anchor that requires a zone to be loaded for the DNSKEY to be fetched, you can get a spurious
"Failed to create fetch for DNSKEY update." message logged if the timing is wrong.
Using !7049 (merged) and logging why dns_resolver_createfetch fails, we see:
11-Nov-2022 12:38:26.400 fetch: sub.foo/DNSKEY
11-Nov-2022 12:38:26.400 zone 78.100.IN-ADDR.ARPA/IN: loaded; checking validity
11-Nov-2022 12:38:26.400 fctx 0x121eb3010(sub.foo/DNSKEY): create
11-Nov-2022 12:38:26.400 dns_zone_verifydb: zone 74.100.IN-ADDR.ARPA/IN: enter
dns_resolver_createfetch(sub.foo, DNSKEY) -> zone not loaded
11-Nov-2022 12:38:26.400 managed-keys-zone: Failed to create fetch for sub.foo DNSKEY update
22 12:38:26.400 managed-keys-zone: Failed to create fetch for DNSKEY update
The server is authoritative for foo, but it has not loaded at this point in the startup, so named can't determine where to send the DNSKEY request.
This should self-correct but is not optimal. Waiting for all the zones to load and then initiating trust anchor management should avoid errors like this.
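
Until trust anchor management is deferred, an operator can separate this startup race from a trust anchor that genuinely fails to refresh by checking whether each failure was logged before named reported that loading had finished. The following is an added example, not code from BIND or from this issue: the sample log is constructed, the function name `triage` is hypothetical, and it assumes the log begins at startup and that named's "starting BIND" and "all zones loaded" messages go to the same log as the managed-keys messages.

```python
import re

# Constructed sample log; the timestamp and message layout follow the lines quoted above.
SAMPLE_LOG = """\
11-Nov-2022 12:38:26.100 starting BIND
11-Nov-2022 12:38:26.400 managed-keys-zone: Failed to create fetch for sub.foo DNSKEY update
11-Nov-2022 12:38:26.400 managed-keys-zone: Failed to create fetch for DNSKEY update
11-Nov-2022 12:38:26.450 zone foo/IN: loaded serial 1
11-Nov-2022 12:38:26.500 all zones loaded
11-Nov-2022 13:38:26.900 managed-keys-zone: Failed to create fetch for sub.bar DNSKEY update
"""

ENTRY = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
# The key name is optional: without the extra logging the message carries no name.
FAILED = re.compile(
    r"managed-keys-zone: Failed to create fetch for (?:(\S+) )?DNSKEY update"
)


def triage(log_text):
    """Split DNSKEY fetch failures into (startup_race, needs_attention).

    A failure logged while zones are still loading is the race described in
    this issue and should self-correct; one logged after "all zones loaded"
    means the trust anchor is not being refreshed and deserves a look.
    """
    loading = True  # assumption: the log begins at named startup
    startup_race, needs_attention = [], []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # continuation lines or truncated timestamps
        stamp, msg = entry.groups()
        if "starting BIND" in msg:
            loading = True  # a restart re-opens the race window
        elif msg.endswith("all zones loaded"):
            loading = False
        else:
            hit = FAILED.search(msg)
            if hit:
                name = hit.group(1) or "(name not logged)"
                bucket = startup_race if loading else needs_attention
                bucket.append((stamp, name))
    return startup_race, needs_attention


if __name__ == "__main__":
    race, attention = triage(SAMPLE_LOG)
    print("startup race:", race)
    print("needs attention:", attention)
```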