I'm running BIND 9.16.3-Ubuntu (ISC PPA) on a primary DNS server with a split view setup of an internal and an external view. All zones are signed with inline signing and auto-dnssec maintain. Some weeks ago I did my first ever ZSK and KSK rollover for every zone which was - in my view - carefully planned and executed and went well. After the old keys were unpublished I deleted them. Now I noticed that bind was complaining about missing keys for an internal zone:
02-Jun-2020 20:00:35.893 general: warning: dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/Ksomefqdn.com.+008+62538.private: file not found
02-Jun-2020 20:00:35.893 general: warning: dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/Ksomefqdn.com.+008+21337.private: file not found
02-Jun-2020 20:00:35.893 general: warning: dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomefqdn.com.+008+62538.private: file not found
02-Jun-2020 20:00:35.893 general: warning: dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomefqdn.com.+008+21337.private: file not found
This happens at every key event (hourly) when bind says it is reconfiguring zone keys. When restarting bind I saw that it apparently loads an outdated zone serial for the signed zone. I then bumped the serial in the unsigned zone file, removed all jbk, jnl, signed and signed.jnl files for the zone, flushed the cache with rndc flush (probably unnecessary because I restarted later) and restarted bind.
The problem of the outdated serial is still there:
13-Jun-2020 18:39:31.364 zoneload: info: zone somefqdn.com/IN/internal-view (unsigned): loaded serial 2020061301
13-Jun-2020 18:39:31.364 zoneload: info: zone somefqdn.com/IN/internal-view (signed): loaded serial 2020052919 (DNSSEC signed)
Afterwards bind complains about the missing keys. I did not find other error messages. Is there some other cache I have to empty, a database to flush or another file I have to delete?
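One way to check which DNSKEY records in the zone BIND is actually serving still point at deleted key files, as an added diagnostic that is not part of the original post: it computes the RFC 4034 key tag for each DNSKEY and derives the K&lt;owner&gt;+&lt;alg&gt;+&lt;tag&gt;.private filename BIND looks for, so it can be compared against the contents of the key directory (/etc/bind/keys in the post). The DNSKEY lines below are constructed placeholders with a few bytes of fake key material, not real keys; in practice the input would be the output of dig DNSKEY against the server.

```python
import base64
import re
from typing import Iterable, List, Tuple

# Constructed sample DNSKEY RRset in presentation format (not real keys: the
# public-key field is a few placeholder bytes, far too short for RSA).
SAMPLE_DNSKEYS = """\
somefqdn.com. 3600 IN DNSKEY 257 3 8 AwEAAavN
somefqdn.com. 3600 IN DNSKEY 256 3 8 AwEAARI0
"""

DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags, protocol, algorithm, public key). Algorithm 1 (RSA/MD5)
    uses a different rule and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text: str) -> List[Tuple[str, int, int, int]]:
    """Return (owner, flags, algorithm, key_tag) for each DNSKEY line."""
    out = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        owner, flags, proto, alg, b64 = m.groups()
        pub = base64.b64decode("".join(b64.split()))
        rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pub
        out.append((owner, int(flags), int(alg), key_tag(rdata)))
    return out


def private_key_filename(owner: str, alg: int, tag: int) -> str:
    """Name dnssec-keygen gives the private half: K<owner>+<alg>+<tag>.private."""
    return f"K{owner}+{alg:03d}+{tag:05d}.private"


def missing_private_keys(dnskey_text: str, present: Iterable[str]) -> List[str]:
    """Filenames BIND will look for that are absent from the key directory listing."""
    present = set(present)
    return [fn for (owner, _flags, alg, tag) in parse_dnskeys(dnskey_text)
            if (fn := private_key_filename(owner, alg, tag)) not in present]


if __name__ == "__main__":
    # Real use: present = os.listdir("/etc/bind/keys"); here only the ZSK file "exists".
    print(missing_private_keys(SAMPLE_DNSKEYS, {"Ksomefqdn.com.+008+06462.private"}))
```

Any filename this reports for the served (signed) zone but not for the unsigned zone file's DNSKEY set is a record carried over from the stale signed copy rather than from the current keys.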