Hi Nick,
As you mentioned in the issue description, "Unable to fetch DNSKEY set '.': failure" is not a fatal error, as named is still fully functional.
This is because named comes with the current root zone KSK (key id 20326) compiled in. The error appears because it tries to refresh it using the RFC 5011 mechanism (https://www.rfc-editor.org/rfc/rfc5011.html), but that will be retried, so failing to do it on startup isn't a big deal IMHO. Even less worrying since the root zone KSK changes very infrequently.
To double-check this, I created a Jammy container and provided it with only an IPv6 address. There, I can see the error message due to named starting before the IPv6 address is configured. However, named has no problem providing resolution once the IPv6 address becomes available:
root@jammy-bind:~# journalctl -n 8 -u named
Mar 23 13:40:36 jammy-bind systemd[1]: Started BIND Domain Name Server.
Mar 23 13:40:36 jammy-bind named[120]: network unreachable resolving './NS/IN': 192.112.36.4#53
Mar 23 13:40:36 jammy-bind named[120]: network unreachable resolving './DNSKEY/IN': 192.33.4.12#53
Mar 23 13:40:36 jammy-bind named[120]: managed-keys-zone: Unable to fetch DNSKEY set '.': failure
Mar 23 13:40:36 jammy-bind named[120]: network unreachable resolving './NS/IN': 192.33.4.12#53
Mar 23 13:40:36 jammy-bind named[120]: resolver priming query complete
Mar 23 13:40:38 jammy-bind named[120]: listening on IPv6 interface eth0, fd42:2192:4f89:5adc:216:3eff:fe19:df84#53
Mar 23 13:40:49 jammy-bind named[120]: resolver priming query complete
root@jammy-bind:~# dig +rrcomments +dnssec -t dnskey . @::1
; <<>> DiG 9.18.0-2ubuntu3-Ubuntu <<>> +rrcomments +dnssec -t dnskey . @::1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ae8a685e179cfece01000000623b23e881248f1ef945af75 (good)
;; QUESTION SECTION:
;.                     IN      DNSKEY
;; ANSWER SECTION:
.                      172665  IN      DNSKEY  256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv90YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjGNM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hvx/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAzpFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xRtW4v/3y4/H8= ; ZSK; alg = RSASHA256 ; key id = 47671
.                      172665  IN      DNSKEY  256 3 8 AwEAAZym4HCWiTAAl2Mv1izgTyn9sKwgi5eBxpG29bVlefq/r+TGCtmUElvFyBWHRjvf9mBglIlTBRse22dvzNOI+cYrkjD6LOHuxMoc/d4WtXWKdviNmrtWF2GpjmDOI98gLd4BZ0U/lY847mJP9LypFABZcEn3zM3vce4Ee1A3upSlFQ2TFyJSD9HvMnP4XneFexBxV96RpLcy2O+u2W6ChIiDCjlrowPCcU3zXfXxyWy/VKM6TOa8gNf+aKaVkcv/eIh5er8rrsqAi9KT8O5hmhzYLkUOQEXVSRORV0RMt9l3JSwWxT1MebEDvtfBag3uo+mZwWSFlpc9kuzyWBd72Ec= ; ZSK; alg = RSASHA256 ; key id = 9799
.                      172665  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; KSK; alg = RSASHA256 ; key id = 20326
.                      172665  IN      RRSIG   DNSKEY 8 0 172800 20220412000000 20220322000000 20326 . g2Rjm8rCMXEN7BJezHm7o67VTPmp9ETDJqiTQG9HNK31nAyp8iXGEcuxuviojbobzmjuvjI9KSOLQX6QD1C/4lWovapyZQrEl8L5Ja0tP9H720mwy5TYgcsE5wmojjugOLAW+avQ1L62J+dh3wqmuOqS3K7wIzJ6eciOi3cBrlEXJYK5w1b7jM+qf+sOt5xTUQ3YhpmYJK94gPYMBrkLEaWKcU2DP6LTHqeFQviBhUb8hN60kitd92zHt3qfaCIFrbTm3fGdttu7LYlN3OwSlN21m0/3iuoA9Q4LNimgqhxKEFzKQ/96477E1V9wyjiaxMcp7IL30Ocb8nmQUb2FKg==
;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Wed Mar 23 13:43:04 UTC 2022
;; MSG SIZE  rcvd: 1169
Because named works fine despite the annoying failure message, I'd be reluctant to make things more complicated by trying to delay named's startup.
Please note that I only tested with Jammy/Ubuntu 22.04, so your mileage may vary on Focal/Ubuntu 20.04.
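As an added check (example code written for this page, not part of the comment above, of Ubuntu's packaging or of BIND), the following Python parses the DNSKEY answer from the dig run quoted in the comment and verifies that the SEP-flagged key really is the published root trust anchor: it recomputes the key tag with the RFC 4034 Appendix B algorithm and the digest-type-2 DS digest (SHA-256 over owner name plus RDATA, RFC 4034 section 5.1.4 / RFC 4509) and compares both with the root DS that IANA publishes in root-anchors.xml (20326 8 2 E06D44B8...). The record text is copied from the answer above and embedded as a fixture; the IANA DS value is the one published for KSK-2017, which is the same key named compiles in as its initial trust anchor.

```python
"""Check that the root KSK served by a resolver is the IANA trust anchor.

Example added for this page; not code from the Launchpad comment or from BIND.
Implements the key tag of RFC 4034 Appendix B and the DS digest of RFC 4034
section 5.1.4 with digest type 2 (SHA-256, RFC 4509).
"""
import base64
import hashlib
import struct

# ANSWER SECTION of `dig +rrcomments +dnssec -t dnskey . @::1` from the comment
# above, one record per line (fixture constructed from that output).
SAMPLE_DNSKEY_ANSWER = """\
. 172665 IN DNSKEY 256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv90YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjGNM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hvx/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAzpFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xRtW4v/3y4/H8= ; ZSK; alg = RSASHA256 ; key id = 47671
. 172665 IN DNSKEY 256 3 8 AwEAAZym4HCWiTAAl2Mv1izgTyn9sKwgi5eBxpG29bVlefq/r+TGCtmUElvFyBWHRjvf9mBglIlTBRse22dvzNOI+cYrkjD6LOHuxMoc/d4WtXWKdviNmrtWF2GpjmDOI98gLd4BZ0U/lY847mJP9LypFABZcEn3zM3vce4Ee1A3upSlFQ2TFyJSD9HvMnP4XneFexBxV96RpLcy2O+u2W6ChIiDCjlrowPCcU3zXfXxyWy/VKM6TOa8gNf+aKaVkcv/eIh5er8rrsqAi9KT8O5hmhzYLkUOQEXVSRORV0RMt9l3JSwWxT1MebEDvtfBag3uo+mZwWSFlpc9kuzyWBd72Ec= ; ZSK; alg = RSASHA256 ; key id = 9799
. 172665 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; KSK; alg = RSASHA256 ; key id = 20326
. 172665 IN RRSIG DNSKEY 8 0 172800 20220412000000 20220322000000 20326 . g2Rjm8rCMXEN7BJezHm7o67VTPmp9ETDJqiTQG9HNK31nAyp8iXGEcuxuviojbobzmjuvjI9KSOLQX6QD1C/4lWovapyZQrEl8L5Ja0tP9H720mwy5TYgcsE5wmojjugOLAW+avQ1L62J+dh3wqmuOqS3K7wIzJ6eciOi3cBrlEXJYK5w1b7jM+qf+sOt5xTUQ3YhpmYJK94gPYMBrkLEaWKcU2DP6LTHqeFQviBhUb8hN60kitd92zHt3qfaCIFrbTm3fGdttu7LYlN3OwSlN21m0/3iuoA9Q4LNimgqhxKEFzKQ/96477E1V9wyjiaxMcp7IL30Ocb8nmQUb2FKg==
"""

# Root trust anchor as published by IANA in root-anchors.xml, as a DS tuple
# (key tag, algorithm, digest type, digest). BIND ships this key in bind.keys.
IANA_ROOT_DS = (20326, 8, 2,
                "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")

SEP_FLAG = 0x0001  # Secure Entry Point bit of the DNSKEY flags field (257 = 256 | 1)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name; the root is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256(owner name | DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey_answer(text):
    """Parse DNSKEY records in dig presentation format.

    Other record types (the RRSIG here) and the ``; ZSK; alg = ...`` comments
    that +rrcomments appends are ignored."""
    keys = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop dig's trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        owner, flags, proto, alg = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
        pubkey = base64.b64decode("".join(fields[7:]))
        rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
        keys.append({
            "owner": owner, "flags": flags, "alg": alg,
            "key_tag": key_tag(rdata), "ds_sha256": ds_sha256(owner, rdata),
        })
    return keys


def find_trust_anchor(text, ds=IANA_ROOT_DS):
    """Return the SEP key whose tag and DS digest match ``ds``, else None.

    The key tag is only a 16-bit checksum, not a fingerprint; the digest
    comparison is what actually pins the key."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("only DS digest type 2 (SHA-256) is implemented")
    for key in parse_dnskey_answer(text):
        if (key["flags"] & SEP_FLAG and key["alg"] == alg
                and key["key_tag"] == tag and key["ds_sha256"] == digest.upper()):
            return key
    return None


if __name__ == "__main__":
    for k in parse_dnskey_answer(SAMPLE_DNSKEY_ANSWER):
        role = "KSK" if k["flags"] & SEP_FLAG else "ZSK"
        print(f"{role} key id {k['key_tag']:5d} alg {k['alg']} DS {k['ds_sha256'][:16]}...")
    anchor = find_trust_anchor(SAMPLE_DNSKEY_ANSWER)
    print("trust anchor matches IANA DS" if anchor else "NO MATCHING TRUST ANCHOR")
```

On a live resolver, paste the ANSWER SECTION of `dig +rrcomments +dnssec -t dnskey . @::1` in place of the fixture. A match confirms that the key named validates with is the published anchor, so the "Unable to fetch DNSKEY set '.'" message at startup is only about the RFC 5011 refresh, not about the anchor itself. The key id that dig prints is not sufficient on its own, which is why the DS digest is recomputed and compared as well.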