Knowledge

DNS_ERROR_ROLLOVER_NOT_POKEABLE - 9128 (0x23A8)

The specified signing key is not waiting for parental DS update.

Updated: Feb 21, 2026

Technical Meaning

This error code indicates that a specified signing key is not in the state required for a DS (Delegation Signer) rollover operation. Specifically, it suggests that the key does not meet the necessary conditions to proceed with the update.

Error Details

The term 'pokable' in this context refers to the ability of the system to initiate or trigger a specific action or state change. In the case of DNS signing keys, this error implies that the key is not in a state where it can be updated or replaced as part of a DS rollover process.

Usage Context

This error typically occurs during operations related to DNSSEC (Domain Name System Security Extensions) management, specifically when attempting to perform a DS rollover. The DS rollover process involves updating the public key information associated with a domain's delegation in the DNS zone.

Developer Interpretation

Developers should interpret this error as an indication that the specified signing key is not suitable for initiating or completing a DS rollover operation. This could be due to various reasons, such as the key being in use, expired, or not properly configured for the current state of the DNS zone.

Related Errors

  • DNS_ERROR_DS_NOT_AVAILABLE: Indicates that the DS record is not available for update.
  • DNS_ERROR_NO_SUCH_KEY: Suggests that the specified key does not exist.
  • DNS_ERROR_DS_UNAVAILABLE_AT_ROOT: Implies that the root server is unavailable for DS updates.

FAQ

Q: What causes this error?

A: This error typically occurs when the signing key is in a state where it cannot be updated or replaced as part of a DS rollover process. It could be due to the key being in use, expired, or not properly configured for the current state of the DNS zone.

Q: How can I resolve this issue?

A: Ensure that the signing key is correctly configured and available for updates. Check the key's status and expiration date, and make sure it meets the requirements for a DS rollover operation.

Summary

The DNS_ERROR_ROLLOVER_NOT_POKEABLE error code indicates that the specified signing key cannot be updated or replaced as part of a DS rollover process. Developers should ensure that keys are correctly configured and available before attempting such operations.