NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



On Thu, 19 Mar 2020, Greg Troxel wrote:

> I changed
> 
>    dnssec-validation: auto
> 
> to
> 
>    dnssec-validation: yes

Are you saying this fixed your problem?

> after finding this hint:
> 
> https://kb.isc.org/docs/aa-01547
> 
>   dnssec-validation yes; or dnssec-validation auto; (the former requires
>   manually-configured trust anchors using trusted-keys or managed-keys;
>   the latter will use BIND's built-in managed keys)
> 
> it seems that auto uses built-in keys, and yes uses the keys in
> keys/managed-keys.bind.

That is the reverse of your quoted statement above.

> But, I wonder if our keys on the netbsd-8 branch need to be updated.

"auto" uses managed-keys and should update automatically to get the 
trusted keys. See the data pointed to by the bindkeys-file setting (like 
/etc/namedb/bind.keys or /etc/bind.keys). There could be a dynamic jnl 
file associated with it.  I can help analyze these files for you.

Try using: 
  rndc managed-keys status

"yes" would just use the keys you manually defined (with trusted-keys or 
your own managed-keys statement).

Maybe you disabled dnssec-validation since no extra config?

Do you have other dnssec validation problems for other domains?

Maybe the problem is with that domain itself?  But a quick look at it and it 
appears to be good.
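As an added illustration of the auto/yes distinction discussed above (this is example code written for this archive page, not part of the thread, of BIND, or of NetBSD): a small POSIX sh check that reads a named.conf-style file, reports which dnssec-validation mode it selects, and flags the case the reply warns about, "yes" with no trusted-keys or managed-keys statement to supply the trust anchors. It assumes BIND 9 option syntax (`dnssec-validation auto|yes|no;`), that anchors are declared with `trusted-keys { }` or `managed-keys { }` (the `trust-anchors { }` spelling of newer BIND releases is accepted on the assumption that it exists), and that comments use `#` or `//`. The sample configs at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: classify the dnssec-validation setting
# in a named.conf-style file and check whether the trust anchors that
# "dnssec-validation yes" depends on are actually declared.
# Assumes BIND 9 syntax: "dnssec-validation auto|yes|no;" and anchors given
# via trusted-keys { } or managed-keys { } (trust-anchors { } in newer BIND,
# assumed here).

# Strip "#" and "//" comments so commented-out settings are not counted.
# Note: this also strips "//" inside quoted strings such as URLs.
uncomment() {
    sed -e 's/#.*//' -e 's,//.*,,' "$1"
}

dnssec_mode() {
    conf="$1"
    # Last dnssec-validation statement wins; "dnssec-validation: auto" is tolerated.
    val=$(uncomment "$conf" \
        | awk '$1 ~ /^dnssec-validation:?$/ { v = $2 } END { sub(/;.*$/, "", v); print v }')
    # Count explicit trust-anchor statements.
    anchors=$(uncomment "$conf" \
        | awk '/^[[:space:]]*(trusted-keys|managed-keys|trust-anchors)[[:space:]]*[{]/ { n++ } END { print n + 0 }')
    case "$val" in
        auto) echo "auto: built-in managed keys from bindkeys-file are used" ;;
        yes)
            if [ "$anchors" -gt 0 ]; then
                echo "yes: $anchors manually configured trust anchor statement(s) found"
            else
                # This is the misconfiguration to look for: validation is on,
                # but nothing supplies the trust anchors it needs.
                echo "yes-no-anchors: validation requested but no trusted-keys/managed-keys statement"
                return 1
            fi ;;
        no)   echo "no: DNSSEC validation disabled" ;;
        "")   echo "unset: no dnssec-validation statement in this file" ;;
        *)    echo "unknown: $val"; return 1 ;;
    esac
}

# Constructed sample configs for the demo (not real files from any host).
tmpdir=$(mktemp -d)
cat > "$tmpdir/auto.conf" <<'EOF'
options {
    directory "/etc/namedb";
    dnssec-validation auto;   // built-in managed keys
};
EOF
cat > "$tmpdir/yes-bad.conf" <<'EOF'
options {
    # dnssec-validation auto;
    dnssec-validation yes;
};
EOF
for f in "$tmpdir"/*.conf; do
    printf '%s: ' "$(basename "$f")"
    dnssec_mode "$f" || printf '  (check your trust anchors or switch to auto)\n'
done
rm -rf "$tmpdir"
```

Run it against a copy of the real named.conf to see which branch applies; with "auto" the next thing to inspect is the bindkeys-file and `rndc managed-keys status`, as the reply suggests, whereas a "yes-no-anchors" result means the validator has no keys to validate against regardless of what bind.keys contains.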

