NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe

On 25/03/2020 16:58, Havard Eidnes wrote:
>> This has just got a lot worse. As of about 20 minutes ago I've had to
>> completely disable dnssec validation on my NetBSD 8.1-stable servers
>> as I had a complete loss of name resolution. Every domain was failing
>> to resolve (e.g. www.google.com). This was with dnssec-validation set
>> to auto. After setting this to off all dns resolution immediately
>> started working again.
>
> I can't fully explain that, I'm afraid.  The /etc/named.conf shipped
> in netbsd-8 also contains the "new" root key which is still in use to
> this day, so that part should be OK.

Auto seems to download new keys that replace the keys distributed. It's possible something has gone wrong with the key distribution infrastructure and my current keys expired and I wasn't able to get new ones. I need it to work for a few hours so I'll have to run with it turned off for a few hours at least.

I will experiment with re-enabling auto (and also trying yes) and seeing what happens later on once I'm not on the work clock.

> The only similar thing I have experienced is that if your local clock
> is way off you can get similar symptoms (yes, the coin cell keeping my
> RTC running is apparently "out of juice" on at least one of my old
> machines), since DNSSEC signatures have validity intervals which
> relate to "real timestamps", and if your clock is outside of the
> validity interval, DNS name resolution (and in particular DNSSEC
> validation) will fail with SERVFAIL being returned as the error code
> to the client.

Both DNS servers have ntpd running and I would have got a Nagios alert had either of them dropped out of sync so I can at least eliminate that one.

Mike
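The clock-skew failure mode Havard describes above (RRSIG validity intervals are absolute timestamps, and a validator whose clock falls outside them returns SERVFAIL), as an added example that is not part of the original thread and is not BIND's or NetBSD's code: it parses RRSIG records in the presentation format that `dig +dnssec` prints, compares the inception and expiration fields against a given clock using the serial-number arithmetic RFC 4034 calls for, and reports whether each signature would be accepted. The sample answer, the example.com. names, the key tag and the signature bytes are constructed placeholders. Only the time window is modelled; the signature itself and the chain of trust are not checked.

```python
"""Added example: check RRSIG validity windows against a resolver's clock.

Not code from the original thread or from BIND/NetBSD. Parses RRSIG
records in presentation format (as printed by `dig +dnssec`) and reports
whether a validator whose clock reads `now` would treat each signature
as valid, not yet valid, or expired.
"""
from datetime import datetime, timezone

# RRSIG inception/expiration are 32-bit unsigned seconds since the Unix
# epoch; RFC 4034 section 3.1.5 requires comparing them with serial
# number arithmetic (RFC 1982) so the field can wrap in 2106.
MOD = 1 << 32


def parse_rrsig_time(text):
    """Convert YYYYMMDDHHmmSS (UTC, presentation format) to 32-bit seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_le(a, b):
    """True if a <= b under RFC 1982 serial arithmetic modulo 2^32."""
    if a == b:
        return True
    return ((b - a) % MOD) < (MOD // 2)


def is_rrsig(line):
    """True if a presentation-format RR line is an RRSIG (type is field 4)."""
    f = line.split()
    return len(f) > 3 and f[3] == "RRSIG"


def parse_rrsig(line):
    """Parse one RRSIG RR in presentation format into a dict.

    Field layout: owner TTL class RRSIG type-covered algorithm labels
    original-ttl expiration inception key-tag signer signature...
    """
    f = line.split()
    if not is_rrsig(line) or len(f) < 12:
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def rrsig_status(sig, now):
    """Return 'valid', 'not-yet-valid' or 'expired' for clock `now` (epoch seconds)."""
    now %= MOD
    if not serial_le(sig["inception"], now):
        return "not-yet-valid"
    if not serial_le(now, sig["expiration"]):
        return "expired"
    return "valid"


def check_answer(lines, now):
    """Map (owner, type-covered) -> status for every RRSIG line in an answer."""
    return {(s["owner"], s["type_covered"]): rrsig_status(s, now)
            for s in (parse_rrsig(l) for l in lines if is_rrsig(l))}


def would_servfail(lines, now):
    """True if some RRset in the answer has no RRSIG inside its validity window.

    Assumes the zone is known to be signed, so an answer with no RRSIG at
    all also fails. A real validator additionally verifies the signature
    bytes and the chain of trust; only the time window is modelled here.
    """
    ok = {}
    for line in lines:
        if is_rrsig(line):
            s = parse_rrsig(line)
            key = (s["owner"], s["type_covered"])
            ok[key] = ok.get(key, False) or rrsig_status(s, now) == "valid"
    return not ok or not all(ok.values())


# Constructed sample answer modelled on `dig +dnssec` output around the
# date of this thread. The name, key tag and signature bytes are invented
# placeholders, not real DNS data.
SAMPLE_ANSWER = [
    "example.com.  3600 IN A     192.0.2.10",
    "example.com.  3600 IN RRSIG A 13 2 3600 20200401000000 20200318000000 "
    "12345 example.com. c2lnbmF0dXJlLWJ5dGVzLWdvLWhlcmU=",
]


def clock(iso):
    """Helper: ISO 8601 UTC string (e.g. '2020-03-25T17:00:00') -> epoch seconds."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    for label, t in [("ntpd-synced clock", "2020-03-25T17:00:00"),
                     ("dead RTC, clock reset", "2000-01-01T00:00:00"),
                     ("clock far ahead", "2021-01-01T00:00:00")]:
        verdict = "SERVFAIL" if would_servfail(SAMPLE_ANSWER, clock(t)) else "ok"
        print(label, check_answer(SAMPLE_ANSWER, clock(t)), verdict)
```

With the synced clock the sample signature is inside its window and the answer validates; with the RTC reset to 2000 every signature is "not-yet-valid", and with a clock a year ahead every signature is "expired", which is the all-domains SERVFAIL symptom described in the thread. Note that the symptom does not distinguish a bad clock from a bad trust anchor; `dig +cd` (checking disabled) succeeding while a plain query fails only tells you validation is the problem, not which input is wrong.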
