NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



>> This has just got a lot worse. As of about 20 minutes ago I've had to
>> completely disable dnssec validation on my NetBSD 8.1-stable servers
>> as I had a complete loss of name resolution. Every domain was failing
>> to resolve (e.g www.google.com). This was with dnssec-validation set
>> to auto. After setting this to off all dns resolution immediately
>> started working again.
> 
> I can't fully explain that, I'm afraid.

On second thought, and also based on a comment I heard...

You don't have "dnssec-looakside auto;" configured, perhaps?
If you do, remove it now and reconfigure your name server.

The dlv.isc.org domain was used as a bootstrap aid early in the
DNSSEC deployment, long before .com, .net, .org or the root was
signed.  That has long ago now been fixed, and the dlv.isc.org
service is or has been phased out.  See

   https://www.isc.org/blogs/dlv/

Best regards,

- Håvard


Home | Main Index | Thread Index | Old Index