On 25/03/2020 20:56, Havard Eidnes wrote:
>> My caching dns failed unexpectedly today, apparently I was not alone:
>> https://www.mail-archive.com/bind-users%lists.isc.org@localhost/msg28624.html
>> From ISC: "We apparently let our signatures on dlv.isc.org expire."
>
> Ouch!
>
>> I fixed this temporarily by adding:
>> dnssec-accept-expired yes;
>> Which feels risky...
>
> Yes, I would not do that.
>
>> Another user on the ISC list suggested setting
>> dnssec-lookaside no;
>> Which also feels risky.
>
> No, that's not risky at all!

Not only that putting dnssec back to auto and removing dnssec-lookaside and everything works:

$ ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:8b0:84:1::1 --> 2a00:1450:4009:819::2004
16 bytes from 2a00:1450:4009:819::2004, icmp_seq=0 hlim=58 time=13.812 ms
16 bytes from 2a00:1450:4009:819::2004, icmp_seq=1 hlim=58 time=13.589 ms
16 bytes from 2a00:1450:4009:819::2004, icmp_seq=2 hlim=58 time=13.519 ms

And even:

$ ping protonmail.ch
PING protonmail.ch (185.70.41.32): 56 data bytes
64 bytes from 185.70.41.32: icmp_seq=0 ttl=55 time=34.651610 ms
64 bytes from 185.70.41.32: icmp_seq=1 ttl=55 time=34.876867 ms
64 bytes from 185.70.41.32: icmp_seq=2 ttl=55 time=34.690384 ms

So this fixes the protonmail.ch problem as well which I could reproduce as well.

Mike
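
Added example, not part of the original message and not ISC's code: a small audit that flags the settings discussed in this thread when they are left behind in a named.conf. The sample configuration and the names `SAMPLE_CONF`, `strip_comments` and `audit_named_conf` are constructed for illustration, and "dnssec back to auto" is assumed to mean `dnssec-validation auto;`.

```python
import re

# Constructed named.conf fragment (not from the original message): it combines
# the temporary workaround and the DLV setting discussed in the thread.
SAMPLE_CONF = """
options {
    directory "/var/named";
    dnssec-validation auto;
    // dnssec-lookaside no;
    dnssec-lookaside auto;          # still depends on dlv.isc.org
    dnssec-accept-expired yes;      /* temporary workaround,
                                       never reverted */
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments, keeping line breaks so line numbers hold.

    Assumption: no comment markers appear inside quoted strings.
    """
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def audit_named_conf(text):
    """Return (line, option, value, finding) tuples for risky DNSSEC settings."""
    findings = []
    for lineno, line in enumerate(strip_comments(text).splitlines(), start=1):
        for option, value in re.findall(r"(dnssec-[a-z-]+)\s+([^;]*);", line):
            value = value.strip()
            if option == "dnssec-accept-expired" and value == "yes":
                findings.append((lineno, option, value,
                                 "expired signatures are accepted as valid"))
            elif option == "dnssec-lookaside" and value != "no":
                findings.append((lineno, option, value,
                                 "validation depends on a DLV zone"))
            elif option == "dnssec-validation" and value == "no":
                findings.append((lineno, option, value,
                                 "DNSSEC validation is disabled"))
    return findings

if __name__ == "__main__":
    for lineno, option, value, finding in audit_named_conf(SAMPLE_CONF):
        print(f"line {lineno}: {option} {value}; -> {finding}")
```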