NetBSD-Users archive


Re: DNSSEC vs netbsd-8/sparc?





On 21/04/2020 17:38, John D. Baker wrote:

> I seem to recall the real issue there was "dnssec-lookaside auto" being
> set in "named.conf" and the "dlv.isc.org." key in "bind.keys" being
> expired.  The canned root keys in the file are valid (at least the second
> one).  If one has the latest updates to netbsd-{7,8,9,current}, the
> "bind.keys" files are all up-to-date and identical aside from RCS IDs.
>
> The solution was to comment-out or remove the "dnssec-lookaside" option.
> The latter has been done for netbsd-{8,9,current}.

Yes. That was certainly what blew up my DNSSEC nameservers running on 8-stable/amd64. Once I took away the lookaside option dnssec resolution started working (and I was able to get at the protonmail domain that triggered the change).

> I have no idea if the present problem is related to that or not - just
> asking if it was a "netbsd-8 on amd64 works, fails on sparc" clear case.

I have 2 DNS servers running netbsd-8/amd64 and DNSSEC, both with the following DNSSEC options set up:

options {
        directory "/etc/namedb";
        dnssec-enable yes;
        dnssec-validation yes;
        #dnssec-lookaside auto;
        managed-keys-directory "keys";
        bindkeys-file "bind.keys";
};

These are the primary and secondary recursive resolvers for my local network and I don't see any problems resolving domains. So it is likely to be an architecture-specific issue.

Mike
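
One way to confirm that no uncommented "dnssec-lookaside" statement is left in a resolver's named.conf, the condition this message describes. This is an added example, not part of the original post; the sample configurations and function names are constructed for illustration.

```python
import re

# Constructed named.conf fragments (illustrative, not from a real server).
WITH_DLV = '''
options {
        directory "/etc/namedb";   // constructed sample
        dnssec-validation yes;
        /* lookaside is still live here */
        dnssec-lookaside auto;
        listen-on { any; };
};
'''
WITHOUT_DLV = WITH_DLV.replace('dnssec-lookaside auto;', '#dnssec-lookaside auto;')

# A quoted string, or one of the three comment styles named.conf accepts.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(text):
    """Blank out comments but keep quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def options_statements(text):
    """Map each top-level statement in the options block to its value."""
    clean = strip_comments(text)
    m = re.search(r'(?m)^\s*options\s*\{', clean)
    if not m:
        return {}
    stmts, depth, start, i = {}, 1, m.end(), m.end()
    while i < len(clean) and depth:
        c = clean[i]
        if c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
        elif c == ';' and depth == 1:
            parts = clean[start:i].split(None, 1)
            if parts:
                stmts[parts[0]] = parts[1].strip() if len(parts) > 1 else ''
            start = i + 1
        i += 1
    return stmts

def lookaside_active(text):
    """True if an uncommented dnssec-lookaside other than 'no' is set."""
    value = options_statements(text).get('dnssec-lookaside')
    return value is not None and value != 'no'

if __name__ == '__main__':
    for name, conf in (('with', WITH_DLV), ('without', WITHOUT_DLV)):
        print(name, 'lookaside active:', lookaside_active(conf))
```

To check a live file, pass its contents to lookaside_active(), for example open("/etc/named.conf").read(); the path is an assumption and depends on the installation.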



