I changed
dnssec-validation: auto to dnssec-validation: yes after finding this hint: https://kb.isc.org/docs/aa-01547 dnssec-validation yes; or dnssec-validation auto; (the former requires manually-configured trust anchors using trusted-keys or managed-keys; the latter will use BIND's built-in managed keys) it seems that auto uses built-in keys, and yes uses the keys in keys/managed-keys.bind. But, I wonder if our keys on the netbsd-8 branch need to be updated.