On Thu, 19 Mar 2020, Greg Troxel wrote:

> I changed
>
> dnssec-validation: auto
>
> to
>
> dnssec-validation: yes

Are you saying this fixed your problem?

> after finding this hint:
>
> https://kb.isc.org/docs/aa-01547
>
> dnssec-validation yes; or dnssec-validation auto; (the former requires
> manually-configured trust anchors using trusted-keys or managed-keys;
> the latter will use BIND's built-in managed keys)
>
> it seems that auto uses built-in keys, and yes uses the keys in
> keys/managed-keys.bind.

That is the reverse of your quoted statement above.

> But, I wonder if our keys on the netbsd-8 branch need to be updated.

"auto" uses managed-keys and should update automatically to get the trusted keys. See the data pointed to by the bindkeys-file setting (like /etc/namedb/bind.keys or /etc/bind.keys). There could be a dynamic jnl file associated with it. I can help analyze these files for you. Try using:

  rndc managed-keys status

"yes" would just use the keys you manually defined (with trusted-keys or your own managed-keys statement). Maybe you disabled dnssec-validation since no extra config?

Do you have other dnssec validation problems for other domains? Maybe the problem is with that domain itself? But a quick look at it and it appears to be good.
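
The auto/yes distinction from the quoted ISC KB text and the reply above, as an added example that is not part of the original message: a shell function that reports where a given named.conf gets its DNSSEC trust anchors. The function name, the output labels and the sample config are constructed for illustration; block comments and include files are not followed.

```shell
#!/bin/sh
# Added example. Classify how a named.conf obtains its DNSSEC trust anchors.
# Prints one of (labels are hypothetical):
#   auto-builtin | yes-with-anchors | yes-no-anchors | disabled | unset
dnssec_anchor_mode() {
    # Strip // and # line comments so commented-out settings are ignored.
    conf=$(sed -e 's://.*$::' -e 's:#.*$::' "$1")

    # Last dnssec-validation value that appears in the file.
    mode=$(printf '%s\n' "$conf" |
        sed -n 's/.*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' |
        tail -n 1)

    # Manually configured anchors: a trusted-keys or managed-keys statement.
    # Per the quoted KB text, "yes" relies on one of these being present.
    if printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*(trusted-keys|managed-keys)[[:space:]]*\{'; then
        anchors=yes
    else
        anchors=no
    fi

    case "$mode" in
        auto) echo auto-builtin ;;
        yes)  if [ "$anchors" = yes ]; then echo yes-with-anchors
              else echo yes-no-anchors; fi ;;
        no)   echo disabled ;;
        *)    echo unset ;;
    esac
}

# Constructed sample: "yes" with no trusted-keys/managed-keys statement.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options {
    directory "/etc/namedb";
    # dnssec-validation auto;
    dnssec-validation yes;   // changed from auto
};
EOF
echo "sample named.conf: $(dnssec_anchor_mode "$sample")"
rm -f "$sample"
```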