r...@reedmedia.net writes:

> On Thu, 19 Mar 2020, Greg Troxel wrote:
>
>> I changed
>>
>> dnssec-validation: auto
>>
>> to
>>
>> dnssec-validation: yes
>
> Are you saying this fixed your problem?
Yes, I think it does.  However, nothing seems 100% reliable, so I can't
claim that with certainty.

>> after finding this hint:
>>
>> https://kb.isc.org/docs/aa-01547
>>
>> dnssec-validation yes; or dnssec-validation auto; (the former requires
>> manually-configured trust anchors using trusted-keys or managed-keys;
>> the latter will use BIND's built-in managed keys)
>>
>> it seems that auto uses built-in keys, and yes uses the keys in
>> keys/managed-keys.bind.
>
> That is reverse of your quoted statement above.

I don't think so.  It seems that "auto", which starts with builtin keys
or bind.keys, was failing, and "yes", which would use the managed-keys
file (which had been maintained by bind), was working.

>> But, I wonder if our keys on the netbsd-8 branch need to be updated.
>
> "auto" uses managed-keys and should update automatically to get the
> trusted keys. See the data pointed to by the bindkeys-file setting (like
> /etc/namedb/bind.keys or /etc/bind.keys). There could be a dynamic jnl
> file associated with it. I can help analyze these files for you.

I am reading it differently.

> Try using:
> rndc managed-keys status

$ rndc managed-keys status
rndc: 'managed-keys' failed: unknown command

This is named 9.10 as shipped with netbsd-8.  It seems I should update
to 9 and/or install from pkgsrc.

> "yes" would just use the keys you manually defined (with trusted-keys or
> your own managed-keys statement).

Ah, but I do have

  managed-keys-directory "keys";

which is in /etc/named.conf in etc.tgz.  I generally try hard to have my
etc files match the release except for changes that I understand.

> Maybe you disabled dnssec-validation since no extra config?

No; config to follow.

> Do you have other dnssec validation problems for other domains?

Not that I have noticed.

> Maybe problem is with that domain itself? But a quick look at it and it
> appears to be good.

I suspected the domain, but everything points to my config.
My config file starts out (now that I changed auto to yes):

options {
	directory "/etc/namedb";

	dnssec-enable yes;
	dnssec-validation yes;
	managed-keys-directory "keys";
	bindkeys-file "bind.keys";

	allow-recursion { acl_recursive_query; };
};

and dnssec-validation used to be auto.  With dnssec-validation yes, I
think bindkeys-file is ignored.

keys/managed-keys.bind has something that looks current:

$ORIGIN .
$TTL 0	; 0 seconds
@			IN SOA	. . (
				14050      ; serial
				0          ; refresh (0 seconds)
				0          ; retry (0 seconds)
				0          ; expire (0 seconds)
				0          ; minimum (0 seconds)
				)
			KEYDATA	20200320223835 20200319223835 19700101000000 257 3 8 (
				AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
				iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
				7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
				LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
				efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
				pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
				A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
				9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
				) ; KSK; alg = RSASHA256; key id = 20326
				; next refresh: Fri, 20 Mar 2020 22:38:35 GMT
				; trusted since: Thu, 19 Mar 2020 22:38:35 GMT

and the jnl file is basically empty:

;BIND LOG V9
[followed only by a run of NUL bytes]
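A check worth doing on a file like the keys/managed-keys.bind shown above, added here as an example and not taken from the thread or from BIND itself: parse the KEYDATA record, rebuild the DNSKEY RDATA, recompute the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509), and compare both with the values IANA publishes for the root KSK. The sample file below is constructed from the record quoted in the message, and the IANA key tag and DS digest are assumed from the published root-anchors data (check them against https://data.iana.org/root-anchors/ before relying on them). A matching key id in the file's own comment proves nothing on its own, since BIND wrote that comment from the same key data; what matters is that tag and digest agree with an out-of-band reference.

```python
"""Verify that the KEYDATA trust anchor in a BIND managed-keys.bind file is the
genuine IANA root KSK.  Added example; not from the thread or from BIND."""
import base64
import hashlib
import re
import struct
from datetime import datetime, timezone

# Assumed reference values for the root KSK-2017, as published in IANA's
# root-anchors.xml; re-check them against https://data.iana.org/root-anchors/.
IANA_ROOT_KEY_TAG = 20326
IANA_ROOT_DS_SHA256 = "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"

# Constructed sample, transcribed from the keys/managed-keys.bind quoted above.
MANAGED_KEYS_SAMPLE = """\
$ORIGIN .
$TTL 0  ; 0 seconds
@  IN SOA . . ( 14050 0 0 0 0 )
   KEYDATA 20200320223835 20200319223835 19700101000000 257 3 8 (
        AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
        iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
        7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
        LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
        efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
        pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
        A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
        9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
        ) ; KSK; alg = RSASHA256; key id = 20326
"""

# KEYDATA RDATA as BIND writes it: refresh time, add time, remove time
# (YYYYMMDDHHMMSS, UTC), then the DNSKEY fields flags/protocol/algorithm/key.
KEYDATA_RE = re.compile(
    r"KEYDATA\s+(\d{14})\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s*\(\s*([A-Za-z0-9+/=\s]+?)\s*\)"
)


def _strip_comments(text: str) -> str:
    # ';' starts a comment in master-file syntax; drop everything after it.
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def dnskey_key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (any algorithm but 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner_wire: bytes, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def parse_keydata(text: str) -> dict:
    m = KEYDATA_RE.search(_strip_comments(text))
    if not m:
        raise ValueError("no KEYDATA record found")
    refresh, added, removed, flags, proto, alg, b64 = m.groups()
    pubkey = base64.b64decode("".join(b64.split()))
    return {
        "refresh": _ts(refresh),
        "trusted_since": _ts(added),
        "removal_scheduled": removed != "19700101000000",  # epoch 0 means "not set"
        "flags": int(flags),
        "protocol": int(proto),
        "algorithm": int(alg),
        "rdata": struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey,
    }


def check_root_anchor(text: str) -> dict:
    rec = parse_keydata(text)
    tag = dnskey_key_tag(rec["rdata"])
    ds = ds_sha256(b"\x00", rec["rdata"])  # wire form of the root name "." is one zero byte
    rec.update(
        key_tag=tag,
        ds_sha256=ds,
        is_ksk=bool(rec["flags"] & 0x0001),  # SEP bit set for a KSK (flags 257)
        matches_iana=(tag == IANA_ROOT_KEY_TAG and ds == IANA_ROOT_DS_SHA256),
    )
    return rec


if __name__ == "__main__":
    r = check_root_anchor(MANAGED_KEYS_SAMPLE)
    print(f"key tag {r['key_tag']}  algorithm {r['algorithm']}  KSK={r['is_ksk']}")
    print(f"DS 2 {r['ds_sha256']}")
    print("matches IANA root anchor:", r["matches_iana"])
    print("trusted since", r["trusted_since"], "next refresh", r["refresh"],
          "removal scheduled:", r["removal_scheduled"])
```

Point it at the real file with `check_root_anchor(open("/etc/namedb/keys/managed-keys.bind").read())`. A stale or tampered anchor shows up as a tag or digest mismatch, and a non-zero remove time shows BIND has already scheduled the key for withdrawal (RFC 5011), which would explain validation failures after the anchor expires.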