I was maybe able to reproduce the problem. I think the version of named is bad (it is unsupported). I believe you got it to work because DNSSEC validation was disabled. (When enabled, the queries did not work.)
> My config file starts out (now that I changed auto to yes):
>
> options {
>     directory "/etc/namedb";
>     dnssec-enable yes;
>     dnssec-validation yes;
>     managed-keys-directory "keys";
>     bindkeys-file "bind.keys";
>     allow-recursion { acl_recursive_query; };
> };

dnssec-validation yes should be using the "bind.keys"

> and dnssec-validation used to be auto. With dnssec-validation yes, I
> think bindkeys-file is ignored.

That is reversed. It is using bindkeys-file. Have a look at
/usr/share/doc/reference/ref8/bind9/arm/Bv9ARM.ch06.html
(or see my extended edited version of it :)

> keys/managed-keys.bind has something that looks current

That is used because your bind.keys is using managed-keys.

Let's verify your named is doing validation:

    dig @127.0.0.1 +dnssec . | egrep "flags:|RRSIG"

You should see the "ad" flag.

    dig @127.0.0.1 +dnssec www.netbsd.org

You should also see the "ad" flag.

But protonmail.ch does have problems, which I see using BIND 9.10.5 on NetBSD 8.1 with "dnssec-validation auto;":

    Mar 20 01:32:11 morden named[292]: validating protonmail.ch/DNSKEY: no valid signature found (DS)
    Mar 20 01:32:11 morden named[292]: no valid RRSIG resolving 'protonmail.ch/DNSKEY/IN': 3.127.12.149#53
    Mar 20 01:32:12 morden named[292]: validating protonmail.ch/DNSKEY: no valid signature found (DS)
    Mar 20 01:32:12 morden named[292]: no valid RRSIG resolving 'protonmail.ch/DNSKEY/IN': 18.194.37.70#53
    Mar 20 01:32:12 morden named[292]: validating protonmail.ch/DNSKEY: no valid signature found (DS)
    Mar 20 01:32:12 morden named[292]: no valid RRSIG resolving 'protonmail.ch/DNSKEY/IN': 185.70.40.19#53

So it tried all three of their nameservers above.
    Mar 20 01:32:12 morden named[292]: broken trust chain resolving 'protonmail.ch/A/IN': 185.70.40.19#53
    Mar 20 01:32:12 morden named[292]: query client=0x7f18b31d0800 thread=0x7f18b598f000 (protonmail.ch/A): query_find: unexpected error after resuming: broken trust chain

I bumped up some debugging:

    20-Mar-2020 02:04:20.361 validating protonmail.ch/DNSKEY: no DNSKEY matching DS
    20-Mar-2020 02:04:20.361 validating protonmail.ch/DNSKEY: no valid signature found (DS)

I also looked at the v9_10 lib/dns/validator.c code around this.

    $ dig +multiline +dnssec @a.nic.ch. protonmail.ch
    protonmail.ch.          3600 IN DS 27196 8 4 (
                                    E422EE237DE2FE29190F1BDDC0C0E2469679411F329A
                                    AB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D5
                                    13798D9E )

The keyid is 27196.

    $ dig +multiline +dnssec @ns1.protonmail.ch protonmail.ch -t DNSKEY
    ...
                                    ) ; ZSK; alg = RSASHA256 ; key id = 6753
    ...
                                    ) ; KSK; alg = RSASHA256 ; key id = 27196

So there is one for the same keyid.

I didn't try to use any custom tool to test the DS hash and signatures themselves. But using other and newer nameservers validated it fine. I also use "dnssec-validation yes;" instead of auto.

bind.keys in the NetBSD 8.1 I looked at is out of date. It won't work for DNSSEC. It falls back to using no DNSSEC.

My recommendation is to use a newer named. (I have had similar problems before related to not being built with correct algorithm support, but that resulted in different messages.)
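The DS-to-DNSKEY check the mail above says it did not script, as an added example (not part of the original thread or of BIND): it computes the RFC 4034 key tag and the DS digest over the owner name plus DNSKEY RDATA, for digest types 1, 2 and 4 (type 4 is the SHA-384 DS shown for protonmail.ch). The DNSKEY bytes, owner name and DS string below are constructed stand-ins; to check a real zone, paste its DNSKEY base64 and the DS line from dig.

```python
# Added example: DS <-> DNSKEY consistency check per RFC 4034 Appendix B
# (key tag) and RFC 4034 5.1.4 / RFC 6605 (DS digest = hash(owner | RDATA)).
# Not BIND's code; the sample key below is constructed, not a real zone key.
import base64
import hashlib
import struct

# DS digest types registered for DNSSEC (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) uncompressed wire format."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the 'key id' dig prints; not for alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Uppercase hex DS digest over owner-name wire format + DNSKEY RDATA."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_matches(owner: str, rdata: bytes, ds: str) -> bool:
    """Compare a DNSKEY with a DS given as 'tag alg type hexdigest'; whitespace
    inside the digest (as dig +multiline prints it) is ignored."""
    tag, alg, dtype, *digest = ds.split()
    if int(tag) != key_tag(rdata) or int(alg) != rdata[3]:
        return False  # tag or algorithm differs: the key cannot match this DS
    return "".join(digest).upper() == ds_digest(owner, rdata, int(dtype))


# Constructed KSK (flags 257, algorithm 8); the key bytes are a stand-in.
SAMPLE_KEY = dnskey_rdata(257, 8, base64.b64encode(b"\x01\x03\x05\x07").decode())
SAMPLE_DS = f"{key_tag(SAMPLE_KEY)} 8 4 {ds_digest('example.', SAMPLE_KEY, 4)}"
```

A False result for every key in the zone's DNSKEY RRset is the situation behind a "no DNSKEY matching DS" log line; a True result means the DS is consistent and the problem lies elsewhere (signatures, algorithm support in the resolver, or stale trust anchors).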