> You can also use delv to see named like behaviour: > delv protonmail.ch > delv -d 99 protonmail.ch
I think this line for the last one is the problem: ;; validating protonmail.ch/DNSKEY: no DNSKEY matching DS and, indeed, re-computing the DS record from the protonmail.ch DNSKEY: % dig protonmail.ch. dnskey | dnssec-dsfromkey -f - -a sha384 protonmail.ch results in protonmail.ch. IN DS 27196 8 4 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648 while querying for the protonmail.ch DS record gives protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43 575C1C6FAB6B9FFC521996E526F4B5D513798D9E which doesn't match. Regards, - HÃ¥vard
