> This has just got a lot worse. As of about 20 minutes ago I've had to
> completely disable dnssec validation on my NetBSD 8.1-stable servers
> as I had a complete loss of name resolution. Every domain was failing
> to resolve (e.g. www.google.com). This was with dnssec-validation set
> to auto. After setting this to off all dns resolution immediately
> started working again.

I can't fully explain that, I'm afraid. The /etc/named.conf shipped in netbsd-8 also contains the "new" root key which is still in use to this day, so that part should be OK.

The only similar thing I have experienced is that if your local clock is way off you can get similar symptoms (yes, the coin cell keeping my RTC running is apparently "out of juice" on at least one of my old machines), since DNSSEC signatures have validity intervals which relate to "real timestamps", and if your clock is outside of the validity interval, DNS name resolution (and in particular DNSSEC validation) will fail with SERVFAIL being returned as the error code to the client.

Regards,

- Håvard
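
An added example, not part of the original message: a small check that compares a clock against the validity interval of an RRSIG record, which is the condition the reply describes. The sample record, its dates and the function names are constructed for illustration; the timestamps are assumed to be in the 14-digit YYYYMMDDHHmmSS form that `dig +dnssec` prints.

```python
from datetime import datetime, timezone

# Constructed sample record in presentation format (not real data).
SAMPLE_RRSIG = (
    "example.org. 3600 IN RRSIG A 13 2 3600 "
    "20240215000000 20240201000000 12345 example.org. c2lnbmF0dXJl"
)


def _parse_ts(field):
    """Parse an RRSIG timestamp (YYYYMMDDHHmmSS, always UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window(line):
    """Return (inception, expiration) from one RRSIG line."""
    fields = line.split()
    idx = fields.index("RRSIG")
    # Fields after "RRSIG": type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    expiration = _parse_ts(fields[idx + 5])
    inception = _parse_ts(fields[idx + 6])
    return inception, expiration


def check_clock(line, now=None):
    """Classify a clock reading against the signature validity interval."""
    now = now or datetime.now(timezone.utc)
    inception, expiration = rrsig_window(line)
    if now < inception:
        # Typical for a machine whose RTC battery died and reset the date.
        return "clock-before-inception"
    if now > expiration:
        return "clock-after-expiration"
    return "within-validity"


if __name__ == "__main__":
    inception, expiration = rrsig_window(SAMPLE_RRSIG)
    print("signature valid from", inception, "to", expiration)
    print("local clock:", check_clock(SAMPLE_RRSIG))
```

A result other than `within-validity` for a freshly fetched signature points at the local clock rather than at the trust anchor.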