> When I tried turning on DNSSEC on the primary name server, it could no
> longer resolve outside my own local network. I think BIND in netbsd-7
> is considered too old to properly support current DNSSEC, so I commented
> those options out and it was again able to resolve external domains.

I think (hope!) that's inaccurate; BIND has in general had working DNSSEC validation for a very long time.

However, NetBSD 7.0 had a /etc/namedb/bind.keys which only contained the root DNSSEC key which is now expired (was valid until 11 jan 2019 according to https://data.iana.org/root-anchors/root-anchors.xml), so if you start BIND with only the old root key in that file, any attempts at doing DNSSEC validation will predictably fail.

An updated /etc/namedb/bind.keys from netbsd-7 contains also the new root key, it was updated on the netbsd-7 branch on 2018-03-10 by the looks of it. If this update isn't applied to your configuration, you'll get the failure described above.

There may of course be other problems causing this failure, but this particular issue is easiest to sort out first.

Best regards,

- Håvard
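
Added example, not part of the original message and not NetBSD or BIND code: a check of which root trust anchors are inside their validity window on a given date, and whether a locally configured set of key tags still includes one of them. The XML is a constructed sample in the shape of root-anchors.xml with placeholder digests; key tags 19036 and 20326 stand for the old and new root keys, and the list of configured tags is assumed to be supplied by hand from your own bind.keys.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample shaped like root-anchors.xml; digests are placeholders.
SAMPLE_ANCHORS = """
<TrustAnchor id="EXAMPLE" source="constructed-sample">
  <Zone>.</Zone>
  <KeyDigest id="old" validFrom="2010-07-15T00:00:00+00:00"
             validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>PLACEHOLDER_OLD_DIGEST</Digest>
  </KeyDigest>
  <KeyDigest id="new" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>20326</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>PLACEHOLDER_NEW_DIGEST</Digest>
  </KeyDigest>
</TrustAnchor>
"""


def anchor_status(xml_text, when):
    """Map each KeyTag to 'valid', 'expired' or 'not-yet-valid' at `when`."""
    status = {}
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        tag = int(kd.findtext("KeyTag"))
        start = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")  # absent while the key is still current
        end = datetime.fromisoformat(until) if until else None
        if when < start:
            status[tag] = "not-yet-valid"
        elif end is not None and when >= end:
            status[tag] = "expired"
        else:
            status[tag] = "valid"
    return status


def has_valid_anchor(configured_tags, xml_text, when):
    """True if at least one locally configured key tag is a valid anchor."""
    status = anchor_status(xml_text, when)
    return any(status.get(tag) == "valid" for tag in configured_tags)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("anchor status:", anchor_status(SAMPLE_ANCHORS, now))
    # A bind.keys holding only the old root key (hypothetical local config).
    print("old key only:", has_valid_anchor([19036], SAMPLE_ANCHORS, now))
    print("old + new:", has_valid_anchor([19036, 20326], SAMPLE_ANCHORS, now))
```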