On 21/04/2020 17:38, John D. Baker wrote:
> I seem to recall the real issue there was "dnssec-lookaside auto" being
> set in "named.conf" and the "dlv.isc.org." key in "bind.keys" being
> expired. The canned root keys in the file are valid (at least the second
> one). If one has the latest updates to netbsd-{7,8,9,current}, the
> "bind.keys" file are all up-to-date and identical aside from RCS IDs.
> The solution was to comment-out or remove the "dnssec-lookaside" option.
> The latter has been done for netbsd-{8,9,current}.
Yes. That was certainly what blew up my DNSSEC nameservers running on
8-stable/amd64. Once I took away the lookaside option dnssec resolution
started working (and I was able to get at the protonmail domain that
triggered the change).
I have no idea if the present problem is related to that or not - just
asking if it was a "netbsd-8 on amd64 works, fails on sparc" clear case.
I have 2 DNS servers running netbsd-8/amd64 and DNSSEC, both with the
following DNSSEC options set up:
options {
        directory "/etc/namedb";
        dnssec-enable yes;
        dnssec-validation yes;
        #dnssec-lookaside auto;
        managed-keys-directory "keys";
        bindkeys-file "bind.keys";
};
These are the primary and secondary recursive resolvers for my local
network and I don't see any problems resolving domains. So it is likely
to be an architecture-specific issue.
Mike
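Added example, not code from this thread: a small Python check that reports whether a named.conf still carries an active dnssec-lookaside statement, treating lines commented out with `#`, `//` or `/* */` (as in the options block above) as inactive. The sample configuration is constructed from that options block; the helper names are my own.

```python
import re

# Constructed sample, modelled on the options block posted in the thread:
# the lookaside option is present but commented out with '#'.
SAMPLE_NAMED_CONF = """\
options {
        directory "/etc/namedb";
        dnssec-enable yes;
        dnssec-validation yes;
        #dnssec-lookaside auto;
        managed-keys-directory "keys";
        bindkeys-file "bind.keys";
};
"""

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #.
    Assumption: no '#' or '//' appears inside a quoted string value."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    return text

def find_lookaside(text):
    """Return the value of an uncommented 'dnssec-lookaside' statement,
    e.g. 'auto' or '"." trust-anchor dlv.isc.org', or None if absent."""
    m = re.search(r"\bdnssec-lookaside\s+([^;]+);", strip_comments(text))
    return m.group(1).strip() if m else None

def lookaside_active(text):
    """True when dnssec-lookaside is set to anything other than 'no';
    such a resolver depends on the DLV key and will fail validation
    once that key is no longer valid."""
    value = find_lookaside(text)
    return value is not None and value.lower() != "no"

if __name__ == "__main__":
    print("lookaside active:", lookaside_active(SAMPLE_NAMED_CONF))
```

Run it against a real file with `lookaside_active(open("/etc/namedb/named.conf").read())`; a True result means the option should be removed or commented out as the thread describes.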