NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



I was maybe able to reproduce the problem. I think the version of named 
is bad (it is unsupported).  I believe you got it to work because dnssec 
validation was disabled. (When enabled, the queries did not work.)

> My config file starts out (now that I changed auto to yes):
> 
> options {
>         directory "/etc/namedb";
>         dnssec-enable yes;
>         dnssec-validation yes;
>         managed-keys-directory "keys";
>         bindkeys-file "bind.keys";
>         allow-recursion { acl_recursive_query; };
> };

dnssec-validation yes should be using the "bind.keys".

> and dnssec-validation used to be auto.  With dnssec-validation yes, I
> think bindkeys-file is ignored.

That is reversed. It is using bindkeys-file.  Have a look at 
/usr/share/doc/reference/ref8/bind9/arm/Bv9ARM.ch06.html  (or see my 
extended edited version of it :)

> keys/managed-keys.bind has something that looks current

That is used because your bind.keys is using managed-keys.

Let's verify your named is doing validation:

dig @127.0.0.1 +dnssec . | egrep "flags:|RRSIG"

You should see the "ad" flag.

dig @127.0.0.1 +dnssec www.netbsd.org

You should also see the "ad" flag.

But protonmail.ch does have problems which I see using BIND 9.10.5 on 
NetBSD 8.1 using "dnssec-validation auto;"

Mar 20 01:32:11 morden named[292]: validating protonmail.ch/DNSKEY: no valid signature found (DS)
Mar 20 01:32:11 morden named[292]: no valid RRSIG resolving 'protonmail.ch/DNSKEY/IN': 3.127.12.149#53
Mar 20 01:32:12 morden named[292]: validating protonmail.ch/DNSKEY: no valid signature found (DS)
Mar 20 01:32:12 morden named[292]: no valid RRSIG resolving 'protonmail.ch/DNSKEY/IN': 18.194.37.70#53
Mar 20 01:32:12 morden named[292]: validating protonmail.ch/DNSKEY: no valid signature found (DS)
Mar 20 01:32:12 morden named[292]: no valid RRSIG resolving 'protonmail.ch/DNSKEY/IN': 185.70.40.19#53

So it tried all three of their nameservers above.

Mar 20 01:32:12 morden named[292]: broken trust chain resolving 'protonmail.ch/A/IN': 185.70.40.19#53
Mar 20 01:32:12 morden named[292]: query client=0x7f18b31d0800 thread=0x7f18b598f000 (protonmail.ch/A): query_find: unexpected error after resuming: broken trust chain

I bumped up some debugging:

20-Mar-2020 02:04:20.361 validating protonmail.ch/DNSKEY: no DNSKEY matching DS
20-Mar-2020 02:04:20.361 validating protonmail.ch/DNSKEY: no valid signature found (DS)

I also looked at v9_10 lib/dns/validator.c  code around this.
 
$ dig +multiline +dnssec @a.nic.ch. protonmail.ch 

protonmail.ch.          3600 IN DS 27196 8 4 (
                                E422EE237DE2FE29190F1BDDC0C0E2469679411F329A
                                AB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D5
                                13798D9E )

keyid is 27196

$ dig +multiline +dnssec @ns1.protonmail.ch protonmail.ch -t DNSKEY

...
                                ) ; ZSK; alg = RSASHA256 ; key id = 6753

...
                                ) ; KSK; alg = RSASHA256 ; key id = 27196

So there is one for the same keyid.
I didn't try to use any custom tool to test the DS hash and signatures 
themselves.
But using other and newer nameservers validated it fine.

I also use "dnssec-validation yes;" instead of auto. bind.keys in the 
NetBSD 8.1 I looked at is out of date. It won't work for DNSSEC. It 
falls back to use no DNSSEC.

My recommendation is use newer named.
(I have had similar problems before related to not being built with 
correct algorithms support but that resulted in different messages.)
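The check the message above skips, the DS hash against the DNSKEY, as an added example that is not part of the thread: it computes the RFC 4034 key tag (the "key id" dig prints) and the DS digest (digest type 4 is SHA-384, as in the protonmail.ch DS record) with only the Python standard library. The DNSKEY public key used below is a constructed sample, since the thread elides the real key; the function and constant names are my own.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605). Type 4 is SHA-384,
# the digest type in the protonmail.ch DS record shown in the thread.
DS_DIGEST = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA on the wire: 2-byte flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the 'key id' dig prints (27196 above)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest field: hash(owner name wire form || DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DS_DIGEST[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds_tag, ds_alg, ds_dtype, ds_hex):
    """True only when key tag, algorithm and digest of the DNSKEY all agree with the DS."""
    # RFC 4035 s5.2: a DS whose digest type the validator cannot compute is ignored,
    # so such a DS never yields a matching DNSKEY, whatever the key material is.
    if ds_dtype not in DS_DIGEST:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata) == ds_tag and algorithm == ds_alg
            and ds_digest(owner, rdata, ds_dtype) == "".join(ds_hex.split()).upper())

# Constructed sample KSK (flags 257, protocol 3, RSASHA256 = alg 8); not the real protonmail.ch key.
SAMPLE_OWNER = "protonmail.ch"
SAMPLE_KEY = "AwEAAavN"

if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 8, SAMPLE_KEY)
    print("key tag:", key_tag(rdata))
    print("DS digest (type 4):", ds_digest(SAMPLE_OWNER, rdata, 4))
```

Feed it the flags, protocol, algorithm and base64 key from `dig ... -t DNSKEY` and the four DS fields from the parent's `dig ... DS` output; ds_hex may be pasted straight from the wrapped multiline form.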



