NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



Thanks for all the comments and help.

> That is reversed. It is using bindkeys-file.  Have a look at 
> /usr/share/doc/reference/ref8/bind9/arm/Bv9ARM.ch06.html  (or see my 
> extended edited version of it :)

I did, but I am still not following.  It seems there are multiple places
to get root keys from:

  1) compiled in the named binary
  2) bindkeys-file (read, never written)
  3) managed-keys (read and written on rollover)
  4) trusted-keys statement

As I read the html you pointed to, I read it as

  dnssec-validation yes: use trusted-keys or managed-keys

  dnssec-validation auto: use "default trust anchor" which I take as 3
  or 4, and other docs on the ISC web site say this too.

>> keys/managed-keys.bind has something that looks current
>
> That is used because your bind.keys is using managed-keys.

I thought it was because I have a managed-keys statement:
  managed-keys-directory "keys";
which directs bind to write the rollover root KSK into the keys
directory.


Yes, the bind.keys file uses the managed-keys directive, but the
bind.keys file is unchanged from the release.

> Let's verify your named is doing validation:
>
> dig @127.0.0.1 +dnssec . | egrep "flags:|RRSIG"
>
> You should see the "ad" flag.

yes

> dig @127.0.0.1 +dnssec www.netbsd.org
>
> You should also see the "ad" flag.

yes

[protonmail]

So it seems there is something special about protonmail where the combination
of what they are doing and what bind in netbsd-8 can cope with is bad.

All of this dnssec-validation yes/auto may be a red herring.  After I
said changing to yes fixed things, then I couldn't resolve protonmail
later.

> I also use "dnssec-validation yes;" instead of auto. bind.keys in the 
> NetBSD 8.1 I looked at is out of date. It won't work for DNSSEC. It 
> falls back to use no DNSSEC.

It is really unfortunate that there is not even a clear log message, let
alone a failure exit when it can't do something it's been asked to do.
The docs say "dnssec validation is enabled", not "it might or might not
be enabled".  (I know that's not your fault!)

> My recommendation is use newer named.
> (I have had similar problems before related to not being built with 
> correct algorithms support but that resulted in different messages.)

Indeed, that seems wise.

So the question for NetBSD is whether we should do anything about
netbsd-8 being broken.   I guess that's:

  bind.keys is old (but ISC's website seems to still be publishing it)

  builtin bind.keys is too old to work

but:

  compiled-in trust anchors seem ok
    (With no bindkeys-file statement, and auto, I get ad bit for
    netbsd.org, and a managed-keys file journal is written.)

Still, seems best to maybe pull up newer bind to 8, if someone is game.
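A small check script, added here as an illustration and not code from the original post, from NetBSD or from ISC: it runs the two dig queries the thread uses (a normal `+dnssec` query and the same query with `+cd`, "checking disabled") against a resolver and classifies the answer, so that "the resolver rejected the DNSSEC chain" (SERVFAIL normally, NOERROR with `+cd`) is told apart from "the resolver is not validating at all" (NOERROR without the `ad` flag, which is the silent fallback described above) and from plain upstream failures. The resolver address 127.0.0.1 in the usage line follows the thread; the sample dig headers embedded for the offline demo are constructed, not real captures, and the category names are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from NetBSD/ISC):
# classify how a validating resolver answers for a name, from two dig queries per name.
#   1. "dig @RESOLVER +dnssec NAME"      -> rcode plus whether the "ad" flag is set
#   2. "dig @RESOLVER +dnssec +cd NAME"  -> "checking disabled": the resolver answers
#                                           even when it could not validate the chain
# A name that is SERVFAIL normally but NOERROR with +cd failed DNSSEC validation at
# the resolver, as opposed to the name simply not resolving upstream.

# Print the rcode ("status: ...") from dig output read on stdin.
dig_rcode() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p'
}

# Print the flag list from the ";; flags:" header line read on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Print "yes" if the "ad" (authenticated data) flag is among the flags on stdin.
dig_has_ad() {
    case " $(dig_flags) " in
        *" ad "*) echo yes ;;
        *)        echo no  ;;
    esac
}

# Classify from two captured dig outputs passed as strings:
#   $1: output of the normal +dnssec query
#   $2: output of the same query with +cd
# The category names below are this example's own, not dig's or BIND's.
classify() {
    cls_rcode=$(printf '%s\n' "$1" | dig_rcode)
    cls_ad=$(printf '%s\n' "$1" | dig_has_ad)
    cls_cd_rcode=$(printf '%s\n' "$2" | dig_rcode)
    if [ "$cls_rcode" = NOERROR ] && [ "$cls_ad" = yes ]; then
        echo validated            # chain verified; the "ad bit" the thread looks for
    elif [ "$cls_rcode" = NOERROR ]; then
        echo not-validated        # unsigned zone, or the resolver is not validating at all
    elif [ "$cls_rcode" = SERVFAIL ] && [ "$cls_cd_rcode" = NOERROR ]; then
        echo validation-failure   # data exists but the resolver rejected the DNSSEC chain
    else
        echo "$cls_rcode"         # NXDOMAIN, REFUSED, or SERVFAIL even with +cd (upstream trouble)
    fi
}

# Live check: query RESOLVER ($1) for NAME ($2) both ways and print the category.
check_name() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
    chk_normal=$(dig @"$1" +dnssec "$2")
    chk_cd=$(dig @"$1" +dnssec +cd "$2")
    printf '%s\t%s\n' "$2" "$(classify "$chk_normal" "$chk_cd")"
}

# Constructed sample headers in dig's output format (not real captures), enough for the parser.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -ge 2 ]; then
    resolver=$1
    shift
    for name in "$@"; do
        check_name "$resolver" "$name"
    done
else
    echo "usage: $0 RESOLVER NAME...  e.g. $0 127.0.0.1 . netbsd.org protonmail.ch" >&2
    echo "demo on constructed samples:"
    printf '  signed and validated:  %s\n' "$(classify "$SAMPLE_VALIDATED" "$SAMPLE_VALIDATED")"
    printf '  answered, no ad flag:  %s\n' "$(classify "$SAMPLE_UNVALIDATED" "$SAMPLE_UNVALIDATED")"
    printf '  SERVFAIL, ok with +cd: %s\n' "$(classify "$SAMPLE_SERVFAIL" "$SAMPLE_CD_OK")"
fi
```

Run it as `sh dnssec-check.sh 127.0.0.1 . netbsd.org protonmail.ch` against the local named; with no arguments it only classifies the embedded samples. The `ad`-flag test is the same check as the `dig ... | egrep "flags:|RRSIG"` pipeline quoted above, and the `+cd` query is the extra step: a resolver that has silently fallen back to no DNSSEC (stale trust anchors, as the thread describes for the bundled bind.keys) reports every name as `not-validated` rather than failing, while a name that really does fail the chain shows up as `validation-failure`.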


