NetBSD-Users archive


Re: trouble resolving protonmail.ch, dnssec, seems netbsd-specific maybe



> This has just got a lot worse. As of about 20 minutes ago I've had to
> completely disable dnssec validation on my NetBSD 8.1-stable servers
> as I had a complete loss of name resolution. Every domain was failing
> to resolve (e.g. www.google.com). This was with dnssec-validation set
> to auto. After setting this to off all dns resolution immediately
> started working again.

I can't fully explain that, I'm afraid.  The /etc/named.conf shipped
in netbsd-8 also contains the "new" root key which is still in use to
this day, so that part should be OK.

The only similar thing I have experienced is that if your local clock
is way off you can get similar symptoms (yes, the coin cell keeping my
RTC running is apparently "out of juice" on at least one of my old
machines), since DNSSEC signatures have validity intervals which
relate to "real timestamps", and if your clock is outside of the
validity interval, DNS name resolution (and in particular DNSSEC
validation) will fail with SERVFAIL being returned as the error code
to the client.

Regards,

- Håvard
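
The clock-versus-validity-interval check described in the reply above, as an added example that is not part of the original post. It parses the inception and expiration fields of one RRSIG line in the presentation format that `dig +dnssec` prints and reports where a given clock falls; the function names and the sample record (name, key tag, signature) are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG line (made-up name, key tag and signature).
SAMPLE_RRSIG = (
    "example.org. 3600 IN RRSIG A 13 2 3600 "
    "20240215000000 20240201000000 12345 example.org. c2lnbmF0dXJl"
)


def parse_rrsig_window(line):
    """Return (type_covered, inception, expiration) from one RRSIG line."""
    fields = line.split()
    idx = fields.index("RRSIG")
    covered = fields[idx + 1]
    # RFC 4034 presentation order: expiration is printed before inception,
    # both as YYYYMMDDHHmmSS in UTC.
    expiration, inception = (
        datetime.strptime(f, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for f in fields[idx + 5 : idx + 7]
    )
    return covered, inception, expiration


def check_clock(line, now=None):
    """Classify `now` against the signature window and return the margin.

    Plain comparison is enough for a diagnostic; validators compare the
    32-bit wire values with serial number arithmetic.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    _, inception, expiration = parse_rrsig_window(line)
    if now < inception:
        return "not-yet-valid", inception - now
    if now > expiration:
        return "expired", now - expiration
    return "valid", min(now - inception, expiration - now)


if __name__ == "__main__":
    # A clock reset to an old date (dead RTC battery), a sane clock, a fast clock.
    for clock in ("2000-01-01", "2024-02-10", "2024-03-01"):
        now = datetime.fromisoformat(clock).replace(tzinfo=timezone.utc)
        state, margin = check_clock(SAMPLE_RRSIG, now)
        print(f"clock={clock} -> {state} (margin {margin})")
```

A clock that lands in either failing state matches the symptom in the reply: the validating resolver rejects the signatures and the client sees SERVFAIL.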

