If `dig +dnssec +cd emeraldonion.org mx` gives you answers and `dig +dnssec emeraldonion.org mx` does not, then it’s most probably a validation failure.
Then of course based on your logging setup, the validation failures might be visible in BIND 9 log.

Ondrej
--
Ondřej Surý
ond...@isc.org

> On 8 Feb 2020, at 02:53, Alessandro Vesely <ves...@tana.it> wrote:
>
> Hi,
>
> thank you for your prompt reply!
>
> On Sat 08/Feb/2020 11:39:05 +0100 Ondřej Surý wrote:
>>> How do I fix this issue?
>>
>> You don’t, their DNSSEC is broken:
>>
>> https://dnsviz.net/d/emeraldonion.org/dnssec/
>
> I see. Is there a command to diagnose that locally?
>
>> They have to either start signing again or remove DS record from the parent
>> (org).
>
> Fine, I'll forward your suggestion direct-to-mx
>
> Best
> Ale
> --
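
The comparison described in this message, as an added example that is not part of the original post: it classifies a pair of `dig` outputs taken with and without `+cd`. The function names and the sample headers are assumptions made for illustration; the samples are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example: decide whether a lookup failure is a DNSSEC validation
# failure by comparing the RCODE of a normal query with a +cd query
# (+cd sets the Checking Disabled bit, so the resolver skips validation).

# Extract the RCODE from dig's header (";; ->>HEADER<<- ... status: X, id: N").
rcode() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = output of `dig +dnssec NAME TYPE`
# $2 = output of `dig +dnssec +cd NAME TYPE`
classify() {
    validated=$(rcode "$1")
    unchecked=$(rcode "$2")
    if [ -z "$validated" ] || [ -z "$unchecked" ]; then
        echo "no-response"                 # timeout or unparsable output
    elif [ "$validated" = "SERVFAIL" ] && [ "$unchecked" = "NOERROR" ]; then
        echo "validation-failure"          # data exists but fails validation
    elif [ "$validated" = "$unchecked" ]; then
        echo "same-result:$validated"      # validation is not the difference
    else
        echo "inconclusive:$validated/$unchecked"
    fi
}

# Live check against the configured resolver (needs network access).
diagnose() {
    classify "$(dig +dnssec "$1" "$2")" "$(dig +dnssec +cd "$1" "$2")"
}

# Constructed sample headers (hypothetical ids and counts).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNCHECKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify "$SAMPLE_VALIDATED" "$SAMPLE_UNCHECKED"
```

For a live lookup, call `diagnose emeraldonion.org mx` on a host whose resolver performs DNSSEC validation.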