On 11 Oct 2018, at 18:27, pg...@dev-mail.net wrote:
>
> Changing my local dns (named) config to
>
> - dnssec-enable yes;
> + dnssec-enable no;
> dnssec-lookaside no;
> - dnssec-validation yes;
> + dnssec-validation no;
>
> gets me back up & running, without DNSSEC of course.
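Review bot: the `dnssec-validation no;` line switches validation off for every zone rather than repairing the failing anchor, so the resolver will accept unsigned and forged answers until it is reverted; treat the change as a temporary measure and keep the original `dnssec-validation yes;` in view for re-enabling. If the problem is the root trust anchor, `dnssec-validation auto;` (BIND's built-in root anchor, maintained through RFC 5011 managed keys) would let validation stay on across the KSK rollover. The `dnssec-lookaside no;` context line needs no change.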
Although switching off DNSSEC validation will keep the mail flowing, it only kludges around the underlying problem. Which might or might not be related to the rollover of the root KSK a few hours ago. It’s hard to tell from the information you’ve provided. That said, you do appear to have a DNS server misconfiguration which is causing DNSSEC validation to fail. Clearly it would be wise to fix that before turning DNSSEC validation on again. The switch to the new KSK seems the most likely cause, assuming DNSSEC validation always worked for you before then.

> Is 'ready' simply .... 'wait awhile’ ?

Maybe, maybe not. It depends on what is broken in your DNSSEC setup. If you’ve hard-wired the now dead root KSK, waiting a while won’t help. That key will still be dead when you re-enable DNSSEC validation. No matter how long or short you wait. Consult ICANN’s web pages on the root KSK rollover. They have info on how to check that DNS configurations handle the KSK rollover properly and how to troubleshoot them when they don’t.
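A defender-side check for the misconfiguration the reply describes, added here as an example that is not part of the thread and not BIND's own tooling: a small audit of a named.conf fragment that flags validation switched off, a root anchor pinned statically in `trusted-keys` (which RFC 5011 never updates, so it is stranded by a rollover), and a pinned key whose tag is in a set of retired tags. The key tag computation follows RFC 4034 Appendix B. The sample configs and the placeholder key `AQIDBA==` are constructed, and the retired/current root KSK tags 19036 and 20326 are public DNSSEC facts rather than values taken from the thread.

```python
"""Audit a BIND named.conf fragment for DNSSEC settings that disable validation
or will strand it across a root KSK rollover.  Added example; the configs below
are constructed and the placeholder key is not a real root key."""
import base64
import re

# Public DNSSEC facts (not from the thread): tag of the root KSK retired at the
# 11 Oct 2018 rollover (KSK-2010) and of its successor (KSK-2017).
RETIRED_ROOT_KSK_TAGS = {19036}
CURRENT_ROOT_KSK_TAG = 20326


def strip_comments(conf):
    """Drop the three comment styles named.conf accepts (/* */, //, #).
    Line comments are only recognised at line start or after whitespace so
    that a '//' inside a base64 key string is left alone."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?m)(?:^|(?<=\s))(?://|#).*$", "", conf)


def option(conf, name):
    """Value of a simple 'name value;' statement, or None if absent."""
    m = re.search(rf"\b{re.escape(name)}\s+([\w-]+)\s*;", conf)
    return m.group(1) if m else None


def dnskey_tag(flags, protocol, algorithm, key_b64):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 form)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# One anchor line: "zone" [initial-key] flags protocol algorithm "base64";
_ANCHOR = re.compile(
    r'"(?P<zone>[^"]+)"\s+(?:initial-key\s+)?(?P<flags>\d+)\s+(?P<proto>\d+)\s+'
    r'(?P<alg>\d+)\s+"(?P<key>[^"]+)"\s*;'
)


def anchors(conf, block):
    """(zone, key_tag) pairs from a trusted-keys or managed-keys block."""
    m = re.search(rf"\b{block}\s*{{(.*?)}}\s*;", conf, flags=re.S)
    if not m:
        return []
    out = []
    for k in _ANCHOR.finditer(m.group(1)):
        key = re.sub(r"\s+", "", k["key"])          # keys may be wrapped over lines
        zone = k["zone"].rstrip(".") or "."
        out.append((zone, dnskey_tag(int(k["flags"]), int(k["proto"]), int(k["alg"]), key)))
    return out


def audit(conf, retired_tags=RETIRED_ROOT_KSK_TAGS):
    """Return a list of human-readable findings for a named.conf fragment."""
    conf = strip_comments(conf)
    findings = []
    validation = option(conf, "dnssec-validation")
    if validation == "no":
        findings.append("dnssec-validation no: validation is off, forged answers are accepted")
    static = anchors(conf, "trusted-keys")
    managed = anchors(conf, "managed-keys")
    for zone, tag in static:
        if zone != ".":
            continue
        if tag in retired_tags:
            findings.append(f"trusted-keys pins retired root KSK (tag {tag}); "
                            "validation fails until it is replaced, however long you wait")
        else:
            findings.append(f"trusted-keys pins root KSK tag {tag} statically; "
                            "RFC 5011 rollovers will not be tracked")
    has_root_anchor = any(z == "." for z, _ in static + managed)
    if validation == "yes" and not has_root_anchor:
        findings.append("dnssec-validation yes with no root trust anchor; "
                        "use 'auto' or a managed-keys entry for '.'")
    return findings


# Constructed sample configs.  "AQIDBA==" is a 4-byte placeholder, tag 2063.
BROKEN_CONF = """
options {
    dnssec-enable yes;
    dnssec-validation yes;   // relies on the hard-wired anchor below
};
trusted-keys {
    "." 257 3 8 "AQIDBA==";  /* placeholder, not a real root key */
};
"""
HARDENED_CONF = """
options {
    dnssec-validation auto;  // built-in root anchor, kept current via RFC 5011
};
"""

if __name__ == "__main__":
    # Pass the placeholder's tag as "retired" to show the dead-anchor finding.
    for f in audit(BROKEN_CONF, retired_tags={2063}):
        print("BROKEN  :", f)
    print("HARDENED:", audit(HARDENED_CONF) or "no findings")
```

The `retired_tags` parameter exists so the constructed placeholder can stand in for a real retired key; against a production config the default set (19036) is what you want, and a run that reports no findings for `dnssec-validation auto;` with no static root anchor is the configuration the reply is steering towards.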