On Thu, Oct 11, 2018, at 2:33 PM, Bill Cole wrote: > > Isn't 'hardwired' here afaict. Looking at the ICANN site -- again -- > > is probably best advice. > > Since you're running BIND, https://kb.isc.org/docs/aa-01182 might be > more specifically helpful, although I'm not sure that you can recover > from the key having actually rolled at this point by just setting > "dnssec-validation auto;"
Managed to get it all sorted. manually deleted the existing bind.keys, DL'd and copied over a current/updated copy, made sure all jnl's were synced, switched validation -> auto, and restarted. resolver's up, running & working now, as least as verified with the usual dig @127.0.0.1 dnssec-failed.org a +dnssec not clear if all of that^ was needed, but it apparently did the trick. thanks all.
