broken trust chain

Anand Buddhdev anandb at ripe.net
Sun Oct 14 13:43:21 UTC 2018 

Hi Cody,

Well, your "managed-keys" section looks almost right. It should *not*
have the dlv.isc.org key in there, because the DLV has retired. The root
zone keys look right.

If you set "dnssec-validation" to "auto" (the recommended setting), then
BIND *should* be able to validate. We don't know what your previous
setting of "dnssec-validation" was, before you turned it off. If it
still can't, then look at its log for more hints.

Regards,
Anand

On 14/10/2018 15:08, Cody Allen wrote:
> definitely not seeing those keys showing keyid: 19036 when i do rndc managed-keys status but the key file
> shows both 20326 and 19036
> 
> bind.keys managed key section below
> 
> managed-keys {
>         # ISC DLV: See https://www.isc.org/solutions/dlv for details.
>         #
>         # NOTE: The ISC DLV zone is being phased out as of February 2017;
>         # the key will remain in place but the zone will be otherwise empty.
>         # Configuring "dnssec-lookaside auto;" to activate this key is
>         # harmless, but is no longer useful and is not recommended.
>         dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>                 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>                 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>                 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>                 Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>                 QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
>                 TDN0YUuWrBNh";
> 
>         # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
>         # for current trust anchor information.
>         #
>         # These keys are activated by setting "dnssec-validation auto;"
>         # in named.conf.
>         #
>         # This key (19036) is to be phased out starting in 2017. It will
>         # remain in the root zone for some time after its successor key
>         # has been added. It will remain this file until it is removed from
>         # the root zone.
>         . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
>                 FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
>                 bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
>                 X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
>                 W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
>                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
>                 QxA+Uk1ihz0=";
> 
>         # This key (20326) is to be published in the root zone in 2017.
>         # Servers which were already using the old key (19036) should
>         # roll seamlessly to this new one via RFC 5011 rollover. Servers
>         # being set up for the first time can use the contents of this
>         # file as initializing keys; thereafter, the keys in the
>         # managed key database will be trusted and maintained
>         # automatically.
>         . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
>                 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
>                 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
>                 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
>                 oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
>                 RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
>                 R1AkUTV74bU=";
> };
> 
> 
> 
> 
>> On Oct 14, 2018, at 8:54 AM, Anand Buddhdev <anandb at ripe.net> wrote:
>>
>> On 14/10/2018 14:17, Cody Allen wrote:
>>
>>> issue just started on 10/13/2018 both servers impacted at same time, clocks are correct, version of bind is 9.11.1 impacting recursion on internal view, authoritative zones work fine, servers have been running for couple of years or longer with zero problems.  most recent version of bind.keys installed. only solution has been to set dnssec-validation to no
>>
>> On 11 October 2018, at 16:00 UTC, the root zone KSK was rolled. You're
>> almost certainly affected by this. But saying that "the most recent
>> version of bind.keys is installed" is meaningless, because I have no
>> idea what your definition of "most recent" is. At the very least,
>> provide the key IDs of the keys in your bind.keys file. If you don't
>> have key ID 20326 in there, you won't be able to do DNSSEC validation.
>>
>> Regards,
>> Anand
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
>

More information about the bind-users mailing list