Broken trust chain presumably due to some zone operators using LetsEncrypt certificates
Ondřej Surý
ondrej at isc.org
Fri Oct 1 16:49:15 UTC 2021
Hi Richard,
this is not the case.
slack.com botched their DS/DNSKEY deployment (there’s a thread on dns-operations about it).
Ondrej
--
Ondřej Surý (He/Him)
ondrej at isc.org
> On 1. 10. 2021, at 18:46, Richard T.A. Neal <richard at richardneal.com> wrote:
>
> For those of you facing a curious issue with BIND failing to resolve records for some zones today it’s not necessarily BIND having “a Friday moment” 😊
>
> It looks like the LetsEncrypt root certificate expiry is even impacting some DNSSEC zones that have used a LetsEncrypt certificate to sign their zone file.
>
> For example my BIND 9.17.18 / Ubuntu 21.04 servers are failing to resolve {anything}.slack.com at the moment, presumably because Slack have used LetsEncrypt to sign their zone. BIND is logging the following in my query-errors.log file:
>
> (app.slack.com): query failed (broken trust chain) for app.slack.com/IN/A at query.c:7658
>
> There’s a little more info about the LetsEncrypt issue at the following two links (not my site):
>
> https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
> and
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> Richard.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list