error (broken trust chain) resolving

Brian J. Murrell brian at interlinx.bc.ca
Wed Nov 10 04:10:44 UTC 2010


Casey Deccio <casey <at> deccio.net> writes:
> 
> Reproducing these errors and analyzing the debug-level log messages
> would be helpful since everything looks consistent from a DNSSEC
> perspective, as far as I can see.

Well, I have attempted this.  I reproduced my existing bind configuration and 
added the following to logging:


        category "dnssec" { "debug_log"; };
        channel debug_log {
                file "/var/tmp/named.debug";
                severity debug 100;
                print-category yes;
        };

The only thing written to that file when one of those broken-chain lookups happens is:

dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: starting
dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: attempting negative response validation
dnssec: validator @0x2295e9b0: dns_validator_destroy

The dig query that produced that:

$ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt

; <<>> DiG 9.7.1-P2 <<>> @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;41.70.55.206.sa-trusted.bondedsender.org. IN TXT

;; Query time: 43 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Tue Nov  9 23:08:39 2010
;; MSG SIZE  rcvd: 58

And the syslog entry:

Nov  9 23:08:39 linux named[11040]: error (broken trust chain) resolving '41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53

So nothing terribly interesting in the debug as far as I can see.  Perhaps I 
don't have enough/the correct debugging enabled?

Cheers,
b.
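A next diagnostic step the thread does not spell out, added here as an example (it is not part of Brian's post, nor code from BIND): query the resolver with checking disabled, `dig +cd +dnssec <name> txt`, so it hands back the negative answer it would otherwise turn into SERVFAIL, and then look at what the AUTHORITY section actually carries. "attempting negative response validation" means the validator received a NODATA/NXDOMAIN answer; to accept it, it needs NSEC or NSEC3 records covered by RRSIGs that chain to the trust anchor. The small parser below classifies a dig transcript accordingly. The two transcripts, the zone example.net, the resolver address 10.0.0.53, the NSEC3 hash labels and the signature data are all constructed placeholders, and the parser assumes the classic multi-line `dig` text layout.

```python
"""Classify a negative DNS answer from `dig +cd +dnssec` output by whether its
AUTHORITY section carries a signed denial-of-existence proof.

Added diagnostic example; the dig transcripts are constructed, not captured."""
import re

HEADER_RE = re.compile(r";; ->>HEADER<<-.*status: (\w+)")
SECTION_RE = re.compile(r";; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


def parse_dig(text):
    """Parse dig text output into (status, flags, sections).

    sections maps 'ANSWER'/'AUTHORITY'/'ADDITIONAL' to a list of
    (owner, rtype, rdata_tokens) tuples."""
    status, flags = None, set()
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(1)
            continue
        if line.startswith(";; flags:"):
            # ';; flags: qr rd ra cd; QUERY: 1, ...' -> {'qr', 'rd', 'ra', 'cd'}
            flags = set(line.split(";")[2].replace("flags:", "").split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.strip():
            current = None          # a blank line closes the section
            continue
        if line.startswith(";") or current is None:
            continue                # banner, QUESTION section, footer
        parts = line.split()        # owner ttl class type rdata...
        if len(parts) < 4:
            continue
        sections[current].append((parts[0], parts[3], parts[4:]))
    return status, flags, sections


def classify_denial(text):
    """Return one of:
      'not-negative'     an answer is present or the rcode is not NOERROR/NXDOMAIN
      'signed-denial'    NSEC/NSEC3 present and covered by RRSIG: validatable if
                         the key chain to the anchor is intact
      'unsigned-denial'  NSEC/NSEC3 present but no RRSIG over them: chain broken
      'soa-only'         no NSEC/NSEC3 at all: normal for a provably insecure
                         zone, a broken chain if the parent publishes a DS
    The 'cd' flag in the response confirms the query bypassed validation."""
    status, _flags, sections = parse_dig(text)
    if status not in ("NOERROR", "NXDOMAIN") or sections["ANSWER"]:
        return "not-negative"
    auth = sections["AUTHORITY"]
    present = {rtype for _, rtype, _ in auth}
    denial = present & {"NSEC", "NSEC3"}
    if not denial:
        return "soa-only" if "SOA" in present else "not-negative"
    # RRSIG rdata starts with the type it covers, e.g. 'RRSIG NSEC3 8 3 ...'
    covered = {rdata[0] for _, rtype, rdata in auth if rtype == "RRSIG" and rdata}
    return "signed-denial" if denial & covered else "unsigned-denial"


def strip_rrsigs(text):
    """Drop every RRSIG record line, to simulate a resolver that never saw them."""
    return "\n".join(l for l in text.splitlines() if l.split()[3:4] != ["RRSIG"])


# Constructed NODATA answer for a TXT query in a hypothetical NSEC3-signed zone.
SIGNED_NODATA = """\
; <<>> DiG 9.7.1-P2 <<>> @10.0.0.53 +cd +dnssec host.example.net txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;host.example.net.  IN  TXT

;; AUTHORITY SECTION:
example.net.  300  IN  SOA  ns1.example.net. hostmaster.example.net. 2010110901 3600 900 604800 300
example.net.  300  IN  RRSIG  SOA 8 2 300 20101201000000 20101101000000 12345 example.net. c2lnbmF0dXJl
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.net.  300  IN  NSEC3  1 0 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr A RRSIG
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.net.  300  IN  RRSIG  NSEC3 8 3 300 20101201000000 20101101000000 12345 example.net. c2lnbmF0dXJl

;; Query time: 12 msec
"""

# Constructed NODATA answer with nothing but the SOA: no proof to validate.
SOA_ONLY_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.net.  300  IN  SOA  ns1.example.net. hostmaster.example.net. 2010110901 3600 900 604800 300
"""

if __name__ == "__main__":
    for label, sample in (("signed", SIGNED_NODATA),
                          ("soa only", SOA_ONLY_NODATA),
                          ("rrsigs stripped", strip_rrsigs(SIGNED_NODATA))):
        print(f"{label:16s} -> {classify_denial(sample)}")
```

Run the same query without `+cd` afterwards: an `ad` flag in that response means the resolver validated the denial, while a SERVFAIL for a transcript that classifies as `signed-denial` points at the key side of the chain (the DS at the parent, or the DNSKEY/RRSIG the denial is signed under) rather than at the negative proof itself.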