error (broken trust chain) resolving
Brian J. Murrell
brian at interlinx.bc.ca
Wed Nov 10 04:10:44 UTC 2010
Casey Deccio <casey <at> deccio.net> writes:
>
> Reproducing these errors and analyzing the debug-level log messages
> would be helpful since everything looks consistent from a DNSSEC
> perspective, as far as I can see.
Well, I have attempted this. I reproduced my existing bind configuration and
added the following to logging:
    category "dnssec" { "debug_log"; };
    channel debug_log {
        file "/var/tmp/named.debug";
        severity debug 100;
        print-category yes;
    };
The only thing written to that file when one of those broken chain lookups happens is:
dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: starting
dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: attempting negative response validation
dnssec: validator @0x2295e9b0: dns_validator_destroy
The dig query that produced that:
$ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
; <<>> DiG 9.7.1-P2 <<>> @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;41.70.55.206.sa-trusted.bondedsender.org. IN TXT
;; Query time: 43 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Tue Nov 9 23:08:39 2010
;; MSG SIZE rcvd: 58
And the syslog entry:
Nov 9 23:08:39 linux named[11040]: error (broken trust chain) resolving '41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53
So nothing terribly interesting in the debug as far as I can see. Perhaps I
don't have enough/the correct debugging enabled?
Cheers,
b.
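One way to narrow down where a validation chain breaks, as an added shell example that is not part of this thread and not BIND's own tooling: it first asks for the record with checking disabled (+cd), then lists every candidate zone cut above the failing name and fetches the DS and DNSKEY sets at each one with dig. The resolver address and port (10.75.22.3, 1053) are copied from the dig output above purely as placeholders, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from BIND/ISC.
# Given a name that a validating resolver answers with SERVFAIL and logs as
# "broken trust chain", list the zone cuts whose DS/DNSKEY records lie on
# the validation path and fetch each with dig so the break can be located.
# Assumptions: dig is installed; SERVER/PORT default to the values seen in
# the post (10.75.22.3, 1053) and are placeholders only.

# Print "." and every ancestor of NAME, shortest first, one per line,
# each with a trailing dot.  Every line is a candidate zone cut.
ancestors() {
    rest=${1%.}                      # drop a trailing dot if present
    acc=""
    printf '.\n'
    while [ -n "$rest" ]; do
        label=${rest##*.}            # rightmost remaining label
        if [ "$label" = "$rest" ]; then
            rest=""                  # that was the leftmost label
        else
            rest=${rest%.*}
        fi
        if [ -z "$acc" ]; then acc="$label."; else acc="$label.$acc"; fi
        printf '%s\n' "$acc"
    done
}

# Query RRTYPE for ZONE at the resolver, printing status, answer and
# authority sections with DNSSEC records included.  Extra dig options
# (e.g. +cd) may follow the two positional arguments.
query() {
    zone=$1; rrtype=$2; shift 2
    dig @"$SERVER" -p "$PORT" +dnssec +noall +comments +answer +authority \
        "$@" "$zone" "$rrtype"
}

check_chain() {
    name=$1
    # 1. Does the record come back at all when validation is off?
    echo "== $name TXT with checking disabled (+cd) =="
    query "$name" TXT +cd
    # 2. Walk down from the root.  At each cut the DS in the parent must
    #    match a DNSKEY in the child.  The first cut where the DS query
    #    itself SERVFAILs, or where DS and DNSKEY disagree, is the break.
    #    A validated empty (NODATA) DS answer is an unsigned delegation,
    #    i.e. an insecure chain rather than a broken one.
    for zone in $(ancestors "$name"); do
        if [ "$zone" != "." ]; then
            echo "== DS for $zone (held by the parent) =="
            query "$zone" DS
        fi
        echo "== DNSKEY for $zone =="
        query "$zone" DNSKEY
    done
}

SERVER=${SERVER:-10.75.22.3}
PORT=${PORT:-1053}
if [ $# -gt 0 ]; then
    check_chain "$1"
fi
```

Run it as `sh check_chain.sh 41.70.55.206.sa-trusted.bondedsender.org`; compare the DS digest and key tag at each cut with the DNSKEY set below it, and also note which queries the resolver itself answers with SERVFAIL, since a validator that cannot fetch the DS or DNSKEY for a cut will report the failure as a broken chain.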