"broken trust chain" for non-existing AAAA records

Mark Andrews marka at isc.org
Mon Nov 29 21:59:42 UTC 2010


Is this still with BIND 9.7.0-P1 or something more recent?  If it
is still BIND 9.7.0-P1 then please upgrade.  There really is no
point debugging validation failures in BIND 9.7.0-P1 anymore as the
validator has had really extensive changes since then.

Please remember that, unlike most of the rest of named, the validator
is still very much "new" code that hasn't had millions of users
exercising it in the real world like the rest of the code base has.
As a result it is still changing as we run into real world patterns
that have not been seen in the lab or by those of us that have been
running it in production for several years.  If you are validating
you really need to follow the releases we make.

For the record I can validate the answer in question with current code.

Mark


; <<>> DiG 9.6.0-APPLE-P2 <<>> mail.cdu-freiburg.de aaaa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56812
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.cdu-freiburg.de.		IN	AAAA

;; Query time: 345 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 30 08:55:51 2010
;; MSG SIZE  rcvd: 38

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec de ds @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45413
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;de.				IN	DS

;; AUTHORITY SECTION:
.			7641	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2010112900 1800 900 604800 86400
.			7641	IN	RRSIG	SOA 8 0 86400 20101206000000 20101128230000 40288 . VXdtlcNzXMvVy0QGYYNv8euCsGn9Cb+aM+jhdMM2aABpShc7d8J8vBWS XrnFwmr1AoqV8LhcWYwSP3+Xu2XOs7HW3OY9IXYVoYDW2JLgCef9fYe/ MkwNxTQFuw2EwZFZTkkrxPLhPucuwiCRlBO/w1dl8Qak6F72lFG39UFt h9Q=
de.			7641	IN	RRSIG	NSEC 8 1 86400 20101206000000 20101128230000 40288 . JB4Fz8EGFxg5sY/KY5EK0ebcmLr03LnQSVtddkHxljSydz1RA/OoriNe xwp6GmYz6DpjuoDcBMW/9PDwYTl17SqPFwFQBw/6yRf+oXtHx5u7Q7zx 4Kf/7zDxw8h2L/FeAa1WqLLbmhEBF2RcaV6Rv2OCj1VXIVffBgW/GDDw CD8=
de.			7641	IN	NSEC	dj. NS RRSIG NSEC

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 30 08:56:20 2010
;; MSG SIZE  rcvd: 447

In message <20101129144338.8595771dm36elag4 at webmail.kwsoft.de>, lst_hoe02 at kwsoft.de writes:
> Quoting Mark Andrews <marka at isc.org>:
> 
> >
> > In message <20101118131400.37717e5p5tardzm0 at webmail.kwsoft.de>, lst_hoe02 at kwsoft.de writes:
> >> We are using BIND 9.7 at the border to resolve DNS queries for a small
> >> LAN. After moving forward in using IPv6 we discovered many "broken
> >> trust chain" errors in the bind log for non-existing AAAA records. One
> >> example is
> >>
> >> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
> >> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> >> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
> >> resolving 'smtp.g.comcast.net/AAAA/IN': 68.87.66.201#53
> >> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
> >> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> >> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
> >> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> >>
> >> From what I can see there is no DNSSEC for comcast.net, so this should
> >> not happen, and the A record just resolves fine. Any comment on whether
> >> this should worry me?
> >
> > A broken chain of trust can be *anywhere* in the trust chain.
> >
> > Remember named has to prove that an answer should be insecure (not
> > signed) by looking for the absence of a DS RRset at a delegation
> > point above the name in question.
> 
> 
> Sorry to come up with this again...
> As far as I understand, if I get a secure answer from the root NS that
> there is no DS for the domain in question (de., net., etc.), there
> should be no "broken trust chain" further on because there is
> (validated) none?
> 
> 
> > If validation is working correctly you should be able to get a
> > validated negative response for DS net.  Note the "ad" in the flags
> > below which indicates that named thinks the answer is secure.
> 
> 
> This is working, no problem, but I still get "broken trust chain" for
> some non-existing AAAA records, like for example this one:
> 
> ; <<>> DiG 9.7.0-P1 <<>> +dnssec mail.cdu-freiburg.de AAAA
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54325
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;mail.cdu-freiburg.de.		IN	AAAA
> 
> 
> Nov 29 14:37:01 firewall named[976]: error (broken trust chain)  
> resolving 'mail.cdu-freiburg.de/AAAA/IN': 62.116.129.129#53
> 
> 
> ; <<>> DiG 9.7.0-P1 <<>> +dnssec de. DS
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;de.				IN	DS
> 
> ;; AUTHORITY SECTION:
> .			3	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2010112801 1800 900 604800 86400
> .			3	IN	RRSIG	SOA 8 0 86400 20101205000000 20101127230000 40288 . HxKeNrwFeDxJDKKbBcQJQQ8aXf1sEs93J1rcm647RI3Qw3bpm9Dbs+xj aYki5iRhk0HHjDHm1Kj2gGXFdKlzMAExszF7js1IaCs+EgePqwSqDoHT lSduCn/hqlrklOqrwQkjYJhJkEYLJuhKVHTkilbC/w94RxVK3Uh5qEdJ K44=
> de.			3	IN	RRSIG	NSEC 8 1 86400 20101205000000 20101127230000 40288 . DfHYLjIgdB3M+ib9Gn6anvtE27UTdZWX9nqvzf7ts4+X2TCVwlPmGtn7 4EXwrDTfYNe5YEWh67MO/7mcUeZ2LcqqyQifIu0hJZf5RBmys0ml39JZ VNcSaWr7N5J3OV2GCJl366w24Eeuuje+xAJAyIfzE68LkMlnypjbrAAT mtA=
> de.			3	IN	NSEC	dj. NS RRSIG NSEC
> 
> 
> So it is validated that the TLD de. has no DS (-> NSEC), but BIND 9.7
> reports a broken trust chain for the IPv6 record of
> "mail.cdu-freiburg.de". I have not even found anything looking like a
> DNSKEY further down the road, so why is the error reported?
> 
> Many Thanks
> 
> Andreas
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
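As an added example (not from the thread, not BIND code), the two checks Mark describes, in Python: classify one DS lookup as secure, insecure or bogus from a dig-style reply, then walk the delegation chain so that a break at any cut above the queried name shows up as the result for that name. The sample reply is constructed from the "de. DS" response above with the signatures elided; the relaxed text parsing, the NSEC-only (no NSEC3) handling and the reliance on the validating resolver's "ad" bit are assumptions of this example.

```python
import re

# Constructed sample (hypothetical), modelled on the "dig +dnssec de. DS" reply in
# the thread: NOERROR, empty ANSWER, "ad" set, NSEC for de. in AUTHORITY, sigs elided.
DIG_DE_DS = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;de.                IN  DS
;; AUTHORITY SECTION:
.            7641  IN  SOA    a.root-servers.net. nstld.verisign-grs.com. 2010112900 1800 900 604800 86400
.            7641  IN  RRSIG  SOA 8 0 86400 20101206000000 20101128230000 40288 . (sig elided)
de.          7641  IN  RRSIG  NSEC 8 1 86400 20101206000000 20101128230000 40288 . (sig elided)
de.          7641  IN  NSEC   dj. NS RRSIG NSEC
"""

def ds_state(dig_text):
    """Classify one DS lookup the way a validator would:
    'secure'   - a DS RRset for the cut was returned and the resolver set 'ad'
    'insecure' - no DS, and a validated NSEC owned by the cut whose type bitmap lacks DS
    'bogus'    - neither proof is present; this is what named logs as a broken trust chain."""
    flags = re.search(r"^;; flags: ([^;]*);", dig_text, re.M).group(1).split()
    qname = re.search(r"^;(\S+)\s+IN\s+DS", dig_text, re.M).group(1).lower()
    rrs = re.findall(r"^(\S+)\s+\d+\s+IN\s+(DS|NSEC)\s+(.*)$", dig_text, re.M)
    if "ad" not in flags:  # dig does not validate; only the resolver's 'ad' bit vouches
        return "bogus"
    if any(t == "DS" and o.lower() == qname for o, t, _ in rrs):
        return "secure"
    for owner, rtype, rdata in rrs:
        # NSEC at the delegation point itself: rdata is "<next name> <type bitmap>"
        if rtype == "NSEC" and owner.lower() == qname and "DS" not in rdata.split()[1:]:
            return "insecure"
    return "bogus"

def chain_state(name, cuts):
    """Walk the delegation chain for `name` from the root down. `cuts` maps each zone
    cut to its ds_state(); labels not in `cuts` are not cuts (same zone as the parent).
    The first 'insecure' cut makes everything under it insecure (no DNSKEY needs to
    exist below); the first 'bogus' cut breaks the chain for everything under it,
    however far above the queried name it sits."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):  # TLD first, then longer names
        zone = ".".join(labels[i:]) + "."
        if zone not in cuts:
            continue
        if cuts[zone] != "secure":
            return cuts[zone]
    return "secure"
```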