Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

Richard T.A. Neal richard at richardneal.com
Fri Oct 1 16:46:41 UTC 2021


For those of you facing a curious issue with BIND failing to resolve records for some zones today, it's not necessarily BIND having "a Friday moment" 😊

It looks like the LetsEncrypt root certificate expiry is even impacting some DNSSEC zones that have used a LetsEncrypt certificate to sign their zone file.

For example my BIND 9.17.18 / Ubuntu 21.04 servers are failing to resolve {anything}.slack.com at the moment, presumably because Slack have used LetsEncrypt to sign their zone. BIND is logging the following in my query-errors.log file:

(app.slack.com): query failed (broken trust chain) for app.slack.com/IN/A at query.c:7658

There’s a little more info about the LetsEncrypt issue at the following two links (not my site):

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
and
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Richard.
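As an added example (not part of Richard's post, and not BIND's own tooling): a small Python script that parses lines in the shape BIND writes to query-errors.log and counts "broken trust chain" failures per zone, so a resolver operator can see at a glance which zones are failing DNSSEC validation rather than chasing individual names. The sample log lines are constructed for this example (only the first is the line quoted above), and grouping names by their last two labels is a simplifying assumption with no public-suffix handling.

```python
import re
from collections import Counter

# Constructed sample in the shape BIND writes to query-errors.log.
# The first line is the one quoted in the post; the rest are made up
# so the example has more than one zone and more than one failure reason.
SAMPLE_LOG = """\
(app.slack.com): query failed (broken trust chain) for app.slack.com/IN/A at query.c:7658
(files.slack.com): query failed (broken trust chain) for files.slack.com/IN/AAAA at query.c:7658
(example.net): query failed (SERVFAIL) for example.net/IN/MX at query.c:7658
(www.example.org): query failed (broken trust chain) for www.example.org/IN/A at query.c:7658
"""

# Matches the "query failed (<reason>) for <name>/<class>/<type>" part of a line.
# search() rather than match() so any timestamp/client prefix BIND adds is ignored.
LINE_RE = re.compile(
    r"query failed \((?P<reason>[^)]+)\) for "
    r"(?P<name>[^\s/]+)/(?P<class>[^\s/]+)/(?P<type>\S+)"
)


def parse_query_errors(text):
    """Yield (reason, name, rrtype) for every recognised query-error line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("reason"), m.group("name").rstrip("."), m.group("type")


def registrable_zone(name, labels=2):
    """Grouping key: the last `labels` labels of the name.
    Assumption: no public-suffix list, so 'foo.co.uk' would group as 'co.uk'."""
    parts = name.split(".")
    return ".".join(parts[-labels:])


def broken_trust_chain_by_zone(text):
    """Count 'broken trust chain' failures per zone.

    Only validation failures are counted; other reasons (e.g. SERVFAIL from
    an unreachable authoritative server) are left out so the report shows
    which zones the resolver is refusing on DNSSEC grounds."""
    counts = Counter()
    for reason, name, _rrtype in parse_query_errors(text):
        if reason == "broken trust chain":
            counts[registrable_zone(name)] += 1
    return dict(counts)


if __name__ == "__main__":
    for zone, n in sorted(broken_trust_chain_by_zone(SAMPLE_LOG).items()):
        print(f"{zone}: {n} validation failure(s)")
```

Point the script at a real query-errors.log (requires the querylog/query-errors channel to be enabled in named.conf's logging block). For a zone that shows up in the output, `delv +vtrace <name>` run against the resolver shows where in the chain validation fails, and `dig +cd <name>` (which sets the Checking Disabled bit) confirms whether the records resolve once validation is bypassed.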
