On Wed, 03 May 2023, Rob van Halteren wrote:
> Hi Alexander,
>
> Do you mean that forwarding is actually working correctly but that
> addresses with log entry “broken trust chain resolving ‘address’” are
> most likely sites that have dnssec issues? I have lots of entries
> like that in my log.

Correct. DNSSEC support across multiple DNS zones on the Internet is
patchy, so to say.  DNSSEC validation is often failing due to this or
that zone intermediaries or misconfigurations. That's why BIND has
separate options to enable/disable DNSSEC validation.

Spotify is simply not providing DNSSEC signatures for its own zone:
https://dnsviz.net/d/spotify.com/dnssec/

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
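
A triage aid for the log entries discussed in this thread, as an added example that is not part of either message and is not FreeIPA or BIND code: it counts "broken trust chain resolving" entries per queried name and per upstream server. The `'name/type/class': server#port` layout after the quoted words, the function names and the sample lines are assumptions; adjust the pattern to what your named log actually contains.

```python
import re
from collections import Counter

# Assumed layout of the message (the thread quotes only its first words):
#   broken trust chain resolving '<name>/<type>/<class>': <server>#<port>
ENTRY_RE = re.compile(
    r"broken trust chain\)? resolving '(?P<query>[^']+)'"
    r"(?:: (?P<server>\S+?)#(?P<port>\d+))?"
)

def parse_entry(line):
    """Return (name, rrtype, server) for a matching line, else None."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    parts = m.group("query").rsplit("/", 2)
    if len(parts) != 3:
        return None  # not the assumed name/type/class form
    name, rrtype, _rrclass = parts
    return name.rstrip(".").lower(), rrtype.upper(), m.group("server")

def summarize(lines):
    """Count failures per queried name and per upstream server."""
    by_name, by_server = Counter(), Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        name, _rrtype, server = entry
        by_name[name] += 1
        if server:
            by_server[server] += 1
    return by_name, by_server

# Constructed sample lines (names and addresses are documentation values).
SAMPLE_LOG = """\
May  3 09:14:02 ipa named[1234]: broken trust chain resolving 'api.example.test/A/IN': 192.0.2.53#53
May  3 09:14:02 ipa named[1234]: broken trust chain resolving 'api.example.test/AAAA/IN': 192.0.2.53#53
May  3 09:14:09 ipa named[1234]: error (broken trust chain) resolving 'WWW.Example.NET/A/IN': 198.51.100.7#53
May  3 09:15:40 ipa named[1234]: client 192.0.2.10#41234 (ok.example.org): query: ok.example.org IN A +
""".splitlines()

if __name__ == "__main__":
    names, servers = summarize(SAMPLE_LOG)
    for name, count in names.most_common():
        print(f"{count:5d}  {name}")
    for server, count in servers.most_common():
        print(f"{count:5d}  via {server}")
```

The names at the top of the per-name count are the ones to check in a tool such as the dnsviz.net link above.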