RE: Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

Ondřej Surý said: > Hi Richard, > this is not the case. > slack.com botched their DS/DNSKEY deployment (there’s a thread on > dns-operations about it). Thanks for the correction, my mistake. Apologies for the list spam! Richard. ___ Please visit https

Re: Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

le my BIND 9.17.18 / Ubuntu 21.04 servers are failing to resolve > {anything}.slack.com at the moment, presumably because Slack have used > LetsEncrypt to sign their zone. BIND is logging the following in my > query-errors.log file: > > (app.slack.com): query failed (bro

Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

their zone file. For example my BIND 9.17.18 / Ubuntu 21.04 servers are failing to resolve {anything}.slack.com at the moment, presumably because Slack have used LetsEncrypt to sign their zone. BIND is logging the following in my query-errors.log file: (app.slack.com): query failed (broken trust

query failed (broken trust chain)

Hi Team, Any clue why this? and I my BIND has stopped resolving 07-Jul-2021 15:59:34.588 client @0x7f1c50b7ea88 192.168.10.174#56213 ( cisco.com): query failed (broken trust chain) for cisco.com/IN/A at query.c:7376 07-Jul-2021 15:59:34.844 client @0x7f1c5d9135a8 192.168.10.174#56214 ( cisco.com

broken trust chain with my DNS setup

https://bridgemode.bounceme.net/DNS%20BIND%20setup2.txt %ProgramFiles%\ISC BIND 9\bin run CMD rndc-confgen -a folder managed-keys in ect file rndc.conf in etc include "C:\Program Files\ISC BIND 9\etc\rndc.key"; options { default-key "rndc-key"; default-server 127.0.0.1; default-por

broken trust chain with my DNS setup

rwards to 192.168.255.56 from 192.168.255.54 Main PC then does the recursion lookup in the given view/ACL *issue* What happens is this after many days of working fine: querylog yes; client @0227150F1FE8 127.0.0.1#55768 (community.zyxel.com): view loopbackPC: query failed (broken trust chai

RE: broken trust chain

Thank you, Andrews. De : Mark Andrews Envoyé : mercredi 29 juillet 2020 02:15:24 À : Youssef Fassi Fihri Cc : bind-users@lists.isc.org Objet : Re: broken trust chain A network link that is dropping packets can trigger EDNS failures in versions of BIND before

Re: broken trust chain

://dnsflagday.net for further details. [GL #150] > On 29 Jul 2020, at 09:10, > wrote: > > Hi All, > > I am using Bind as resolver for end users . > > At various time, bind logs show "broken trust chain" continuously , for > about 20mn ~ 30 mn causing an inc

RE: broken trust chain

What version of BIND are you using? John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of youssef.fassifi...@inwi.ma Sent: Tuesday, July 28, 2020 6:10 PM To: bind-users@lists.isc.org Subject: broken trust chain Hi All, I am using Bind as resolver for end users

broken trust chain

Hi All, I am using Bind as resolver for end users . At various time, bind logs show "broken trust chain" continuously , for about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of "DNS sucess rate KPI&quo

Re: broken trust chain

Hi Cody, please check contents of managed-keys.bind or viewname.mkeys files in bind working directory. It can be redirected somewhere else by managed-keys-directory option. These files contains state of managed keys of BIND. Its contents can be analysed by manually or by perl script in contrib/sc

Re: broken trust chain

Hi Cody, Well, your "managed-keys" section looks almost right. It should *not* have the dlv.isc.org key in there, because the DLV has retired. The root zone keys look right. If you set "dnssec-validation" to "auto" (the recommended setting), then BIND *should* be able to validate. We don't know w

Re: broken trust chain

On 14/10/2018 14:17, Cody Allen wrote: > issue just started on 10/13/2018 both servers impacted at same time, clocks > are correct, version of bind is 9.11.1 impacting recursion on internal view, > authoritative zones work fine, servers have been running for couple of years > or longer with zer

broken trust chain

issue just started on 10/13/2018 both servers impacted at same time, clocks are correct, version of bind is 9.11.1 impacting recursion on internal view, authoritative zones work fine, servers have been running for couple of years or longer with zero problems. most recent version of bind.keys in

Re: broken trust chain on forwarder

/dev/rob0 wrote: > > > 3) Change from a forwarder to a slave and thereby become > > authoritative and no longer have any need of DNSSEC validation on > > this zone. > > Did you try with stub or static-stub? Stub and static-stub just change how BIND finds a zone's nameservers; they don't affect va

Re: broken trust chain on forwarder

Dears, Once I've tried to use stub zone to solve the same kind of problem with no success. John if it works for you tell us what you did. Thanks -- Miguel Mucio Santos Moreira Gerente GSR - Gerência de Serviços de Rede (31)3339-1401 PRODEMGE - Companhia de Tecnologia da Informação do Est

Re: broken trust chain on forwarder

On Fri, Sep 30, 2016 at 01:32:29PM -0400, jratl...@bluemarble.net wrote: > On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote: > >> > >> This seems to indicate that the servers at 10.21.0.100 and 101 > >> are telling me that stc.corp domain is DNSSEC enabled. However, > >> the new server fails

Re: broken trust chain on forwarder

/IN': 10.21.0.100#53 Sep 30 11:25:39 bltn-dns-04 named[2012]: validating @0x7fb51810ac60: inelhqnagios.stc.corp A: bad cache hit (inelhqnagios.stc.corp/DS) Sep 30 11:25:39 bltn-dns-04 named[2012]: error (broken trust chain) resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.101#53 Thi

Re: broken trust chain on forwarder

On Fri, 30 Sep 2016 11:37:39 -0500, /dev/rob0 wrote: >> >> This seems to indicate that the servers at 10.21.0.100 and 101 are >> telling me that stc.corp domain is DNSSEC enabled. However, the new >> server fails to find any DS or RRSIG records, so validating this >> claim is not possible. Is

Re: broken trust chain on forwarder

fb51810ac60: inelhqnagios.stc.corp A: bad cache hit > > (inelhqnagios.stc.corp/DS) > > Sep 30 11:25:39 bltn-dns-04 named[2012]: error (broken trust chain) > > resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.101#53 > > > > This seems to indicate that the servers

Re: broken trust chain on forwarder

ng @0x7fb51810ac60: inelhqnagios.stc.corp A: bad cache hit (inelhqnagios.stc.corp/DS) Sep 30 11:25:39 bltn-dns-04 named[2012]: error (broken trust chain) resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.101#53 This seems to indicate that the servers at 10.21.0.100 and 101 are telling m

Re: broken trust chain on forwarder

[2012]: error (no valid DS) > resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.100#53 > Sep 30 11:25:39 bltn-dns-04 named[2012]: validating > @0x7fb51810ac60: inelhqnagios.stc.corp A: bad cache hit > (inelhqnagios.stc.corp/DS) > Sep 30 11:25:39 bltn-dns-04 named[2012]: err

broken trust chain on forwarder

2]: validating @0x7fb51810ac60: inelhqnagios.stc.corp A: bad cache hit (inelhqnagios.stc.corp/DS) Sep 30 11:25:39 bltn-dns-04 named[2012]: error (broken trust chain) resolving 'inelhqnagios.stc.corp/A/IN': 10.21.0.101#53 This seems to indicate that the servers at 10.21.0.100 and 101 are telling m

Re: error (broken trust chain) resolving

Hi there, On Thu, 25 Nov 2010 Brian J. Murrell wrote: > I am going to bug report with said distro also as I hate varying from the > "working set" because it just causes possible future problems trying to bug > report with them. "you are not using the version we support, bla, bla, bla". > > So in

Re: "broken trust chain" for non-existing AAAA records

and installed Bind 9.7.2-P2 from source. We still have many "broken trust chain" in the logs, at first glance i would say even more. Is it possible by any means that this error is thrown because of timeout at some stage of processing? Many of the "broken trust chain" erro

Re: "broken trust chain" for non-existing AAAA records

Zitat von Mark Andrews : Is this still with BIND 9.7.0-P1 or something more recent? If it is still BIND 9.7.0-P1 then please upgrade. There really is no point debugging validation failures in BIND 9.7.0-P1 anymore as the validator has had really extensive changes since then. Please remember,

Re: "broken trust chain" for non-existing AAAA records

message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>, > > lst_ho...@kwsof > > t.de writes: > >> We are using Bind 9.7 at the border to resolve DNS queries for a small > >> LAN. After moving forward in using IPv6 we discovered many "broken > >>

Re: "broken trust chain" for non-existing AAAA records

Zitat von Mark Andrews : In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>, lst_ho...@kwsof t.de writes: We are using Bind 9.7 at the border to resolve DNS queries for a small LAN. After moving forward in using IPv6 we discovered many "broken trust chain" er

Re: error (broken trust chain) resolving

Jeremy C. Reed isc.org> writes: > > I was reading it all along, but could never reproduce. Given the new information I have, I'll hazard to guess that you were trying to reproduce with something newer than 9.7.0-P2. > I thought it was > a temporary issue. > > I see your new bug report. Some

Re: error (broken trust chain) resolving

On Wed, 24 Nov 2010, Brian J. Murrell wrote: > Yeah, I was hoping to have caught the attention of a BIND developer > here with all of this by now. Perhaps they just don't hang out here. > Maybe I will try to find out where to ask questions that they might > see. I was reading it all along, b

Re: error (broken trust chain) resolving

Casey Deccio deccio.net> writes: > > I still don't have the answer to this. Fair enough. I was just looking for clarification on your previous statements. > Perhaps a BIND developer may > have better insight into the log messages and what may be going on. Yeah, I was hoping to have caught th

Re: error (broken trust chain) resolving

On Mon, Nov 22, 2010 at 5:28 AM, Brian J. Murrell wrote: > Casey Deccio deccio.net> writes: >> >> After a review of NSEC3 showed that this particular behavior is >> expected because org has been signed using NSEC3 with the opt-out bit >> set. > > I'm afraid I'm getting a bit lost due to my real l

Re: error (broken trust chain) resolving

Casey Deccio deccio.net> writes: > > After a review of NSEC3 showed that this particular behavior is > expected because org has been signed using NSEC3 with the opt-out bit > set. I'm afraid I'm getting a bit lost due to my real lack of understanding of the details of DNSSEC. I wish I had the

Re: "broken trust chain" for non-existing AAAA records

Zitat von Mark Andrews : In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>, lst_ho...@kwsof t.de writes: We are using Bind 9.7 at the border to resolve DNS queries for a small LAN. After moving forward in using IPv6 we discovered many "broken trust chain" er

Re: "broken trust chain" for non-existing AAAA records

In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>, lst_ho...@kwsof t.de writes: > We are using Bind 9.7 at the border to resolve DNS queries for a small > LAN. After moving forward in using IPv6 we discovered many "broken > trust chain" errors in the

"broken trust chain" for non-existing AAAA records

We are using Bind 9.7 at the border to resolve DNS queries for a small LAN. After moving forward in using IPv6 we discovered many "broken trust chain" errors in the bind log for non existing records. One example is Nov 18 01:18:21 firewall named[27580]: error (broken t

Re: error (broken trust chain) resolving

On Mon, Nov 15, 2010 at 6:31 AM, Casey Deccio wrote: > > Well, I'm curious as to why you're not getting the AD bit set for the > negative proof of existence for bondedsender.org/DS. After a review of NSEC3 showed that this particular behavior is expected because org has been signed using NSEC3 wi

Re: error (broken trust chain) resolving

On Mon, Nov 15, 2010 at 6:31 AM, Casey Deccio wrote: > On Mon, Nov 15, 2010 at 3:36 AM, Brian J. Murrell > wrote: >> >> Was any of that information I posted in the previous message useful?  If not, >> I'd be happy to gather some more. >> > > Well, I'm curious as to why you're not getting the AD

Re: error (broken trust chain) resolving

On Mon, Nov 15, 2010 at 3:36 AM, Brian J. Murrell wrote: > > Was any of that information I posted in the previous message useful?  If not, > I'd be happy to gather some more. > Well, I'm curious as to why you're not getting the AD bit set for the negative proof of existence for bondedsender.org/D

Re: error (broken trust chain) resolving

Brian J. Murrell interlinx.bc.ca> writes: > > Casey Deccio deccio.net> writes: > > > > Do you get a NOERROR response with the AD bit set? > > Yup: > ... Was any of that information I posted in the previous message useful? If not, I'd be happy to gather some more. _

Re: error (broken trust chain) resolving

Casey Deccio deccio.net> writes: > > On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell interlinx.bc.ca> wrote: > > $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt Doh! I forgot the +dnssec. > What happens when you run the following queries: > > dig +dnssec @linux -p 1053 or

Re: error (broken trust chain) resolving

On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell wrote: > The only written to that file when one of those broken chain lookups happen > is: > > dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: > starting > dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bonded

Re: error (broken trust chain) resolving

SIZE rcvd: 58 And the syslog entry: Nov 9 23:08:39 linux named[11040]: error (broken trust chain) resolving '41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53 So nothing terribly interesting in the debug as far as I can see. Perhaps I don't have enough/the cor

Re: error (broken trust chain) resolving

my "green" DNSSEC skills. > Yes, bondedsender.org is an insecure delegation. So from what I have been able to learn so far, there shouldn't be any legitimate reason why one should be getting broken trust chain errors about a domain that has been insecurely delegated, yes?

Re: error (broken trust chain) resolving

C/NSEC3 records are not provided or are insufficient to prove that no DS records exist for an insecure delegation. If DS RRs do exist, but none correspond to any self-signing DNSKEYs in the child zone. If DNSKEYs are not returned by the resolver. > named error (broken trust chain) resolving '133.1

Re: error (broken trust chain) resolving

Stephane Bortzmeyer nic.fr> writes: > > They are not name servers of sa-trusted.bondedsender.org: Damn. Yes, you are correct. I forgot it was sa-trusted.bondedsender.org. in our example and stopped at bondedsender.org. However going that one more sub- domain deeper and testing it's NSes, the

Re: error (broken trust chain) resolving

On Wed, Nov 03, 2010 at 04:00:48PM +, Brian J. Murrell wrote a message of 19 lines which said: > > Another possibility: sa-trusted.bondedsender.org is badly lame (none > > of the name servers reply), so it may trigger a bad error message from > > BIND. > > Both s0.rpdns.net. and s1.rpdns.

Re: error (broken trust chain) resolving

Stephane Bortzmeyer nic.fr> writes: > > Indeed. Your analysis seems right. May be you have somewhere another > trust anchor (for DLV ISC or directly for bondedsender.org?) Hrm. I'm not sure TBH. I know I didn't install any trust anchor specifically for bondedsender.org, but I do have "dnsse

Re: error (broken trust chain) resolving

On Wed, Nov 03, 2010 at 11:44:18AM +, Brian J. Murrell wrote a message of 46 lines which said: > named error (broken trust chain) resolving '133.168.163.66.sa- > trusted.bondedsender.org/TXT/IN': 173.45.100.146#53 > > Where/why does it break? Who's is breakin

Re: error (broken trust chain) resolving

Casey Deccio deccio.net> writes: > > There is a difference between a "broken" trust chain and a trust chain > that securely "ends" before reaching the name being queried. Ahhh. That makes sense. > However, a broken chain means that the validating resolver

Re: error (broken trust chain) resolving

On Tue, Nov 2, 2010 at 10:21 AM, Brian J. Murrell wrote: > Alan Clegg isc.org> writes: >> >> On 11/2/2010 8:11 AM, Brian J. Murrell wrote: >> > >> > named error (broken trust chain) resolving '133.168.163.66.sa- >> > trusted.bondedsender.org/TXT/

Re: error (broken trust chain) resolving

Alan Clegg isc.org> writes: > > On 11/2/2010 8:11 AM, Brian J. Murrell wrote: > > > > named error (broken trust chain) resolving '133.168.163.66.sa- > > trusted.bondedsender.org/TXT/IN': 173.45.100.146#53 > There isn't a chain of signed DS records

Re: error (broken trust chain) resolving

On 11/2/2010 8:36 AM, Brian J. Murrell wrote: > Alan Clegg isc.org> writes: >> > > Hi Alan, > >> There isn't a chain of signed DS records that lead from a trust anchor >> to the thing that you are trying to resolve. > > I guess I'm going to have to learn a bit more about DNSSEC in order to pars

Re: error (broken trust chain) resolving

Alan Clegg isc.org> writes: > Hi Alan, > There isn't a chain of signed DS records that lead from a trust anchor > to the thing that you are trying to resolve. I guess I'm going to have to learn a bit more about DNSSEC in order to parse that. :-) Are there any good tutorials on the mechanics

Re: error (broken trust chain) resolving

On 11/2/2010 8:11 AM, Brian J. Murrell wrote: > Since enabling DNSSEC on my resolving server I have been seeing various > instances of the following sort of messages: > > named error (broken trust chain) resolving '133.168.163.66.sa- > trusted.bondedsender.org/TXT/IN

error (broken trust chain) resolving

Since enabling DNSSEC on my resolving server I have been seeing various instances of the following sort of messages: named error (broken trust chain) resolving '133.168.163.66.sa- trusted.bondedsender.org/TXT/IN': 173.45.100.146#53 named error (broken trust chain) resolving