Quote from Mark Andrews <ma...@isc.org>:


In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>, lst_ho...@kwsoft.de writes:
We are using Bind 9.7 at the border to resolve DNS queries for a small
LAN. After moving forward in using IPv6 we discovered many "broken
trust chain" errors in the bind log for non-existent AAAA records. One
example is

Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
resolving 'smtp.g.comcast.net/AAAA/IN': 68.87.66.201#53
Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53

From what I can see there is no DNSSEC for comcast.net, so this should
not happen, and the A record resolves just fine. Any comment on whether this
should worry me?

A broken chain of trust can be *anywhere* in the trust chain.

Remember named has to prove that an answer should be insecure (not
signed) by looking for the absence of a DS RRset at a delegation
point above the name in question.


Sorry to come up with this again...
As far as I understand, if I get a secure answer from the root NS that there is no DS for the domain in question (de., net., etc.), there should be no "broken trust chain" further on, because there is (validated) none?


If validation is working correctly you should be able to get a
validated negative response for DS net.  Note the "ad" in the flags
below which indicates that named thinks the answer is secure.


This is working, no problem, but I still get "broken trust chain" for some non-existent AAAA records, like for example this one:

; <<>> DiG 9.7.0-P1 <<>> +dnssec mail.cdu-freiburg.de AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54325
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.cdu-freiburg.de.          IN      AAAA


Nov 29 14:37:01 firewall named[976]: error (broken trust chain) resolving 'mail.cdu-freiburg.de/AAAA/IN': 62.116.129.129#53


; <<>> DiG 9.7.0-P1 <<>> +dnssec de. DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;de.                            IN      DS

;; AUTHORITY SECTION:
. 3 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010112801 1800 900 604800 86400
. 3 IN RRSIG SOA 8 0 86400 20101205000000 20101127230000 40288 . HxKeNrwFeDxJDKKbBcQJQQ8aXf1sEs93J1rcm647RI3Qw3bpm9Dbs+xj aYki5iRhk0HHjDHm1Kj2gGXFdKlzMAExszF7js1IaCs+EgePqwSqDoHT lSduCn/hqlrklOqrwQkjYJhJkEYLJuhKVHTkilbC/w94RxVK3Uh5qEdJ K44=
de. 3 IN RRSIG NSEC 8 1 86400 20101205000000 20101127230000 40288 . DfHYLjIgdB3M+ib9Gn6anvtE27UTdZWX9nqvzf7ts4+X2TCVwlPmGtn7 4EXwrDTfYNe5YEWh67MO/7mcUeZ2LcqqyQifIu0hJZf5RBmys0ml39JZ VNcSaWr7N5J3OV2GCJl366w24Eeuuje+xAJAyIfzE68LkMlnypjbrAAT mtA=
de.                     3       IN      NSEC    dj. NS RRSIG NSEC


So it is validated that the TLD de. has no DS (-> NSEC), but Bind 9.7 reports a broken trust chain for the IPv6 record of "mail.cdu-freiburg.de". I have not even found anything looking like a DNSKEY further down the road, so why is the error reported?

Many Thanks

Andreas
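To make Mark's point concrete (the validator walks the delegation chain from the root and, at every cut, needs either a DS RRset or an authenticated denial of one), here is an added, simplified model of that decision; it is not BIND's validator and not code from this thread. The delegation data is constructed for the example, with only `de` mirroring the real `dig de. DS` answer above; the other zone names are placeholders.

```python
# Added illustration, not from the thread or from BIND: a toy model of how a
# validating resolver classifies a name as secure, insecure or bogus by
# walking delegations from the root and checking what the parent proves
# about the child's DS RRset at each delegation point.

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed view of each delegation, keyed by the child zone name:
#   "ds"   -> parent publishes a DS and the child's DNSKEY matches it
#   "nsec" -> parent proves (NSEC/NSEC3) that no DS exists: child is unsigned
#   "none" -> neither a DS nor an authenticated denial: cannot be validated
DELEGATIONS = {
    "de": "nsec",                        # as in the dig de. DS output above
    "net": "ds",                         # placeholder: signed TLD
    "signed-example.net": "ds",          # placeholder: signed child zone
    "broken-example.net": "none",        # placeholder: break directly under net
    "sub.signed-example.net": "none",    # placeholder: break below a signed zone
}


def zones_from_root(name):
    """Yield candidate zone cuts from the TLD down to the full name."""
    labels = name.rstrip(".").split(".")
    zone = ""
    for label in reversed(labels):
        zone = label if not zone else f"{label}.{zone}"
        yield zone


def validation_state(name, delegations=DELEGATIONS):
    """Return (state, zone): the state and the delegation that decided it."""
    last_secure = "."               # the root is trusted via the trust anchor
    for child in zones_from_root(name):
        proof = delegations.get(child)
        if proof is None:
            continue                # not a delegation: name lives in the enclosing zone
        if proof == "nsec":
            return INSECURE, child  # proven unsigned; validation legitimately stops
        if proof == "none":
            return BOGUS, child     # this is where named logs "broken trust chain"
        last_secure = child         # proof == "ds": chain continues below this zone
    return SECURE, last_secure


if __name__ == "__main__":
    for n in ("mail.cdu-freiburg.de", "www.signed-example.net",
              "host.broken-example.net", "a.sub.signed-example.net"):
        print(n, "->", validation_state(n))
```

In this model, once a parent proves a child unsigned the walk stops, which is the behaviour the poster expects for `mail.cdu-freiburg.de`; a break can still appear at any deeper delegation where neither a DS nor a denial validates.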