Is this still with BIND 9.7.0-P1 or something more recent? If it is still BIND 9.7.0-P1 then please upgrade. There really is no point debugging validation failures in BIND 9.7.0-P1 anymore as the validator has had really extensive changes since then.
Please remember, that unlike most of the rest of named, the validator is still very much "new" code that hasn't had millions of users exercising it in the real world like the rest of the code base has. As a result it is still changing as we run into real world patterns that have not been seen in the lab or by those of us that have been running it in production for several years. If you are validating you really need to follow the releases we make. For the record I can validate the answer in question with current code. Mark ; <<>> DiG 9.6.0-APPLE-P2 <<>> mail.cdu-freiburg.de aaaa @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56812 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mail.cdu-freiburg.de. IN AAAA ;; Query time: 345 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Nov 30 08:55:51 2010 ;; MSG SIZE rcvd: 38 ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec de ds @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45413 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;de. IN DS ;; AUTHORITY SECTION: . 7641 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010112900 1800 900 604800 86400 . 7641 IN RRSIG SOA 8 0 86400 20101206000000 20101128230000 40288 . VXdtlcNzXMvVy0QGYYNv8euCsGn9Cb+aM+jhdMM2aABpShc7d8J8vBWS XrnFwmr1AoqV8LhcWYwSP3+Xu2XOs7HW3OY9IXYVoYDW2JLgCef9fYe/ MkwNxTQFuw2EwZFZTkkrxPLhPucuwiCRlBO/w1dl8Qak6F72lFG39UFt h9Q= de. 7641 IN RRSIG NSEC 8 1 86400 20101206000000 20101128230000 40288 . JB4Fz8EGFxg5sY/KY5EK0ebcmLr03LnQSVtddkHxljSydz1RA/OoriNe xwp6GmYz6DpjuoDcBMW/9PDwYTl17SqPFwFQBw/6yRf+oXtHx5u7Q7zx 4Kf/7zDxw8h2L/FeAa1WqLLbmhEBF2RcaV6Rv2OCj1VXIVffBgW/GDDw CD8= de. 7641 IN NSEC dj. NS RRSIG NSEC ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Nov 30 08:56:20 2010 ;; MSG SIZE rcvd: 447 In message <20101129144338.8595771dm36el...@webmail.kwsoft.de>, lst_ho...@kwsof t.de writes: > Zitat von Mark Andrews <ma...@isc.org>: > > > > > In message <20101118131400.37717e5p5tard...@webmail.kwsoft.de>, > > lst_ho...@kwsof > > t.de writes: > >> We are using Bind 9.7 at the border to resolve DNS queries for a small > >> LAN. After moving forward in using IPv6 we discovered many "broken > >> trust chain" errors in the bind log for non existing AAAA records. One > >> example is > >> > >> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain) > >> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53 > >> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain) > >> resolving 'smtp.g.comcast.net/AAAA/IN': 68.87.66.201#53 > >> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain) > >> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53 > >> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain) > >> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53 > >> > >> From what i can see there is no DNSSEC for comcast.net so this should > >> not happen and the A record just resolve fine. Any comment if this > >> should worry me? > > > > A broken chain of trust can be *anywhere* in the trust chain. > > > > Remember named has to prove that a answer should be insecure (not > > signed) by looking for the absence of a DS RRset at a delegation > > point above the name in question. > > > Sorry to come up with this again... > As far as i understand if i get a secure answer from the root-NS that > there is no DS for the domain in inquestion (de. net. etc) there > should be no "broken trust chain" further on because there is > (validated) none? > > > > If validation is working correctly you should be able to get a > > validated negative response for DS net. Note the "ad" in the flags > > below which indicates that named thinks the answer is secure. > > > This is working, no problem but i still get "broken trust chain" for > some non existing AAAA records like for example this one: > > ; <<>> DiG 9.7.0-P1 <<>> +dnssec mail.cdu-freiburg.de AAAA > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54325 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;mail.cdu-freiburg.de. IN AAAA > > > Nov 29 14:37:01 firewall named[976]: error (broken trust chain) > resolving 'mail.cdu-freiburg.de/AAAA/IN': 62.116.129.129#53 > > > ; <<>> DiG 9.7.0-P1 <<>> +dnssec de. DS > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ;; QUESTION SECTION: > ;de. IN DS > > ;; AUTHORITY SECTION: > . 3 IN SOA a.root-servers.net. nstld.veris > ign-grs.com. 2010112801 > 1800 900 604800 86400 > . 3 IN RRSIG SOA 8 0 86400 20101205000000 20 > 101127230000 40288 . > HxKeNrwFeDxJDKKbBcQJQQ8aXf1sEs93J1rcm647RI3Qw3bpm9Dbs+xj > aYki5iRhk0HHjDHm1Kj2gGXFdKlzMAExszF7js1IaCs+EgePqwSqDoHT > lSduCn/hqlrklOqrwQkjYJhJkEYLJuhKVHTkilbC/w94RxVK3Uh5qEdJ K44= > de. 3 IN RRSIG NSEC 8 1 86400 20101205000000 2 > 0101127230000 40288 . > DfHYLjIgdB3M+ib9Gn6anvtE27UTdZWX9nqvzf7ts4+X2TCVwlPmGtn7 > 4EXwrDTfYNe5YEWh67MO/7mcUeZ2LcqqyQifIu0hJZf5RBmys0ml39JZ > VNcSaWr7N5J3OV2GCJl366w24Eeuuje+xAJAyIfzE68LkMlnypjbrAAT mtA= > de. 3 IN NSEC dj. NS RRSIG NSEC > > > So it is validated that the TLD de. has no DS (-> NSEC) but Bind 9.7 > report a broken trust chain for the IPv6 record of > "mail.cdu-freiburg.de". I have not even find something looking like > DNSKEY further down the road so why the error is reported? > > Many Thanks > > Andreas -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
