error (broken trust chain) resolving

Brian J. Murrell brian at
Tue Nov 2 17:21:20 UTC 2010

Alan Clegg <aclegg <at>> writes:
> On 11/2/2010 8:11 AM, Brian J. Murrell wrote:
> > 
> > named error (broken trust chain) resolving '
> >':
> There isn't a chain of signed DS records that lead from a trust anchor
> to the thing that you are trying to resolve.

So basically it just means that one or more zones from . down to the thing I'm 
trying to resolve has not been DNSSECized?  i.e. no zone keys, signing, etc.?

Wouldn't that be the case for the majority of "things" I (or anyone else) would 
be trying to resolve, in these early days of DNSSEC?

It just seems like I'd see way more records (i.e. pretty much everything we try 
to resolve here) of the sort that I posted if that were the case.  Maybe the 
variation in things we try to resolve here is not as much as I'd have thought.

Am I misunderstanding?


More information about the bind-users mailing list