error (broken trust chain) resolving

Brian J. Murrell brian at interlinx.bc.ca
Wed Nov 3 16:00:48 UTC 2010


Stephane Bortzmeyer <bortzmeyer <at> nic.fr> writes:
>  
> Indeed. Your analysis seems right. Maybe you have somewhere another
> trust anchor (for DLV <at> ISC or directly for bondedsender.org?)

Hrm.  I'm not sure TBH.  I know I didn't install any trust anchor specifically 
for bondedsender.org, but I do have "dnssec-lookaside auto;" configured in my 
bind options.

I don't know how to do the same verification of bondedsender.org given that 
however.

> Another possibility: sa-trusted.bondedsender.org is badly lame (none
> of the name servers reply), so it may trigger a bad error message from
> BIND.

Both s0.rpdns.net. and s1.rpdns.net. seem to be responsive.  The number of
high-profile domains involved seems to reduce the probability of this option.




