error (broken trust chain) resolving

Brian J. Murrell brian at
Wed Nov 3 19:09:53 UTC 2010

Casey Deccio <casey <at>> writes:
> This can happen in a number of different ways:  If any RRSIGs in the
> chain of trust are bogus, expired, or missing.  If NSEC/NSEC3 records
> are not provided or are insufficient to prove that no DS records exist
> for an insecure delegation.  If DS RRs do exist, but none correspond
> to any self-signing DNSKEYs in the child zone.  If DNSKEYs are not
> returned by the resolver.

None of which appear to be the case for this example-case domain "sa-" as far as I have been able to determine with my 
"green" DNSSEC skills.

> Yes, is an insecure delegation.

So from what I have been able to learn so far, there shouldn't be any legitimate 
reason why one should be getting broken trust chain errors about a domain that 
has been insecurely delegated, yes?  I mean there is no security in the 
delegation to be broken, right?

> Reproducing these errors and analyzing the debug-level log messages
> would be helpful since everything looks consistent from a DNSSEC
> perspective, as far as I can see.

I might be able to set up a shadow bind installation that mirrors the 
configuration of primary resolver here to do some debugging.  Do you have any 
suggestions as to which debug flags/levels to set to get some meaningful 
information?  Once set up, simply doing some digs with +dnssec against the 
configured server should suffice, yes?


More information about the bind-users mailing list