error (broken trust chain) resolving

Brian J. Murrell brian at
Wed Nov 10 04:10:44 UTC 2010

Casey Deccio <casey <at>> writes:
> Reproducing these errors and analyzing the debug-level log messages
> would be helpful since everything looks consistent from a DNSSEC
> perspective, as far as I can see.

Well, I have attempted this.  I reproduced my existing bind configuration and 
added the following to logging:

        category "dnssec" { "debug_log"; };
        channel debug_log {
                file "/var/tmp/named.debug";
                severity debug 100;      // log debug messages up to level 100
                print-category yes;
        };

The only thing written to that file when one of those broken chain lookups happens is:

dnssec: validating @0x2295e9b0: TXT: 
dnssec: validating @0x2295e9b0: TXT: 
attempting negative response validation
dnssec: validator @0x2295e9b0: dns_validator_destroy

The dig query that produced that:

$ dig @linux -p 1053 txt

; <<>> DiG 9.7.1-P2 <<>> @linux -p 1053 
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


;; Query time: 43 msec
;; WHEN: Tue Nov  9 23:08:39 2010
;; MSG SIZE  rcvd: 58

And the syslog entry:

Nov  9 23:08:39 linux named[11040]: error (broken trust chain) resolving 

So nothing terribly interesting in the debug as far as I can see.  Perhaps I 
don't have enough/the correct debugging enabled?
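A fuller logging stanza of the kind described in the post, added here as an illustration; it is not part of Brian's message or of the BIND distribution. It keeps the same channel file path, adds `print-time` so the lines can be matched against the syslog timestamp, and routes the `resolver` and `lame-servers` categories to the same channel so the validator messages can be read alongside the fetches that produced them. The file path, rotation settings and debug level are assumptions.

```conf
logging {
        // Constructed example: one channel that receives debug-level messages.
        channel debug_log {
                file "/var/tmp/named.debug" versions 3 size 20m;
                severity debug 100;      // keep everything up to debug level 100
                print-time yes;          // timestamp each line for correlation with syslog
                print-category yes;
                print-severity yes;
        };

        // DNSSEC validator messages ("validating ...", "dns_validator_destroy")
        category dnssec { debug_log; };
        // recursive lookups done on behalf of clients, including the fetches
        // that obtain the DS and DNSKEY records the validator needs
        category resolver { debug_log; };
        // responses from servers that are not authoritative for the queried zone
        category lame-servers { debug_log; };
};
```

After `rndc reconfig`, repeating the same dig and reading the file with the `resolver` lines interleaved shows which DS or DNSKEY fetch the validator was waiting on when it gave up, which the `dnssec` category alone does not record.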


More information about the bind-users mailing list