error (broken trust chain) resolving

Casey Deccio casey at deccio.net
Wed Nov 10 05:44:55 UTC 2010


On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell <brian at interlinx.bc.ca> wrote:
> The only thing written to that file when one of those broken chain lookups happens is:
>
> dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT:
> starting
> dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT:
> attempting negative response validation
> dnssec: validator @0x2295e9b0: dns_validator_destroy
>
> The dig query that produced that:
>
> $ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
>

What happens when you run the following queries:

dig +dnssec @linux -p 1053 org SOA

Do you get a NOERROR response with the AD bit set?

dig +dnssec @linux -p 1053 bondedsender.org DS

Do you get a NOERROR response with AD bit set and NSEC3 RRs and their
covering RRSIGs?

Casey
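
The two checks asked for above can be scripted against `dig +dnssec` output. This is an added example, not part of the original message or of BIND: the function names are hypothetical and both sample responses are constructed placeholders, not real server output.

```shell
#!/bin/sh
# Added example: answer the two questions above from `dig +dnssec` output.

# summarise_dig (hypothetical helper): read one dig response on stdin and print
# "status=<rcode> ad=<yes|no> nsec3=<count> unsigned_nsec3=<count>".
summarise_dig() {
  awk '
    /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) } }
    /^;; flags:/   { l = $0; sub(/^;; flags:/, "", l); sub(/;.*/, "", l)
                     n = split(l, f, " ")
                     for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1 }
    /^;/ || NF < 5 { next }   # comment, header and blank lines carry no RR
    $4 == "NSEC3"                  { owner[tolower($1)] = 1; nsec3++ }
    $4 == "RRSIG" && $5 == "NSEC3" { sig[tolower($1)] = 1 }
    END { for (o in owner) if (!(o in sig)) unsigned++
          printf "status=%s ad=%s nsec3=%d unsigned_nsec3=%d\n", st, (ad ? "yes" : "no"), nsec3, unsigned }'
}

# Question 1: NOERROR with the AD bit set?
answer_validated() {
  case "$(summarise_dig)" in
    "status=NOERROR ad=yes "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Question 2: additionally, NSEC3 RRs present and each owner has an RRSIG NSEC3?
has_signed_nsec3() {
  case "$(summarise_dig)" in
    "status=NOERROR ad=yes nsec3=0 "*) return 1 ;;
    "status=NOERROR ad=yes nsec3="*" unsigned_nsec3=0") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed samples (placeholder names, hashes and signatures).
SAMPLE_DS_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
org. 900 IN SOA ns.example. admin.example. 1 1800 900 604800 86400
org. 900 IN RRSIG SOA 7 1 900 20101201000000 20101101000000 1 org. c2lnLXBsYWNlaG9sZGVy
hash1placeholder.org. 900 IN NSEC3 1 1 1 ABCD hash2placeholder NS SOA RRSIG DNSKEY NSEC3PARAM
hash1placeholder.org. 900 IN RRSIG NSEC3 7 2 900 20101201000000 20101101000000 1 org. c2lnLXBsYWNlaG9sZGVy'
SAMPLE_DS_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_DS_OK"   | summarise_dig
printf '%s\n' "$SAMPLE_DS_FAIL" | summarise_dig
# Live use: dig +dnssec @linux -p 1053 bondedsender.org DS | has_signed_nsec3
```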


