error (broken trust chain) resolving

Casey Deccio casey at
Wed Nov 10 05:44:55 UTC 2010

On Tue, Nov 9, 2010 at 8:10 PM, Brian J. Murrell <brian at> wrote:
> The only thing written to that file when one of those broken chain lookups happens is:
> dnssec: validating @0x2295e9b0: TXT: starting
> dnssec: validating @0x2295e9b0: TXT: attempting negative response validation
> dnssec: validator @0x2295e9b0: dns_validator_destroy
> The dig query that produced that:
> $ dig @linux -p 1053 txt

What happens when you run the following queries:

dig +dnssec @linux -p 1053 org SOA

Do you get a NOERROR response with the AD bit set?

dig +dnssec @linux -p 1053 DS

Do you get a NOERROR response with AD bit set and NSEC3 RRs and their
covering RRSIGs?
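
The two checks asked about in this message can be scripted against saved `dig +dnssec` output. The following is an added example, not part of the original message: the dig output is constructed, and `example.`, `child.example.` and the function names are placeholders chosen for illustration.

```python
import re

# Constructed dig +dnssec output for a DS query answered with NODATA.
SAMPLE_DS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;child.example.	IN	DS

;; AUTHORITY SECTION:
example. 900 IN SOA ns.example. admin.example. 1 1800 900 604800 86400
example. 900 IN RRSIG SOA 7 1 900 20101124000000 20101110000000 1111 example. c2ln
hash1.example. 900 IN NSEC3 1 1 1 ABCD hash2 NS SOA RRSIG DNSKEY NSEC3PARAM
hash1.example. 900 IN RRSIG NSEC3 7 2 900 20101124000000 20101110000000 1111 example. c2ln
"""

def parse_dig(text):
    """Extract status, header flags and per-section records from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif not line.strip():
            current = None  # a blank line ends the section
        elif current is not None and not line.startswith(";"):
            f = line.split()  # owner, TTL, class, type, rdata...
            if len(f) >= 4:
                current.append((f[0].lower(), f[3], f[4:]))
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [],
            "sections": sections}

def validated_ok(resp):
    """True when the resolver answered NOERROR and set the AD bit."""
    return resp["status"] == "NOERROR" and "ad" in resp["flags"]

def unsigned_nsec3(resp):
    """Owners of AUTHORITY NSEC3 records with no RRSIG covering type NSEC3."""
    auth = resp["sections"].get("AUTHORITY", [])
    signed = {o for o, t, rd in auth if t == "RRSIG" and rd and rd[0] == "NSEC3"}
    return [o for o, t, _ in auth if t == "NSEC3" and o not in signed]
```

A response passes both questions when `validated_ok` is true and `unsigned_nsec3` returns an empty list; the check only confirms that the records are present in the response, it does not verify the signatures.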
