"broken trust chain" for non-existing AAAA records
Mark Andrews
marka at isc.org
Fri Nov 19 01:23:12 UTC 2010
In message <20101118131400.37717e5p5tardzm0 at webmail.kwsoft.de>, lst_hoe02 at kwsoft.de writes:
> We are using Bind 9.7 at the border to resolve DNS queries for a small
> LAN. After moving forward in using IPv6 we discovered many "broken
> trust chain" errors in the bind log for non-existing AAAA records. One
> example is
>
> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
> resolving 'smtp.g.comcast.net/AAAA/IN': 68.87.66.201#53
> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
>
> From what I can see there is no DNSSEC for comcast.net so this should
> not happen and the A record just resolves fine. Any comment if this
> should worry me?
A broken chain of trust can be *anywhere* in the trust chain.
Remember named has to prove that an answer should be insecure (not
signed) by looking for the absence of a DS RRset at a delegation
point above the name in question.

If validation is working correctly you should be able to get a
validated negative response for DS net. Note the "ad" in the flags
below which indicates that named thinks the answer is secure.

Also please report the *exact* version in future. There is more
than one BIND 9.7 version. The latest is BIND 9.7.2-P2.
Mark
; <<>> DiG 9.6.0-APPLE-P2 <<>> ds net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56977
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;net. IN DS
;; AUTHORITY SECTION:
. 9027 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010111801 1800 900 604800 86400
. 9027 IN RRSIG SOA 8 0 86400 20101125000000 20101117230000 40288 . Pn3OPCeNSrFiCAyf306zvUyN8+0YbfpWP4YCzr67lexD9Kw/shkBgN2/ Cfy/t7ikHpR7+DFyNi21EkoN+12jsz/XMi5R2GgG3JZtVxtMJPpRQk0O q4KsIA/hdHD7jWsoXsM/6WY1jDWhvPpkIv3dtJ2H/fhUfOfjcX1miEYY BaY=
net. 9027 IN RRSIG NSEC 8 1 86400 20101125000000 20101117230000 40288 . s4//hXJ69+BcKrB8ln03YGQNSVKCdGDALrhntcgnMU64ueFMTv4cFuzv jZWFdg+dgdQa59VLx2XCG0jMXzXKj27PGPAY1ARRRBxNA4yrJXeF8v8f Pwv3AmshHRufrbwbs8gZyP/WXqszXkrVVYRSMbcTKdkT62DkQNqMH7xP uV0=
net. 9027 IN NSEC nf. NS RRSIG NSEC
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 19 12:17:15 2010
;; MSG SIZE rcvd: 445
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
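As an added example (not part of Mark's reply or of BIND), the check he describes can be automated: query DS at every label boundary above the name through the local validating resolver and classify each answer the way a validator would. It assumes dig is installed and that the resolver is at 127.0.0.1; the name smtp.g.comcast.net is taken from the question above.

```python
import re
import subprocess
import sys

def delegation_points(name):
    """Every label boundary from the TLD down to the name itself.
    Not every boundary is a real zone cut, but querying DS at each one
    covers every delegation point a validator has to check."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

# Matches the dig header/flags lines, e.g.
# ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1"
FLAGS_RE = re.compile(r"^;; flags: ([^;]*); .*?ANSWER: (\d+)", re.M)
STATUS_RE = re.compile(r"status: ([A-Z]+)")

def classify_ds(dig_output):
    """Classify a 'dig ds <zone> +dnssec' answer as a validator sees it."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status or not flags:
        return "unparseable"
    rcode = status.group(1)
    if rcode == "SERVFAIL":
        return "servfail: resolver could not prove this delegation secure or insecure"
    if rcode not in ("NOERROR", "NXDOMAIN"):
        return "rcode " + rcode
    validated = "ad" in flags.group(1).split()   # "ad" = answer validated
    has_ds = int(flags.group(2)) > 0             # DS (+RRSIG) in ANSWER
    if validated and has_ds:
        return "secure: DS present and validated, chain continues below"
    if validated:
        return "insecure: validated proof of no DS, names below are unsigned"
    if has_ds:
        return "unvalidated: DS present but no ad flag (resolver not validating?)"
    return "unvalidated: no DS and no ad flag (resolver not validating?)"

def walk(name, server="127.0.0.1"):
    """Query DS at each boundary; stop at the first validated insecure
    delegation, since everything below it is legitimately unsigned."""
    results = []
    for zone in delegation_points(name):
        out = subprocess.run(["dig", "@" + server, "ds", zone, "+dnssec"],
                             capture_output=True, text=True).stdout
        verdict = classify_ds(out)
        results.append((zone, verdict))
        if verdict.startswith("insecure"):
            break
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "smtp.g.comcast.net"
    for zone, verdict in walk(target):
        print(f"{zone:30} {verdict}")
```

A SERVFAIL at some boundary, or a negative DS answer without "ad", points at the delegation where the chain is breaking, which is where to look rather than at the AAAA name in the log.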