"broken trust chain" for non-existing AAAA records

Mark Andrews marka at isc.org
Fri Nov 19 01:23:12 UTC 2010 

In message <20101118131400.37717e5p5tardzm0 at webmail.kwsoft.de>, lst_hoe02 at kwsof
t.de writes:
> We are using Bind 9.7 at the border to resolve DNS queries for a small  
> LAN. After moving forward in using IPv6 we discovered many "broken  
> trust chain" errors in the bind log for non existing AAAA records. One  
> example is
> 
> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)  
> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)  
> resolving 'smtp.g.comcast.net/AAAA/IN': 68.87.66.201#53
> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)  
> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)  
> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
> 
> From what i can see there is no DNSSEC for comcast.net so this should  
> not happen and the A record just resolve fine. Any comment if this  
> should worry me?

A broken chain of trust can be *anywhere* in the trust chain.

Remember named has to prove that a answer should be insecure (not
signed) by looking for the absence of a DS RRset at a delegation
point above the name in question.

If validation is working correctly you should be able to get a
validated negative response for DS net.  Note the "ad" in the flags
below which indicates that named thinks the answer is secure.

Also please report the *exact* version in future.  There is more
than one BIND 9.7 version.  The latest is BIND 9.7.2-P2.

Mark

; <<>> DiG 9.6.0-APPLE-P2 <<>> ds net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56977
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;net.				IN	DS

;; AUTHORITY SECTION:
.			9027	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2010111801 1800 900 604800 86400
.			9027	IN	RRSIG	SOA 8 0 86400 20101125000000 20101117230000 40288 . Pn3OPCeNSrFiCAyf306zvUyN8+0YbfpWP4YCzr67lexD9Kw/shkBgN2/ Cfy/t7ikHpR7+DFyNi21EkoN+12jsz/XMi5R2GgG3JZtVxtMJPpRQk0O q4KsIA/hdHD7jWsoXsM/6WY1jDWhvPpkIv3dtJ2H/fhUfOfjcX1miEYY BaY=
net.			9027	IN	RRSIG	NSEC 8 1 86400 20101125000000 20101117230000 40288 . s4//hXJ69+BcKrB8ln03YGQNSVKCdGDALrhntcgnMU64ueFMTv4cFuzv jZWFdg+dgdQa59VLx2XCG0jMXzXKj27PGPAY1ARRRBxNA4yrJXeF8v8f Pwv3AmshHRufrbwbs8gZyP/WXqszXkrVVYRSMbcTKdkT62DkQNqMH7xP uV0=
net.			9027	IN	NSEC	nf. NS RRSIG NSEC

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 19 12:17:15 2010
;; MSG SIZE  rcvd: 445

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list