error (broken trust chain) resolving

Casey Deccio casey at
Mon Nov 22 21:02:46 UTC 2010

On Mon, Nov 22, 2010 at 5:28 AM, Brian J. Murrell <brian at> wrote:
> Casey Deccio <casey <at>> writes:
>> After a review of NSEC3 showed that this particular behavior is
>> expected because org has been signed using NSEC3 with the opt-out bit
>> set.
> I'm afraid I'm getting a bit lost due to my real lack of understanding of the
> details of DNSSEC.  I wish I had the time to really sit down and understand the
> concepts in complete detail.  :-(
> So does the RFC reference just explain why the AD bit (i.e. and not the bigger
> problem of the spew of log entries from named) is not set

yes, I was clarifying that my particular observation with respect to
the AD bit was not a useful insight into troubleshooting the other

> or does that explain
> the entire problem I am seeing (namely the continuous log spew from named)?

I still don't have the answer to this.  Perhaps a BIND developer may
have better insight into the log messages and what may be going on.


More information about the bind-users mailing list