"broken trust chain" for non-existing AAAA records

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Mon Nov 29 13:43:38 UTC 2010


Zitat von Mark Andrews <marka at isc.org>:

>
> In message <20101118131400.37717e5p5tardzm0 at webmail.kwsoft.de>, lst_hoe02 at kwsoft.de writes:
>> We are using Bind 9.7 at the border to resolve DNS queries for a small
>> LAN. After moving forward in using IPv6 we discovered many "broken
>> trust chain" errors in the bind log for non-existing AAAA records. One
>> example is
>>
>> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
>> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
>> Nov 18 01:18:21 firewall named[27580]: error (broken trust chain)
>> resolving 'smtp.g.comcast.net/AAAA/IN': 68.87.66.201#53
>> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
>> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
>> Nov 18 01:18:29 firewall named[27580]: error (broken trust chain)
>> resolving 'smtp.g.comcast.net/AAAA/IN': 76.96.53.47#53
>>
>> From what I can see there is no DNSSEC for comcast.net so this should
>> not happen and the A record just resolves fine. Any comment if this
>> should worry me?
>
> A broken chain of trust can be *anywhere* in the trust chain.
>
> Remember named has to prove that an answer should be insecure (not
> signed) by looking for the absence of a DS RRset at a delegation
> point above the name in question.


Sorry to come up with this again...
As far as I understand, if I get a secure answer from the root NS that
there is no DS for the domain in question (de., net., etc.) there
should be no "broken trust chain" further on because there is
(validated) none?


> If validation is working correctly you should be able to get a
> validated negative response for DS net.  Note the "ad" in the flags
> below which indicates that named thinks the answer is secure.


This is working, no problem, but I still get "broken trust chain" for
some non-existing AAAA records, like for example this one:

; <<>> DiG 9.7.0-P1 <<>> +dnssec mail.cdu-freiburg.de AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54325
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.cdu-freiburg.de.		IN	AAAA


Nov 29 14:37:01 firewall named[976]: error (broken trust chain) resolving 'mail.cdu-freiburg.de/AAAA/IN': 62.116.129.129#53


; <<>> DiG 9.7.0-P1 <<>> +dnssec de. DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9033
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;de.				IN	DS

;; AUTHORITY SECTION:
.			3	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2010112801 1800 900 604800 86400
.			3	IN	RRSIG	SOA 8 0 86400 20101205000000 20101127230000 40288 . HxKeNrwFeDxJDKKbBcQJQQ8aXf1sEs93J1rcm647RI3Qw3bpm9Dbs+xj aYki5iRhk0HHjDHm1Kj2gGXFdKlzMAExszF7js1IaCs+EgePqwSqDoHT lSduCn/hqlrklOqrwQkjYJhJkEYLJuhKVHTkilbC/w94RxVK3Uh5qEdJ K44=
de.			3	IN	RRSIG	NSEC 8 1 86400 20101205000000 20101127230000 40288 . DfHYLjIgdB3M+ib9Gn6anvtE27UTdZWX9nqvzf7ts4+X2TCVwlPmGtn7 4EXwrDTfYNe5YEWh67MO/7mcUeZ2LcqqyQifIu0hJZf5RBmys0ml39JZ VNcSaWr7N5J3OV2GCJl366w24Eeuuje+xAJAyIfzE68LkMlnypjbrAAT mtA=
de.			3	IN	NSEC	dj. NS RRSIG NSEC


So it is validated that the TLD de. has no DS (-> NSEC), but Bind 9.7
reports a broken trust chain for the IPv6 record of
"mail.cdu-freiburg.de". I have not even found anything looking like a
DNSKEY further down the road, so why is the error reported?

Many Thanks

Andreas
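The rule Mark Andrews states in the quoted reply (a validator must *prove* an answer insecure by finding a validated absence of DS at a delegation point between the trust anchor and the name, and that proof can break at any delegation) is modelled below as a small simulation. This is an added example written for this archive page, not BIND's validator code. The zone tables are constructed: the only fact taken from the thread is that de. had a validated NSEC denial of DS at the root at the time; "example." and "sub.example." are hypothetical, and the DsAnswer/LOOKUP_FAILED structures are an assumption standing in for what named learns from each DS query.

```python
"""
Constructed model of a DNSSEC validator walking delegation points from the
root trust anchor toward a name, deciding secure / insecure / bogus.
Added example for this thread, not BIND code.
"""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Sentinel: the DS query for this delegation got no usable answer
# (SERVFAIL, timeout, or a denial the validator could not verify).
LOOKUP_FAILED = object()


@dataclass(frozen=True)
class DsAnswer:
    """What the validator learned about the DS RRset at one zone cut (assumed model)."""
    present: bool                   # parent publishes a DS for the child
    validated: bool                 # the DS RRset, or the NSEC/NSEC3 denial, verified
    child_key_matches: bool = True  # child's DNSKEY matches the DS (only if present)


def delegation_points(name):
    """Ancestors of `name` from the root down, e.g.
    'mail.cdu-freiburg.de.' -> ['.', 'de.', 'cdu-freiburg.de.', 'mail.cdu-freiburg.de.']"""
    labels = [l for l in name.rstrip(".").split(".") if l]
    points = ["."]
    for i in range(len(labels) - 1, -1, -1):
        points.append(".".join(labels[i:]) + ".")
    return points


def validate(name, zone_cuts):
    """Walk from the root trust anchor toward `name`.
    `zone_cuts` maps zone name -> DsAnswer or LOOKUP_FAILED; names absent
    from it are not delegation points (ordinary owner names inside a zone)."""
    state = SECURE                       # the root is the trust anchor
    for zone in delegation_points(name)[1:]:
        if state == INSECURE:
            # Below a proven-unsigned delegation there is nothing left to prove.
            return INSECURE
        answer = zone_cuts.get(zone)
        if answer is None:
            continue                     # not a zone cut, stay in the current zone
        if answer is LOOKUP_FAILED or not answer.validated:
            # Neither "secure" nor "insecure" can be proven: bogus, which
            # named logs as "broken trust chain".
            return BOGUS
        if not answer.present:
            state = INSECURE             # validated denial of DS: insecure island
        elif answer.child_key_matches:
            state = SECURE               # DS chains to the child's DNSKEY
        else:
            return BOGUS                 # DS published but child keys don't match
    return state


# --- constructed scenarios ---------------------------------------------

# 1. What the poster expects: the root proves (NSEC, "ad" flag) that de.
#    has no DS, so every name under de. is insecure, never bogus.
UNSIGNED_TLD = {
    "de.": DsAnswer(present=False, validated=True),
}

# 2. Hypothetical: the DS lookup for sub.example. itself fails. The target
#    zone may be unsigned, yet the result is bogus because the proof of
#    insecurity could not be completed (the break is "anywhere in the chain").
BROKEN_DS_LOOKUP = {
    "example.": DsAnswer(present=True, validated=True),
    "sub.example.": LOOKUP_FAILED,
}

# 3. Hypothetical fully signed path.
SIGNED = {
    "example.": DsAnswer(present=True, validated=True),
}

# 4. Hypothetical DS that does not match the child's DNSKEY (e.g. a botched rollover).
BAD_KEY = {
    "example.": DsAnswer(present=True, validated=True, child_key_matches=False),
}

if __name__ == "__main__":
    for label, table, qname in [
        ("unsigned TLD", UNSIGNED_TLD, "mail.cdu-freiburg.de."),
        ("failed DS lookup", BROKEN_DS_LOOKUP, "www.sub.example."),
        ("signed path", SIGNED, "www.example."),
        ("bad key", BAD_KEY, "www.example."),
    ]:
        print(f"{label:18s} {qname:26s} -> {validate(qname, table)}")
```

Scenario 1 is the outcome the dig output for `de. DS` supports: once the root's denial of DS for de. validates, the validator stops and classifies everything below as insecure. Scenarios 2 and 4 show the two ways a chain ends up bogus rather than insecure, which is the distinction behind a "broken trust chain" log line: not "this zone is unsigned" but "I could not finish proving whether it is signed or not".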




