DNSSEC validation broken trust July 22-23rd time.nist.gov

J Doe general at nativemethods.com
Fri Jul 25 22:28:58 UTC 2025


Hi Julian,

Ok, thanks.  It slipped my mind to use DNSviz - thank you for mentioning it.

- J

On 7/24/25 01:19, Julian Panke wrote:
> Hi,
>
> DNSviz is showing the issue very clearly, so it was not on your side: https://dnsviz.net/d/time.nist.gov/aID54g/dnssec/
>
> regards
>
> Julian Panke
>
>
>
> -------- Original Message --------
> On 24.07.25 00:18, J Doe <general at nativemethods.com> wrote:
>
>>   Hi,
>>   
>>   I have a small mail server that is using: BIND 9.20.11 and performs
>>   recursion and DNSSEC validation.
>>   
>>   From yesterday (July 22nd) to today (July 23rd), I noticed the
>>   following in the server logs:
>>   
>>   22-Jul-2025 23:59:50.347 lame-servers: info: no valid RRSIG resolving
>>   'glb.nist.gov/DNSKEY/IN': 132.163.4.64#53
>>   22-Jul-2025 23:59:50.347 lame-servers: info: broken trust chain
>>   resolving 'ntp1.glb.nist.gov/A/IN': 129.6.13.8#53
>>   22-Jul-2025 23:59:50.347 query-errors: info: client @0xe3af1ee9020
>>   127.0.0.1#13211 (time.nist.gov): query failed (broken trust chain) for
>>   time.nist.gov/IN/A at query.c:7849
>>   
>>   The host in question (time.nist.gov), is used by this server for NTP.
>>   The problem appears to have resolved itself today (July 23rd), at around
>>   10:00 AM EDT and happily NTP is able to complete with this particular host.
>>   
>>   Did anyone else notice something similar?
>>   
>>   Thanks,
>>   
>>   - J
>>   
>>   
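
The following Python example is added here and is not part of the thread or of BIND. It groups log lines of the kind quoted above by the zone whose DNSKEY failed validation; as a heuristic, failures confined to one zone and seen from several of its authoritative servers point at that zone's signing rather than at the local resolver, whose clock or trust-anchor problems would affect every signed zone. The name `summarize`, the regexes and the fourth sample line are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# BIND 9 log line: "22-Jul-2025 23:59:50.347 category: severity: message"
LINE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([\w-]+): (\w+): (.*)$")
# Resolver-side validation failures, logged under the lame-servers category
RESOLVE = re.compile(r"^(no valid RRSIG|broken trust chain) resolving '([^/']+)/(\w+)/IN': ([\da-fA-F.:]+)#\d+$")
# Client-facing failure, logged under the query-errors category
CLIENT = re.compile(r"query failed \(broken trust chain\) for (\S+)/IN/(\w+)")

def summarize(lines):
    """Group DNSSEC validation failures by the zone whose DNSKEY did not validate."""
    zones, chain, clients = {}, [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        # %b assumes English month abbreviations (C locale), as in the quoted log
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        cat, msg = m.group(2), m.group(4)
        r = RESOLVE.match(msg) if cat == "lame-servers" else None
        c = CLIENT.search(msg) if cat == "query-errors" else None
        if r and r.group(1) == "no valid RRSIG" and r.group(3) == "DNSKEY":
            z = zones.setdefault(r.group(2).lower(),
                                 {"first": ts, "last": ts, "servers": set(), "names": set()})
            z["first"], z["last"] = min(z["first"], ts), max(z["last"], ts)
            z["servers"].add(r.group(4))
        elif r and r.group(1) == "broken trust chain":
            chain.append(r.group(2).lower())
        elif c:
            clients.append(c.group(1).lower())
    unattributed = set()
    for name in chain:
        # Attribute each dependent name to the longest failing zone that contains it
        owners = [z for z in zones if name == z or name.endswith("." + z)]
        if owners:
            zones[max(owners, key=len)]["names"].add(name)
        else:
            unattributed.add(name)
    return {"zones": zones, "unattributed": unattributed,
            "client_failures": sorted(set(clients))}

# Lines 1-3: the log entries from the post, unwrapped. Line 4: constructed sample.
SAMPLE = """\
22-Jul-2025 23:59:50.347 lame-servers: info: no valid RRSIG resolving 'glb.nist.gov/DNSKEY/IN': 132.163.4.64#53
22-Jul-2025 23:59:50.347 lame-servers: info: broken trust chain resolving 'ntp1.glb.nist.gov/A/IN': 129.6.13.8#53
22-Jul-2025 23:59:50.347 query-errors: info: client @0xe3af1ee9020 127.0.0.1#13211 (time.nist.gov): query failed (broken trust chain) for time.nist.gov/IN/A at query.c:7849
23-Jul-2025 09:41:12.005 lame-servers: info: no valid RRSIG resolving 'glb.nist.gov/DNSKEY/IN': 129.6.13.8#53
""".splitlines()
```

Calling `summarize(SAMPLE)` returns one failing zone with its first and last failure times, the authoritative servers that returned unverifiable DNSKEY answers, the names under it that lost their trust chain, and the client queries that failed.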

