broken trust chain
Josef Moellers
jmoellers at suse.de
Fri Sep 25 13:13:17 UTC 2020
Hi,
When running bind 9.11.22 on SUSE SLES12-SP4, I get spurious errors

    broken trust chain resolving 'www.suse.de/A/IN': 205.251.193.167#53

when running "dig @localhost www.suse.de +short" which then produces no
output.
I have set up two forward name servers:
    forwarders {
        217.0.43.1;
        192.168.122.1;
    };
in /etc/named.d/forwarders.conf
Occasionally the 192.168.122.1 address is given in the error message; it
is the IP address of my VM host running dnsmasq.
The /etc/rndc.key file is properly set up and named is running in a
chrooted environment where the /etc/rndc.key is copied to the chroot jail.
I had seen the "broken trust chain" error with 9.16 when the
/etc/rndc.key file had not been created due to an old script which still
called rndc-confgen with "-r /dev/urandom" (in which case rndc-confgen
would not create the file), but that was 9.16 and the 9.11.22 version of
rndc-confgen still accepts this option.
The clocks of the VM and the rest of the world are in sync.
Does anyone have a hint as to what might cause this error?
Thanks in advance and ... stay healthy,
Josef
No, I can't upgrade to 9.16 as that would not be allowed due to release
policy.
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer