broken trust chain
Josef Moellers
jmoellers at suse.de
Fri Sep 25 14:28:52 UTC 2020
On 25.09.20 15:13, Josef Moellers wrote:
> Hi,
>
> When running bind 9.11.22 on SUSE SLES12-SP4, I get spurious errors
>
> broken trust chain resolving 'www.suse.de/A/IN': 205.251.193.167#53
>
> when running "dig @localhost www.suse.de +short" which then produces no
> output.
>
> I have set up two forward name servers:
>
> forwarders {
> 217.0.43.1;
> 192.168.122.1;
> };
>
> in /etc/named.d/forwarders.conf
>
> Occasionally the 192.168.122.1 address is given in the error message, it
> is the IP address of my VM host running dnsmasq.
>
> The /etc/rndc.key file is properly set up and named is running in a
> chrooted environment where the /etc/rndc.key is copied to the chroot jail.
>
> I had seen the "broken trust chain" error with 9.16 when the
> /etc/rndc.key file had not been created due to an old script which still
> called rndc-confgen with "-r /dev/urandom" (in which case rndc-confgen
> would not create the file), but that was 9.16 and the 9.11.22 version of
> rndc-confgen still accepts this option.
>
> The clocks of the VM and the rest of the world are in sync.
>
> Does anyone have a hint as to what might cause this error?
I just found out that in the good case, the key in /etc/bind.keys is
accepted, in the bad case it is not:

good: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
bad:  managed-keys-zone: No DNSKEY RRSIGs found for '.': success
So the question is: what causes this?
Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
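The "No DNSKEY RRSIGs found for '.'" line means named asked the forwarders for the root DNSKEY RRset and got it back without the RRSIG records it needs to validate the managed key (tag 20326), so a quick first check is to query each forwarder from forwarders.conf with `dig @<fwd> . DNSKEY +dnssec` and see whether RRSIGs and the DO bit come back. The script below is an added example, not code from the post or from BIND: it parses the forwarders block quoted above, runs dig against each address when invoked from the command line, and reduces the reply to a verdict. The two dig outputs embedded for offline use are constructed, with placeholder key material; the 2020 RRSIG timestamps and the response ids are made up.

```python
"""Check whether each named forwarder returns the root DNSKEY RRset with RRSIGs."""
import re
import subprocess
import sys

ROOT_KSK_TAG = 20326  # root KSK key tag from the "key now trusted" log line

# Constructed: the forwarders block from the original post.
FORWARDERS_CONF = """
forwarders {
217.0.43.1;
192.168.122.1;
};
"""

# Constructed dig output: forwarder honours the DO bit and returns RRSIGs.
GOOD_DIG = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.    IN DNSKEY
;; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 AwEAAaz/PLACEHOLDER-KSK
. 172800 IN DNSKEY 256 3 8 AwEAAb1/PLACEHOLDER-ZSK
. 172800 IN RRSIG DNSKEY 8 0 172800 20201005000000 20200914000000 20326 . c29tZXNpZw==
"""

# Constructed dig output: DNSKEYs returned but no RRSIG and no DO bit echoed.
BAD_DIG = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 AwEAAaz/PLACEHOLDER-KSK
. 172800 IN DNSKEY 256 3 8 AwEAAb1/PLACEHOLDER-ZSK
"""


def parse_forwarders(conf_text):
    """Return the addresses listed in a named 'forwarders { ...; };' block."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", conf_text)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def analyse_dig_output(text):
    """Summarise 'dig @<fwd> . DNSKEY +dnssec' output: flags, counts, signer tags."""
    res = {"status": None, "ad": False, "do": False,
           "dnskey": 0, "rrsig_dnskey": 0, "signer_tags": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                res["status"] = m.group(1)
        elif line.startswith(";; flags:") or line.startswith("; EDNS:"):
            m = re.search(r"flags:([^;]*)", line)
            flags = m.group(1).split() if m else []
            if line.startswith(";; flags:"):
                res["ad"] = "ad" in flags          # header AD bit
            else:
                res["do"] = "do" in flags          # DO bit echoed in OPT record
        elif line.startswith(";"):
            continue                               # comments, question section
        else:
            fields = line.split()                  # owner ttl class type rdata...
            if len(fields) < 5:
                continue
            owner, rtype, rdata = fields[0], fields[3], fields[4:]
            if owner == "." and rtype == "DNSKEY":
                res["dnskey"] += 1
            elif owner == "." and rtype == "RRSIG" and rdata[0] == "DNSKEY":
                # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig
                res["rrsig_dnskey"] += 1
                res["signer_tags"].append(int(rdata[6]))
    return res


def diagnose(res):
    """Verdict mirroring what named's managed-keys zone needs to accept the key."""
    if res["status"] != "NOERROR" or res["dnskey"] == 0:
        return "no-dnskey"
    if res["rrsig_dnskey"] == 0:
        return "no-rrsig"            # RRSIGs stripped or DO bit not honoured
    if ROOT_KSK_TAG not in res["signer_tags"]:
        return "not-signed-by-ksk"
    return "ok"


def run_dig(forwarder):
    """Run the real dig against one forwarder (assumes dig is on PATH)."""
    cmd = ["dig", "@" + forwarder, ".", "DNSKEY", "+dnssec"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/named.d/forwarders.conf"
    with open(conf) as fh:
        for fwd in parse_forwarders(fh.read()):
            summary = analyse_dig_output(run_dig(fwd))
            print(f"{fwd}: {diagnose(summary)} "
                  f"(do={summary['do']} ad={summary['ad']} "
                  f"dnskey={summary['dnskey']} rrsig={summary['rrsig_dnskey']})")
```

Run it as `python3 check_forwarders.py /etc/named.d/forwarders.conf`; a forwarder reporting `no-rrsig` cannot feed the managed-keys zone the signatures it needs, whatever else is right about rndc.key or the clock.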