New comment - [#160539] broken trust chain

Team at TruBrain team at trubrain.com
Fri Sep 25 14:29:14 UTC 2020


There is a new comment in the ticket submitted by Josef Moellers to TruBrain

Comment added by: Josef Moellers

Comment Content:

On 25.09.20 15:13, Josef Moellers wrote:
> Hi,
>
> When running bind 9.11.22 on SUSE SLES12-SP4, I get spurious errors
>
> broken trust chain resolving 'www.suse.de/A/IN': 205.251.193.167#53
>
> when running "dig @localhost www.suse.de +short" which then produces no
> output.
>
> I have set up two forward name servers:
>
> forwarders {
>         217.0.43.1;
>         192.168.122.1;
> };
>
> in /etc/named.d/forwarders.conf
>
> Occasionally the 192.168.122.1 address is given in the error message, it
> is the IP address of my VM host running dnsmasq.
>
> The /etc/rndc.key file is properly set up and named is running in a
> chrooted environment where the /etc/rndc.key is copied to the chroot jail.
>
> I had seen the "broken trust chain" error with 9.16 when the
> /etc/rndc.key file had not been created due to an old script which still
> called rndc-confgen with "-r /dev/urandom" (in which case rndc-confgen
> would not create the file), but that was 9.16 and the 9.11.22 version of
> rndc-confgen still accepts this option.
>
> The clocks of the VM and the rest of the world are in sync.
>
> Does anyone have a hint as to what might cause this error?

I just found out that in the good case, the key in /etc/bind.keys is
accepted, in the bad case it is not:
good:managed-keys-zone: Key 20326 for zone . acceptance timer complete:
key now trusted
bad:managed-keys-zone: No DNSKEY RRSIGs found for '.': success

So the question is: what causes this?

Josef
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
_______________________________________________
bind-workers mailing list
bind-workers at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-workers


