Is dnssec subject to intermittent failures?


Dewayne Geraghty

Jul 15, 2021, 8:50:16 PM
to freebsd-...@freebsd.org
A few weeks ago I modified my named.conf to include
dnssec-validation auto;
after some testing we inserted into production.

Today my named refused to resolve with these messages:

In lame-servers.log (hundreds of these)
16-Jul-2021 06:04:47.412 broken trust chain resolving
'googlemail.l.google.com/A/IN'

and a little later in default.log
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479
(freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for
freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845
(googlemail.com): query failed (broken trust chain) for
googlemail.com/IN/A at query.c:6818

After commenting out the validation line and HUPing named, it functioned
correctly.  I repeated by reapplying dnssec-validation and again refused
to resolve.

Is something in dnssec misbehaving or am I just being lucky?

Regards, Dewayne.
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"
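The log lines above are the only evidence in the post, so the first thing worth doing is to triage them properly: parse both formats named writes (the "broken trust chain resolving" lines in lame-servers.log and the "query failed (...)" lines in default.log), group the failing names by their parent zone, and see whether one zone is broken or validation is failing across unrelated zones at the same time. The latter pattern is what the post shows (google.com, dkimwl.org, googlemail.com all within minutes) and it points at the validator rather than at any one domain. The script below is an added example, not code from the thread; the log text is a constructed sample modelled on the quoted lines, the "last two labels" parent-zone rule and the three-zone threshold are my own rules of thumb, and a real tool would use the Public Suffix List.

```python
"""Triage 'broken trust chain' failures from BIND named logs.

Added example, not from the mailing-list thread. Parses the two log
formats quoted in the post and groups failing names by parent zone so
that 'one zone is broken' and 'validation fails everywhere' can be told
apart. Sample log text is constructed, modelled on the quoted lines.
"""
import re
from collections import defaultdict

# Constructed sample (one record per line, as named writes them).
SAMPLE_LOG = """\
16-Jul-2021 06:04:47.412 broken trust chain resolving 'googlemail.l.google.com/A/IN'
16-Jul-2021 06:04:48.001 broken trust chain resolving 'www.google.com/AAAA/IN'
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479 (freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845 (googlemail.com): query failed (broken trust chain) for googlemail.com/IN/A at query.c:6818
16-Jul-2021 06:19:05.100 client @0x2c66fc00 127.0.5.91#8846 (example.org): query failed (SERVFAIL) for example.org/IN/MX at query.c:6818
"""

# lame-servers.log form: "<date> <time> broken trust chain resolving 'NAME/TYPE/IN'"
RESOLVING_RE = re.compile(
    r"^(?P<ts>\S+ \S+) broken trust chain resolving '(?P<name>[^/]+)/(?P<type>[A-Z0-9]+)/IN'")
# default.log form: "<date> <time> client @0x.. IP#PORT (NAME): query failed (REASON) for NAME/IN/TYPE at ..."
QUERY_FAILED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client \S+ (?P<client>\S+) \(\S+\): query failed "
    r"\((?P<reason>[^)]+)\) for (?P<name>[^/]+)/IN/(?P<type>[A-Z0-9]+)")


def parse_line(line):
    """Return (timestamp, name, qtype, reason, client) or None for other lines."""
    m = RESOLVING_RE.match(line)
    if m:
        return m["ts"], m["name"].lower(), m["type"], "broken trust chain", None
    m = QUERY_FAILED_RE.match(line)
    if m:
        return m["ts"], m["name"].lower(), m["type"], m["reason"], m["client"]
    return None


def parent_zone(name, labels=2):
    """Crude 'registered domain': the last two labels (rule of thumb, not PSL-aware)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def triage(log_text, unrelated_zone_threshold=3):
    """Group broken-trust-chain names by parent zone and say where to look first."""
    per_zone = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "broken trust chain":
            per_zone[parent_zone(rec[1])].add(rec[1])
    zones = {z: sorted(per_zone[z]) for z in sorted(per_zone)}
    # Rule of thumb (mine): several unrelated zones failing validation at the
    # same time is a resolver problem; a single zone is usually that zone's chain.
    if len(zones) >= unrelated_zone_threshold:
        verdict = "resolver-side: check trust anchor, system clock, and the EDNS/DNSSEC path upstream"
    else:
        verdict = "zone-side: check that zone's DS/DNSKEY chain (delv +rtrace)"
    return {"zones": zones, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for zone, names in result["zones"].items():
        print(f"{zone}: {len(names)} name(s): {', '.join(names)}")
    print("verdict:", result["verdict"])
```

On the sample this reports three unrelated parent zones (dkimwl.org, google.com, googlemail.com) and flags the resolver; the plain SERVFAIL line for example.org is parsed but not counted, since it carries no DNSSEC reason.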

John Levine

Jul 15, 2021, 9:32:51 PM
to freebsd-...@freebsd.org, dew...@heuristicsystems.com.au
It appears that Dewayne Geraghty <dew...@heuristicsystems.com.au> said:
>A few weeks ago I modified my named.conf to include
>dnssec-validation auto;
>after some testing we inserted into production.
>
>Today my named refused to resolve with these messages:
>
>In lame-servers.log (hundreds of these)
>16-Jul-2021 06:04:47.412 broken trust chain resolving
>'googlemail.l.google.com/A/IN'
>
>and a little later in default.log
>16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479
>(freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for
>freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
>16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845
>(googlemail.com): query failed (broken trust chain) for
>googlemail.com/IN/A at query.c:6818

Something is screwed up at your end. None of those three domains are
signed with DNSSEC so there shouldn't be anything to fail.
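The reply's point is that a validating resolver should have nothing to validate for an unsigned zone: the only DNSSEC work for such a name is verifying the parent's signed proof that no DS record exists, and if that fails for .com and .org names the fault is almost certainly local to the resolver. The standard way to confirm this from the client side is two dig runs against the validating resolver, one normal and one with +cd (checking disabled), which makes the resolver hand back whatever it fetched without validating it. The script below is an added example, not code from the thread or from BIND; it parses dig's text output for that pair and classifies the result. The dig outputs embedded in it are constructed samples in dig's format (RFC 5737 addresses, a dummy RRSIG), and the commands named in the advice strings (`delv +rtrace`, `rndc managed-keys status`) are the standard BIND tools for the next step. The real commands you would capture are `dig @127.0.0.1 +dnssec NAME A` and `dig @127.0.0.1 +dnssec +cd NAME A`.

```python
"""Classify a 'broken trust chain' SERVFAIL from a normal/+cd dig pair.

Added example, not from the thread. Given dig's text output for the same
query with and without +cd, decide whether the zone is signed at all and
therefore whether the failure is the zone's chain or the resolver's own
validation. Sample outputs are constructed in dig's format.
"""
import re

# Constructed dig outputs (abbreviated; the lines this script reads are real dig lines).
NORMAL_SERVFAIL = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;googlemail.com.\t\t\tIN\tA
"""
CD_UNSIGNED = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;googlemail.com.\t\t\tIN\tA

;; ANSWER SECTION:
googlemail.com.\t\t300\tIN\tA\t192.0.2.1
"""
CD_SIGNED = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.net.\t\t3600\tIN\tA\t192.0.2.2
example.net.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20210801000000 20210701000000 12345 example.net. c29tZXNpZw==
"""

STATUS_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)


def rcode(dig_output):
    """Response code from dig's header line, e.g. 'NOERROR' or 'SERVFAIL'."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else None


def flags(dig_output):
    """Header flags as a set; 'ad' means the resolver validated the answer."""
    m = FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def answer_types(dig_output):
    """RR types present in the ANSWER SECTION (empty set if there is none)."""
    types, in_answer = set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break
            fields = line.split()          # name ttl class TYPE rdata...
            if len(fields) >= 4:
                types.add(fields[3])
    return types


def classify(normal_out, cd_out):
    """Return (verdict, advice) for one name from its normal and +cd dig outputs."""
    n, c = rcode(normal_out), rcode(cd_out)
    if n == "NOERROR":
        if "ad" in flags(normal_out):
            return "ok", "answer validated (AD flag set)"
        return "ok", "answer returned without AD: unsigned zone or validation not enabled"
    if c != "NOERROR":
        return "fetch-failed", f"fails even with +cd ({c}): reachability/upstream problem, not DNSSEC"
    if "RRSIG" in answer_types(cd_out):
        return ("signed-chain-broken",
                "zone is signed; walk it with 'delv +rtrace' and compare the parent DS with the zone DNSKEY")
    return ("unsigned-validation-failed",
            "zone is unsigned, so the resolver failed to validate the parent's signed proof that there is "
            "no DS; look at the resolver: trust anchor ('rndc managed-keys status'), system clock, and "
            "anything on the path that strips EDNS or DNSSEC records")


if __name__ == "__main__":
    for label, pair in (("googlemail.com", (NORMAL_SERVFAIL, CD_UNSIGNED)),
                        ("example.net", (NORMAL_SERVFAIL, CD_SIGNED))):
        verdict, advice = classify(*pair)
        print(f"{label}: {verdict}: {advice}")
```

One caveat: a forwarder between you and the validating resolver can itself strip the DO bit or the AD flag, so if the classification looks wrong, repeat the pair directly against the resolver's own listening address and, for comparison, against a known-good validating resolver.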

Dewayne Geraghty

Jul 15, 2021, 10:35:18 PM
to John Levine, freebsd-...@freebsd.org