Casey Deccio <casey <at> deccio.net> writes:
>
> Reproducing these errors and analyzing the debug-level log messages
> would be helpful since everything looks consistent from a DNSSEC
> perspective, as far as I can see.
Well, I have attempted this. I reproduced my existing bind configuration and added the following to logging:

category "dnssec" { "debug_log"; };
channel debug_log {
    file "/var/tmp/named.debug";
    severity debug 100;
    print-category yes;
};

The only thing written to that file when one of those broken chain lookups happens is:

dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: starting
dnssec: validating @0x2295e9b0: 41.70.55.206.sa-trusted.bondedsender.org TXT: attempting negative response validation
dnssec: validator @0x2295e9b0: dns_validator_destroy

The dig query that produced that:

$ dig @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt

; <<>> DiG 9.7.1-P2 <<>> @linux -p 1053 41.70.55.206.sa-trusted.bondedsender.org txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;41.70.55.206.sa-trusted.bondedsender.org. IN TXT

;; Query time: 43 msec
;; SERVER: 10.75.22.3#1053(10.75.22.3)
;; WHEN: Tue Nov 9 23:08:39 2010
;; MSG SIZE rcvd: 58

And the syslog entry:

Nov 9 23:08:39 linux named[11040]: error (broken trust chain) resolving '41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53

So nothing terribly interesting in the debug as far as I can see. Perhaps I don't have enough/the correct debugging enabled?

Cheers,
b.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
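When a resolver starts logging "error (broken trust chain) resolving ..." lines like the one above, the useful first step is usually not more debug output but seeing the pattern: which zone the failing names fall under and which upstream server keeps returning the unvalidatable data. The script below is an added example written for this page, not code from the post or from ISC. It parses named's syslog error format as shown in the message, collapses reversed-IP prefixes so DNSBL-style names group by their parent zone, and prints a `dig +cd` follow-up (the CD bit asks the resolver to skip validation and return whatever it holds, which is how you retrieve the RRSIGs/NSECs for inspection). The sample log is constructed here; only the first line is taken from the post, and the "no valid RRSIG" reason string on a later line is an assumed BIND wording rather than something the thread shows.

```python
import re
from collections import Counter, defaultdict

# Syslog lines of the shape shown in the post:
#   <Mon dd HH:MM:SS> <host> named[<pid>]: error (<reason>) resolving '<qname>/<qtype>/<qclass>': <ip>#<port>
NAMED_ERROR_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)$"
)

# Constructed sample: line 1 is the entry from the post, the rest are made up
# here to show grouping. The "no valid RRSIG" wording is an assumption.
SAMPLE_LOG = """\
Nov  9 23:08:39 linux named[11040]: error (broken trust chain) resolving '41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53
Nov  9 23:08:41 linux named[11040]: error (broken trust chain) resolving '12.0.0.10.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.2#53
Nov  9 23:09:02 linux named[11040]: error (no valid RRSIG) resolving 'example.test/A/IN': 192.0.2.10#53
Nov  9 23:09:05 linux named[11040]: client 10.75.22.9#4321: query: example.test IN A +
Nov  9 23:09:07 linux named[11040]: error (broken trust chain) resolving '41.70.55.206.sa-trusted.bondedsender.org/TXT/IN': 209.51.221.3#53
"""


def parse_named_error(line):
    """Return a dict for a resolver error line, or None for any other line."""
    m = NAMED_ERROR_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def strip_reversed_ip(qname):
    """Drop a leading reversed IPv4 (a.b.c.d.) so DNSBL lookups group by zone."""
    labels = qname.split(".")
    head = labels[:4]
    if len(labels) > 4 and all(l.isdigit() and int(l) <= 255 for l in head):
        return ".".join(labels[4:])
    return qname


def followup_dig(rec, resolver="linux", port=1053):
    """dig command that fetches the unvalidated answer (+cd) with its RRSIGs (+dnssec).
    resolver/port default to the values used in the post and are assumptions."""
    return "dig @%s -p %d +dnssec +cd %s %s" % (resolver, port, rec["qname"], rec["qtype"])


def summarize(log_text):
    """Count errors by (reason, upstream server) and by parent zone."""
    by_reason_server = Counter()
    by_zone = Counter()
    names = defaultdict(set)
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_named_error(line)
        if rec is None:
            continue
        parsed += 1
        by_reason_server[(rec["reason"], rec["server"])] += 1
        zone = strip_reversed_ip(rec["qname"])
        by_zone[zone] += 1
        names[zone].add(rec["qname"])
    return {
        "parsed": parsed,
        "by_reason_server": by_reason_server,
        "by_zone": by_zone,
        "names": {z: sorted(n) for z, n in names.items()},
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("parsed %d resolver error lines" % s["parsed"])
    for (reason, server), n in s["by_reason_server"].most_common():
        print("%4d  %-22s from %s" % (n, reason, server))
    for zone, n in s["by_zone"].most_common():
        print("%4d  under %s" % (n, zone))
    first = parse_named_error(SAMPLE_LOG.splitlines()[0])
    print("follow-up: " + followup_dig(first))
```

Run it against the real file with `summarize(open("/var/log/messages").read())`; if every failing name collapses to one zone and one or two upstream addresses, the problem is on that zone's side (or on the path to those servers) rather than in the local validator configuration.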