DNSSEC requires that forwarders support DNSSEC. Check that the forwarders return DNSSEC records when they are queried. The forwarders should also be validating to filter spoofed responses from the internet. You should be getting an answer like this if the forwarders are validating.
[beetle:~] marka% dig +dnssec ds com

; <<>> DiG 9.15.4 <<>> +dnssec ds com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31284
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 5cf268bbbafd31a9010000005fdc081a24542baf0ffea0bb (good)
;; QUESTION SECTION:
;com.				IN	DS

;; ANSWER SECTION:
com.			40483	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			40483	IN	RRSIG	DS 8 1 86400 20201229170000 20201216160000 26116 . cgPgcSi6cq++komd2l+PzrCsawleAikedcwcGk5PbNr1onkXZGNypJoF
				7QQJ4GjMf4b7t+bO5f8szmo0cd2bz+DD0DMXoqUSFvEH4gOX9naoHcm0
				90MS5Wfdeg43gNDSot/U74RJS1CS50U3SreFd2ZFIik9MlCHrSFLf/9V
				7EqTJrs3xz9d/EG34O6qjaEqdw4GW40d3sA6kDGtSC+I9t4rttSEeasZ
				FnkZWLCOvzOLfYQlCVqaWpYCnvNdoQUPsbmDCEJf22tanPUft59hPRMu
				HmJAOKj77vy+kQWXaBcBo//NUX2asBLus8S7sJ9BDxpGUAsS9o+TdRlq
				YkIHBA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 18 12:38:34 AEDT 2020
;; MSG SIZE  rcvd: 395

[beetle:~] marka%

> On 18 Dec 2020, at 11:36, Nicolas Bock <[email protected]> wrote:
>
> Hi,
>
> When I configure my named to forward to our corporate DNS
> servers (10.0.0.2 and 10.0.0.3), I end up getting error
> messages such as
>
> Dec 17 20:58:06 dns-server named[843946]: fetch: www.canonical.com/A
> Dec 17 20:58:06 dns-server named[843946]: fetch: com/DS
> Dec 17 20:58:06 dns-server named[843946]: delete_node(): 0x7fa7e331e010 www.canonical.com (bucket 15)
> Dec 17 20:58:06 dns-server named[843946]: delete_node(): 0x7fa7e331b080 com (bucket 2)
> Dec 17 20:58:06 dns-server named[843946]: no valid RRSIG resolving 'com/DS/IN': 10.0.0.2#53
> Dec 17 20:58:06 dns-server named[843946]: delete_node(): 0x7fa7e331b080 com (bucket 2)
> Dec 17 20:58:06 dns-server named[843946]: no valid RRSIG resolving 'com/DS/IN': 10.0.0.3#53
> Dec 17 20:58:06 dns-server named[843946]: delete_node(): 0x7fa7e331b080 com (bucket 2)
> Dec 17 20:58:06 dns-server named[843946]: no valid DS resolving 'www.canonical.com/A/IN': 10.0.0.2#53
> Dec 17 20:58:06 dns-server named[843946]: delete_node(): 0x7fa7e331e010 www.canonical.com (bucket 15)
> Dec 17 20:58:06 dns-server named[843946]: validating www.canonical.com/A: bad cache hit (com/DS)
> Dec 17 20:58:06 dns-server named[843946]: delete_node(): 0x7fa7e331e010 www.canonical.com (bucket 15)
> Dec 17 20:58:06 dns-server named[843946]: broken trust chain resolving 'www.canonical.com/A/IN': 10.0.0.3#53
>
> I don't quite understand why. Are 10.0.0.{2,3} incorrectly
> set up for DNSSEC? It looks like DNSSEC is already breaking
> for com. How can I trace what the root cause is?
>
> Thanks!
>
> Nick
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
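The reply above tells you what to look for in the dig output: the `ad` flag in the header (the forwarder validated the answer), the `do` flag echoed in the OPT pseudosection (the forwarder honoured the DNSSEC OK bit), and an RRSIG covering the queried type in the ANSWER section. The script below is an added example, not part of Mark's reply or of BIND, that parses saved dig output and reports those three signals so the check can be scripted across several forwarders. The first sample is an abbreviation of the `dig +dnssec ds com` answer shown above; the second is a constructed answer of the kind a non-DNSSEC forwarder gives (no `ad`, no `do`, DS returned without its RRSIG). Function names are this example's own.

```python
import re

# Abbreviated copy of the validating answer shown in the reply (signature shortened).
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31284
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.\t\t\t\tIN\tDS

;; ANSWER SECTION:
com.\t\t\t40483\tIN\tDS\t30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.\t\t\t40483\tIN\tRRSIG\tDS 8 1 86400 20201229170000 20201216160000 26116 . cgPgcSi6cq++komd2l+PzrCsawleAikedcwcGk5PbNr1onkXZGNypJoF
\t\t\t\t7QQJ4GjMf4b7t+bO5f8szmo0cd2bz+DD0DMXoqUSFvEH4gOX9naoHcm0

;; Query time: 0 msec
"""

# Constructed answer from a forwarder that does not do DNSSEC: DO bit dropped,
# no AD flag, DS record handed back without the RRSIG that signs it.
NON_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.\t\t\t\tIN\tDS

;; ANSWER SECTION:
com.\t\t\t40483\tIN\tDS\t30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

;; Query time: 1 msec
"""


def parse_status(text):
    """RCODE from the ';; ->>HEADER<<-' line (NOERROR, SERVFAIL, ...)."""
    m = re.search(r"->>HEADER<<-.*?status: (\w+)", text)
    return m.group(1) if m else None


def parse_header_flags(text):
    """Header flag words (qr rd ra ad ...) from the ';; flags:' line."""
    m = re.search(r"^;; flags:([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()


def parse_edns_flags(text):
    """EDNS flag words from the OPT pseudosection; 'do' means DNSSEC OK was honoured."""
    m = re.search(r"^; EDNS: version: \d+, flags:([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()


def answer_records(text):
    """ANSWER SECTION as (name, ttl, class, type, rdata) tuples. dig wraps long
    rdata (RRSIG signatures) onto indented continuation lines; join them back."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";;"):
            break  # blank line or next ';;' header ends the section
        if line[0].isspace() and records:
            name, ttl, cls, rtype, rdata = records[-1]
            records[-1] = (name, ttl, cls, rtype, rdata + " " + line.strip())
            continue
        fields = line.split(None, 4)
        if len(fields) == 5:
            records.append(tuple(fields))
    return records


def assess(text, qtype):
    """Summarise whether a forwarder's answer shows DNSSEC support and validation."""
    status = parse_status(text)
    ad = "ad" in parse_header_flags(text)
    do = "do" in parse_edns_flags(text)
    # An RRSIG whose first rdata field names the queried type covers that RRset.
    rrsig = any(r[3] == "RRSIG" and r[4].split()[0] == qtype for r in answer_records(text))
    return {
        "status": status,
        "do": do,
        "ad": ad,
        "rrsig": rrsig,
        "validating": status == "NOERROR" and ad and rrsig,
    }


if __name__ == "__main__":
    for label, sample in (("validating", VALIDATING), ("non-validating", NON_VALIDATING)):
        print(label, assess(sample, "DS"))
```

Feed it the output of `dig +dnssec ds com @<forwarder>` for each forwarder in turn; an answer that lacks `do` and the RRSIG is the situation Mark describes, and a validating named behind such a forwarder will log "no valid RRSIG" for com/DS exactly as in the quoted messages.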

