Re: FreeBSD Trust Chain
Date: Thu, 13 Jan 2022 03:47:46 UTC
It appears that Tim Daneliuk <tundra@tundraware.com> said:
>One of our master named servers suddenly decided to quit resolving.
>After poking around we saw errors to the effect of "trust chain broken"
>in the named logs. Turning off dnssec validation fixed that (sort of) but
>that seems like the wrong way to take care of this problem.
>
>How do we go about validating and/or reinstalling the certificates needed
>for the trust chain to work again?

DNSSEC doesn't use certificates, it uses a chain of signatures starting at
the root. The only thing you need to get started is the root zone's key
signing key. That key hasn't changed in four years and every DNS cache
should ship with the current one, so if you're having validation problems,
something has been stomping on files on your computer.

You can get a copy of the root key at https://www.iana.org/dnssec/files

Or here it is:

. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
;;state=2 [ VALID ]
;;count=0
;;lastchange=1502433573 ;;Fri Aug 11 02:39:33 2017

R's,
John
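The reply says the only thing a validating resolver needs is the root key signing key, and gives the DNSKEY record. Before dropping a copy of that record into a resolver's trust-anchor file, it is worth checking that the copy is intact: compute its key tag (RFC 4034 Appendix B) and its DS digest (SHA-256 over the canonical owner name plus the DNSKEY RDATA, RFC 4509) and compare them with the "id = 20326" comment in the message and with the DS record IANA publishes at the URL above. The script below is an added example, not code from the message or from any resolver; the DNSKEY text is copied from the message, and the field layout "<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64>" is assumed.

```python
import base64
import hashlib
import struct

# Root KSK copied verbatim from the message above (IANA's root trust anchor, KSK-2017).
ROOT_KSK_RECORD = (
    ". 172800 IN DNSKEY 257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
    " ;{id = 20326 (ksk), size = 2048b}"
)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, zero terminator."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR into its fields; a trailing ';' comment is ignored."""
    fields = line.split(";", 1)[0].split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError("expected '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64>'")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[4:7])
    key_bytes = base64.b64decode("".join(fields[7:]))  # base64 may be split over several words
    return owner, flags, protocol, algorithm, key_bytes


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(key_bytes):
    """Modulus size of an RFC 3110 RSA public key (exponent-length prefix, exponent, modulus)."""
    exp_len = key_bytes[0]
    offset = 1
    if exp_len == 0:  # long form: a two-byte exponent length follows the zero byte
        exp_len = struct.unpack("!H", key_bytes[1:3])[0]
        offset = 3
    return (len(key_bytes) - offset - exp_len) * 8


def check_trust_anchor(line):
    """Derive what a resolver compares against the published anchor: key tag, KSK flags, DS digest."""
    owner, flags, protocol, algorithm, key_bytes = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key_bytes
    tag = key_tag(rdata)
    # DS digest type 2 is SHA-256 over the canonical owner name followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": tag,
        "is_ksk": bool(flags & 0x100) and bool(flags & 0x1),  # zone-key bit and SEP bit both set
        "algorithm": algorithm,
        "key_bits": rsa_modulus_bits(key_bytes) if algorithm in (5, 7, 8, 10) else None,
        "ds": f"{owner} IN DS {tag} {algorithm} 2 {digest}",
    }


if __name__ == "__main__":
    for field, value in check_trust_anchor(ROOT_KSK_RECORD).items():
        print(f"{field}: {value}")
```

The key tag and the "size = 2048b" from the message's comment are checked by the script itself; the DS line it prints is what to compare, character by character, with the DS record in IANA's root-anchors file. A copy whose base64 has been truncated or mangled by a stray edit (the "something has been stomping on files" case above) will produce a different tag or digest, which is a quicker diagnosis than reading "trust chain broken" in the named logs.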