Is dnssec subject to intermittent failures?
John Levine
johnl at iecc.com
Fri Jul 16 01:32:40 UTC 2021
It appears that Dewayne Geraghty <dewayne at heuristicsystems.com.au> said:
>A few weeks ago I modified my named.conf to include
>dnssec-validation auto;
>after some testing we inserted into production.
>
>Today my named refused to resolve with these messages:
>
>In lame-servers.log (hundreds of these)
>16-Jul-2021 06:04:47.412 broken trust chain resolving
>'googlemail.l.google.com/A/IN'
>
>and a little later in default.log
>16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479
>(freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for
>freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
>16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845
>(googlemail.com): query failed (broken trust chain) for
>googlemail.com/IN/A at query.c:6818
Something is screwed up at your end. None of those three domains are
signed with DNSSEC so there shouldn't be anything to fail.