Date: 12 Jan 2022 22:47:46 -0500
From: "John Levine" <johnl@iecc.com>
To: freebsd-questions@freebsd.org
Cc: tundra@tundraware.com
Subject: Re: FreeBSD Trust Chain
Message-ID: <20220113034748.8646A34B2207@ary.qy>
In-Reply-To: <42acf221-9f2a-86d3-3a7f-1d5568fce9b9@tundraware.com>
It appears that Tim Daneliuk <tundra@tundraware.com> said:
>One of our master named servers suddenly decided to quit resolving.
>After poking around we saw errors to the effect of "trust chain broken"
>in the named logs. Turning off dnssec validation fixed that (sort of) but
>that seems like the wrong way to take care of this problem.
>
>How do we go about validating and/or reinstalling the certificates needed
>for the trust chain to work again?

DNSSEC doesn't use certificates, it uses a chain of signatures starting
at the root. The only thing you need to get started is the root zone's
key signing key. That key hasn't changed in four years and every DNS
cache should ship with the current one, so if you're having validation
problems, something has been stomping on files on your computer.

You can get a copy of the root key at https://www.iana.org/dnssec/files

Or here it is:

. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
;;state=2 [ VALID ]
;;count=0
;;lastchange=1502433573 ;;Fri Aug 11 02:39:33 2017

R's,
John
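The practical check behind John's answer is to confirm that the root KSK your resolver actually trusts is the genuine one, rather than turning validation off. The script below is an added example, not part of the thread: it parses the DNSKEY line quoted in the message, recomputes the RFC 4034 key tag (which should come out as the 20326 shown in the `;{id = ...}` comment) and the SHA-256 DS digest over the wire-format owner name plus RDATA, and compares both against the published root trust anchor. The DS digest it compares against is the IANA root-anchors value for key tag 20326; the record text is copied from the message above.

```python
import base64
import hashlib
import struct

# Constructed input: the root KSK DNSKEY record exactly as quoted in the
# message above (presentation format: owner TTL class type flags proto alg key).
ROOT_KSK_PRESENTATION = (
    ". 172800 IN DNSKEY 257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHl"
    "FlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2"
    "R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv"
    "7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8"
    "HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= "
    ";{id = 20326 (ksk), size = 2048b}"
)

# Published IANA trust anchor for the root KSK (key tag 20326, algorithm 8,
# digest type 2). Compare your own copy against https://www.iana.org/dnssec/files.
IANA_ROOT_KEY_TAG = 20326
IANA_ROOT_DS_SHA256 = (
    "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
)


def parse_dnskey(line):
    """Parse a DNSKEY record in presentation format; ';' starts a comment.
    Returns (owner, flags, protocol, algorithm, key_bytes)."""
    fields = line.split(";", 1)[0].split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return owner, flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Owner name in canonical (lowercase) wire format; the root is one zero byte."""
    if owner == ".":
        return b"\x00"
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over wire-format owner name followed by RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def check_trust_anchor(line, expected_tag=IANA_ROOT_KEY_TAG,
                       expected_ds=IANA_ROOT_DS_SHA256):
    """Recompute key tag and DS for a DNSKEY line and compare to the expected anchor."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    tag = key_tag(rdata)
    ds = ds_sha256(owner, rdata)
    return {
        "owner": owner,
        "is_ksk": (flags & 0x0101) == 0x0101,  # ZONE (256) and SEP (1) bits set
        "algorithm": algorithm,
        "key_bits": (len(key) - 4) * 8,  # RSA key: 1-byte exp len + 3-byte exp + modulus
        "key_tag": tag,
        "ds_sha256": ds,
        "ok": tag == expected_tag and ds == expected_ds,
    }


if __name__ == "__main__":
    result = check_trust_anchor(ROOT_KSK_PRESENTATION)
    for k, v in result.items():
        print(f"{k:10} {v}")
```

Feed it the DNSKEY line from the resolver's own trust-anchor file (the `trusted-keys`/`managed-keys` data in BIND's configuration, or the file its `dnssec-validation auto` setting maintains) instead of the constant; a key tag other than 20326 or a mismatched DS means the anchor on disk is not the root KSK the rest of the chain is signed under, which is the "something has been stomping on files" case John describes.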