Date: Fri, 16 Jul 2021 10:16:40 +1000
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Is dnssec subject to intermittent failures?
Message-ID: <9c03e923-5794-3bd2-5b27-b18592b95fd7@heuristicsystems.com.au>
A few weeks ago I modified my named.conf to include
dnssec-validation auto;
after some testing we inserted into production.

Today my named refused to resolve with these messages:

In lame-servers.log (hundreds of these)
16-Jul-2021 06:04:47.412 broken trust chain resolving 'googlemail.l.google.com/A/IN'

and a little later in default.log
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479 (freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845 (googlemail.com): query failed (broken trust chain) for googlemail.com/IN/A at query.c:6818

After commenting out the validation line and HUPing named, it functioned correctly. I repeated by reapplying dnssec-validation and it again refused to resolve.

Is something in dnssec misbehaving or am I just being lucky?

Regards, Dewayne.
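
The two log formats quoted in the message can be summarized to show whether the "broken trust chain" failures cluster under one zone or span unrelated ones, and over what time window. This is an added example, not part of the original message; the function names, the per-TLD grouping and the fourth sample line are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the three lines quoted in the message, plus one constructed
# line (example.test, SERVFAIL) to show that unrelated failures are skipped.
SAMPLE_LOG = """\
16-Jul-2021 06:04:47.412 broken trust chain resolving 'googlemail.l.google.com/A/IN'
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479 (freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845 (googlemail.com): query failed (broken trust chain) for googlemail.com/IN/A at query.c:6818
16-Jul-2021 06:20:00.000 client @0x2c66fc00 127.0.5.91#8846 (example.test): query failed (SERVFAIL) for example.test/IN/A at query.c:6818
"""

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
# lame-servers.log form: 'name/TYPE/CLASS' in single quotes.
RESOLVER = re.compile(
    TS + r" broken trust chain resolving '(?P<name>[^/']+)/(?P<type>\w+)/(?P<cls>\w+)'")
# default.log form: client address, then name/CLASS/TYPE after "for".
CLIENT = re.compile(
    TS + r" client \S+ (?P<client>[^#\s]+)#\d+ \([^)]*\): "
    r"query failed \(broken trust chain\) for (?P<name>[^/\s]+)/(?P<cls>\w+)/(?P<type>\w+)")

def parse(text):
    """Return one dict per 'broken trust chain' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        for source, rx in (("resolver", RESOLVER), ("client", CLIENT)):
            m = rx.match(line)
            if m:
                events.append({
                    "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
                    "source": source,
                    "client": m.groupdict().get("client"),
                    "name": m["name"].rstrip(".").lower(),
                    "type": m["type"],
                })
                break
    return events

def summarize(events):
    """Count failures per top-level domain and report the affected time window."""
    times = sorted(e["ts"] for e in events)
    by_tld = Counter(e["name"].rsplit(".", 1)[-1] for e in events)
    return {"total": len(events), "by_tld": dict(by_tld),
            "first": times[0] if times else None,
            "last": times[-1] if times else None}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```
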
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9c03e923-5794-3bd2-5b27-b18592b95fd7>