Date:      15 Jul 2021 21:32:36 -0400
From:      "John Levine" <johnl@iecc.com>
To:        freebsd-questions@freebsd.org
Cc:        dewayne@heuristicsystems.com.au
Subject:   Re: Is dnssec subject to intermittent failures?
Message-ID:  <20210716013236.E25D023C384C@ary.qy>
In-Reply-To: <9c03e923-5794-3bd2-5b27-b18592b95fd7@heuristicsystems.com.au>

It appears that Dewayne Geraghty <dewayne@heuristicsystems.com.au> said:
>A few weeks ago I modified my named.conf to include
>dnssec-validation auto;
>after some testing we inserted into production.
>
>Today my named refused to resolve with these messages:
>
>In lame-servers.log (hundreds of these)
>16-Jul-2021 06:04:47.412 broken trust chain resolving
>'googlemail.l.google.com/A/IN'
>
>and a little later in default.log
>16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479
>(freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for
>freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
>16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845
>(googlemail.com): query failed (broken trust chain) for
>googlemail.com/IN/A at query.c:6818

Something is screwed up at your end.  None of those three domains are
signed with DNSSEC so there shouldn't be anything to fail.
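
Added example, not part of the original message: a small Python triage script that pulls the names behind "broken trust chain" entries out of both log formats quoted above, so each one can be checked for a DS record at its parent. The sample log is constructed from the quoted lines rejoined onto single lines, plus one constructed SERVFAIL line; the function and variable names are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample: the entries quoted in the message, rejoined onto single
# lines as named writes them, plus one constructed non-DNSSEC failure.
SAMPLE_LOG = """\
16-Jul-2021 06:04:47.412 broken trust chain resolving 'googlemail.l.google.com/A/IN'
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479 (freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845 (googlemail.com): query failed (broken trust chain) for googlemail.com/IN/A at query.c:6818
16-Jul-2021 06:19:01.000 client @0x2c66fc00 127.0.5.91#8846 (example.org): query failed (SERVFAIL) for example.org/IN/A at query.c:6818
"""

# Resolver-side entry (lame-servers.log): quoted name/TYPE/CLASS.
RESOLVER_RE = re.compile(r"broken trust chain resolving '([^/']+)/(\w+)/(\w+)'")
# Client-side entry (default.log): name/CLASS/TYPE after "for".
CLIENT_RE = re.compile(r"query failed \(broken trust chain\) for (\S+?)/(\w+)/(\w+) ")


def broken_chain_names(log_text):
    """Count broken-trust-chain failures per (lowercased qname, qtype)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RESOLVER_RE.search(line)
        if m:
            name, qtype = m.group(1), m.group(2)   # TYPE comes second here
        else:
            m = CLIENT_RE.search(line)
            if not m:
                continue                           # not a trust-chain failure
            name, qtype = m.group(1), m.group(3)   # TYPE comes third here
        name = name.lower().rstrip(".") or "."     # normalise; keep the root as "."
        hits[(name, qtype)] += 1
    return hits


if __name__ == "__main__":
    for (name, qtype), count in sorted(broken_chain_names(SAMPLE_LOG).items()):
        print(f"{count:4d}  {name}  {qtype}")
```

An empty answer to a DS query for a zone at its parent means the zone is unsigned, which is the property the reply relies on for these names.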
