Is dnssec subject to intermittent failures?
dewayne at heuristicsystems.com.au
Fri Jul 16 00:50:08 UTC 2021
A few weeks ago I modified my named.conf to include
after some testing we inserted into production.
Today my named refused to resolve with these messages:
In lame-servers.log (hundreds of these)
16-Jul-2021 06:04:47.412 broken trust chain resolving
and a little later in default.log
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479
(freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for
freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845
(googlemail.com): query failed (broken trust chain) for
googlemail.com/IN/A at query.c:6818
After commenting out the validation line and HUPing named, it functioned
correctly. I repeated by reapplying dnssec-validation and again refused
Is something in dnssec misbehaving or am I just being lucky?
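
A triage sketch for the log excerpts in the post above, added here as an example and not part of the original message: it rejoins the wrapped default.log records and groups failed queries by reason, showing how many distinct names failed and over what time window. The function names are hypothetical; the sample input is the post's own log lines, wrapped as they appear there.

```python
import re
from collections import defaultdict
from datetime import datetime

# A BIND log record starts with a timestamp such as "16-Jul-2021 06:17:09.018".
TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
# Query-error record in the shape quoted in the post.
REC = re.compile(
    r"^(?P<ts>\S+ \S+) client @0x[0-9a-f]+ [^#\s]+#\d+ "
    r"\((?P<qname>[^)]+)\): query failed \((?P<reason>[^)]+)\) for \S+/IN/\w+")

def rejoin(lines):
    """Merge wrapped continuation lines into one record per timestamp."""
    records = []
    for line in (l.strip() for l in lines):
        if not line:
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(lines):
    """Per failure reason: record count, distinct names, first and last time."""
    out = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    for rec in rejoin(lines):
        m = REC.match(rec)
        if not m:
            continue  # truncated or unrelated record, e.g. the lame-servers line
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        s = out[m["reason"]]
        s["count"] += 1
        s["names"].add(m["qname"].lower())
        s["first"] = min(s["first"] or ts, ts)
        s["last"] = max(s["last"] or ts, ts)
    return dict(out)

# Log lines as quoted (and wrapped) in the post.
SAMPLE = """\
16-Jul-2021 06:04:47.412 broken trust chain resolving
16-Jul-2021 06:17:09.018 client @0x2e3be400 127.0.5.91#47479
(freebsd.org.lookup.dkimwl.org): query failed (broken trust chain) for
freebsd.org.lookup.dkimwl.org/IN/A at query.c:6818
16-Jul-2021 06:19:00.604 client @0x2c66fc00 127.0.5.91#8845
(googlemail.com): query failed (broken trust chain) for
googlemail.com/IN/A at query.c:6818
"""

if __name__ == "__main__":
    for reason, s in summarize(SAMPLE.splitlines()).items():
        print(reason, s["count"], sorted(s["names"]), s["last"] - s["first"])
```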