broken trust chain


Youssef.FassiFihri

Hi All,


I am using BIND as a resolver for end users.


At various times, BIND logs show "broken trust chain" continuously for about 20 to 30 minutes, causing an increase in "recursive clients" shown in "rndc status" and a decrease in the "DNS success rate" KPI monitored from the end-user side. Then the error disappears and everything is OK.


The problem appears on different servers at different times.


What could be the problem?


Regards,




« This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that have been modified, changed or falsified.

If you have received this email in error, please notify the sender and delete this message and its attachments.

Thank you. »


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

RE: broken trust chain

Bind-Users forum mailing list

What version of BIND are you using?

 

John

 

From: bind-users [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Tuesday, July 28, 2020 6:10 PM
To: [hidden email]
Subject: broken trust chain

 


Re: broken trust chain

Mark Andrews
In reply to this post by Youssef.FassiFihri
A network link that is dropping packets can trigger EDNS failures in versions of
BIND before 9.13.3.  These versions have code to compensate for servers that
fail to respond to EDNS queries, fail to respond to EDNS queries with DO=1,
or fail to respond to queries with (particular) EDNS options set. BIND would
fall back to plain DNS queries to work around these issues, but that broke
DNSSEC when the answers were coming from a signed zone and the packet loss
was due to network issues.

5029.   [func]          Workarounds for servers that misbehave when queried
                        with EDNS have been removed, because these broken
                        servers and the workarounds for their noncompliance
                        cause unnecessary delays, increase code complexity,
                        and prevent deployment of new DNS features. See
                        https://dnsflagday.net for further details. [GL #150]


> On 29 Jul 2020, at 09:10, <[hidden email]> <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


RE: broken trust chain

Youssef.FassiFihri

Thank you, Andrews.



From: Mark Andrews <[hidden email]>
Sent: Wednesday, 29 July 2020 02:15:24
To: Youssef Fassi Fihri
Cc: [hidden email]
Subject: Re: broken trust chain
 