Wednesday, November 13, 2013

Named: error (broken trust chain)

My DNS server keeps logging complaints similar to this:
error (broken trust chain) resolving '0.ubuntu.pool.ntp.org/AAAA/IN': 208.67.220.220#53
From searching on Google, many people suggested that the problem lies in the accuracy of the system clock, so the clock needs to be updated. (DNSSEC signatures carry inception and expiration times, so a clock that is far off makes every signature look expired or not yet valid.)

I updated my system clock using ntpdate, but the bind9 error logs didn't change.

After spending some time tinkering with this weird problem, I stumbled upon an old mailing list discussion about DNSSEC. There was a bug in the BIND version of the time that produced similar error output when BIND was configured to forward queries to another resolver (the 208.67.220.220#53 in the log line above is the server that supplied the answer, i.e. such a forwarder).

I immediately changed my named.conf.options from the following:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

to this one:
dnssec-enable no;
dnssec-validation no;

and then restarted the bind9 service (I am using Ubuntu 12.04):
service bind9 restart

Finally, business went back to normal!

I haven't dug deeply into this issue. Once I figure out the cause, I'll update this post.

A word of caution on this workaround: dnssec-validation no makes the error disappear because named stops checking signatures altogether, not because the chain of trust has been repaired, so answers that validation would have rejected are now accepted as-is. The message itself means named could not build a chain of trust from its trust anchor (normally the root key) down to the record it was asked for. The usual causes are a system clock far enough off that signatures look expired or not yet valid, a forwarder that does not return the DNSSEC records (RRSIG, DS, DNSKEY) needed for validation, a signed zone whose own signatures are broken, or an actual forged answer. Comparing which names and which upstream server show up in the errors is the quickest way to tell these apart. Note also that dnssec-lookaside auto refers to ISC's DLV registry, which was retired in 2017; that line is obsolete on current BIND versions and should be dropped rather than kept.
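Before switching validation off, it is worth looking at what the errors actually say. The script below is an added example for this post, not code from the post or from ISC BIND: it parses named's "error (...) resolving 'name/type/IN': server#port" lines, groups the failures by the server that supplied the answer, and labels each server "resolver-wide" (unrelated zones all fail through it, which points at our clock or at the forwarder) or "single-zone" (only one zone fails, which points at that zone's signing or at a forged answer). The log lines are constructed, modelled on the one quoted above, and the rrsig_window_ok helper shows the clock dependence: an RRSIG is only valid between its inception and expiration timestamps.

```python
"""Triage 'broken trust chain' lines from a BIND (named) log.

Added example for this post; not code from the post or from ISC BIND.
The log lines in SAMPLE_LOG are constructed, modelled on the one quoted above.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log: two names through one forwarder fail the same way,
# a third name fails through a different forwarder, plus an unrelated line.
SAMPLE_LOG = """\
Nov 13 10:02:11 ns1 named[1234]: error (broken trust chain) resolving '0.ubuntu.pool.ntp.org/AAAA/IN': 208.67.220.220#53
Nov 13 10:02:11 ns1 named[1234]: error (broken trust chain) resolving '0.ubuntu.pool.ntp.org/A/IN': 208.67.220.220#53
Nov 13 10:02:15 ns1 named[1234]: error (broken trust chain) resolving 'security.ubuntu.com/A/IN': 208.67.220.220#53
Nov 13 10:02:19 ns1 named[1234]: error (no valid RRSIG) resolving 'www.example.com/A/IN': 208.67.222.222#53
Nov 13 10:02:20 ns1 named[1234]: client 10.0.0.5#41234: query: www.example.com IN A + (10.0.0.1)
"""

# named's validation-failure format:
#   error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>
ERROR_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)


def parse_validation_errors(log_text):
    """Return one dict per validation-failure line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["name"] = ev["name"].rstrip(".").lower()
            events.append(ev)
    return events


def parent_zone(name):
    """Crude zone key: the last two labels. Good enough for grouping, not a PSL lookup."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def triage(events):
    """Group failures by the server that supplied the answer (the address after
    the colon) and say which kind of problem the pattern points at."""
    zones_by_server = defaultdict(set)
    for ev in events:
        zones_by_server[ev["server"]].add(parent_zone(ev["name"]))
    verdicts = {}
    for server, zones in zones_by_server.items():
        if len(zones) > 1:
            # Unrelated zones all failing through one server: the problem is on
            # our side or the forwarder's (clock skew, or a forwarder that does
            # not return RRSIG/DS/DNSKEY), not in those zones.
            verdicts[server] = "resolver-wide"
        else:
            # Only one zone fails: that zone's own signing (expired RRSIG,
            # DS/DNSKEY mismatch) or a forged answer for that zone.
            verdicts[server] = "single-zone"
    return {
        "reasons": Counter(ev["reason"] for ev in events),
        "zones_by_server": {s: sorted(z) for s, z in zones_by_server.items()},
        "verdicts": verdicts,
    }


def _as_utc(value):
    """Accept a tz-aware datetime or an RRSIG-style YYYYMMDDHHMMSS string (UTC)."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window_ok(inception, expiration, now):
    """Why the clock matters: an RRSIG only validates while
    inception <= now <= expiration. A clock years off fails every signature."""
    return _as_utc(inception) <= _as_utc(now) <= _as_utc(expiration)


if __name__ == "__main__":
    report = triage(parse_validation_errors(SAMPLE_LOG))
    for server, verdict in report["verdicts"].items():
        zones = ", ".join(report["zones_by_server"][server])
        print(f"{server}: {verdict} ({zones})")
```

Run it against your own /var/log/syslog (or wherever named logs) by replacing SAMPLE_LOG with the file contents. If every zone fails through the one forwarder, check the clock first and then whether that forwarder returns RRSIG records at all; if only one zone fails, the zone's own DNSSEC is the first suspect. The parent_zone grouping is deliberately crude (last two labels), which is enough for triage but will lump together names under shared suffixes such as co.uk.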

10 comments:

  1. Thank you for your post! This was exactly my issue.

  2. Arif, thx man... this is exactly my symptom. Yup, looks like a BIND bug, because this doesn't happen with Unbound.

  3. Thank you, same problem solved by your post!

  4. It is about the server's wrong date. Check your server's date!

  5. Just another "me too" - thank you, this post solved my problem as well.

  6. This comment has been removed by the author.

  7. Great post man, fixed my Ubuntu problem too. But I actually went from dnssec-validation auto; to dnssec-validation no; and poof, it succeeded. Thanks!

  8. Very good info, this solved the problem, but note that it seems to be the case that there is usually some DNS poisoning going on which causes this error. Under normal circumstances you should not receive this, and it is usually a good warning if you get this no matter what domain is queried.

  9. Any idea why this issue is coming up? We are having the same issue and it got resolved by restarting the named server, but we didn't find out why this is happening. To me it seems like a bug in "9.8.2-0.37.rc1.el6_7.6"; updating it to "9.8.2-0.62.rc1.el6_9.4" will resolve the issue (hypothetical).

    Please, if you have figured out anything else, reply asap.