Forum: >>> Magnum BBS <<<

broken trust chain

From Youssef.FassiFihri@inwi.ma@21:1/5 to All on Tue Jul 28 23:10:25 2020

Hi All,

I am using Bind as resolver for end users .

At various time, bind logs show "broken trust chain" continuously , for about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of "DNS sucess rate KPI" supervised from end users side. then the error
disappear and everything is OK.

the problem appears on different server at different time.

What could be the problem?

Regards,

________________________________

� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L'int�grit� des messages �lectroniques n'�tant
pas garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�.

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l'exp�diteur et le d�truire y compris les pi�ces jointes.

Merci. �

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that
have been modified, changed or falsified.

If you have received this email in error, please notify the sender and delete this message and its attachments.

Thank you. �

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
Hi All,
 

I am using Bind as resolver for end users  .
 

At various time, bind logs show "broken trust chain" continuously  , for about 20mn  ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of 
"DNS sucess rate KPI" supervised from end users side.  then
the error disappear and everything is OK.
 

the problem appears on different server at different time. 

What could be the problem?
 

Regards, 
</div>

 
� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L’int�grit� des messages �lectroniques n&#
8217;�tant pas
garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�. 

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l’exp�diteur et le d�truire y compris les pi�ces jointes. 

Merci. � 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that
have
been modified, changed or falsified. 

If you have received this email in error, please notify the sender and delete this message and its attachments. 

Thank you. � 


</body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From John W. Blue@21:1/5 to All on Tue Jul 28 23:30:54 2020

What version of BIND are you using?

John

From: bind-users [mailto:bind-users-bounces@lists.isc.org] On Behalf Of Youssef.FassiFihri@inwi.ma
Sent: Tuesday, July 28, 2020 6:10 PM
To: bind-users@lists.isc.org
Subject: broken trust chain

Hi All,

I am using Bind as resolver for end users .

At various time, bind logs show "broken trust chain" continuously , for about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of "DNS sucess rate KPI" supervised from end users side. then the error
disappear and everything is OK.

the problem appears on different server at different time.

What could be the problem?

Regards,

________________________________

� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L'int�grit� des messages �lectroniques n'�tant
pas garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�.

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l'exp�diteur et le d�truire y compris les pi�ces jointes.

Merci. �

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that
have been modified, changed or falsified.

If you have received this email in error, please notify the sender and delete this message and its attachments.

Thank you. �

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
What version of BIND are you using?<o:p></o:p>
<o:p> </o:p>
John<o:p></o:p>
<o:p> </o:p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
From: bind-users [mailto:bind-users-bounces@
lists.isc.org]
On Behalf Of Youssef.FassiFihri@inwi.ma 
Sent: Tuesday, July 28, 2020 6:10 PM 
To: bind-users@lists.isc.org 
Subject: broken trust chain<o:p></o:p>
</div>
</div>
<o:p> </o:p>
<div id="divtagdefaultwrapper">
Hi All,<o:p></o:p>
<o:p> </o:p>
I am using Bind as resolver for end users  .<o:p></o:p>
<o:p> </o:p>
At various time, bind logs show "broken trust chain" continuously  , for about 20mn  ~ 30 mn causing an increase of "recursive clients&
quot; shown in "rndc status" and a decrease of  "DNS sucess rate
KPI" supervised from end users side.  then the error disappear and everything is OK.<o:p></o:p>
<o:p> </o:p>
the problem appears on different server at different time.<o:p></o:p>
<o:p> </o:p>
What could be the problem?<o:p></o:p>
<o:p> </o:p>
Regards, <o:p></o:p>
</div>
<o:p> </o:p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
 
� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L’int�grit� des messages �lectroniques n&#
8217;�tant pas
garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�. 

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l’exp�diteur et le d�truire y compris les pi�ces jointes. 

Merci. � 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that
have
been modified, changed or falsified. 

If you have received this email in error, please notify the sender and delete this message and its attachments. 

Thank you. �<o:p></o:p>
</div>
</body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Mark Andrews@21:1/5 to All on Wed Jul 29 11:15:24 2020

Copy: bind-users@lists.isc.org

A network link that is dropping packets can trigger EDNS failures in versions of
BIND before 9.13.3. These versions have code to compensate for servers that fail to respond to EDNS queries or fail to respond to EDNS queries with DO=1
or fail to respond to queries with (particular) EDNS options set. BIND would fallback to plain DNS queries to workaround these issues, but that broke
DNSSEC when the answers where coming from a signed zone and the packet loss
is due to network issues.

5029. [func] Workarounds for servers that misbehave when queried
with EDNS have been removed, because these broken
servers and the workarounds for their noncompliance
cause unnecessary delays, increase code complexity,
and prevent deployment of new DNS features. See
https://dnsflagday.net for further details. [GL #150]

On 29 Jul 2020, at 09:10, <Youssef.FassiFihri@inwi.ma> <Youssef.FassiFihri@inwi.ma> wrote:

Hi All,

I am using Bind as resolver for end users .

At various time, bind logs show "broken trust chain" continuously , for about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of "DNS sucess rate KPI" supervised from end users side. then the error

disappear and everything is OK.

the problem appears on different server at different time.

What could be the problem?

Regards,

« Ce message et toutes les pièces y jointes sont susceptibles de contenir des informations confidentielles ou privilégiées, lesquelles ne doivent être reproduites, diffusées ou exploitées sans autorisation. L’intégrité des messages é

lectroniques n’étant pas garantie, WANA CORPORATE décline toute responsabilité dans le cas où ce message aurait été altéré, déformé ou falsifié.

Ce message est établi à l'attention exclusive de ses destinataires. Si vous avez reçu ce message par erreur, veuillez le signaler à l’expéditeur et le détruire y compris les pièces jointes.

Merci. »

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

« This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages

that have been modified, changed or falsified.

If you have received this email in error, please notify the sender and delete this message and its attachments.

Thank you. »

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Youssef.FassiFihri@inwi.ma@21:1/5 to All on Wed Jul 29 10:31:19 2020

Copy: bind-users@lists.isc.org

Thank you, Andrews.

________________________________
De : Mark Andrews <marka@isc.org>
Envoy� : mercredi 29 juillet 2020 02:15:24
� : Youssef Fassi Fihri
Cc : bind-users@lists.isc.org
Objet : Re: broken trust chain

A network link that is dropping packets can trigger EDNS failures in versions of
BIND before 9.13.3. These versions have code to compensate for servers that fail to respond to EDNS queries or fail to respond to EDNS queries with DO=1
or fail to respond to queries with (particular) EDNS options set. BIND would fallback to plain DNS queries to workaround these issues, but that broke
DNSSEC when the answers where coming from a signed zone and the packet loss
is due to network issues.

5029. [func] Workarounds for servers that misbehave when queried
with EDNS have been removed, because these broken
servers and the workarounds for their noncompliance
cause unnecessary delays, increase code complexity,
and prevent deployment of new DNS features. See
https://dnsflagday.net for further details. [GL #150]

On 29 Jul 2020, at 09:10, <Youssef.FassiFihri@inwi.ma> <Youssef.FassiFihri@inwi.ma> wrote:

Hi All,

I am using Bind as resolver for end users .

At various time, bind logs show "broken trust chain" continuously , for about 20mn ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of "DNS sucess rate KPI" supervised from end users side. then the error

disappear and everything is OK.

the problem appears on different server at different time.

What could be the problem?

Regards,

� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L�int�grit� des messages �lectroniques n��

tant pas garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�.

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l�exp�diteur et le d�truire y compris les pi�ces jointes.

Merci. �

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that

have been modified, changed or falsified.

If you have received this email in error, please notify the sender and delete this message and its attachments.

Thank you. �

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

________________________________

� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L�int�grit� des messages �lectroniques n��tant
pas garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�.

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l�exp�diteur et le d�truire y compris les pi�ces jointes.

Merci. �

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that
have been modified, changed or falsified.

If you have received this email in error, please notify the sender and delete this message and its attachments.

Thank you. �

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> <meta name="Generator" content="Microsoft Exchange Server">
<style></style>
</head>
<body>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
{margin-top:0;
margin-bottom:0}

</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
Thank you,  Andrews. 

 

</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr">De : Mark Andrews <marka@isc.org> 
Envoy� : mercredi 29 juillet 2020 02:15:24 
� : Youssef Fassi Fihri 
Cc : bind-users@lists.isc.org 
Objet : Re: broken trust chain
<div> </div>
</div>
</div>

<div class="PlainText">A network link that is dropping packets can trigger EDNS failures in versions of 
BIND before 9.13.3.  These versions have code to compensate for servers that 
fail to respond to EDNS queries or fail to respond to EDNS queries with DO=1 
or fail to respond to queries with (particular) EDNS options set. BIND would 
fallback to plain DNS queries to workaround these issues, but that broke DNSSEC when the answers where coming from a signed zone and the packet loss is due to network issues. 

5029.   [func]          Workarounds for servers that misbehave when queried 
                        with EDNS have been removed, because these broken 
                        servers and the workarounds for their noncompliance 
                        cause unnecessary delays, increase code complexity, 
                        and prevent deployment of new DNS features. See 
                        <a href="https://dnsflagday.net">https://dnsflagday.net</a> for further details. [GL #150] 

> On 29 Jul 2020, at 09:10, <Youssef.FassiFihri@inwi.ma> <Youssef.FassiFihri@inwi.ma> wrote: 
> 
> Hi All, 
> 
> I am using Bind as resolver for end users  . 
> 
> At various time, bind logs show "broken trust chain" continuously  , for about 20mn  ~ 30 mn causing an increase of "recursive clients" shown in "rndc status" and a decrease of  "DNS sucess rate KPI&
quot; supervised from end users side.  then the error disappear
and everything is OK. 
> 
> the problem appears on different server at different time. 
> 
> What could be the problem? 
> 
> Regards, 
> 
> 
> � Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L�int�grit� des messages �lectroniques n��
tant pas
garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�. 
> 
> Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l�exp�diteur et le d�truire y compris les pi�ces jointes. 
> 
> Merci. � 
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<

> 
> � This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages
that have
been modified, changed or falsified. 
> 
> If you have received this email in error, please notify the sender and delete this message and its attachments. 
> 
> Thank you. � 
> 
> _______________________________________________ 
> Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list 
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at
<a href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information. 
> 
> 
> bind-users mailing list 
> bind-users@lists.isc.org 
> <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> 

-- 
Mark Andrews, ISC 
1 Seymour St., Dundas Valley, NSW 2117, Australia 
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org 

</div>
 

 
� Ce message et toutes les pi�ces y jointes sont susceptibles de contenir des informations confidentielles ou privil�gi�es, lesquelles ne doivent �tre reproduites, diffus�es ou exploit�es sans autorisation. L�int�grit� des messages �lectroniques n��tant
pas
garantie, WANA CORPORATE d�cline toute responsabilit� dans le cas o� ce message aurait �t� alt�r�, d�form� ou falsifi�. 

Ce message est �tabli � l'attention exclusive de ses destinataires. Si vous avez re�u ce message par erreur, veuillez le signaler � l�exp�diteur et le d�truire y compris les pi�ces jointes. 

Merci. � 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 

� This message and its attachments may contain confidential or privileged information that should not be copied, distributed or used without authorization. As the integrity of emails may not be guaranteed, WANA CORPORATE is not liable for messages that
have
been modified, changed or falsified. 

If you have received this email in error, please notify the sender and delete this message and its attachments. 

Thank you. � 


</body>
</html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	296
Nodes:	16 (2 / 14)
Uptime:	91:31:14
Calls:	6,658
Files:	12,203
Messages:	5,334,171

broken trust chain

Who's Online

System Info