# host google.com <http://google.com> 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
Host google.com <http://google.com> not found: 2(SERVFAIL)
[root@rn6 etc]# systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
...
Jun 13 01:40:05 rn6.abc.local named[32171]: broken trust chain
resolving
'google.com/A/IN <http://google.com/A/IN>': 208.67.220.220#53
Found in /var/log/messages:
Jun 13 01:43:12 rn6 named[32171]: validating google.com/A
<http://google.com/A>: bad cache hit
(com/DS)
Jun 13 01:43:12 rn6 named[32171]: broken trust chain resolving
'google.com/A/IN <http://google.com/A/IN>': 208.67.220.220#53
I added this to named.conf, options block:
dnssec-validation no;
and it fixed it.
How do I fix it without dnssec-validation no; ?
-T
On 6/14/21 7:36 AM, Petr Mensik wrote:
dnssec-validation yes; should work, ensure include
"/etc/named.root.key"; is in named.conf too. dnssec-validation auto;
would work even without it.
It requires your forwarders to supply DNSSEC records. Check with:
dig @$IP +dnssec com ds
Or with validation:
delv @$IP com ds
Replace $IP with any IP you want to check, be it localhost, or OpenDNS
servers. Should be recursive.
It has to include RRSIG also. All serious resolvers always include
DNSSEC records.
You can use "rndc flushtree com" to flush that name from the cache. It
should work after another query. If it happens again try changing
forwarder servers to different set.
Cheers,
Petr
Hi Petr,
That fixed it. I was missing the named.root.key.
Thank you!
-T
Open DNS's family friendly DNS server
$ delv @208.67.222.123 com ds
; fully validated
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure