For those of you facing a curious issue with BIND failing to resolve records
for some zones today, it’s not necessarily BIND having “a Friday moment” 😊
It looks like the LetsEncrypt root certificate expiry is even impacting some
DNSSEC zones that have used a LetsEncrypt certificate to sign their zone file.
For example my BIND 9.17.18 / Ubuntu 21.04 servers are failing to resolve
{anything}.slack.com at the moment, presumably because Slack have used
LetsEncrypt to sign their zone. BIND is logging the following in my
query-errors.log file:
(app.slack.com): query failed (broken trust chain) for app.slack.com/IN/A at query.c:7658
There’s a little more info about the LetsEncrypt issue at the following two
links (not my site):
https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
and
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Richard.
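
An added example, not part of the original post: a small Python triage of query-errors lines in the shape quoted above, grouping "broken trust chain" failures by parent domain to show which zones are failing validation on a resolver. The sample lines (timestamps, client addresses, names other than app.slack.com) are constructed, and grouping on the last two labels is a simplifying assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of BIND's query-errors category output;
# timestamps, client addresses and the extra names are made up for illustration.
SAMPLE_LOG = """\
30-Sep-2021 14:02:11.120 query-errors: info: client @0x7f1c2c0a1b20 192.0.2.10#53124 (app.slack.com): query failed (broken trust chain) for app.slack.com/IN/A at query.c:7658
30-Sep-2021 14:02:11.480 query-errors: info: client @0x7f1c2c0a1b20 192.0.2.10#40211 (files.slack.com): query failed (broken trust chain) for files.slack.com/IN/AAAA at query.c:7658
30-Sep-2021 14:02:12.002 query-errors: info: client 192.0.2.11#51000 (www.example.org): query failed (SERVFAIL) for www.example.org/IN/A at query.c:7658
30-Sep-2021 14:02:12.900 queries: info: client 192.0.2.11#51001 (www.example.net): query: www.example.net IN A +
"""

# Matches the "query failed" message; an optional "view NAME:" prefix is tolerated.
LINE_RE = re.compile(
    r"\((?P<orig>[^)]+)\): (?:view \S+: )?query failed \((?P<reason>[^)]+)\) "
    r"for (?P<qname>\S+)/(?P<qclass>\w+)/(?P<qtype>\w+) at (?P<src>\S+:\d+)"
)

def parse_line(line):
    """Return the fields of one query-errors line, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def parent_domain(qname, labels=2):
    """Heuristic grouping key: the last `labels` labels of the query name."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def summarize(log_text, reason="broken trust chain"):
    """Count failures with the given reason per parent domain and record type."""
    by_domain = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["reason"] == reason:
            by_domain[parent_domain(rec["qname"])][rec["qtype"]] += 1
    return {domain: dict(counts) for domain, counts in by_domain.items()}

if __name__ == "__main__":
    for domain, types in summarize(SAMPLE_LOG).items():
        print(domain, types)
```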