Hi Alexander,

Do you mean that forwarding is actually working correctly, but that addresses with a 
log entry "broken trust chain resolving 'address'" are most likely sites that 
have DNSSEC issues?
I have lots of entries like that in my log.

Regards,

ROB VAN HALTEREN
AV | IT System Engineer
Entrepotdok 66
NL-1018 AD Amsterdam
T: +31 20 530 9696

Out of office on Mondays
www.filmmore.eu

> On 3 May 2023, at 16:55, Alexander Bokovoy <[email protected]> wrote:
> 
> On Wed, 03 May 2023, Rob van Halteren via FreeIPA-users wrote:
>> Hi,
>> I have trouble resolving some addresses with my FreeIPA server. In the log 
>> there are lots of "broken trust chain" lines, like:
>> 
>> validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
>> May  3 14:36:11 myserver named-pkcs11[30906]: validating 
>> gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
>> May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 
>> 'gew4-spclient.spotify.com/A/IN': 8.8.8.8#53
>> May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 
>> 'gew4-spclient.spotify.com/TYPE65/IN': 8.8.8.8#53
>> 
>> I set up a global forward to 8.8.8.8 and the forward-only setting in the web GUI.
>> 
>> I tried to change the DNSSEC settings in /etc/named.conf: dnssec-enable no; 
>> dnssec-validation no;
>> That did not help.
>> 
>> I run FreeIPA 4.6.8, Release: 5.el7.centos.12, on CentOS 7.9.
>> 
>> When I change forwarding to "forward disabled" in the web GUI, I get lots of 
>> "network unreachable resolving" in the logs.
>> I then can resolve most addresses, but not all.
>> 
>> To me it looks like DNS is not resolving as expected, but I have no clue where 
>> to look for a solution.
> 
> spotify.com isn't signed correctly. You can see this with the 'delv'
> utility: https://kb.isc.org/docs/aa-01152
> 
> $ delv @8.8.8.8 gew4-spclient.spotify.com +vtrust +multi
> ;; fetch: gew4-spclient.spotify.com/A
> ;; validating gew4-spclient.spotify.com/CNAME: starting
> ;; validating gew4-spclient.spotify.com/CNAME: attempting insecurity proof
> ;; validating gew4-spclient.spotify.com/CNAME: checking existence of DS at 
> 'com'
> ;; fetch: com/DS
> ;; validating com/DS: starting
> ;; validating com/DS: attempting positive response validation
> ;; fetch: ./DNSKEY
> ;; validating ./DNSKEY: starting
> ;; validating ./DNSKEY: attempting positive response validation
> ;; validating ./DNSKEY: verify rdataset (keyid=20326): success
> ;; validating ./DNSKEY: marking as secure (DS)
> ;; validating com/DS: in fetch_callback_dnskey
> ;; validating com/DS: keyset with trust secure
> ;; validating com/DS: resuming validate
> ;; validating com/DS: verify rdataset (keyid=60955): success
> ;; validating com/DS: marking as secure, noqname proof not needed
> ;; validating gew4-spclient.spotify.com/CNAME: in fetch_callback_ds
> ;; validating gew4-spclient.spotify.com/CNAME: resuming proveunsecure
> ;; validating gew4-spclient.spotify.com/CNAME: checking existence of DS at 
> 'spotify.com'
> ;; fetch: spotify.com/DS
> ;; validating spotify.com/DS: starting
> ;; validating spotify.com/DS: attempting negative response validation from 
> message
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: starting
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: attempting 
> positive response validation
> ;; fetch: com/DNSKEY
> ;; validating com/DNSKEY: starting
> ;; validating com/DNSKEY: attempting positive response validation
> ;; validating com/DNSKEY: verify rdataset (keyid=30909): success
> ;; validating com/DNSKEY: marking as secure (DS)
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: in 
> fetch_callback_dnskey
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: keyset with trust 
> secure
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: resuming validate
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: verify rdataset 
> (keyid=46551): success
> ;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: marking as 
> secure, noqname proof not needed
> ;; validating spotify.com/DS: in validator_callback_nsec
> ;; validating spotify.com/DS: resuming validate_nx
> ;;   validating com/SOA: starting
> ;;   validating com/SOA: attempting positive response validation
> ;;   validating com/SOA: keyset with trust secure
> ;;   validating com/SOA: verify rdataset (keyid=46551): success
> ;;   validating com/SOA: marking as secure, noqname proof not needed
> ;; validating spotify.com/DS: in validator_callback_nsec
> ;; validating spotify.com/DS: resuming validate_nx
> ;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: starting
> ;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: attempting 
> positive response validation
> ;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: keyset with trust 
> secure
> ;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: verify rdataset 
> (keyid=46551): success
> ;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: marking as 
> secure, noqname proof not needed
> ;; validating spotify.com/DS: in validator_callback_nsec
> ;; validating spotify.com/DS: resuming validate_nx
> ;; validating spotify.com/DS: looking for relevant NSEC3
> ;; validating spotify.com/DS: looking for relevant NSEC3
> ;; validating spotify.com/DS: looking for relevant NSEC3
> ;; validating spotify.com/DS: NSEC3 indicates potential closest encloser: 
> 'com'
> ;; validating spotify.com/DS: NSEC3 at super-domain com
> ;; validating spotify.com/DS: looking for relevant NSEC3
> ;; validating spotify.com/DS: NSEC3 proves name does not exist: 'spotify.com'
> ;; validating spotify.com/DS: NSEC3 indicates optout
> ;; validating spotify.com/DS: in checkwildcard: *.com
> ;; validating spotify.com/DS: looking for relevant NSEC3
> ;; validating spotify.com/DS: NSEC3 at super-domain com
> ;; validating spotify.com/DS: looking for relevant NSEC3
> ;; validating spotify.com/DS: in checkwildcard: *.com
> ;; validating spotify.com/DS: nonexistence proof(s) found
> ;; validating gew4-spclient.spotify.com/CNAME: in fetch_callback_ds
> ;; validating gew4-spclient.spotify.com/CNAME: marking as answer 
> (fetch_callback_ds)
> ;; fetch: edge-web-gew4.dual-gslb.spotify.com/A
> ;; validating edge-web-gew4.dual-gslb.spotify.com/A: starting
> ;; validating edge-web-gew4.dual-gslb.spotify.com/A: attempting insecurity 
> proof
> ;; validating edge-web-gew4.dual-gslb.spotify.com/A: checking existence of DS 
> at 'com'
> ;; validating edge-web-gew4.dual-gslb.spotify.com/A: checking existence of DS 
> at 'spotify.com'
> ;; validating edge-web-gew4.dual-gslb.spotify.com/A: marking as answer 
> (proveunsecure (4))
> ; unsigned answer
> gew4-spclient.spotify.com. 31 IN      CNAME   
> edge-web-gew4.dual-gslb.spotify.com.
> edge-web-gew4.dual-gslb.spotify.com. 58       IN A    35.186.224.17
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> 
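A small log-triage script, added here as an example (it is not from the thread, nor part of FreeIPA or BIND): it parses named's "broken trust chain" and "bad cache hit" lines, like the ones quoted above, and tallies them per zone, per forwarder and per cached DS entry, so you can tell whether many unrelated zones are all tripping over the same cached com/DS (which points at the resolver's own cache or forwarder rather than at the sites) or whether a single zone fails on its own. The example.com/example.net log lines are constructed, and the `likely_cause` heuristic is an assumption of this example, not named's logic.

```python
import re
from collections import Counter

# Constructed sample in the format of the named-pkcs11 log quoted in the thread; the
# example.com / example.net lines are made up to show several unrelated zones failing.
SAMPLE_LOG = """\
May  3 14:36:11 myserver named-pkcs11[30906]: validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/A/IN': 8.8.8.8#53
May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/TYPE65/IN': 8.8.8.8#53
May  3 14:36:12 myserver named-pkcs11[30906]: validating www.example.com/A: bad cache hit (com/DS)
May  3 14:36:12 myserver named-pkcs11[30906]: broken trust chain resolving 'www.example.com/A/IN': 8.8.8.8#53
May  3 14:36:13 myserver named-pkcs11[30906]: broken trust chain resolving 'mail.example.net/MX/IN': 8.8.8.8#53
"""

BROKEN_RE = re.compile(  # broken trust chain resolving 'name/type/IN': server#port
    r"broken trust chain resolving '(?P<name>[^/']+)/(?P<rtype>[^/']+)/IN': (?P<server>\S+)")
BADCACHE_RE = re.compile(  # validating name/type: bad cache hit (entry)
    r"validating (?P<name>[^/\s]+)/(?P<rtype>[^:\s]+): bad cache hit \((?P<entry>[^)]+)\)")

def parent_zone(name):
    """Registrable parent of a name (assumes two labels, e.g. spotify.com)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def parse_named_log(text):
    """Split the log into 'broken trust chain' and 'bad cache hit' records."""
    broken, badcache = [], []
    for line in text.splitlines():
        if m := BROKEN_RE.search(line):
            broken.append(m.groupdict())
        elif m := BADCACHE_RE.search(line):
            badcache.append(m.groupdict())
    return broken, badcache

def summarize(text):
    """Tally failures by zone, by forwarder, and by the cache entry the validator tripped on."""
    broken, badcache = parse_named_log(text)
    return {"zones": Counter(parent_zone(b["name"]) for b in broken),
            "servers": Counter(b["server"] for b in broken),
            "cache_entries": Counter(c["entry"] for c in badcache)}

def likely_cause(summary):
    """Heuristic (an assumption, not named's own logic): unrelated zones all failing on one
    cached DS entry (here com/DS) point at the resolver's cache or forwarder, not the sites."""
    if len(summary["zones"]) >= 2 and len(summary["cache_entries"]) == 1:
        return "local: stale or bad cached DS, or forwarder not returning DNSSEC data"
    if len(summary["zones"]) == 1:
        return "zone-specific: check that zone's chain with delv"
    return "mixed: inspect per zone"
```

Run it over `/var/log/messages` (or `journalctl -u named-pkcs11`) output instead of `SAMPLE_LOG`; the `delv` command Alexander shows is the right follow-up for any zone the summary singles out.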

_______________________________________________
FreeIPA-users mailing list -- [email protected]