From: Mark Andrews
Newsgroups: comp.protocols.dns.bind
Subject: Re: broken trust chain
Date: Wed, 29 Jul 2020 11:15:24 +1000

A network link that is dropping packets can trigger EDNS failures in
versions of BIND before 9.13.3. These versions have code to compensate for
servers that fail to respond to EDNS queries or fail to respond to EDNS
queries with DO=1 or fail to respond to queries with (particular) EDNS
options set. BIND would fall back to plain DNS queries to work around these
issues, but that broke DNSSEC when the answers were coming from a signed
zone and the packet loss is due to network issues.

5029.   [func]          Workarounds for servers that misbehave when queried
                        with EDNS have been removed, because these broken
                        servers and the workarounds for their noncompliance
                        cause unnecessary delays, increase code complexity,
                        and prevent deployment of new DNS features. See
                        https://dnsflagday.net for further details. [GL #150]

> On 29 Jul 2020, at 09:10, wrote:
>
> Hi All,
>
> I am using BIND as a resolver for end users.
>
> At various times, BIND logs show "broken trust chain" continuously, for
> about 20 mn ~ 30 mn, causing an increase of "recursive clients" shown in
> "rndc status" and a decrease of "DNS success rate KPI" supervised from the
> end users' side. Then the error disappears and everything is OK.
>
> The problem appears on different servers at different times.
>
> What could be the problem?
>
> Regards,

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
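
An added example, not part of the original post or of BIND: a small log triage script that checks whether a resolver version predates 9.13.3 and groups "broken trust chain" errors into episodes like the 20 to 30 minute ones described in the question. The log format (file channel with print-time), the 5-minute gap, the sample lines and the function names are assumptions; counting distinct zones per episode is only a heuristic for telling a path-wide problem from one zone's signing problem.

```python
import re
from datetime import datetime, timedelta

# Assumed log format: a BIND file channel with print-time enabled.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*"
    r"broken trust chain\) resolving '(?P<name>[^/']+)/"
)

def affected_version(version):
    """True for BIND releases before 9.13.3 (EDNS fallback still present)."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return nums < (9, 13, 3)

def episodes(lines, max_gap=timedelta(minutes=5)):
    """Group 'broken trust chain' errors into episodes split by quiet gaps."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        # Crude zone guess (last two labels); enough to count distinct zones.
        zone = ".".join(m["name"].rstrip(".").split(".")[-2:])
        if out and ts - out[-1]["end"] <= max_gap:
            ep = out[-1]
            ep["end"], ep["count"] = ts, ep["count"] + 1
            ep["zones"].add(zone)
        else:
            out.append({"start": ts, "end": ts, "count": 1, "zones": {zone}})
    return out

# Constructed sample log lines (not taken from the original post).
SAMPLE = """\
29-Jul-2020 09:10:02.101 lame-servers: info: error (broken trust chain) resolving 'www.example.org/A/IN': 192.0.2.53#53
29-Jul-2020 09:12:40.553 lame-servers: info: error (broken trust chain) resolving 'mail.example.net/MX/IN': 198.51.100.53#53
29-Jul-2020 09:13:11.400 client: warning: client 203.0.113.7#40000: no more recursive clients: quota reached
29-Jul-2020 09:16:05.009 lame-servers: info: error (broken trust chain) resolving 'example.com/DS/IN': 192.0.2.54#53
29-Jul-2020 14:30:00.000 lame-servers: info: error (broken trust chain) resolving 'a.example.org/AAAA/IN': 192.0.2.53#53
""".splitlines()

if __name__ == "__main__":
    # "9.11.4-P2" is a sample version string chosen for illustration.
    print("9.11.4-P2 affected:", affected_version("9.11.4-P2"))
    for ep in episodes(SAMPLE):
        mins = (ep["end"] - ep["start"]).total_seconds() / 60
        print(f"{ep['start']}  {mins:.0f} min  {ep['count']} errors  "
              f"{len(ep['zones'])} zones")
```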