DNSSEC resolution on BIND in 'forwarder' mode fails with SERVFAIL or 'broken trust chain' errors
Issue
The BIND server fails to resolve DNSSEC addresses.
The logs contain the following errors:
broken trust chain resolving 'DDD.CCC.BBB.AAA.in-addr.arpa/PTR/IN'
client ... (DDD.CCC.BBB.AAA.in-addr.arpa): view internal: query failed (SERVFAIL) for DDD.CCC.BBB.AAA.in-addr.arpa/IN/PTR at ../../../bin/named/query.c:8580
Deactivating DNSSEC resolution restores the main DNS functionality:
dnssec-enable no;
dnssec-validation no;
Environment
- Red Hat Enterprise Linux
- bind with forward mode
- bind with