On Wed, 03 May 2023, Rob van Halteren wrote:
Hi Alexander,
> Do you mean that forwarding is actually working correctly, but that
> addresses with the log entry “broken trust chain resolving ‘address’” are
> most likely sites that have DNSSEC issues? I have lots of entries
> like that in my log.
Correct. DNSSEC support across multiple DNS zones on the Internet is
patchy, so to speak. DNSSEC validation often fails due to this or
that intermediate zone or misconfiguration. That's why BIND has
separate options to enable/disable DNSSEC validation.
Spotify is simply not providing DNSSEC signatures for its own zone:
https://dnsviz.net/d/spotify.com/dnssec/
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
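An added example, not part of the thread above and not BIND's own code: a small Python triage script that reads BIND resolver log lines, pulls out the names behind "broken trust chain resolving" entries, groups them by a guessed parent zone, and prints the dnsviz.net URL for each zone so an admin can confirm whether the zone itself is missing or breaking its signatures. The log lines are constructed samples in the shape of BIND 9 resolver messages (names, addresses and timestamps are made up), and the "last two labels" zone guess is an assumption that ignores public-suffix rules such as co.uk.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of BIND 9 resolver log entries.
# Only the "broken trust chain resolving '<name>/<type>/<class>'" wording
# matters here; names, addresses and timestamps are invented.
SAMPLE_LOG = """\
03-May-2023 10:12:34.567 resolver: info: broken trust chain resolving 'www.spotify.com/A/IN': 192.0.2.10#53
03-May-2023 10:12:35.001 resolver: info: broken trust chain resolving 'api.spotify.com/AAAA/IN': 192.0.2.10#53
03-May-2023 10:13:01.220 resolver: info: broken trust chain resolving 'cdn.example.net/A/IN': 198.51.100.7#53
03-May-2023 10:13:05.000 general: info: zone example.org/IN: loaded serial 2023050301
03-May-2023 10:14:00.000 resolver: info: broken trust chain resolving 'www.spotify.com/A/IN': 192.0.2.11#53
"""

# Matches the quoted <name>/<rtype>/<class> triple BIND logs for the failed lookup.
BROKEN_CHAIN_RE = re.compile(
    r"broken trust chain resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)'"
)


def parse_broken_chain(lines):
    """Yield (qname, rtype) for every broken-trust-chain entry; other lines are ignored."""
    for line in lines:
        m = BROKEN_CHAIN_RE.search(line)
        if m:
            # Normalise case and any trailing dot so repeated lookups group together.
            yield m.group("name").rstrip(".").lower(), m.group("rtype")


def registrable_zone(name, labels=2):
    """Crude parent-zone guess: keep the last `labels` labels.

    Assumption for this example: no public-suffix handling, so names under
    multi-label suffixes (e.g. example.co.uk) will be grouped too coarsely.
    """
    parts = name.split(".")
    return ".".join(parts[-labels:])


def summarize(log_text):
    """Count broken-trust-chain failures per guessed zone."""
    counts = Counter()
    for qname, _rtype in parse_broken_chain(log_text.splitlines()):
        counts[registrable_zone(qname)] += 1
    return counts


def dnsviz_urls(counts):
    """Map each zone to the dnsviz.net page that shows its DNSSEC chain."""
    return {zone: f"https://dnsviz.net/d/{zone}/dnssec/" for zone in counts}


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    urls = dnsviz_urls(totals)
    # Most noisy zones first; each line tells the admin where to look.
    for zone, n in totals.most_common():
        print(f"{n:4d}  {zone:25s}  {urls[zone]}")
```

Running it against a real `named` log lets you separate zones that are genuinely unsigned or mis-signed (the resolver is doing its job) from an unexpected burst across many unrelated zones, which would point at a problem on your own resolver or forwarder instead. Whether to relax validation is then a per-case decision: BIND's `dnssec-validation` option in `named.conf` controls validation globally, so the usual first step is to confirm the zone owner's chain on dnsviz before touching it.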