Hi Alexander,

Do you mean that forwarding is actually working correctly, but that addresses with a log entry “broken trust chain resolving 'address'” are most likely sites that have DNSSEC issues?
I have lots of entries like that in my log.

Regards,

Rob van Halteren
AV | IT System Engineer
Entrepotdok 66
NL-1018 AD Amsterdam
T: +31 20 530 9696

Out of office on Mondays
www.filmmore.eu

On 3 May 2023, at 16:55, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On ke, 03 touko 2023, Rob van Halteren via FreeIPA-users wrote:
Hi,
I have trouble resolving some addresses with my FreeIPA server. In the log there are lots of "broken trust chain" lines, like:

May  3 14:36:11 myserver named-pkcs11[30906]: validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/A/IN': 8.8.8.8#53
May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/TYPE65/IN': 8.8.8.8#53

I set up a global forward to 8.8.8.8 and the "forward only" setting in the web GUI.

I tried to change the DNSSEC settings in /etc/named.conf: dnssec-enable no; dnssec-validation no;
That did not help.

I run FreeIPA 4.6.8, Release: 5.el7.centos.12, on CentOS 7.9.

When I change forwarding to "forward disabled" in the web GUI, I get lots of "network unreachable resolving" in the logs.
I can then resolve most addresses, but not all.

To me it looks like DNS is not resolving as expected, but I have no clue where to look for a solution.

spotify.com isn't signed correctly. You can see this with the 'delv'
utility: https://kb.isc.org/docs/aa-01152

$ delv @8.8.8.8 gew4-spclient.spotify.com +vtrust +multi
;; fetch: gew4-spclient.spotify.com/A
;; validating gew4-spclient.spotify.com/CNAME: starting
;; validating gew4-spclient.spotify.com/CNAME: attempting insecurity proof
;; validating gew4-spclient.spotify.com/CNAME: checking existence of DS at 'com'
;; fetch: com/DS
;; validating com/DS: starting
;; validating com/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating com/DS: in fetch_callback_dnskey
;; validating com/DS: keyset with trust secure
;; validating com/DS: resuming validate
;; validating com/DS: verify rdataset (keyid=60955): success
;; validating com/DS: marking as secure, noqname proof not needed
;; validating gew4-spclient.spotify.com/CNAME: in fetch_callback_ds
;; validating gew4-spclient.spotify.com/CNAME: resuming proveunsecure
;; validating gew4-spclient.spotify.com/CNAME: checking existence of DS at 'spotify.com'
;; fetch: spotify.com/DS
;; validating spotify.com/DS: starting
;; validating spotify.com/DS: attempting negative response validation from message
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: starting
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: attempting positive response validation
;; fetch: com/DNSKEY
;; validating com/DNSKEY: starting
;; validating com/DNSKEY: attempting positive response validation
;; validating com/DNSKEY: verify rdataset (keyid=30909): success
;; validating com/DNSKEY: marking as secure (DS)
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: in fetch_callback_dnskey
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: keyset with trust secure
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: resuming validate
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: verify rdataset (keyid=46551): success
;;   validating CK0POJMG874LJREF7EFN8430QVIT8BSM.com/NSEC3: marking as secure, noqname proof not needed
;; validating spotify.com/DS: in validator_callback_nsec
;; validating spotify.com/DS: resuming validate_nx
;;   validating com/SOA: starting
;;   validating com/SOA: attempting positive response validation
;;   validating com/SOA: keyset with trust secure
;;   validating com/SOA: verify rdataset (keyid=46551): success
;;   validating com/SOA: marking as secure, noqname proof not needed
;; validating spotify.com/DS: in validator_callback_nsec
;; validating spotify.com/DS: resuming validate_nx
;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: starting
;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: attempting positive response validation
;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: keyset with trust secure
;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: verify rdataset (keyid=46551): success
;;   validating VB2HUP9O0DVURL5ULM1QVE6079MMRS5P.com/NSEC3: marking as secure, noqname proof not needed
;; validating spotify.com/DS: in validator_callback_nsec
;; validating spotify.com/DS: resuming validate_nx
;; validating spotify.com/DS: looking for relevant NSEC3
;; validating spotify.com/DS: looking for relevant NSEC3
;; validating spotify.com/DS: looking for relevant NSEC3
;; validating spotify.com/DS: NSEC3 indicates potential closest encloser: 'com'
;; validating spotify.com/DS: NSEC3 at super-domain com
;; validating spotify.com/DS: looking for relevant NSEC3
;; validating spotify.com/DS: NSEC3 proves name does not exist: 'spotify.com'
;; validating spotify.com/DS: NSEC3 indicates optout
;; validating spotify.com/DS: in checkwildcard: *.com
;; validating spotify.com/DS: looking for relevant NSEC3
;; validating spotify.com/DS: NSEC3 at super-domain com
;; validating spotify.com/DS: looking for relevant NSEC3
;; validating spotify.com/DS: in checkwildcard: *.com
;; validating spotify.com/DS: nonexistence proof(s) found
;; validating gew4-spclient.spotify.com/CNAME: in fetch_callback_ds
;; validating gew4-spclient.spotify.com/CNAME: marking as answer (fetch_callback_ds)
;; fetch: edge-web-gew4.dual-gslb.spotify.com/A
;; validating edge-web-gew4.dual-gslb.spotify.com/A: starting
;; validating edge-web-gew4.dual-gslb.spotify.com/A: attempting insecurity proof
;; validating edge-web-gew4.dual-gslb.spotify.com/A: checking existence of DS at 'com'
;; validating edge-web-gew4.dual-gslb.spotify.com/A: checking existence of DS at 'spotify.com'
;; validating edge-web-gew4.dual-gslb.spotify.com/A: marking as answer (proveunsecure (4))
; unsigned answer
gew4-spclient.spotify.com. 31 IN CNAME edge-web-gew4.dual-gslb.spotify.com.
edge-web-gew4.dual-gslb.spotify.com. 58 IN A 35.186.224.17

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
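The delv trace above walks the whole DNSSEC chain: the root DNSKEY and com/DS verify as secure, com's DNSKEY verifies, and then NSEC3 records from com (with opt-out) prove that no DS record exists for spotify.com, so delv stops validating there and reports the final CNAME and A records as an "unsigned answer". The named log lines, by contrast, only say "broken trust chain" and "bad cache hit (com/DS)" without showing where the chain stopped. The script below is an added example, not code from this thread, from FreeIPA or from BIND: it parses the three named-pkcs11 lines quoted above (plus one constructed line for a hypothetical host under example.invalid) and counts failures per domain, and it reduces a delv +vtrust trace to one status per RRset so the chain can be read at a glance. The grouping by "last two labels" and the status names (secure, no_ds, answer) are this example's own simplifications, not BIND terminology.

```python
import re
from collections import Counter

# Constructed sample: the three named-pkcs11 lines from the thread plus one extra
# line in the same format for a hypothetical host (example.invalid) to show grouping.
NAMED_LOG = """\
May  3 14:36:11 myserver named-pkcs11[30906]: validating gew4-spclient.spotify.com/CNAME: bad cache hit (com/DS)
May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/A/IN': 8.8.8.8#53
May  3 14:36:11 myserver named-pkcs11[30906]: broken trust chain resolving 'gew4-spclient.spotify.com/TYPE65/IN': 8.8.8.8#53
May  3 14:36:12 myserver named-pkcs11[30906]: broken trust chain resolving 'www.example.invalid/AAAA/IN': 8.8.8.8#53
"""

BROKEN_RE = re.compile(
    r"broken trust chain resolving '(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)': (?P<server>\S+)"
)
BADCACHE_RE = re.compile(
    r"validating (?P<qname>[^/]+)/(?P<qtype>[^:]+): bad cache hit \((?P<cached>[^)]+)\)"
)


def parse_named_log(text):
    """Return one event dict per DNSSEC-failure line; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = BROKEN_RE.search(line)
        if m:
            events.append({"kind": "broken_chain", **m.groupdict()})
            continue
        m = BADCACHE_RE.search(line)
        if m:
            events.append({"kind": "bad_cache_hit", **m.groupdict()})
    return events


def zone_key(qname, labels=2):
    """Naive grouping key: the last `labels` labels of the name (e.g. spotify.com)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def failures_by_zone(events):
    """Count broken-trust-chain events per grouping key so the admin sees which
    domains generate the noise instead of reading every individual line."""
    return Counter(zone_key(e["qname"]) for e in events if e["kind"] == "broken_chain")


# Constructed excerpt of the delv +vtrust trace quoted in the thread; only the
# lines the summarizer keys on are kept, the real trace is much longer.
DELV_TRACE = """\
;; validating ./DNSKEY: marking as secure (DS)
;; validating com/DS: marking as secure, noqname proof not needed
;; validating com/DNSKEY: marking as secure (DS)
;; validating spotify.com/DS: NSEC3 proves name does not exist: 'spotify.com'
;; validating spotify.com/DS: NSEC3 indicates optout
;; validating spotify.com/DS: nonexistence proof(s) found
;; validating gew4-spclient.spotify.com/CNAME: marking as answer (fetch_callback_ds)
;; validating edge-web-gew4.dual-gslb.spotify.com/A: marking as answer (proveunsecure (4))
; unsigned answer
gew4-spclient.spotify.com. 31 IN CNAME edge-web-gew4.dual-gslb.spotify.com.
edge-web-gew4.dual-gslb.spotify.com. 58 IN A 35.186.224.17
"""

MARK_RE = re.compile(r"^;; validating (?P<rrset>\S+): marking as (?P<mark>secure|answer)")
NODS_RE = re.compile(r"^;; validating (?P<rrset>\S+/DS): nonexistence proof\(s\) found")


def delv_chain_summary(text):
    """Map each RRset delv reported on to an outcome and return delv's final verdict.
    secure  = signed and verified against the parent
    no_ds   = the parent proved there is no DS, i.e. the child zone is unsigned
    answer  = RRset accepted into the reply without a signature"""
    status, result = {}, None
    for line in text.splitlines():
        m = MARK_RE.match(line)
        if m:
            status[m["rrset"]] = m["mark"]
            continue
        m = NODS_RE.match(line)
        if m:
            status[m["rrset"]] = "no_ds"
            continue
        # delv's one-line verdict ("; fully validated", "; unsigned answer", ...)
        if line.startswith("; "):
            result = line[2:].strip()
    return status, result


def delv_verdict(status, result):
    """Classify the trace: an unsigned answer below a proven missing DS is an
    insecure delegation (the zone chose not to sign), not a validation failure."""
    if result == "fully validated":
        return "secure"
    if result == "unsigned answer" and "no_ds" in status.values():
        return "insecure-delegation"
    return "bogus-or-unknown"


if __name__ == "__main__":
    events = parse_named_log(NAMED_LOG)
    for zone, n in failures_by_zone(events).most_common():
        print(f"{n:5d}  {zone}")
    status, result = delv_chain_summary(DELV_TRACE)
    for rrset, st in status.items():
        print(f"{st:8s} {rrset}")
    print("delv result:", result, "->", delv_verdict(status, result))
```

Run against a real /var/log/messages the first part tells you which domains the resolver refuses; running delv with +vtrust against the same forwarder for one of them, and feeding that trace to the second part, shows whether the failure is below a proven missing DS (the zone is simply unsigned) or somewhere higher in the chain, which is the distinction the bare "broken trust chain" line hides.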