Hi List
Usually I have no problems identifying DNSSEC issues, but I don't get this one.
Our two main caching DNS Servers run bind 9.11.2-P1, after flushing the cache and even restarting, I still see an issue with this domain:

09-Apr-2018 09:28:25.934 no valid RRSIG resolving 'ns2.bncr.fi.cr/DS/IN': 201.220.29.22#53
09-Apr-2018 09:28:26.111 no valid RRSIG resolving 'ns2.bncr.fi.cr/DS/IN': 201.220.29.151#53
09-Apr-2018 09:28:26.111 no valid DS resolving 'ns2.bncr.fi.cr/AAAA/IN': 201.220.29.22#53
09-Apr-2018 09:28:26.111 no valid DS resolving 'ns2.bncr.fi.cr/A/IN': 201.220.29.22#53
09-Apr-2018 09:28:26.286 broken trust chain resolving 'ns2.bncr.fi.cr/A/IN': 201.220.29.151#53

https://en.internet.nl/site/www.bncr.fi.cr/199938/ => DNSSEC Valid
http://dnsviz.net/d/www.bncr.fi.cr/dnssec/ => No issues
Doing the same test via a 9.10.3-P4-Debian with Validation enabled, works fine.
Retrieving any +dnssec with dig shows there is an RRSIG for those entries.
Does anyone have an idea what the cause of this issue could be?
Maybe an algo which Bind 9.10 understands (or does not and therefore skips testing) but 9.11 does not? The log of bind 9.10 looks like the validation did succeed though...
Kind regards
-Benoît Panizzon-
On 09.04.18 09:59, Benoit Panizzon wrote:
> Hi List
> [...] Our two main caching DNS Servers run bind 9.11.2-P1, after flushing the cache and even restarting, I still see an issue with this domain: [...] Doing the same test via a 9.10.3-P4-Debian with Validation enabled, works fine.
The most likely reason: Bind 9.11 enables EDNS cookies by default, but the authoritative servers for this domain do not handle EDNS correctly:
https://ednscomp.isc.org/ednscomp/b01039e111
quick fix: server NSNAME { send-cookie no; };
Btw: Currently, many resolvers implement workarounds for such broken nameservers, but several open-source resolver implementations agreed on removing these workarounds next year, so the affected nameservers will have to be fixed.
https://blog.powerdns.com/2018/03/22/removing-edns-workarounds/
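To make the diagnosis above repeatable, here is a small added example (my own code, not part of this thread and not BIND's): it parses named's validation-failure log lines into (reason, name, type, answering server), counts failures per authoritative server so you can see that the complaints are tied to specific addresses rather than spread across the resolution path, and renders the workaround Oli gave as named.conf `server` statements. The sample log is constructed from the five lines in the original post; the two server IPs come from those lines, and the `server` statement takes an address, so the NSNAME placeholder is filled with each IP.

```python
"""Summarise BIND validation failures per authoritative server and render the
send-cookie workaround.  Added example for this thread; SAMPLE_LOG is a
constructed copy of the five log lines from the original post."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
09-Apr-2018 09:28:25.934 no valid RRSIG resolving 'ns2.bncr.fi.cr/DS/IN': 201.220.29.22#53
09-Apr-2018 09:28:26.111 no valid RRSIG resolving 'ns2.bncr.fi.cr/DS/IN': 201.220.29.151#53
09-Apr-2018 09:28:26.111 no valid DS resolving 'ns2.bncr.fi.cr/AAAA/IN': 201.220.29.22#53
09-Apr-2018 09:28:26.111 no valid DS resolving 'ns2.bncr.fi.cr/A/IN': 201.220.29.22#53
09-Apr-2018 09:28:26.286 broken trust chain resolving 'ns2.bncr.fi.cr/A/IN': 201.220.29.151#53
"""

# named's "<reason> resolving '<name>/<type>/<class>': <ip>#<port>" message shape,
# as seen in the posted log (assumed to hold for other reasons of the same form).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<reason>no valid RRSIG|no valid DS|broken trust chain) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


def parse_line(line):
    """Return a dict for a validation-failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse a whole log excerpt, silently skipping unrelated lines."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def failures_per_server(records):
    """Map answering server IP -> number of validation failures attributed to it."""
    counts = defaultdict(int)
    for r in records:
        counts[r["ip"]] += 1
    return dict(counts)


def names_per_server(records):
    """Map answering server IP -> set of names that failed validation from it."""
    names = defaultdict(set)
    for r in records:
        names[r["ip"]].add(r["name"])
    return dict(names)


def server_clauses(ips):
    """Render the thread's workaround as named.conf statements; BIND's server
    statement takes an address or prefix, so each failing IP gets its own clause."""
    ordered = sorted(ips, key=ipaddress.ip_address)
    return "\n".join(f"server {ip} {{ send-cookie no; }};" for ip in ordered)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_server = failures_per_server(recs)
    per_name = names_per_server(recs)
    for ip, n in per_server.items():
        print(f"{ip}: {n} validation failures for {sorted(per_name[ip])}")
    print(server_clauses(per_server))
```

If every failure lands on the few addresses serving one zone while external validators report the zone as fine, the signatures are reaching those validators and not your resolver, which is the pattern that points at EDNS handling on those servers rather than at the zone's signing. The rendered `server` clauses are the per-address workaround from this thread; keep them scoped to the addresses that actually fail rather than disabling cookies globally.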
Hi Oli
> The most likely reason: Bind 9.11 enables EDNS cookies by default, but the authoritative servers for this domain do not handle EDNS correctly:
> https://ednscomp.isc.org/ednscomp/b01039e111
> quick fix: server NSNAME { send-cookie no; };
That was the cause and the fix. Thanks a lot!
Kind regards
-Benoît Panizzon-