Broken trust chain on corner case secure chain
Summary
Consider the following chain:
parent. DS 1
parent. DS 2
parent. DS 3
parent. RRSIG(DS)
example.parent. DNSKEY 257 id=1
example.parent. DNSKEY 257 id=2
example.parent. DNSKEY 256 id=99
example.parent. RRSIG(DNSKEY) id=1
This delegation will result in a broken trust chain, even though there is a secure chain via the DNSKEY with id=1. There are also broken chains (DS 3 has no corresponding DNSKEY, and the DNSKEY with id=2 is not signing).
This works in 9.19.20, but no longer in 9.19.21. Could it be the KeyTrap fix in 9.21 that is causing this?
Older versions (9.18, 9.16) are not affected.
BIND version affected
9.19.21
Steps to reproduce
To do.
What is the current bug behavior?
Broken trust chain.
What is the expected correct behavior?
Secure answer.
Relevant configuration files
Default empty config.
Relevant logs
To do.
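
The expected outcome for the chain in the summary, written out as a small model. This is an added example, not BIND's validator code and not part of the original report. It assumes that the parent's RRSIG(DS) verifies, that a DS with a given number matches the digest of the DNSKEY with the same id, and that every listed RRSIG verifies cryptographically; `validate_delegation` and `report_chain` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    flags: int      # 257 = KSK (SEP bit set), 256 = ZSK
    key_tag: int    # the "id=" values from the report

def validate_delegation(ds_tags, dnskeys, dnskey_rrsig_tags):
    """Model of the expected outcome for a signed DS RRset.

    Assumptions (not from the report): the parent's RRSIG(DS) verifies, a DS
    whose tag equals a DNSKEY's tag also matches its digest, and every RRSIG
    listed verifies cryptographically. Returns (status, per-DS trace).
    """
    if not ds_tags:
        return "insecure", []          # no DS at the parent: unsigned delegation
    published = {k.key_tag for k in dnskeys}
    signers = set(dnskey_rrsig_tags)   # keys that signed the DNSKEY RRset
    trace = []
    for tag in ds_tags:
        if tag not in published:
            trace.append((tag, "no matching DNSKEY"))
        elif tag not in signers:
            trace.append((tag, "DNSKEY does not sign the DNSKEY RRset"))
        else:
            trace.append((tag, "secure"))
    # One working path is enough; dead-end DS records must not veto it.
    status = "secure" if any(r == "secure" for _, r in trace) else "bogus"
    return status, trace

def report_chain():
    """The chain from the report: DS 1-3, DNSKEY ids 1, 2, 99, RRSIG by id=1."""
    keys = [DNSKEY(257, 1), DNSKEY(257, 2), DNSKEY(256, 99)]
    return validate_delegation([1, 2, 3], keys, [1])

if __name__ == "__main__":
    status, trace = report_chain()
    print(status)
    for tag, result in trace:
        print(f"DS {tag}: {result}")
```

The trace separates the two dead ends named in the summary (DS 2 and DS 3) from the working path through id=1, which is the case a regression test for this report would need to cover.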