trust anchor bootstrap does not work: [vldr] bad keys, broken trust chain
Something weird happens when attempting TA bootstrap:
rm -f *.mdb /tmp/root.keys && kresd -a 127.0.0.1#5353 -v -k /tmp/root.keys
==9656== Memcheck, a memory error detector
==9656== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==9656== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==9656== Command: kresd -a 127.0.0.1#5353 -v -k /tmp/root.keys
==9656==
[ ta ] keyfile '/tmp/root.keys': doesn't exist, bootstrapping
[ ta ] warning: root anchor bootstrapped, you SHOULD check the key manually, see: https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs
[system] interactive mode
> [ 0][plan] plan '.' type 'DNSKEY'
[51149][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[51149][resl] => using root hints
[64772][iter] '.' type 'DNSKEY' id was assigned, parent id 0
[64772][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[64772][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[64772][iter] <= rcode: NOERROR
[64772][vldr] <= bad keys, broken trust chain
[ 0][resl] finished: 8, queries: 0, mempool: 81952 B
[ ta ] active refresh failed, rcode: 2
[ ta ] next refresh: 86400000
[ 0][plan] plan '.' type 'NS'
[23829][iter] '.' type 'NS' id was assigned, parent id 0
[23829][resl] => using root hints
[ 3535][iter] '.' type 'NS' id was assigned, parent id 0
[ 3535][plan] plan '.' type 'DNSKEY'
[34898][iter] '.' type 'DNSKEY' id was assigned, parent id 3535
[34898][resl] => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[34898][resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'DNSKEY' proto: 'udp'
[34898][iter] <= rcode: NOERROR
[34898][vldr] <= bad keys, broken trust chain
[ 0][resl] finished: 8, queries: 0, mempool: 81952 B
The important (and weird) part seems to be:
[34898][iter] <= rcode: NOERROR
[34898][vldr] <= bad keys, broken trust chain
Huh? Is the validator running before the bootstrap is finished?
In any case, the bootstrap fails because of this and kresd is returning SERVFAIL for all the queries.
Affected version: fd84f602
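
The bootstrap warning in the log above says the root key should be checked manually. The following is an added example, not part of the original report or of kresd, of what that check computes: the RFC 4034 key tag and the SHA-256 DS digest of a root DNSKEY record, to be compared with the values IANA publishes. It assumes the key file holds presentation-format DNSKEY lines; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

ROOT_OWNER_WIRE = b"\x00"  # wire-format owner name of the root zone "."

def parse_dnskey_line(line):
    """Turn '. [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64>' into RDATA bytes."""
    fields = line.split(";", 1)[0].split()  # drop a trailing zone-file comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(rdata, owner_wire=ROOT_OWNER_WIRE):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_anchor(dnskey_line, expected_tag, expected_digest):
    """Compare one bootstrapped key with the tag and digest taken from IANA."""
    rdata = parse_dnskey_line(dnskey_line)
    flags = struct.unpack("!H", rdata[:2])[0]
    return {
        "is_ksk": bool(flags & 0x0001),  # SEP bit set on key-signing keys
        "tag_ok": key_tag(rdata) == expected_tag,
        "digest_ok": ds_sha256(rdata) == expected_digest.replace(" ", "").upper(),
    }

# Constructed sample: a 4-byte "public key", NOT a real root key.
SAMPLE_LINE = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    rdata = parse_dnskey_line(SAMPLE_LINE)
    # In real use the expected values come from IANA's published root anchors,
    # fetched and verified out of band; here they are derived from the sample.
    print(key_tag(rdata), ds_sha256(rdata))
    print(check_anchor(SAMPLE_LINE, key_tag(rdata), ds_sha256(rdata)))
```

A key whose tag or digest does not match the published anchor should not be trusted, whatever the resolver logged during bootstrap.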