delv could not verify after upgrade to 9.11.3-1ubuntu1.11-Ubuntu

Asked by Zhang Huanjie on 2020-01-23

delv could not verify after upgrade to 9.11.3-1ubuntu1.11-Ubuntu from 9.11.3-1ubuntu1.9-Ubuntu.

It says:
delv @
;; validating no valid signature found
;; insecurity proof failed resolving '':
;; broken trust chain resolving '':
;; resolution failed: broken trust chain

I am sure 9.11.3-1ubuntu1.9-Ubuntu works.

Question information

English
Ubuntu bind9
No assignee
Solved by: Zhang Huanjie

Does dig work OK to the same IP?
If you have iptables / ufw configured, are you allowing 53/TCP in and out?

Also try:

delv -4 @

Can you Telnet to on port 53?

Zhang Huanjie (bg6cq) said : #3

Just now I found that the .cn domain key expired 8 hours ago, so I cannot test now.

The following two files are the output of "delv -d 10" and "delv -d 10" from delv 9.11.3-1ubuntu1.11-Ubuntu, logged 4 days ago.
verify ok, its key alg is NSEC3RSASHA1
verify fail, its key alg is ECDSAP384SHA384

I am sure both verify ok when delv is 9.11.3-1ubuntu1.9-Ubuntu.

Thanks a lot.

I suggest you report a bug. Mark it as a regression

Zhang Huanjie (bg6cq) said : #5

Thank you for your advice.

I did a fresh install of Ubuntu 18.04 and did some tests.

The problem was caused by the libssl1.1 upgrade, not by the delv upgrade.

In the fresh installation of Ubuntu 18.04, the libssl1.1 version is 1.1.0g-2ubuntu4. delv works ok.

After upgrading libssl1.1 to 1.1.1-1ubuntu2.1~18.04.5, delv could not verify.

If you use a different URL does it work OK or is it all URLs?

Zhang Huanjie (bg6cq) said : #7

bind 9.11.0 - 9.11.15 do not work with libssl1.1 1.1.1-1ubuntu2.1~18.04.5.
bind 9.14.* works.
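
Added example, not part of the original thread: one way to repeat the comparison from comment #3 over several zones, grouping delv outcomes by the DNSKEY algorithm each zone publishes. The zone names, key material and captured outputs below are constructed, and the function names are hypothetical; feed it real "dig DNSKEY" and "delv" output to use it.

```python
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers (subset); 7 and 14 are the two named in the thread.
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# Presentation format: owner TTL IN DNSKEY flags protocol(3) algorithm key...
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s", re.M)

def zone_algorithms(dig_output):
    """Map each zone in `dig <zone> DNSKEY` output to its DNSKEY algorithm names."""
    zones = defaultdict(set)
    for owner, _flags, alg in DNSKEY_RE.findall(dig_output):
        zones[owner.lower()].add(ALGORITHMS.get(int(alg), "ALG" + alg))
    return dict(zones)

def delv_verdict(delv_output):
    """Classify delv output by its status lines."""
    if "; fully validated" in delv_output:
        return "validated"
    if "resolution failed" in delv_output:
        return "failed"
    return "unknown"  # e.g. an unsigned answer

def verdicts_by_algorithm(samples):
    """samples: iterable of (dig_output, delv_output) pairs, one pair per zone."""
    tally = defaultdict(lambda: {"validated": 0, "failed": 0, "unknown": 0})
    for dig_out, delv_out in samples:
        verdict = delv_verdict(delv_out)
        for algs in zone_algorithms(dig_out).values():
            for alg in algs:
                tally[alg][verdict] += 1
    return {alg: dict(counts) for alg, counts in tally.items()}

# Constructed sample captures (placeholder zones and keys, not real data).
SAMPLES = [
    ("alpha.example.\t3600\tIN\tDNSKEY\t257 3 7 AwEAAcCONSTRUCTED=\n",
     "; fully validated\nalpha.example.\t3600\tIN\tA\t192.0.2.1\n"),
    ("beta.example.\t3600\tIN\tDNSKEY\t257 3 14 xKYaCONSTRUCTED=\n",
     ";; validating beta.example/DNSKEY: no valid signature found\n"
     ";; resolution failed: broken trust chain\n"),
]

if __name__ == "__main__":
    for alg, counts in sorted(verdicts_by_algorithm(SAMPLES).items()):
        print(alg, counts)
```

If failures cluster on one algorithm while others validate, that points at the crypto library behind the validator rather than at the zone or the network path.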