Thursday, May 8, 2014

BIND Error : DLV validation error

I hit this BIND error when the resolver could not resolve any outside domain, while local domains still worked. The symptoms:

1. Resolution fails for outside domains but works for the local domain.
2. The following errors appear in /var/log/messages:

May  8 18:14:40 server1 named[3782]:   validating @0x7fa0e467a780: write.coffee.dlv.isc.org NSEC: bad cache hit (dlv.isc.org/DNSKEY)
May  8 18:14:40 server1 named[3782]: error (broken trust chain) resolving 'safebrowsing-cache.google.com.dlv.isc.org/DLV/IN': 8.8.8.8#53
May  8 18:14:40 server1 named[3782]: error (broken trust chain) resolving 'safebrowsing-cache.google.com/AAAA/IN': 8.8.8.8#53


I already suspected that this was related to my laptop's date and time: the CMOS battery has died (drained and not yet replaced), so the hardware clock (RTC) is not reliable and always reads 2008 after boot.

That breaks DNSSEC validation: an RRSIG is only accepted between its inception and expiration times, and a clock stuck in 2008 lies before the inception of every current signature, so named reports a broken trust chain for every validated name. Here the failure shows up as a DLV validation error because lookaside validation through dlv.isc.org is in use. It also stops ntpdate from working properly when ntpdate has to look up the pool hostname through this same broken resolver.

The DNSSEC settings live in /etc/named.conf, where validation can be enabled or disabled (the lookaside part that consults dlv.isc.org is governed by the dnssec-lookaside option next to these). Disabling validation only hides the symptom. A dead clock battery rarely happens on a real server (unlike my lovely laptop), but any host whose clock is far off will fail the same way.

 dnssec-enable yes;
 dnssec-validation yes;


So my solution was:

1. I chose not to disable DNSSEC.

2. Run ntpdate to sync the date and time. If the resolver cannot look up the pool hostname, point ntpdate at a server IP address or use a non-validating resolver for this one step:
 
ntpdate 0.centos.pool.ntp.org 

3. Restart the named service, then dig an outside domain again to confirm it resolves (a validated answer carries the ad flag):
 
service named restart

4. To write the corrected time back to the hardware clock (RTC), run the following. With a dead battery the RTC will reset again after the next power loss, so the ntpdate step has to be repeated after each cold boot:
 
hwclock --systohc

Done! 
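To make the cause concrete, here is an added example (not code from the original post): a small shell script that performs the same time-window check BIND's validator applies to an RRSIG, shows how the 2008 clock fails it while the corrected clock passes, and wraps the repair steps above into one function. The RRSIG line is constructed sample data, CLOCK_FLOOR is an assumed value, and the signed test name in the verification step is an assumption you should replace with any DNSSEC-signed name you trust.

```shell
#!/bin/sh
# Added example, not from the original post.
# An RRSIG carries an expiration and an inception time (UTC, YYYYMMDDHHMMSS).
# A validator accepts the signature only while its own clock lies inside that
# window. With the RTC stuck in 2008 every current signature is "not yet
# valid", which named reports as "broken trust chain".

# Constructed sample RRSIG in dig +dnssec presentation format (not real data).
# Fields: owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer signature
SAMPLE_RRSIG='example.com. 3600 IN RRSIG A 8 2 3600 20140531000000 20140501000000 12345 example.com. c2lnbmF0dXJlLWJ5dGVz'

# rrsig_window_ok NOW "RRSIG line"
# NOW is a UTC timestamp in the same YYYYMMDDHHMMSS form (date -u +%Y%m%d%H%M%S).
# Returns 0 when NOW lies inside [inception, expiration], 1 otherwise, and
# prints the reason, mirroring the validator's decision.
rrsig_window_ok() {
    now=$1
    set -- $2                 # split the record into its whitespace-separated fields
    expiration=$9
    inception=${10}
    if [ "$now" -lt "$inception" ]; then
        echo "signature not yet valid: now=$now inception=$inception"
        return 1
    fi
    if [ "$now" -gt "$expiration" ]; then
        echo "signature expired: now=$now expiration=$expiration"
        return 1
    fi
    echo "signature time window ok: $inception <= $now <= $expiration"
    return 0
}

# clock_plausible [NOW]
# Cheap sanity check to run before blaming BIND: a clock that predates the
# signatures being validated cannot validate anything. CLOCK_FLOOR is an
# assumed value (the errors in the post date from May 2014); set it to a date
# after your OS image was built.
CLOCK_FLOOR=20140101000000
clock_plausible() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    [ "$now" -ge "$CLOCK_FLOOR" ]
}

# The repair sequence from the post as one function. Not invoked here: it
# needs root and network access. If the validating resolver is the only one
# configured, ntpdate cannot resolve the pool name, so sync against an IP
# address or a non-validating resolver first.
fix_clock_and_restart_named() {
    ntpdate 0.centos.pool.ntp.org || return 1
    hwclock --systohc                  # write the corrected time into the RTC
    service named restart
    # Verify through the local resolver: a validated answer has the "ad" flag.
    # www.isc.org is an assumed DNSSEC-signed test name; substitute your own.
    dig @127.0.0.1 www.isc.org A +dnssec | grep -q 'flags:.* ad'
}

# Demonstration: the stuck clock versus the corrected one.
rrsig_window_ok 20080101000000 "$SAMPLE_RRSIG" || :   # 2008: not yet valid
rrsig_window_ok 20140508181440 "$SAMPLE_RRSIG" || :   # May 2014: accepted
```

Run it as `sh check-rrsig-window.sh`; the first call prints the "not yet valid" reason, the second reports the window as satisfied. To check a live record, paste the RRSIG line from `dig +dnssec example.com A` in place of the sample and pass `$(date -u +%Y%m%d%H%M%S)` as NOW.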

Some references for the solution (many thanks):

http://www.topdog.za.net/2012/08/22/fix-bind-error--broken-trust-chain--resolving/

http://pewetheb.blogspot.co.uk/2013/11/named-error-broken-trust-chain.html