Broken trust chain resolving 'example.com/A/IN': 127.0.0.53#53 when using delv

I’ve been attempting to validate DNSSEC using the delv www.apple.com, but I keep getting errors: https://www.cyberciti.biz/faq/unix-linux-test-and-validate-DNSSEC-using-dig-command-line/ Nevertheless, it displayed the message

;; broken trust chain resolving 'www.apple.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

How do you solve it?

Try using a public DNS resolver.

Fixing the "broken trust chain resolving … resolution failed: broken trust chain" message

The syntax is:

delv www.apple.com @dns-server-name-IPv4-here
delv www.apple.com @dns-server-name-IPv6-here
# Try Cloudflare, Google and IBM DNS resolvers #
delv www.apple.com @1.1.1.1
delv www.apple.com @8.8.8.8
delv www.apple.com @9.9.9.9
# IPv6 example using IBM Quad9 DNS #
delv -6 www.cyberciti.biz @2620:fe::fe

Why do I get resolution failed: broken trust chain error despite correctly configured DNSSEC?

You must correctly configure your local DNS resolver to deal with this issue. Your DNS resolver must support DNSSEC. Otherwise, you will lose connectivity. Here is how to configure DNSSEC for popular caching DNS resolvers that are typically installed on Linux or Unix:

  1. DNSMASQ dnssec config - Dnsmasq - Gentoo wiki
  2. Unbound dnssec config - Unbound - Gentoo wiki
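
An added example for the answer above, not part of the original thread: it classifies delv output and compares the verdict from the local resolver with the one from a public validating resolver, to show whether the local resolver is the component at fault. The function names, verdict labels and the example.com sample are assumptions made for this example; "fully validated" and "unsigned answer" are the status lines delv prints on success.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): compare delv verdicts from
# the local resolver and a public validating resolver.

# Failure text quoted in the question above.
SAMPLE_BROKEN=";; broken trust chain resolving 'www.apple.com/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain"
# Constructed sample of a successful answer (192.0.2.10 is a documentation address).
SAMPLE_OK="; fully validated
www.example.com. 300 IN A 192.0.2.10"

# Read delv output on stdin and print a one-word verdict.
classify_delv_output() {
    out=$(cat)
    case "$out" in
        *"resolution failed: broken trust chain"*) echo broken-trust-chain ;;
        *"resolution failed"*)                     echo failed ;;
        *"fully validated"*)                       echo validated ;;
        *"unsigned answer"*)                       echo unsigned ;;
        *)                                         echo unknown ;;
    esac
}

# Combine the local and public verdicts into a hint about where the fault is.
# "unsigned" still counts as success: delv proved the zone is not signed.
diagnose() {
    case "$1:$2" in
        validated:*|unsigned:*)                    echo local-ok ;;
        broken-trust-chain:validated|broken-trust-chain:unsigned)
                                                   echo fix-local-resolver ;;
        broken-trust-chain:broken-trust-chain)     echo zone-or-path ;;
        *)                                         echo inconclusive ;;
    esac
}

# Live check, only when a name is given: NAME [LOCAL_RESOLVER] [PUBLIC_RESOLVER]
if [ "$#" -gt 0 ]; then
    local_ip=${2:-127.0.0.53}; public_ip=${3:-1.1.1.1}
    l=$(delv "$1" "@$local_ip" 2>&1 | classify_delv_output)
    p=$(delv "$1" "@$public_ip" 2>&1 | classify_delv_output)
    printf '%s: %s\n%s: %s\nresult: %s\n' \
        "$local_ip" "$l" "$public_ip" "$p" "$(diagnose "$l" "$p")"
fi
```

A result of fix-local-resolver means the name validates through the public resolver but not through the local one, which is the case the answer above addresses by configuring DNSSEC in the local resolver.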