auto-dnssec resign timers
Niobos
niobos at dest-unreach.be
Fri Sep 17 09:44:07 UTC 2010
Hi,
I'm experimenting with the auto-dnssec feature of bind 9.7.0-P1. I know
it's outdated; I did skim over the changelog up until 9.7.2rc2, and
didn't find anything that seems like this issue.
This query demonstrates the issue:
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec SOA dnssec.dest-unreach.be
@imset.org +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8632
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.dest-unreach.be. IN SOA
;; ANSWER SECTION:
dnssec.dest-unreach.be. 86400 IN SOA serv02.imset.org.
hostmaster.dest-unreach.be. 55 3600 3600 172800 300
dnssec.dest-unreach.be. 86400 IN RRSIG SOA 7 3 86400 20100919163624
20100916153624 42614 dnssec.dest-unreach.be.
WBdpqpLCa/5cnMAThAcftrOysfdN8K594WAM+6AMyRPiEpXVF6JRqJWH
N46J3aN6BliM09bA9RxYOoClCcIsJA==
;; AUTHORITY SECTION:
dnssec.dest-unreach.be. 300 IN NS serv02.imset.org.
dnssec.dest-unreach.be. 300 IN NS sdns1.ovh.net.
dnssec.dest-unreach.be. 300 IN RRSIG NS 7 3 300 20100919161438
20100916153624 42614 dnssec.dest-unreach.be.
U6KZzFZecSZNEL0Wp8NxlmjgitQfXbHNt1+S85sZxm9Ti8oNiWMhESts
SmLTmos4VU2yqSo6KOq8mQ/xvoehhw==
;; ADDITIONAL SECTION:
serv02.imset.org. 86400 IN A 94.23.24.89
serv02.imset.org. 86400 IN AAAA 2001:41d0:2:1959:21c:c0ff:fe88:6f58
;; Query time: 7 msec
;; SERVER: 94.23.24.89#53(94.23.24.89)
;; WHEN: Fri Sep 17 11:29:14 2010
;; MSG SIZE rcvd: 435
(the dnssec.dest-unreach.be zone is my test zone; publicly available,
but not publicly delegated)
In my opinion, BIND should have resigned this by now: The signature is
valid for a little over 2 days. This means that if the slave would
lose contact with the master right now, it will give out signatures
that will expire before their TTL does.
According to my calculations, RRSIGs should be regenerated zone-expire +
RR-ttl seconds before the RRSIG expires.
For reference, the configuration:
zone "dnssec.dest-unreach.be" {
type master;
file "/var/lib/bind/dnssec.dest-unreach.be.zone";
update-policy local;
auto-dnssec maintain;
dnssec-secure-to-insecure yes;
key-directory "/etc/bind/keys";
sig-validity-interval 3;
};
And to be completely honest: the configured slave NS record doesn't
really slave this zone; but BIND shouldn't know or care.
greets,
Niobos
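Added example, not from the post: a small Python check that applies the post's own rule (regenerate an RRSIG at least SOA-expire + RR-TTL seconds before it expires) to the numbers in the dig output above, and also computes the worst-case window during which a cut-off slave and downstream caches could still hand out this signature. It assumes dig's WHEN is printed in CEST (UTC+2), so the query was made at 09:29:14 UTC.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the dig output and zone config in the post.
RRSIG_INCEPTION = "20100916153624"   # RRSIG SOA inception (UTC)
RRSIG_EXPIRATION = "20100919163624"  # RRSIG SOA expiration (UTC)
SOA_EXPIRE = 172800                  # SOA "expire" field (seconds)
SOA_RR_TTL = 86400                   # TTL of the signed SOA RRset
# Assumption: dig printed "WHEN: 11:29:14" in CEST, i.e. 09:29:14 UTC.
QUERY_TIME_UTC = "20100917092914"


def parse_rrsig_time(stamp: str) -> datetime:
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp; these are always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def resign_deadline(expiration: str, soa_expire: int, rr_ttl: int) -> datetime:
    """Latest moment to resign under the post's rule: expire + TTL before the RRSIG expires."""
    return parse_rrsig_time(expiration) - timedelta(seconds=soa_expire + rr_ttl)


def seconds_overdue(now: str, expiration: str, soa_expire: int, rr_ttl: int) -> int:
    """Positive when the RRSIG should already have been regenerated at `now`."""
    delta = parse_rrsig_time(now) - resign_deadline(expiration, soa_expire, rr_ttl)
    return int(delta.total_seconds())


def worst_case_serve_until(now: str, soa_expire: int, rr_ttl: int) -> datetime:
    """If the slave loses the master at `now`, it serves the zone for soa_expire more
    seconds, and resolvers may then cache the RRset for rr_ttl seconds on top."""
    return parse_rrsig_time(now) + timedelta(seconds=soa_expire + rr_ttl)


def signature_covers_worst_case(now: str, expiration: str, soa_expire: int, rr_ttl: int) -> bool:
    """True only if the RRSIG is still valid at the end of the worst-case window."""
    return parse_rrsig_time(expiration) >= worst_case_serve_until(now, soa_expire, rr_ttl)


if __name__ == "__main__":
    deadline = resign_deadline(RRSIG_EXPIRATION, SOA_EXPIRE, SOA_RR_TTL)
    print("resign deadline (post's rule):", deadline.isoformat())
    print("seconds overdue at query time:",
          seconds_overdue(QUERY_TIME_UTC, RRSIG_EXPIRATION, SOA_EXPIRE, SOA_RR_TTL))
    print("RRSIG covers worst case:",
          signature_covers_worst_case(QUERY_TIME_UTC, RRSIG_EXPIRATION, SOA_EXPIRE, SOA_RR_TTL))
```

With a 3-day sig-validity-interval the deadline lands one hour after inception, so with these SOA values the post's rule can never be met by this configuration regardless of when BIND resigns.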