dnssec-signzone and jitter bug... still
Paul Wouters
paul at xelerance.com
Tue Nov 1 19:30:23 UTC 2011
There have been discussions in the past over this, but we were once again bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone -C -u -r /dev/random -t -o openswan.org -f /var/tmp/openswan.org.sign.tmp -i 1296000 -e +2592000 -j 1296000 -k Kopenswan.org.+005+07398 /var/tmp/dnsx_sign_domain_openswan.org.31202 Kopenswan.org.+005+64562
Doing a check that every signature it at least valid for 1296000 seconds:
[paul at bofh ]$ ./ldns-verify-zone -o 1296000 openswan.org.signed.new |grep Error
Error: DNSSEC signature has expired for openswan.org. AAAA
Error: DNSSEC signature has expired for openswan.org. NSEC
Error: DNSSEC signature has expired for br1.openswan.org. NSEC
Error: DNSSEC signature has expired for br2.openswan.org. A
Error: DNSSEC signature has expired for bugs.openswan.org. A
Error: DNSSEC signature has expired for git.openswan.org. NSEC
Error: DNSSEC signature has expired for ip.openswan.org. NSEC
Error: DNSSEC signature has expired for lists.openswan.org. A
Error: DNSSEC signature has expired for livetest.openswan.org. A
Error: DNSSEC signature has expired for http.livetest.openswan.org. A
Error: DNSSEC signature has expired for http.livetest.openswan.org. NSEC
Error: DNSSEC signature has expired for secure.livetest.openswan.org. NSEC
Error: DNSSEC signature has expired for mi6.openswan.org. A
Error: DNSSEC signature has expired for mi6.openswan.org. NSEC
Error: DNSSEC signature has expired for nso.openswan.org. NSEC
Error: DNSSEC signature has expired for testing.openswan.org. CNAME
Error: DNSSEC signature has expired for tests.openswan.org. CNAME
Error: DNSSEC signature has expired for tests.openswan.org. NSEC
Error: DNSSEC signature has expired for tla.openswan.org. A
Error: DNSSEC signature has expired for tla.openswan.org. NSEC
Error: DNSSEC signature has expired for tla.openswan.org. NSEC
Error: DNSSEC signature has expired for uml.openswan.org. NSEC
Error: DNSSEC signature has expired for unknown.openswan.org. NSEC
Error: DNSSEC signature has expired for wikki.openswan.org. NSEC
Error: DNSSEC signature has expired for www.openswan.org. A
Picking the first error from the signed zone file:
7200 AAAA 2001:888:2003:1004:c2ff:eeff:fe00:195
7200 RRSIG AAAA 5 2 7200 20111104135001 (
20111008053610 29468 openswan.org.
LBisHS/qOuZpE7gRkzsq2x0J3hRBtAyxoqlw
FP3tz4q4MxTEdcotjYvQFKtzRXkTESEGPVYd
XPWE7xxFfgA3nvxVy9vqoZRVmW322Fv1ODGb
qyO4XGZVk1BhNchO5jnTGY0PdbX5ab7kxa9j
XEokDIqEq1oKsZehRfVaN1KRWYA= )
This signature expires at Nov 4, in three(!) days. The signature was generated on Oct 8,
and all this time dnssec-signzone thinks it is valid to retain it, while clearly being
outside the -i interval window.
I again have to conclude that jittering is not correctly implemented. It seems jittering
is done AFTER determining the valid start/end times via the -s/-e/-i options.
To me, the above signing commands means "all RRSIGs should be valid from -1h to at the
very least +1296000 seconds and at most +2592000 seconds, spread out"
Currently however, it seems a valid end time is (minimum lifetime) - (jitter), which in my
case means "0" if you want to jitter between +2w and +4w.
This is dnssec-signzone from 9.7.3
Paul
More information about the bind-users
mailing list