DNSSEC:RRSIG validity period has not begun

Mark Andrews Mark_Andrews at isc.org
Tue Oct 14 22:16:17 UTC 2008


In message <20081014141756.GA24033 at nic.fr>, Stephane Bortzmeyer writes:
> On Tue, Oct 14, 2008 at 06:50:17AM -0600,
>  Rajalakshmi R <RRajalakshmi at novell.com> wrote 
>  a message of 33 lines which said:
> 
> > raji.com.               86400   IN      RRSIG   DNSKEY 5 2 86400
> >    20081113142126 20081014142126
> 
> 14th october 2008, 14:21, UTC

> > 14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: verify rdataset (keyidA667): RRSIG validity period has not begun 
> 
> Clock off by a few minutes? 

	Off by several hours.  I suspect the machine that signed
	the zone has the timezone incorrectly set with the "correct"
	local time being displayed.  The fix is to correctly set
	the time zone on the machine then re-set the clock so that
	it displays the correct local time.  This will result in the
	machine's concept of UTC being correct.  dnssec-signzone
	already signs the zone with the starting time set to
	1 hour earlier than the real signing time.

		i.e. 14:21:26 when it was 15:21:26

	Below are received lines from the original email showing
	the time the first message was processed.  mx.isc.org is
	synchronised using NTP and I suspect victor.provo.novell.com
	is as well as its timestamp is 1 second earlier.

	DNSSEC doesn't require NTP's precision.  It just requires
	the clock to be reasonably accurate; +/- 15 minutes would
	be fine.

	Mark

Received: from victor.provo.novell.com (victor.provo.novell.com [137.65.250.26])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "imap.novell.com", Issuer "APPS" (not verified))
        by mx.isc.org (Postfix) with ESMTPS id 61D3211401C
        for <bind-users at isc.org>; Tue, 14 Oct 2008 12:43:52 +0000 (UTC)
        (envelope-from RRajalakshmi at novell.com)
Received: from INET-PRV3-MTA by victor.provo.novell.com
        with Novell_GroupWise; Tue, 14 Oct 2008 06:43:51 -0600

> RFC 4034 :
> 
>    The Signature Expiration Time and Inception Time field values MUST be
>    represented either as an unsigned decimal integer indicating seconds
>    since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
>    UTC, where:
> 
>       YYYY is the year (0001-9999, but see Section 3.1.5);
>       MM is the month number (01-12);
>       DD is the day of the month (01-31);
>       HH is the hour, in 24 hour notation (00-23);
>       mm is the minute (00-59); and
>       SS is the second (00-59).
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
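The check that named was applying above, written out as an added example (not code from BIND or from anyone in the thread): it parses RRSIG Inception/Expiration fields in both forms RFC 4034 allows, compares them with RFC 1982 serial-number arithmetic as RFC 4034 section 3.1.5 requires, and, using the one-hour backdating dnssec-signzone applies, derives the minimum amount by which the signer's clock must have been ahead of an NTP-synchronised reference. The RRSIG times are the ones quoted in the thread; the reference clock is the mx.isc.org receive time from the Received: header, used here as a constructed sample.

```python
"""RRSIG validity-window check per RFC 4034 section 3.1.5.

Added example for this thread, not code from BIND or from the original
posters. The inception/expiration values are the ones quoted in the
thread; the reference clock in main() is a constructed sample taken from
the Received: header.
"""
from datetime import datetime, timezone
from typing import Tuple

SERIAL_BITS = 32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)
SERIAL_MOD = 1 << SERIAL_BITS


def parse_rrsig_time(field: str) -> int:
    """Convert an RRSIG Inception/Expiration field to seconds since the epoch.

    RFC 4034 allows either a decimal count of seconds since
    1 January 1970 00:00:00 UTC or the 14-character YYYYMMDDHHmmSS form
    in UTC. A 32-bit seconds count never exceeds 10 digits, so a 14-digit
    value is unambiguously the calendar form.
    """
    if not field.isdigit():
        raise ValueError(f"RRSIG time field is not numeric: {field!r}")
    if len(field) == 14:
        when = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(when.timestamp()) % SERIAL_MOD
    value = int(field)
    if value >= SERIAL_MOD:
        raise ValueError(f"RRSIG time exceeds 32 bits: {field!r}")
    return value


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b' on 32-bit values.

    RFC 4034 requires this because Expiration may be numerically smaller
    than Inception when the window straddles the 2^32 wrap-around.
    """
    return a != b and ((a < b and b - a < SERIAL_HALF) or
                       (a > b and a - b > SERIAL_HALF))


def check_rrsig_window(inception: str, expiration: str, now: int) -> Tuple[str, int]:
    """Return (status, seconds) for a validator whose clock reads `now`.

    status is 'valid', 'not yet valid' or 'expired'; seconds is how far
    `now` lies outside the window (0 when valid). The 'not yet valid'
    case is what named logs as "RRSIG validity period has not begun".
    """
    start = parse_rrsig_time(inception)
    end = parse_rrsig_time(expiration)
    now %= SERIAL_MOD
    if serial_lt(now, start):
        return "not yet valid", (start - now) % SERIAL_MOD
    if serial_lt(end, now):
        return "expired", (now - end) % SERIAL_MOD
    return "valid", 0


def minimum_signer_clock_lead(inception: str, reference: int, backdate: int = 3600) -> int:
    """Lower bound, in seconds, on how far the signer's clock ran ahead.

    dnssec-signzone sets Inception one hour before the real signing time
    (the thread's "14:21:26 when it was 15:21:26"), so the signer's clock
    read at least Inception + backdate when it signed. If that instant is
    later than a trusted `reference` time at which the signature was
    already observed, the signer's clock led by at least the difference.
    Returns 0 when no lead can be inferred.
    """
    signed_at = (parse_rrsig_time(inception) + backdate) % SERIAL_MOD
    lead = (signed_at - reference) % SERIAL_MOD
    return lead if lead < SERIAL_HALF else 0


if __name__ == "__main__":
    # Constructed sample: the RRSIG quoted in the thread, checked against the
    # NTP-synchronised mx.isc.org receive time from the Received: header.
    reference = int(datetime(2008, 10, 14, 12, 43, 52, tzinfo=timezone.utc).timestamp())
    status, gap = check_rrsig_window("20081014142126", "20081113142126", reference)
    print(f"{status}: {gap} seconds before inception")
    lead = minimum_signer_clock_lead("20081014142126", reference)
    print(f"signer clock ahead of reference by at least {lead} seconds")
```

Against the receive time the signature is "not yet valid" by 5854 seconds, and with the one-hour backdating added back the signing machine must have been at least 9454 seconds (about 2 hours 37 minutes) ahead of the NTP reference, which is the timezone-sized error Mark describes rather than the few minutes Stephane suggested. The serial-number comparison matters for the wrap case too: an Inception of 4294967196 with an Expiration of 50 is a valid window of 150 seconds, not an inverted one.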

