dnssec-signzone and jitter bug... still

Paul Wouters paul at xelerance.com
Tue Nov 1 19:30:23 UTC 2011


There have been discussions in the past over this, but we were once again bitten by this dnssec-signzone bug:

Tue Nov  1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone -C -u -r /dev/random -t -o openswan.org  -f /var/tmp/openswan.org.sign.tmp  -i 1296000  -e +2592000 -j 1296000  -k Kopenswan.org.+005+07398  /var/tmp/dnsx_sign_domain_openswan.org.31202 Kopenswan.org.+005+64562

Doing a check that every signature is at least valid for 1296000 seconds:

[paul at bofh ]$ ./ldns-verify-zone -o 1296000 openswan.org.signed.new |grep Error
Error: DNSSEC signature has expired for openswan.org.	AAAA
Error: DNSSEC signature has expired for openswan.org.	NSEC
Error: DNSSEC signature has expired for br1.openswan.org.	NSEC
Error: DNSSEC signature has expired for br2.openswan.org.	A
Error: DNSSEC signature has expired for bugs.openswan.org.	A
Error: DNSSEC signature has expired for git.openswan.org.	NSEC
Error: DNSSEC signature has expired for ip.openswan.org.	NSEC
Error: DNSSEC signature has expired for lists.openswan.org.	A
Error: DNSSEC signature has expired for livetest.openswan.org.	A
Error: DNSSEC signature has expired for http.livetest.openswan.org.	A
Error: DNSSEC signature has expired for http.livetest.openswan.org.	NSEC
Error: DNSSEC signature has expired for secure.livetest.openswan.org.	NSEC
Error: DNSSEC signature has expired for mi6.openswan.org.	A
Error: DNSSEC signature has expired for mi6.openswan.org.	NSEC
Error: DNSSEC signature has expired for nso.openswan.org.	NSEC
Error: DNSSEC signature has expired for testing.openswan.org.	CNAME
Error: DNSSEC signature has expired for tests.openswan.org.	CNAME
Error: DNSSEC signature has expired for tests.openswan.org.	NSEC
Error: DNSSEC signature has expired for tla.openswan.org.	A
Error: DNSSEC signature has expired for tla.openswan.org.	NSEC
Error: DNSSEC signature has expired for tla.openswan.org.	NSEC
Error: DNSSEC signature has expired for uml.openswan.org.	NSEC
Error: DNSSEC signature has expired for unknown.openswan.org.	NSEC
Error: DNSSEC signature has expired for wikki.openswan.org.	NSEC
Error: DNSSEC signature has expired for www.openswan.org.	A

Picking the first error from the signed zone file:

                        7200    AAAA    2001:888:2003:1004:c2ff:eeff:fe00:195
                         7200    RRSIG   AAAA 5 2 7200 20111104135001 (
                                         20111008053610 29468 openswan.org.
                                         LBisHS/qOuZpE7gRkzsq2x0J3hRBtAyxoqlw
                                         FP3tz4q4MxTEdcotjYvQFKtzRXkTESEGPVYd
                                         XPWE7xxFfgA3nvxVy9vqoZRVmW322Fv1ODGb
                                         qyO4XGZVk1BhNchO5jnTGY0PdbX5ab7kxa9j
                                         XEokDIqEq1oKsZehRfVaN1KRWYA= )

This signature expires at Nov 4, in three(!) days. The signature was generated on Oct 8,
and all this time dnssec-signzone thinks it is valid to retain it, while clearly being
outside the -i interval window.

I again have to conclude that jittering is not correctly implemented. It seems jittering
is done AFTER determining the valid start/end times via the -s/-e/-i options.

To me, the above signing command means "all RRSIGs should be valid from -1h to at the
very least +1296000 seconds and at most +2592000 seconds, spread out".

Currently however, it seems a valid end time is (minimum lifetime) - (jitter), which in my
case means "0" if you want to jitter between +2w and +4w.

This is dnssec-signzone from 9.7.3.

Paul
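The check the post runs with ldns-verify-zone -o 1296000, written out as an added example (not code from the post, BIND or ldns): it parses the RRSIG records from a signed zone and flags every signature whose expiration is less than the -i interval away. The zone text embeds the post's AAAA/RRSIG record (signature truncated) plus one constructed RRSIG that does fall inside the window; the reference time is the signing timestamp from the post's log line.

```python
"""Flag RRSIGs that will expire in less than a minimum lifetime.
Added example; the first RRSIG is the post's record, the second is constructed."""
import re
from datetime import datetime, timezone

# Signed zone fragment. The AAAA record and its RRSIG come from the post
# (signature data truncated); the www A record and its RRSIG are constructed.
SIGNED_ZONE = """\
openswan.org.  7200 AAAA  2001:888:2003:1004:c2ff:eeff:fe00:195
               7200 RRSIG AAAA 5 2 7200 20111104135001 (
                          20111008053610 29468 openswan.org.
                          LBisHS/qOuZpE7gRkzsq2x0J3hRBtAyxoqlw= )
www.openswan.org. 7200 A 192.0.2.10
               7200 RRSIG A 5 3 7200 20111120121128 (
                          20111101111128 29468 openswan.org. c29tZQ== )
"""
# Time the post's signing run started (from its log line), in UTC.
NOW = datetime(2011, 11, 1, 12, 11, 28, tzinfo=timezone.utc)
MIN_LIFETIME = 1296000  # the post's -i value: every RRSIG must outlive this

def rrsig_timestamp(s):
    """Parse the YYYYMMDDHHMMSS form used in RRSIG presentation format (UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, inception) for each RRSIG.
    Parenthesised multi-line records are joined first; a line that starts
    with whitespace inherits the owner name of the previous record."""
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), zone_text)
    owner = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)
        # fields: ttl type [rdata...]; RRSIG rdata is
        # type_covered alg labels orig_ttl expiration inception keytag signer sig
        if len(fields) > 7 and fields[1] == "RRSIG":
            yield owner, fields[2], rrsig_timestamp(fields[6]), rrsig_timestamp(fields[7])

def check_lifetimes(zone_text, now=NOW, min_lifetime=MIN_LIFETIME):
    """Return one (owner, type_covered, remaining_seconds, ok) tuple per RRSIG."""
    results = []
    for owner, covered, expiration, _inception in parse_rrsigs(zone_text):
        remaining = int((expiration - now).total_seconds())
        results.append((owner, covered, remaining, remaining >= min_lifetime))
    return results

if __name__ == "__main__":
    for owner, covered, remaining, ok in check_lifetimes(SIGNED_ZONE):
        status = "ok" if ok else "Error: DNSSEC signature expires too soon"
        print(f"{status}: {owner} {covered} remaining={remaining}s")
```

On the post's record this reports 265113 seconds of remaining validity, far short of the 1296000 the -i option asked for, which is exactly the mismatch the post describes.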
