dnssec-signzone and jitter bug... still

Paul Wouters paul at xelerance.com
Tue Nov 1 22:13:21 UTC 2011


On Tue, 1 Nov 2011, Paul Wouters wrote:

> There have been discussions in the past over this, but we were once again
> bitten by this dnssec-signzone bug:
>
> Tue Nov  1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone
> -C -u -r /dev/random -t -o openswan.org  -f /var/tmp/openswan.org.sign.tmp
> -i 1296000  -e +2592000 -j 1296000  -k Kopenswan.org.+005+07398
> /var/tmp/dnsx_sign_domain_openswan.org.31202 Kopenswan.org.+005+64562
>
> Error: DNSSEC signature has expired for openswan.org.	AAAA
>
> This signature expires on Nov 4, in three(!) days. The signature was
> generated on Oct 8, and all this time dnssec-signzone thinks it is valid to
> retain it, while clearly being outside the -i interval window.
>
> I again have to conclude that jittering is not correctly implemented. It
> seems jittering is done AFTER determining the valid start/end times via the
> -s/-e/-i options.
>
> To me, the above signing command means "all RRSIGs should be valid from -1h
> to at the very least +1296000 seconds and at most +2592000 seconds, spread
> out".
>
> Currently however, it seems a valid end time is (minimum lifetime) -
> (jitter), which in my case means "0" if you want to jitter between +2w and
> +4w.
>
> This is dnssec-signzone from 9.7.3

I just confirmed this bug with 9.9.0a3 as well.

Paul
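The following is an added example, not part of this thread and not BIND code. It is the pre-publication check a practitioner would run over the output of dnssec-signzone to catch the situation Paul describes: an RRSIG that was retained although it expires inside the -i interval. It also carries through the -e/-j/-i arithmetic from the post. Assumptions: the zone snippet is constructed (key tag and signer copied from the post, signature data is a placeholder), the parser only handles presentation-format zones with one RR per line, and -j is taken to shorten the signature lifetime by up to the jitter value, which is the behaviour the post describes.

```python
"""Added example (not from the bind-users thread or from BIND): a pre-publication
check of a signed zone against the re-sign window that the dnssec-signzone
-i interval is expected to guarantee, plus the -e/-j/-i arithmetic from the
post. The zone snippet is constructed; the three numbers are the post's."""
import re
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y%m%d%H%M%S"   # RRSIG presentation-format timestamps (UTC)

# Constructed sample zone in presentation format, one RR per line. The AAAA
# RRSIG expires 2011-11-04, the A RRSIG 2011-11-26; key tag and signer are
# taken from the post, the signature field is a placeholder.
SAMPLE_ZONE = """\
openswan.org.  3600  IN  AAAA  2001:db8::1
openswan.org.  3600  IN  RRSIG AAAA 5 2 3600 20111104120000 20111008120000 64562 openswan.org. c2lnbmF0dXJl
openswan.org.  3600  IN  A     192.0.2.1
openswan.org.  3600  IN  RRSIG A 5 2 3600 20111126120000 20111027120000 64562 openswan.org. c2lnbmF0dXJl
"""

# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S+)$"
)


def parse_ts(ts: str) -> datetime:
    """Parse a 14-digit RRSIG timestamp as UTC."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str):
    """Return one dict per RRSIG line; every other RR type is ignored."""
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append(m.groupdict())
    return sigs


def expiring_within(zone_text: str, now_ts: str, interval: int):
    """RRSIGs that expire at or before now + interval seconds.

    This is the retention rule the post expects from -i: a signature that
    expires after now + interval is kept, anything else is due for re-signing.
    Run over the output of dnssec-signzone, a non-empty result is exactly the
    "retained although inside the window" case reported in the thread.
    """
    cutoff = parse_ts(now_ts) + timedelta(seconds=interval)
    return [
        (s["owner"], s["covered"], s["expiration"])
        for s in parse_rrsigs(zone_text)
        if parse_ts(s["expiration"]) <= cutoff
    ]


def jittered_expiry_bounds(signed_ts: str, end: int, jitter: int):
    """Earliest and latest expiration for a signature made at signed_ts with
    -e +end -j jitter, assuming (as the post describes) that -j shortens the
    lifetime by up to jitter seconds: [signed + end - jitter, signed + end]."""
    t = parse_ts(signed_ts)
    lo = t + timedelta(seconds=end - jitter)
    hi = t + timedelta(seconds=end)
    return lo.strftime(TS_FMT), hi.strftime(TS_FMT)


def min_retention_slack(end: int, jitter: int, interval: int) -> int:
    """Seconds for which the shortest-lived jittered signature stays outside the
    -i window right after signing: (end - jitter) - interval. The post's values
    give 0, i.e. the shortest-lived signatures are due for re-signing at once."""
    return (end - jitter) - interval


if __name__ == "__main__":
    NOW = "20111101121128"                                # signing run from the post
    INTERVAL, END, JITTER = 1296000, 2592000, 1296000     # -i, -e, -j from the post
    for owner, covered, exp in expiring_within(SAMPLE_ZONE, NOW, INTERVAL):
        print(f"inside -i window, must be re-signed: {owner} {covered} expires {exp}")
    print("jittered expiry range for a signature made on Oct 8:",
          jittered_expiry_bounds("20111008120000", END, JITTER))
    print("retention slack with the post's -e/-j/-i:",
          min_retention_slack(END, JITTER, INTERVAL), "seconds")
```

With the post's numbers the AAAA signature (expiring Nov 4) is reported as inside the 15-day window on the Nov 1 run, the Oct 8 signature could legitimately have been given any expiry between Oct 23 and Nov 7, and the retention slack comes out at 0, which is the "(minimum lifetime) - (jitter)" problem the post points at. For a real zone, feed the file dnssec-signzone wrote (the -f target) rather than the embedded sample; records written in the multi-line parenthesised form must be normalised to one RR per line first, since the parser here does not handle them.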


