dnssec-signzone and jitter bug... still

Paul Wouters paul at xelerance.com
Tue Nov 1 22:52:34 UTC 2011


On Tue, 1 Nov 2011, Paul Wouters wrote:

>> There have been discussions in the past over this, but we were once again 
>> bitten by this dnssec-signzone bug:
>> 
>> Tue Nov  1 12:11:28 2011 signDomain: sign command: 
>> /usr/sbin/dnssec-signzone -C -u -r /dev/random -t -o openswan.org  -f 
>> /var/tmp/openswan.org.sign.tmp -i 1296000  -e +2592000 -j 1296000  -k 
>> Kopenswan.org.+005+07398 /var/tmp/dnsx_sign_domain_openswan.org.31202 
>> Kopenswan.org.+005+64562
>
>> Error: DNSSEC signature has expired for openswan.org.	AAAA
>
>> This signature expires at Nov 4, in three(!) days. The signature was
>> generated on Oct 8, and all this time dnssec-signzone thinks it is valid to
>> retain it, while clearly being outside the -i interval window.
>> 
>> I again have to conclude that jittering is not correctly implemented. It
>> seems jittering is done AFTER determining the valid start/end times via the
>> -s/-e/-i options.
>> 
>> To me, the above signing command means "all RRSIGs should be valid from
>> -1h to at the very least +1296000 seconds and at most +2592000 seconds,
>> spread out"
>> 
>> Currently, however, it seems a valid end time is (minimum lifetime) -
>> (jitter), which in my case means "0" if you want to jitter between +2w and
>> +4w.
>> 
>> This is dnssec-signzone from 9.7.3
>
> I just confirmed this bug with 9.9.0a3 as well.

My issue is resolved with the following patch. (The cycle variable contains
the value of the dnssec-signzone -i option.)

--- ./bin/dnssec/dnssec-signzone.c	2011-11-01 18:39:53.000000000 -0400
+++ ./bin/dnssec/dnssec-signzone.c.new	2011-11-01 18:41:16.000000000 -0400
@@ -537,10 +537,7 @@

  		key = keythatsigned(&rrsig);
  		sig_format(&rrsig, sigstr, sizeof(sigstr));
-		if (key != NULL && issigningkey(key))
-			expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
-		else
-			expired = isc_serial_gt(now, rrsig.timeexpire);
+		expired = isc_serial_gt(now + cycle, rrsig.timeexpire);

  		if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
  			/* rrsig is dropped and not replaced */
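Review bot: removing the `else` branch changes the handling of RRSIGs whose key is not an active signing key (`key == NULL` or `!issigningkey(key)`), and that branch is also the only one that can produce the reported symptom: for a signing key the existing test `isc_serial_gt(now + cycle, rrsig.timeexpire)` would already have flagged an RRSIG with three days left under `-i 1296000`, so the AAAA signature in the log must have been classed as not coming from a signing key. The patch therefore masks the question of why that key was classed that way instead of answering it, and for a key the run genuinely cannot sign with, the RRSIG is now flagged `expired` up to `cycle` seconds before it actually expires even though nothing can regenerate it; what the code does with that flag is not shown in this hunk, but the `/* rrsig is dropped and not replaced */` comment right below suggests it is worth checking that a still-valid signature is not discarded early during a key rollover. Suggest keeping both branches and first establishing why `issigningkey()` (or `keythatsigned()`) did not recognise the key behind the AAAA RRSIG on that run; if the uniform `now + cycle` test is kept on purpose, say so in the commit message, since it is a behaviour change for published-but-not-signing keys.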

I don't understand exactly what the code was trying to do. Perhaps it tried to
roll keys faster? In which case it might need now + cycle + something to keep
that logic intact compared to non-key records.

Paul
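To make the interaction of -e, -j and -i concrete, here is a small Python model of the refresh decision discussed above. It is an added example, not BIND code and not part of Paul's message: it reproduces the two-branch test from the quoted hunk and the patched single test, uses RFC 1982 serial comparison on 32-bit timestamps as isc_serial_gt does, and takes the jitter semantics from the post (expiry reduced by a random 0..JITTER seconds per RRSIG). The times of day for the Oct 8 / Nov 1 / Nov 4 case are constructed, since the post gives only the dates and the Nov 1 run time; the worst-case-validity bound and the simulation are this example's own simplification (one re-signing run every fixed period, all keys active).

```python
"""Model of the dnssec-signzone RRSIG refresh decision (added example, not BIND code).

Assumed semantics, as described in the post above:
  -e +END    expiry = signing time + END
  -j JITTER  expiry is reduced by a random 0..JITTER seconds for each RRSIG
  -i CYCLE   an RRSIG from an active signing key is regenerated once
             now + CYCLE passes its expiry (the `if` branch of the hunk);
             an RRSIG from any other key only once now itself passes it (the `else`).
Timestamps are 32-bit and compared with RFC 1982 serial arithmetic.
"""
import random
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b' on 32-bit serials (RRSIG times wrap in 2106), like isc_serial_gt."""
    a &= MASK32
    b &= MASK32
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def jittered_expiry(signed_at: int, end_offset: int, jitter: int, rng: random.Random) -> int:
    """Expiry of one RRSIG under -e +end_offset -j jitter (assumed semantics)."""
    return (signed_at + end_offset - rng.randint(0, jitter)) & MASK32


def needs_resign_original(now: int, expire: int, cycle: int, from_signing_key: bool) -> bool:
    """The two-branch test that the quoted patch removes."""
    if from_signing_key:
        return serial_gt(now + cycle, expire)
    return serial_gt(now, expire)


def needs_resign_patched(now: int, expire: int, cycle: int) -> bool:
    """The single test the patch leaves behind, applied to every RRSIG."""
    return serial_gt(now + cycle, expire)


def thread_case() -> dict:
    """The RRSIG from the quoted log: signed Oct 8, expiring Nov 4, examined Nov 1
    with -i 1296000.  Times of day are constructed; the post gives only dates."""
    def ts(*ymdhms):
        return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())

    now = ts(2011, 11, 1, 12, 11, 28)
    expire = ts(2011, 11, 4, 12, 11, 28)
    cycle = 1296000
    return {
        "signing_key_branch": needs_resign_original(now, expire, cycle, True),
        "other_key_branch": needs_resign_original(now, expire, cycle, False),
        "patched": needs_resign_patched(now, expire, cycle),
    }


def worst_case_remaining(end_offset: int, jitter: int, cycle: int, resign_period: int) -> int:
    """Least validity (seconds) any RRSIG can have just before a re-signing run under the
    `if` branch, with a run every resign_period seconds: a fresh RRSIG has at least
    end_offset - jitter left, a kept one at least cycle, and both decay by resign_period."""
    return min(cycle, end_offset - jitter) - resign_period


def simulate(end_offset: int, jitter: int, cycle: int, resign_period: int,
             runs: int, nrrsets: int = 200, seed: int = 1) -> int:
    """Re-sign nrrsets RRSIGs (all from an active signing key) every resign_period
    seconds and return the smallest remaining validity seen just before any run."""
    rng = random.Random(seed)
    now = 0
    expiries = [jittered_expiry(now, end_offset, jitter, rng) for _ in range(nrrsets)]
    least = None
    for _ in range(runs):
        now += resign_period
        remaining = min(e - now for e in expiries)  # no 32-bit wrap in this short run
        least = remaining if least is None else min(least, remaining)
        expiries = [jittered_expiry(now, end_offset, jitter, rng)
                    if needs_resign_original(now, e, cycle, True) else e
                    for e in expiries]
    return least


if __name__ == "__main__":
    print(thread_case())
    # Paul's parameters: -e +2592000 -j 1296000 -i 1296000, assuming a daily run.
    bound = worst_case_remaining(2592000, 1296000, 1296000, 86400)
    print("bound:", bound, "simulated least:", simulate(2592000, 1296000, 1296000, 86400, runs=60))
```

Run as a script it prints the three verdicts for the Nov 1 case: the signing-key branch and the patched test both say "re-sign", the other-key branch says "keep", which is the behaviour the post reports. The bound function shows why -e, -j and -i should be chosen together: a fresh RRSIG only has END - JITTER of validity, so if that is not comfortably above CYCLE, the low end of the jitter range is refreshed again at the very next run.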



More information about the bind-users mailing list