dig +sigchase looping

[Raymond Drew Walker]

I’m experiencing an interesting issue where sometimes when performing a sigchase on a valid signed zone the command loops indefinitely when an expired RRSIG exists:

Live example:
dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A

Notes:
There is currently a valid RRSIG for this zone.
dig compiled with -DDIG_SIGCHASE=1
BIND 9.9.4

Roughly %50 of the time it returns as expected, while other times looping in such a fashion:

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired

Any particular reason this should be expected or is it bug worthy (or fixed in 9.9.5, as I didn’t see anything in the change log referring to it)?
—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140221/0a6cdbc2/attachment-0001.html>