There have been discussions in the past over this, but we were once again
bitten by this dnssec-signzone bug:
Tue Nov 1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone -C
-u -r /dev/random -t -o openswan.org -f /var/tmp/openswan.org.sign.tmp -i
1296000 -e +2592000 -j 1296000 -k Kopenswan.org.+005+07398
/var/tmp/dnsx_sign_domain_openswan.org.31202 Kopenswan.org.+005+64562
Doing a check that every signature it at least valid for 1296000 seconds:
[paul@bofh ]$ ./ldns-verify-zone -o 1296000 openswan.org.signed.new |grep Error
Error: DNSSEC signature has expired for openswan.org. AAAA
Error: DNSSEC signature has expired for openswan.org. NSEC
Error: DNSSEC signature has expired for br1.openswan.org. NSEC
Error: DNSSEC signature has expired for br2.openswan.org. A
Error: DNSSEC signature has expired for bugs.openswan.org. A
Error: DNSSEC signature has expired for git.openswan.org. NSEC
Error: DNSSEC signature has expired for ip.openswan.org. NSEC
Error: DNSSEC signature has expired for lists.openswan.org. A
Error: DNSSEC signature has expired for livetest.openswan.org. A
Error: DNSSEC signature has expired for http.livetest.openswan.org. A
Error: DNSSEC signature has expired for http.livetest.openswan.org. NSEC
Error: DNSSEC signature has expired for secure.livetest.openswan.org. NSEC
Error: DNSSEC signature has expired for mi6.openswan.org. A
Error: DNSSEC signature has expired for mi6.openswan.org. NSEC
Error: DNSSEC signature has expired for nso.openswan.org. NSEC
Error: DNSSEC signature has expired for testing.openswan.org. CNAME
Error: DNSSEC signature has expired for tests.openswan.org. CNAME
Error: DNSSEC signature has expired for tests.openswan.org. NSEC
Error: DNSSEC signature has expired for tla.openswan.org. A
Error: DNSSEC signature has expired for tla.openswan.org. NSEC
Error: DNSSEC signature has expired for tla.openswan.org. NSEC
Error: DNSSEC signature has expired for uml.openswan.org. NSEC
Error: DNSSEC signature has expired for unknown.openswan.org. NSEC
Error: DNSSEC signature has expired for wikki.openswan.org. NSEC
Error: DNSSEC signature has expired for www.openswan.org. A
Picking the first error from the signed zone file:
7200 AAAA 2001:888:2003:1004:c2ff:eeff:fe00:195
7200 RRSIG AAAA 5 2 7200 20111104135001 (
20111008053610 29468 openswan.org.
LBisHS/qOuZpE7gRkzsq2x0J3hRBtAyxoqlw
FP3tz4q4MxTEdcotjYvQFKtzRXkTESEGPVYd
XPWE7xxFfgA3nvxVy9vqoZRVmW322Fv1ODGb
qyO4XGZVk1BhNchO5jnTGY0PdbX5ab7kxa9j
XEokDIqEq1oKsZehRfVaN1KRWYA= )
This signature expires at Nov 4, in three(!) days. The signature was generated
on Oct 8,
and all this time dnssec-signzone thinks it is valid to retain it, while
clearly being
outside the -i interval window.
I again have to conclude that jittering is not correctly implemented. It seems
jittering
is done AFTER determining the valid start/end times via the -s/-e/-i options.
To me, the above signing commands means "all RRSIGs should be valid from -1h to
at the
very least +1296000 seconds and at most +2592000 seconds, spread out"
Currently however, it seems a valid end time is (minimum lifetime) - (jitter),
which in my
case means "0" if you want to jitter between +2w and +4w.
This is dnssec-signzone from 9.7.3
Paul
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
