Hi: I'm currently testing a feature in OpenDNSSEC to generate identical signed zones starting from identical input (keys and policy as well). The idea is to eliminate the random jitter and expiration and to generate a discrete jitter function based on the relative order of the RRset being signed in the input zone.
Anyway, while testing this idea, we found a corner case. The policy indicates Jitter of 2 days, a default Validity of 12 hours and denial validity of 24 hours. ods-kaspcheck complains with a warning, but it should be treated as an error. The reason is, after making the change and before checking with ods-kaspcheck, my signer started to die unexpectedly with the message:

    Jul 8 14:49:31 srsov-sebastian1 ods-signerd: Error while signing: [Errno 32] Broken pipe

Running the signer from command line returned $? == 1 and no error message. In the output file used by the signer, you can read:

    ; signing failed: DNSSEC signature has expiration date earlier than inception date

which totally makes sense: if the signature expiration is calculated as now + validity +/- rand( jitter ), the probability of creating an expiration value lower than inception is equal to ( jitter - validity / jitter ).

Now, back to test the functionality ;D

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
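The failure mode described in the post can be reproduced and checked independently of the signer. The following is an added example, not code from the post or from OpenDNSSEC: it models the expiration as now + validity + offset, assumes (this is an assumption, not taken from the post) that the jitter offset is drawn uniformly from [-jitter, +jitter] in whole seconds, and that inception equals now. Under those assumptions it computes the exact fraction of signatures whose expiration lands before inception, confirms it by simulation, and implements the policy check the post argues ods-kaspcheck should treat as an error (jitter at least as large as the validity). The policy values (jitter 2 days, validity 12 hours, denial validity 24 hours) are the ones quoted in the post.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SignaturePolicy:
    """Signature lifetime parameters, in seconds."""
    name: str       # label for the report, e.g. "default" or "denial"
    validity: int   # how long an RRSIG is valid after inception
    jitter: int     # expiration is shifted by an offset in [-jitter, +jitter] (assumed model)


def signature_window(now, policy, jitter_offset):
    """Return (inception, expiration) for one RRSIG under the assumed model.

    inception is taken to be `now`; expiration is now + validity + offset.
    """
    inception = now
    expiration = now + policy.validity + jitter_offset
    return inception, expiration


def fraction_invalid(policy):
    """Exact fraction of offsets in the continuous range [-jitter, jitter]
    that give expiration < inception, i.e. offset < -validity."""
    if policy.jitter <= 0:
        return 0.0
    bad_span = max(0, policy.jitter - policy.validity)
    return bad_span / (2 * policy.jitter)


def simulate_invalid(policy, draws=20000, seed=1):
    """Monte Carlo estimate of fraction_invalid() using integer-second offsets."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    bad = 0
    for _ in range(draws):
        offset = rng.randint(-policy.jitter, policy.jitter)
        inception, expiration = signature_window(0, policy, offset)
        if expiration < inception:
            bad += 1
    return bad / draws


def check_policy(policy):
    """Return a list of problems; an empty list means the policy is safe
    under the assumed model. Jitter >= validity is reported as an error
    because some draws will produce expiration before inception."""
    problems = []
    if policy.validity <= 0:
        problems.append(f"{policy.name}: validity must be positive")
    if policy.jitter < 0:
        problems.append(f"{policy.name}: jitter must not be negative")
    if policy.jitter >= policy.validity > 0:
        problems.append(
            f"{policy.name}: jitter ({policy.jitter}s) >= validity ({policy.validity}s); "
            f"{fraction_invalid(policy):.1%} of signatures would expire before inception"
        )
    return problems


# Constructed from the values quoted in the post.
POST_DEFAULT = SignaturePolicy("default", validity=12 * 3600, jitter=2 * 86400)
POST_DENIAL = SignaturePolicy("denial", validity=24 * 3600, jitter=2 * 86400)
SAFE_POLICY = SignaturePolicy("safe", validity=7 * 86400, jitter=3600)


if __name__ == "__main__":
    for policy in (POST_DEFAULT, POST_DENIAL, SAFE_POLICY):
        print(f"{policy.name}: exact={fraction_invalid(policy):.3f} "
              f"simulated={simulate_invalid(policy):.3f}")
        for problem in check_policy(policy) or [f"{policy.name}: ok"]:
            print("  ", problem)
```

With the post's values the default policy invalidates 3/8 of all signatures and the denial policy 1/4 under the uniform assumption, which matches the signer dying shortly after the change rather than on every run.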