On 12/23/2011 09:47 AM, Rickard Bellgrim wrote:
OpenDNSSEC uses Unix time for its calculations. So only seconds are
handled. The real conversion is done within ldns. I will check that it
is like this.

This is the summary of the calculations in OpenDNSSEC.

******

/* All values are Unix time (seconds). */
time_t signtime = now();
time_t jitter = duration2time(sc->sig_jitter);
time_t validity = 0;
/* random offset in [0, 2*jitter); combined with "- jitter" below this
 * spreads the expiration evenly over [-jitter, +jitter] around the
 * nominal value */
time_t random_jitter = ods_rand(jitter*2);

/* denial-of-existence records (NSEC/NSEC3) use their own validity */
if (rrtype == LDNS_RR_TYPE_NSEC || rrtype == LDNS_RR_TYPE_NSEC3) {
  validity = duration2time(sc->sig_validity_denial);
} else {
  validity = duration2time(sc->sig_validity_default);
}

time_t expiration = (signtime + validity + random_jitter) - jitter;

******

duration2time just converts years, months, days, hours, and minutes
into seconds. 1 year == 365 days. 1 month = 31 days.

So the calculation is only in Unix time. The result is handed over to
ldns_rr_rrsig_set_expiration() via ldns_native2rdf_int32().

Either the problem is in the incoming configuration or in ldns.

I am not seeing this behavior with ldns 1.6.10, 20120103022921
20111221021001. Will try with 1.6.11.

It also looks ok with 1.6.11, 20120101043200 20111223070542.

What does your signconf look like according to syslog? grep for
"signconf" and you will see a line with the values the Signer Engine
is using.


Ah yes, I see.

2011-12-23T08:36:44+01:00 christine ods-signerd: [signconf] zone tomhendrikx.nl signconf: RESIGN[PT7200S] REFRESH[PT777600S] VALIDITY[PT864000S] DENIAL[PT864000S] JITTER[P] OFFSET[P] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter] AUDIT[1]

kasp.xml for this zone is attached, and gives other values for refresh, validity and denial. Running 'ods-ksmutil update all' outputs 'ods-enforcerd: No change to: /var/lib/opendnssec/signconf/tomhendrikx.nl.xml', but the signconf xml does have the values as listed in the signconf log line above, and not the values from kasp.xml.

--
Tom
<?xml version="1.0" encoding="UTF-8"?>
<KASP>
	<Policy name="sidn">
		<Description>Policy for zones that have SIDN (Dutch TLD Registry, .nl) as upstream</Description>
		<Signatures>
			<Resign>PT2H</Resign>
			<Refresh>P9D</Refresh>
			<Validity>
				<Default>P10D</Default>
				<Denial>P10D</Denial>
			</Validity>
			<Jitter>PT0S</Jitter>
			<InceptionOffset>PT0S</InceptionOffset>
		</Signatures>

		<Denial>
			<NSEC3>
				<Resalt>P100D</Resalt>
				<Hash>
					<Algorithm>1</Algorithm>
					<Iterations>5</Iterations>
					<Salt length="8"/>
				</Hash>
			</NSEC3>
		</Denial>

		<Keys>
			<TTL>PT3600S</TTL>
			<RetireSafety>PT3600S</RetireSafety>
			<PublishSafety>PT3600S</PublishSafety>
			<Purge>P2D</Purge>
			<KSK>
				<Algorithm length="4096">8</Algorithm>
				<Lifetime>P2Y</Lifetime>
				<Repository>SoftHSM</Repository>
			</KSK>
			<ZSK>
				<Algorithm length="1024">8</Algorithm>
				<Lifetime>P30D</Lifetime>
				<Repository>SoftHSM</Repository>
			</ZSK>
		</Keys>

		<Zone>
			<PropagationDelay>PT3600S</PropagationDelay>
			<SOA>
				<TTL>PT3600S</TTL>
				<Minimum>PT3600S</Minimum>
				<Serial>datecounter</Serial>
			</SOA>
		</Zone>

		<Parent>
			<PropagationDelay>PT7200S</PropagationDelay>
			<DS>
				<TTL>PT7200S</TTL>
			</DS>
			<SOA>
				<TTL>PT7200S</TTL>
				<Minimum>PT900S</Minimum>
			</SOA>
		</Parent>

		<Audit>
		</Audit>
	</Policy>
	<!-- snipped out other policy -->
</KASP>
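As an added example (not code from this thread and not OpenDNSSEC's own duration2time), the following C reimplements the duration arithmetic Rickard summarises above, with his stated conventions of 1 year == 365 days and 1 month == 31 days, so the durations in the attached kasp.xml can be converted to seconds and compared against the PT...S values in the signconf syslog line. The function names and the -1 error return are my own choices; a bare "P" with no components, as printed for JITTER and OFFSET in that line, is treated as malformed rather than as zero.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical reimplementation of duration2time: parse an ISO 8601
 * duration (PnYnMnDTnHnMnS) into seconds using 1Y = 365 days and
 * 1M = 31 days (before 'T') or 1 minute (after 'T').
 * Returns -1 when the input is not a duration, e.g. "" or a bare "P". */
long duration_to_seconds(const char *s)
{
    if (*s++ != 'P') return -1;
    int in_time = 0, seen = 0;
    long total = 0;
    while (*s) {
        if (*s == 'T') { in_time = 1; s++; continue; }
        if (!isdigit((unsigned char)*s)) return -1;
        char *end;
        long n = strtol(s, &end, 10);
        long unit;
        switch (*end) {
        case 'Y': unit = 365L * 86400; break;
        case 'M': unit = in_time ? 60 : 31L * 86400; break;
        case 'D': unit = 86400; break;
        case 'H': unit = 3600; break;
        case 'S': unit = 1; break;
        default:  return -1;          /* unknown designator or missing one */
        }
        total += n * unit;
        seen = 1;
        s = end + 1;
    }
    return seen ? total : -1;
}

/* RRSIG expiration exactly as in the summary: nominal signtime + validity,
 * moved by random_jitter in [0, 2*jitter) and pulled back by jitter, so the
 * result lies in [nominal - jitter, nominal + jitter). With Jitter PT0S the
 * expiration is simply signtime + validity. */
time_t rrsig_expiration(time_t signtime, time_t validity,
                        time_t jitter, time_t random_jitter)
{
    return (signtime + validity + random_jitter) - jitter;
}

int main(void)
{
    /* Values from the attached kasp.xml; compare with REFRESH[PT777600S]
     * and VALIDITY[PT864000S] in the signconf line. */
    printf("P9D  = %ld s\n", duration_to_seconds("P9D"));   /* prints 777600 */
    printf("P10D = %ld s\n", duration_to_seconds("P10D"));  /* prints 864000 */
    return 0;
}
```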
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user