Hi Sebastian

On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
> ([email protected]) wrote:
>> When I run unbound-host, I get no errors,
>> ./unbound-host www.wilda.nsec.0skar.cz -f root.key -v -t A
>> www.wilda.nsec.0skar.cz has address 85.239.227.179 (secure)
>>
>> Unbound performs serial arithmetic on the timestamps in the rrsig,
>> according to RFC.
>>
>> (What does that mean? The timestamps are 32-bit in the RRSIG, but the
>> value is interpreted relative to the current date. And what you cannot
>> do is express something like a point more than some number of years
>> future or past.)
>>
>> Best regards, Wouter
>
> Hello Wouter,
>
> Thanks for the insight. Maybe this has something to do with the platform?

Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
succeed with a small code change together with the removal of -O2
(disabling clang's optimizer).

The code change is instead of
    if(incep - expi > 0) ..fail..
it now has
    var=incep-expi; if(var > 0) ..fail..

Clang's optimizer seems to take the wrong branch in the if statement. If
I print out the value calculated, I get the correct output. Something like
    if(!((incep-expi)&0x80000000)) ..fail..
does not trick the optimizer into taking the right branch.

The code change is in the code repository.

    CFLAGS=-g ./configure

This disables -O2 as well, with the current version of unbound.

Or as a workaround, maybe ignore this, perhaps with domain-insecure,
because it seems to only happen for the int32_t values of
(1391084010 - -823674496 > 0). And 2080 is uncommon in RRSIG timestamps.

Best regards, Wouter

> CentOS 6.9:
>
> $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
>
> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
>
> flexi.oskarcz.net has address 85.239.227.179 (secure)
>
>
> MacOS 10.13.2 (High Sierra):
>
> $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
> www.wilda.nsec.0skar.cz
>
> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> (security failure))
>
> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>
> validation failure <www.wilda.nsec.0skar.cz. A IN>: signature
> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
> while building chain of trust
>
>
> FreeBSD 11.1:
>
> $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
> www.wilda.nsec.0skar.cz
>
> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> (security failure))
>
> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>
> validation failure <www.wilda.nsec.0skar.cz. A IN>: signature
> inception after expiration from 2001:1528:132:70::1 for key
> nsec.0skar.cz. while building chain of trust
>
>
> Kind Regards
>
> Sebastian
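Added example, not part of the original message and not Unbound's code: the inception/expiration comparison discussed above, written with unsigned 32-bit wraparound as RFC 1982 serial arithmetic defines it. Overflow in the signed int32_t expression `incep - expi > 0` is undefined behaviour in C, which lets an optimizer treat it as `incep > expi`; the function names and the `now` value below are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 comparison of 32-bit serial numbers: a is "after" b when the
 * unsigned difference a - b (mod 2^32) lies in 1 .. 2^31 - 1.
 * Unsigned wraparound is defined behaviour, so the result cannot depend
 * on the compiler or the optimization level. */
static int serial_after(uint32_t a, uint32_t b)
{
    uint32_t d = a - b;
    return d != 0 && d < UINT32_C(0x80000000);
}

/* What `a - b > 0` on int32_t means when overflow is assumed never to
 * happen: a plain integer comparison. Done in 64 bits to stay defined. */
static int signed_math_after(int32_t a, int32_t b)
{
    return (int64_t)a - (int64_t)b > 0;
}

/* Hypothetical validity check (names are assumptions of this example). */
enum rrsig_date { DATE_OK, DATE_INCEP_AFTER_EXPI, DATE_NOT_YET, DATE_EXPIRED };

static enum rrsig_date rrsig_check_dates(uint32_t incep, uint32_t expi,
                                         uint32_t now)
{
    if (serial_after(incep, expi)) return DATE_INCEP_AFTER_EXPI;
    if (serial_after(incep, now))  return DATE_NOT_YET;
    if (serial_after(now, expi))   return DATE_EXPIRED;
    return DATE_OK;
}

int main(void)
{
    /* Values from the thread: 1391084010 and -823674496 as int32_t, which
     * is 3471292800 unsigned. "now" is constructed (mid-December 2017). */
    uint32_t incep = UINT32_C(1391084010), expi = UINT32_C(3471292800);
    uint32_t now = UINT32_C(1513330000);

    printf("signed math, inception after expiration: %d\n",
           signed_math_after(1391084010, -823674496));
    printf("serial arithmetic, same question:        %d\n",
           serial_after(incep, expi));
    printf("rrsig_check_dates: %d (0 means valid)\n",
           (int)rrsig_check_dates(incep, expi, now));
    return 0;
}
```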
