Hi,

Thanks so much for finding the problem. I've recompiled unbound with GNU gcc for now. It seemed like the simplest solution. I never would have thought that the access to an internet service (to the end user) could be broken because of a compiler optimisation. Still so many things have to go "wrong" for this to happen.

Will this be reported to the clang developers?

Regards,
Sebastian

On 15 December 2017 at 8:50:14 pm, W.C.A. Wijngaards via Unbound-users ([email protected]) wrote:
> Hi,
>
> Wait, no, just CFLAGS=-g ./configure disables -O2, but you also need the
> code change. So that won't work as a workaround.
>
> Best regards, Wouter
>
> On 15/12/17 11:40, W.C.A. Wijngaards via Unbound-users wrote:
> > Hi Sebastian
> >
> > On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
> >> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
> >> ([email protected] ) wrote:
> >>> When I run unbound-host, I get no errors,
> >>> ./unbound-host www.wilda.nsec.0skar.cz -f root.key -v -t A
> >>> www.wilda.nsec.0skar.cz has address 85.239.227.179 (secure)
> >>>
> >>> Unbound performs serial arithmetic on the timestamps in the rrsig,
> >>> according to RFC.
> >>>
> >>> (What does that mean? The timestamps are 32bit in the RRSIG, but the
> >>> value is interpreted relative to the current date. And what you cannot
> >>> do is express something like a point more than some number of years
> >>> future or past.)
> >>>
> >>> Best regards, Wouter
> >>
> >> Hello Wouter,
> >>
> >> Thanks for the insight. Maybe this has something to do with the platform?
> >
> > Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
> > succeed with a small code change together with the removal of -O2
> > (disabling clang's optimizer).
> >
> > The code change is instead of if(incep - expi > 0) ..fail.. it now has
> > var=incep-expi; if(var > 0) ..fail..
> >
> > Clang's optimizer seems to take the wrong branch in the if statement. If
> > I print out the value calculated, I get the correct output. Something
> > like if(!((incep-expi)&0x80000000)) ..fail.. does not trick the
> > optimizer into taking the right branch.
> >
> > The code change is in the code repository.
> >
> > CFLAGS=-g ./configure
> > This disables -O2 as well, with the current version of unbound.
> >
> > Or as a workaround, maybe ignore this, perhaps with domain-insecure,
> > because it seems to only happen for the int32_t values of (1391084010 -
> > -823674496 > 0). And 2080 is uncommon in RRSIG timestamps.
> >
> > Best regards, Wouter
> >
> >>
> >> CentOS 6.9:
> >>
> >> $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (secure)
> >>
> >>
> >> MacOS 10.13.2 (High Sierra):
> >>
> >> $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
> >> www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> >> (security failure))
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> >>
> >> validation failure : signature
> >> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
> >> while building chain of trust
> >>
> >>
> >> FreeBSD 11.1:
> >>
> >> $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
> >> www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> >> (security failure))
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> >>
> >> validation failure : signature
> >> inception after expiration from 2001:1528:132:70::1 for key
> >> nsec.0skar.cz. while building chain of trust
> >>
> >>
> >> Kind Regards
> >>
> >> Sebastian
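The inception/expiration comparison discussed in this thread, as an added example that is not Unbound's code and not written by anyone in the thread. It does the RFC 1982 serial comparison in unsigned arithmetic, where wraparound is defined, and contrasts it with the result a compiler may reach when it assumes the signed `incep - expi` cannot overflow (signed overflow is undefined in C). The helper names are hypothetical; the two timestamp values are the ones quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration; helper names are hypothetical, not Unbound's API. */

/* RFC 1982 serial "greater than" on 32-bit values. Unsigned subtraction
 * wraps modulo 2^32 by definition, so the optimizer has no undefined
 * behaviour to reason from. A difference of exactly 2^31 is left
 * undefined by RFC 1982; it is treated as "not greater" here. */
static int serial_gt(uint32_t a, uint32_t b)
{
    uint32_t diff = a - b;
    return diff != 0 && diff < 0x80000000u;
}

/* Returns 1 when the RRSIG validity window is inverted. */
static int inception_after_expiration(uint32_t incep, uint32_t expi)
{
    return serial_gt(incep, expi);
}

/* What `incep - expi > 0` becomes if the compiler assumes int32_t
 * subtraction never overflows: a plain signed comparison. Computed in
 * 64 bits so this example itself stays free of overflow. */
static int no_overflow_assumption_gt(int32_t incep, int32_t expi)
{
    return (int64_t)incep - (int64_t)expi > 0;
}

int main(void)
{
    /* Values from the thread: 1391084010 and -823674496 as int32_t. */
    int32_t incep_s = 1391084010;
    int32_t expi_s = -823674496;
    /* The same bit patterns as unsigned 32-bit wire values. */
    uint32_t incep = 1391084010u;
    uint32_t expi = 3471292800u; /* -823674496 + 2^32 */

    printf("serial arithmetic: inverted=%d\n",
           inception_after_expiration(incep, expi));
    printf("no-overflow view:  inverted=%d\n",
           no_overflow_assumption_gt(incep_s, expi_s));
    return 0;
}
```

With the thread's values the serial comparison reports a valid window, while the no-overflow reading reports "inception after expiration", matching the BOGUS result seen on the clang-built platforms.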
