Strange tiny time limit RRSIG

Evan Hunt each at isc.org
Fri Aug 14 17:01:09 UTC 2009


> But I am getting the error that the signature is *expired*. Not that it is
> being replaced because its only valid for 15 days - 1 hour in the future.

It would look that way.  I think the message you're seeing comes from here:

                vbprintf(2, "\trrsig by %s dropped - %s\n",
                         sigstr,
                         expired ? "expired" :
                                   "failed to verify");

Does that look right?

"expired" is a boolean which is set earlier in the code:

                if (key != NULL && issigningkey(key))
                        expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
                else
                        expired = isc_serial_gt(now, rrsig.timeexpire);

"cycle" is the -i interval, so in your case it's checking whether
rrsig.timeexpire is less than fifteen days from now, and if it is, it
will claim to be dropping the signature because it's expired.

We could clarify the log message, I guess.

> But I want to re-use signatures and use jitter.

That's fine, but the jitter window and cycle interval are both larger
than they need to be.  The default cycle interval is a 7.5 days (one
quarter of 30 days, which is the default signature validity interval),
so if you dropped the -i argument, you wouldn't be seeing this issue.
There still might be a signature with an expiry time 15 days in the future,
but it wouldn't be dropped until 7.5 days from now.

Or, if you kept the -j option but scaled it down, to say 20 days instead
of 30, then the earlist expiration times would be 20 days from now instead
of 15, so the -i flag wouldn't hit them for five days.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.



More information about the bind-users mailing list