auto-dnssec resign timers

Niobos niobos at dest-unreach.be
Fri Sep 17 09:44:07 UTC 2010


Hi,

I'm experimenting with the auto-dnssec feature of bind 9.7.0-P1. I know
it's outdated; I did skim over the changelog up until 9.7.2rc2, and
didn't find anything that seems like this issue.

This query demonstrates the issue:
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec SOA dnssec.dest-unreach.be
@imset.org +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8632
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.dest-unreach.be.		IN	SOA

;; ANSWER SECTION:
dnssec.dest-unreach.be.	86400	IN	SOA	serv02.imset.org.
hostmaster.dest-unreach.be. 55 3600 3600 172800 300
dnssec.dest-unreach.be.	86400	IN	RRSIG	SOA 7 3 86400 20100919163624
20100916153624 42614 dnssec.dest-unreach.be.
WBdpqpLCa/5cnMAThAcftrOysfdN8K594WAM+6AMyRPiEpXVF6JRqJWH
N46J3aN6BliM09bA9RxYOoClCcIsJA==

;; AUTHORITY SECTION:
dnssec.dest-unreach.be.	300	IN	NS	serv02.imset.org.
dnssec.dest-unreach.be.	300	IN	NS	sdns1.ovh.net.
dnssec.dest-unreach.be.	300	IN	RRSIG	NS 7 3 300 20100919161438
20100916153624 42614 dnssec.dest-unreach.be.
U6KZzFZecSZNEL0Wp8NxlmjgitQfXbHNt1+S85sZxm9Ti8oNiWMhESts
SmLTmos4VU2yqSo6KOq8mQ/xvoehhw==

;; ADDITIONAL SECTION:
serv02.imset.org.	86400	IN	A	94.23.24.89
serv02.imset.org.	86400	IN	AAAA	2001:41d0:2:1959:21c:c0ff:fe88:6f58

;; Query time: 7 msec
;; SERVER: 94.23.24.89#53(94.23.24.89)
;; WHEN: Fri Sep 17 11:29:14 2010
;; MSG SIZE  rcvd: 435

(the dnssec.dest-unreach.be zone is my test zone; publicly available,
but not publicly delegated)


In my opinion, BIND should have resigned this by now: The signature is
valid for a little over 2 days. This means that if the slave would
lose contact with the master right now, it will give out signatures
that will expire before their TTL does.
According to my calculations, RRSIGs should be regenerated zone-expire +
RR-ttl seconds before the RRSIG expires.

For reference, the configuration:
zone "dnssec.dest-unreach.be" {
	type master;
	file "/var/lib/bind/dnssec.dest-unreach.be.zone";
	update-policy local;
	auto-dnssec maintain;
	dnssec-secure-to-insecure yes;
	key-directory "/etc/bind/keys";
	sig-validity-interval 3;
};

And to be completely honest: the configured slave NS record doesn't
really slave this zone; but BIND shouldn't know or care.

greets,
Niobos
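
The check described in the post, written up as an added example (this is not code from the post or from BIND): it reads the SOA and RRSIG records out of a dig answer and flags every RRSIG that, by the poster's rule, should already have been regenerated, i.e. where the current time is later than `expiration - (zone-expire + RR-TTL)`. The sample answer is constructed from the records quoted in the post with the mail client's line wrapping undone, and the query time is the post's `WHEN:` line converted to UTC on the assumption that dig printed CEST (UTC+2).

```python
# Added example (not from the original post or from BIND): find RRSIGs that
# are overdue under the rule "regenerate zone-expire + RR-TTL seconds before
# expiration", so a slave that loses its master never serves a signature
# that can expire before the record's TTL does in resolver caches.
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(ts):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034, 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(dig_output):
    """Yield (owner, ttl, rtype, rdata_fields) for each RR line in dig output.

    Assumes one RR per line, which is dig's default (non +multiline) output;
    comment lines starting with ';' and blank lines are skipped.
    """
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        yield fields[0], int(fields[1]), fields[3], fields[4:]


def soa_expire(dig_output):
    """Zone 'expire' value: SOA rdata is MNAME RNAME serial refresh retry expire minimum."""
    for _owner, _ttl, rtype, rdata in parse_records(dig_output):
        if rtype == "SOA":
            return int(rdata[5])
    raise ValueError("no SOA record in answer")


def rrsig_deadlines(dig_output, zone_expire):
    """Latest moment each RRSIG should have been regenerated, keyed by covered type.

    RRSIG rdata is: type-covered alg labels orig-ttl expiration inception
    keytag signer signature; the deadline is expiration - (zone_expire + ttl).
    """
    deadlines = {}
    for _owner, ttl, rtype, rdata in parse_records(dig_output):
        if rtype != "RRSIG":
            continue
        covers, expiration = rdata[0], parse_rrsig_time(rdata[4])
        deadlines[covers] = expiration - timedelta(seconds=zone_expire + ttl)
    return deadlines


def overdue_rrsigs(dig_output, now):
    """Return {covered_type: seconds_overdue} for RRSIGs past their deadline."""
    zone_expire = soa_expire(dig_output)
    overdue = {}
    for covers, deadline in rrsig_deadlines(dig_output, zone_expire).items():
        if now > deadline:
            overdue[covers] = int((now - deadline).total_seconds())
    return overdue


# Constructed sample: the answer and authority records from the post, with
# the mail wrapping undone so each RR sits on a single line.
SAMPLE = """\
;; ANSWER SECTION:
dnssec.dest-unreach.be. 86400 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 55 3600 3600 172800 300
dnssec.dest-unreach.be. 86400 IN RRSIG SOA 7 3 86400 20100919163624 20100916153624 42614 dnssec.dest-unreach.be. WBdpqpLCa/5cnMAThAcftrOysfdN8K594WAM+6AMyRPiEpXVF6JRqJWHN46J3aN6BliM09bA9RxYOoClCcIsJA==

;; AUTHORITY SECTION:
dnssec.dest-unreach.be. 300 IN NS serv02.imset.org.
dnssec.dest-unreach.be. 300 IN NS sdns1.ovh.net.
dnssec.dest-unreach.be. 300 IN RRSIG NS 7 3 300 20100919161438 20100916153624 42614 dnssec.dest-unreach.be. U6KZzFZecSZNEL0Wp8NxlmjgitQfXbHNt1+S85sZxm9Ti8oNiWMhEStsSmLTmos4VU2yqSo6KOq8mQ/xvoehhw==
"""

# Assumption: the post's "WHEN: Fri Sep 17 11:29:14 2010" is local CEST
# (UTC+2), so the query ran at 09:29:14 UTC.
QUERY_TIME = datetime(2010, 9, 17, 9, 29, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    expire = soa_expire(SAMPLE)
    for covers, deadline in sorted(rrsig_deadlines(SAMPLE, expire).items()):
        print(f"RRSIG {covers}: resign deadline {deadline.isoformat()}")
    for covers, late in overdue_rrsigs(SAMPLE, QUERY_TIME).items():
        print(f"RRSIG {covers} is overdue by {late} seconds")
```

On the post's data only the SOA RRSIG is flagged: with zone-expire 172800 and a TTL of 86400 its deadline was 2010-09-16 16:36:24 UTC, about 17 hours before the query, while the NS RRSIG (TTL 300) is not due until 2010-09-17 16:09:38 UTC. The rule is deliberately per-RRset, since the TTL term is what differs between them.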



