dnssec-signzone and jitter bug... still

Paul Wouters paul at xelerance.com
Tue Nov 1 22:13:21 UTC 2011

On Tue, 1 Nov 2011, Paul Wouters wrote:

> There have been discussions in the past over this, but we were once again 
> bitten by this dnssec-signzone bug:
> Tue Nov  1 12:11:28 2011 signDomain: sign command: /usr/sbin/dnssec-signzone 
> -C -u -r /dev/random -t -o openswan.org  -f /var/tmp/openswan.org.sign.tmp 
> -i 1296000  -e +2592000 -j 1296000  -k Kopenswan.org.+005+07398 
> /var/tmp/dnsx_sign_domain_openswan.org.31202 Kopenswan.org.+005+64562

> Error: DNSSEC signature has expired for openswan.org.	AAAA

> This signature expires at Nov 4, in three(!) days. The signature was 
> generated on Oct 8,
> and all this time dnssec-signzone thinks it is valid to retain it, while 
> clearly being
> outside the -i interval window.
> I again have to conclude that jittering is not correctly implemented. It 
> seems jittering
> is done AFTER determining the valid start/end times via the -s/-e/-i options.
> To me, the above signing commands means "all RRSIGs should be valid from -1h 
> to at the
> very least +1296000 seconds and at most +2592000 seconds, spread out"
> Currently however, it seems a valid end time is (minimum lifetime) - 
> (jitter), which in my
> case means "0" if you want to jitter between +2w and +4w.
> This is dnssec-signzone from 9.7.3

I just confirmed this bug with 9.9.0a3 as well.


More information about the bind-users mailing list