dig +sigchase looping

Raymond Drew Walker Ray.Walker at nau.edu
Mon Feb 24 17:05:01 UTC 2014


I have verified that this also happens intermittently with dig in BIND 9.9.5 built/configured with:

STD_CDEFINES="-DDIG_SIGCHASE=1"
export STD_CDEFINES
./configure --enable-threads --enable-largefile
—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University

From: Ray Walker <ray.walker at nau.edu<mailto:ray.walker at nau.edu>>
Date: Friday, February 21, 2014 at 4:28 PM
To: "bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>" <bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>>
Subject: dig +sigchase looping

I’m experiencing an interesting issue where sometimes when performing a sigchase on a valid signed zone the command loops indefinitely when an expired RRSIG exists:

Live example:
dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A

Notes:
There is currently a valid RRSIG for this zone.
dig compiled with -DDIG_SIGCHASE=1
BIND 9.9.4

Roughly %50 of the time it returns as expected, while other times looping in such a fashion:

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired

Any particular reason this should be expected or is it bug worthy (or fixed in 9.9.5, as I didn’t see anything in the change log referring to it)?
—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140224/bb90a2d3/attachment-0001.html>


More information about the bind-users mailing list