Difference in validating behavior 9.18 / 9.20

John Thurston john.thurston at alaska.gov
Fri Feb 7 01:48:28 UTC 2025


We run both 9.18 and 9.20. We currently have servers running:

    9.18.31
    9.18.33
    9.20.3
    9.20.5

The 9.18 and 9.20 validating resolvers behave differently when exposed 
to expired RRSIG records.

Both versions log errors of the type

> validating transfer3.rastglb.cdc.gov/A: verify failed due to bad 
> signature (keyid=13215): RRSIG has expired
but 9.18 goes on to log

> validating transfer3.rastglb.cdc.gov/A: no valid signature found
and returns a SERVFAIL

9.20 returns a fully validated response.

Both servers will return the same set of records (9.18 must be queried 
with the +cd flag) when asked:

> transfer3.rastglb.cdc.gov. 5    IN A       198.246.125.128
>
> transfer3.rastglb.cdc.gov. 5    IN      RRSIG   A 5 4 5 20250126201505 
> 20241028201505 13215 rastglb.cdc.gov. 
> Kx+n+gsnq0BSko0tl/B3HftLDp1XtiIyImBnlE/dAWgv8VD8xwq4bPns 
> CO1R3k3beerK1UB/OpP9VKViRnN+3E4S5fg9vpZOFsDXB4T7PmDg5N12 
> PwN26IJC8BrvUnqkPFdYEJGzb+orKHZsa949shODtnAVkttC4NsYvIRq MR8=
>
> transfer3.rastglb.cdc.gov. 5    IN      RRSIG   A 8 4 5 20250309140556 
> 20241209140556 43989 rastglb.cdc.gov. 
> XSLHv9vpeY9O0JdfxPzIrkJjU8CkfioV4S0dorRK6GL8DLHjqwpyyM1k 
> km2MjF/2lXMjAl+D4+QrNhQFfDo50njTbSKfDsDSWUZC/QffESlw6t6x 
> XdCrShtJ6YVYltK1FgWf5xOepxEFLw0pn7I2ntDmXVLwsNkapdKqGugt vzc=

But 9.18 appears to stumble, and considers the presence of 13215 to be 
the end of the validation road.

I found this in the release notes

>          --- 9.18.27 released ---
>
> 6374.   [bug]           Skip to next RRSIG if signature has expired or is in
>                          the future rather than failing immediately. [GL #4586]

But I'm not sure how to interpret it. Is it saying that GL #4586 has left 
a bug, and should be corrected as described? Or is it describing the 
behavior we should see in versions >= 9.18.27?

-- 
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
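To make the two behaviors discussed above concrete, here is an added example that is not part of the original post and is not BIND's code. It parses the two RRSIG records quoted in the post (signature data replaced by a placeholder), classifies each against its inception/expiration window at a chosen time, and contrasts a "fail on the first expired signature" policy with the "skip to the next RRSIG" policy described in the 9.18.27 release note. The evaluation time (`POST_DATE`) and the log-line wording are assumptions; real cryptographic verification against the DNSKEY RRset is deliberately left out.

```python
"""Constructed example: RRSIG validity-window checks and two validator policies
(fail on the first bad signature vs. skip to the next RRSIG).  Cryptographic
verification is omitted; only the timing fields of each RRSIG are examined."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# The two RRSIG records from the post, in presentation format.  The base64
# signature data is replaced by a placeholder because it is not used here.
SAMPLE_RRSIGS = [
    "transfer3.rastglb.cdc.gov. 5 IN RRSIG A 5 4 5 20250126201505 "
    "20241028201505 13215 rastglb.cdc.gov. SIGDATA_PLACEHOLDER",
    "transfer3.rastglb.cdc.gov. 5 IN RRSIG A 8 4 5 20250309140556 "
    "20241209140556 43989 rastglb.cdc.gov. SIGDATA_PLACEHOLDER",
]

# Assumed evaluation time: roughly when the post was written (UTC).
POST_DATE = datetime(2025, 2, 6, 12, 0, tzinfo=timezone.utc)


@dataclass
class RRSIG:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: str


def parse_timestamp(text: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> RRSIG:
    """Parse one RRSIG in presentation format: owner ttl class RRSIG, then the
    nine RDATA fields in RFC 4034 order (expiration precedes inception)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return RRSIG(
        owner=f[0], type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
        original_ttl=int(f[7]), expiration=parse_timestamp(f[8]),
        inception=parse_timestamp(f[9]), key_tag=int(f[10]), signer=f[11],
        signature="".join(f[12:]),
    )


def window_status(sig: RRSIG, now: datetime) -> str:
    """Classify a signature against its validity window at time `now`."""
    if now > sig.expiration:
        return "expired"
    if now < sig.inception:
        return "in the future"
    return "ok"


def select_signature(sigs: List[RRSIG], now: datetime, skip_bad: bool) -> Optional[RRSIG]:
    """Return the first RRSIG whose validity window includes `now`, or None.

    skip_bad=False models failing immediately on an expired/future signature;
    skip_bad=True models the 9.18.27 change (move on to the next RRSIG).
    A real validator would also verify each candidate with the matching DNSKEY."""
    for sig in sigs:
        status = window_status(sig, now)
        if status == "ok":
            return sig
        # Log wording is constructed for this example, not BIND's exact message.
        print(f"validating {sig.owner}/{sig.type_covered}: keyid={sig.key_tag}: RRSIG {status}")
        if not skip_bad:
            return None
    return None


if __name__ == "__main__":
    sigs = [parse_rrsig(line) for line in SAMPLE_RRSIGS]
    for policy in (False, True):
        chosen = select_signature(sigs, POST_DATE, skip_bad=policy)
        print("skip_bad=%s -> %s" % (policy, chosen.key_tag if chosen else "SERVFAIL"))
```

Run as a script, the first pass (fail immediately) stops at the expired keyid 13215 signature and yields SERVFAIL, while the second pass (skip to next) settles on the keyid 43989 signature, which is inside its window in February 2025. Note that the order in which RRSIGs appear in a response carries no meaning, so a "fail immediately" validator's outcome depends on which signature it happens to examine first, which is exactly why the skip-to-next behavior is the more robust policy during a key or algorithm rollover.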