[Opendnssec-user] Opendnssec signer Y2K bug?

Tom Hendrikx tom at whyscream.net
Thu Dec 22 20:03:08 UTC 2011


Hi,

Since this morning my opendnssec (1.3.4) log file is filling up with
many of these:

2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditor started
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditor starting
on tomhendrikx.nl
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: SOA differs :
from 1 to 2011122200
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditing
tomhendrikx.nl zone : NSEC3 SIGNED
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: RRSet
(tomhendrikx.nl, DNSKEY) failed verification : Signature failed to
cryptographically verify, tag = 48325
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Signature
lifetime for tomhendrikx.nl, DNSKEY too long - should be at most 864000
but was 32400000
[... repeat previous 2 lines for each rr ..]
2011-12-22T20:37:50+01:00 christine ods-auditor[13676]: Finished
auditing tomhendrikx.nl zone
2011-12-22T20:37:50+01:00 christine ods-signerd: [tools] audit failed
for zone tomhendrikx.nl

When checking the contents of the audited file
(tomhendrikx.nl.finalized) in the tmp/ directory, I'm seeing all kinds
of lines like this:

tomhendrikx.nl. 3600    IN      SOA     a.ns.whyscream.net.
admin.whyscream.net. 2011122200 86400 1800 202750 3600
tomhendrikx.nl. 3600    IN      RRSIG   SOA 8 2 3600 20121231193749
20111222193749 4528 tomhendrikx.nl. [,.key data..]

Since the signature lifetime in kasp.xml is set to 10 days, it seems to me
that the calculation of the signature expiration fails due to the year change.

Inception date is 20111222193749 (2011-12-22 19:37:49), so expiration
should be around 20120101193749 (2012-01-01 19:37:49). But the signer
decided to bring up 20121231193749 (2012-12-31 19:37:49), which is
almost a year off.

Or maybe I just screwed up, and fail to see my own mistake?

--
Tom
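As an added illustration (not code from the post or from OpenDNSSEC), the following script reproduces the auditor's lifetime check on the quoted records: it parses the RRSIG expiration and inception fields, flags any signature whose lifetime exceeds the 864000-second maximum the auditor reported, and shows what expiration a 10-day lifetime should have produced. The sample zone is constructed from the lines quoted above, with the signature data replaced by a placeholder.

```python
from datetime import datetime, timedelta, timezone

# Maximum signature lifetime the auditor reported in the post (10 days, in seconds).
MAX_LIFETIME_SECONDS = 864000

# Constructed sample, based on the SOA and RRSIG lines quoted in the post.
# The signature data is a placeholder, not real key material.
SAMPLE_ZONE = """\
tomhendrikx.nl. 3600 IN SOA a.ns.whyscream.net. admin.whyscream.net. 2011122200 86400 1800 202750 3600
tomhendrikx.nl. 3600 IN RRSIG SOA 8 2 3600 20121231193749 20111222193749 4528 tomhendrikx.nl. SIGDATA_PLACEHOLDER
"""


def parse_rrsig_time(field: str) -> datetime:
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp (RFC 4034 presentation format, always UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_lifetime_seconds(expiration: str, inception: str) -> int:
    """Lifetime of a signature in seconds, as the auditor computes it."""
    return int((parse_rrsig_time(expiration) - parse_rrsig_time(inception)).total_seconds())


def expected_expiration(inception: str, lifetime_seconds: int) -> str:
    """Expiration the signer should have written for the given inception and lifetime."""
    return (parse_rrsig_time(inception) + timedelta(seconds=lifetime_seconds)).strftime("%Y%m%d%H%M%S")


def audit_rrsig_lifetimes(zone_text: str, max_lifetime: int = MAX_LIFETIME_SECONDS) -> list:
    """Return (owner, type covered, lifetime) for every RRSIG whose lifetime exceeds max_lifetime."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        # Presentation format: owner ttl class RRSIG covered alg labels origttl
        #                      expiration inception keytag signer signature
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        lifetime = rrsig_lifetime_seconds(fields[8], fields[9])
        if lifetime > max_lifetime:
            findings.append((fields[0], fields[4], lifetime))
    return findings


if __name__ == "__main__":
    for owner, covered, lifetime in audit_rrsig_lifetimes(SAMPLE_ZONE):
        print(f"{owner} {covered}: lifetime {lifetime}s exceeds {MAX_LIFETIME_SECONDS}s")
    print("expected expiration:", expected_expiration("20111222193749", MAX_LIFETIME_SECONDS))
```

Running it on the sample reports the 32400000-second (375-day) lifetime from the log and computes 20120101193749 as the expiration a correct 10-day lifetime would give.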


