[Opendnssec-develop] [OpenDNSSEC] #127: Large SOA serial numbers are not handled properly by "signer"

OpenDNSSEC owner-dnssec-trac at kirei.se
Thu Apr 29 16:18:04 UTC 2010

#127: Large SOA serial numbers are not handled properly by "signer"
Reporter:  Anirban Mukherjee <amukherj@…>          |       Owner:  matthijs
    Type:  defect                                  |      Status:  new     
Priority:  major                                   |   Component:  Signer  
 Version:  1.0.0                                   |    Keywords:          
 If the SOA serial number of the input unsigned zone is larger than
 {{{2^31-1}}} (0x7fffffff or 2147483647), the generated signed zone always
 has a serial number of {{{2^31-1}}} if "keep" or "counter" is used.

 The problem seems to arise due to the use of the atol function in
 signer/tools/signer.c (handle_command function). Since atol converts to a
 signed long, its valid range limit is {{{(-)2^31 to 2^31-1}}}. A param
 value greater than {{{2^31 - 1}}} causes it to return LONG_MAX or

 A possible fix is to use strtoul instead of atol.

 Although this problem is seen for SOA, in theory it could occur for all
 the uint32_t parameters. The attached signer.c uses strtoul instead of
 atol for all uint32_t variables although this may not be strictly
 necessary e.g. TTL should never exceed {{{2^31-1}}}.

 A sample unsigned input zone with a large serial number and the
 corresponding signed zone with incorrect serial is also attached.

Ticket URL: <http://trac.opendnssec.org/ticket/127>
OpenDNSSEC <http://www.opendnssec.org/>

More information about the Opendnssec-develop mailing list