[Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year

Rick van Rein rick at openfortress.nl
Tue Jan 17 12:50:31 UTC 2012

Hello Rickard,

Good text.  Especially good that you made a "grep" with a test that
is known to work for this problem.

> Remove the affected signatures:
> If there are signatures in the zone with extra long validity periods,
> then it is recommended to drop all of the signatures and re-sign the
> zone. This can be done with the following commands:
> > ods-signer clear <zone>
> > ods-signer sign <zone>

This temporarily breaks the domain's validity, right?  This
should be avoided if possible -- which I think it is.

There is no immediate need to flush signatures --the signatures
are valid, but they shouldn't last so long-- and the following step
of key rollover stops future problems from happening.  I would
not want to remove these signatures in a way that breaks validation,
and would hope to see support of that in an email of this kind.

> Mitigate replay attacks:
> If you are changing your zone data, then there is a chance for an
> attacker to replay old data since the signature is still valid. You
> need to assess the risk and possible cost of such an attack. If you
> need to mitigate such an attack, then you need to roll your keys:
> > ods-ksmutil key rollover --zone <zone>

You also mentioned potential future domain invalidity, is that
also a reason to be choosing to do this?

I suppose it comes down to a choice, right?  clear+resign or do a
KSK rollover (including parent actions).

> Solution:
> The issue has been fixed in ldns 1.6.12. Upgrade to this version in
> order to not get affected the next time.

"next time" meaning "you should upgrade to the new LDNS before the
end of the current year" right?

I hope these are useful remarks.
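The message above refers to a "grep" that finds the affected signatures. As an added example (not code from this thread, from Rickard, or from the OpenDNSSEC or ldns projects), here is a small checker in the same spirit: it parses RRSIG records in standard presentation format (RFC 4034, with expiration and inception as YYYYMMDDHHmmSS in UTC) and reports every signature whose validity window is longer than a threshold. The threshold and the sample records are assumptions; the sample RRSIGs are constructed and the signature data in them is not real.

```python
"""Flag RRSIG records whose validity window is unexpectedly long.

Added example, not from the OpenDNSSEC mailing list thread or the project.
Input is RRSIG presentation format (RFC 4034, section 3.2):
  <owner> <TTL> IN RRSIG <type> <alg> <labels> <origttl> <expiration> <inception> <keytag> <signer> <signature>
The class field ("IN") is optional in zone files, so the parser locates the
"RRSIG" token instead of relying on fixed positions.
"""
from datetime import datetime, timedelta, timezone

# Assumed threshold: any signature valid for longer than this is suspect.
# Tune it to the signature validity your signer policy actually configures.
MAX_VALIDITY = timedelta(days=30)

# Constructed sample records (not real zone data). The NS signature spans a
# whole year, the kind of "extra long" validity period the thread discusses.
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20120131000000 20120101000000 12345 example.com. c2lnbmF0dXJl",
    "example.com. 3600 IN RRSIG NS 8 2 3600 20130101000000 20120101000000 12345 example.com. c2lnbmF0dXJl",
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20120117000000 20120103000000 12345 example.com. c2lnbmF0dXJl",
]


def _parse_time(field):
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp as a UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return (owner, covered_type, inception, expiration), or None for non-RRSIG lines."""
    fields = line.split()
    try:
        i = fields.index("RRSIG")
    except ValueError:
        return None
    # Need at least type, alg, labels, origttl, expiration and inception after RRSIG.
    if len(fields) < i + 7:
        return None
    covered = fields[i + 1]
    expiration = _parse_time(fields[i + 5])
    inception = _parse_time(fields[i + 6])
    return fields[0], covered, inception, expiration


def validity_period(line):
    """Return the signature's validity window as a timedelta, or None if not an RRSIG."""
    parsed = parse_rrsig(line)
    if parsed is None:
        return None
    _, _, inception, expiration = parsed
    return expiration - inception


def find_long_validity(lines, max_validity=MAX_VALIDITY):
    """Return (owner, covered_type, days) for every RRSIG whose window exceeds max_validity."""
    hits = []
    for line in lines:
        parsed = parse_rrsig(line)
        if parsed is None:
            continue
        owner, covered, inception, expiration = parsed
        period = expiration - inception
        if period > max_validity:
            hits.append((owner, covered, period.days))
    return hits


if __name__ == "__main__":
    for owner, covered, days in find_long_validity(SAMPLE_RRSIGS):
        print(f"{owner} RRSIG({covered}) valid for {days} days, exceeds {MAX_VALIDITY.days}")
```

In practice you would feed it the RRSIG lines of the signed zone file, or the output of a `+dnssec` query, instead of the constructed samples; a hit list that is empty after re-signing is a simple way to confirm the affected signatures are gone.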

