[Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Jan 17 13:15:45 UTC 2012


On 01/17/2012 02:00 PM, Rickard Bellgrim wrote:
>>> Remove the affected signatures:
>>> If there are signatures in the zone with extra long validity periods,
>>> then it is recommended to drop all of the signatures and re-sign the
>>> zone. This can be done with the following commands:
>>>> ods-signer clear <zone>
>>>> ods-signer sign <zone>
>>
>> This temporarily breaks the domain's validity, right?  This
>> should be avoided if possible -- which I think it is.
> 
> "ods-signer clear" will clear the internal signatures. New ones will
> be created and distributed during the next scheduled re-sign. The sign
> command will force this to happen now.
> 
> The keys are still there, just that we get a new set of signatures.
> Nothing will break here.

Rickard is right here (and faster than me with typing ;)).

>>> Solution:
>>> The issue has been fixed in ldns 1.6.12. Upgrade to this version in
>>> order to not get affected the next time.
>>
>> "next time" meaning "you should upgrade to the new LDNS before the
>> end of the current year" right?
> 
> Yes, will fix that text.

The next time the bug will have effect is 1st of January 2014. That date
will be converted to December 31 2016.

Best regards,
  Matthijs
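
An added example, not part of the original message or of OpenDNSSEC/ldns: one way to find the "signatures in the zone with extra long validity periods" mentioned above before deciding whether to run `ods-signer clear <zone>` and `ods-signer sign <zone>`. The function name, the `max_validity` threshold and the sample zone are assumptions; the parser expects one record per line with `YYYYMMDDHHmmSS` timestamps, as in a signed zone file.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA in presentation format (RFC 4034): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)"
    r"\s+\d+\s+\d+\s+\d+\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+\d+\s+\S+",
    re.IGNORECASE,
)

# Constructed sample, not taken from a real zone. The second RRSIG has an
# unusually long validity period.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. host.example.com. 2012011701 3600 600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20120124120000 20120117120000 12345 example.com. c2ln
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20141231120000 20120117120000 12345 example.com. c2ln
"""


def parse_ts(value):
    """Convert an RRSIG YYYYMMDDHHmmSS timestamp to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def long_lived_rrsigs(zone_text, max_validity=timedelta(days=30)):
    """Return (owner, covered type, inception, expiration) for every RRSIG
    whose validity period is longer than max_validity.

    max_validity is an assumed threshold; set it to the longest validity
    period your signing policy is expected to produce.
    """
    hits = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG record (or not in one-line form)
        inception, expiration = parse_ts(m["inc"]), parse_ts(m["exp"])
        if expiration - inception > max_validity:
            hits.append((m["owner"], m["covered"].upper(), inception, expiration))
    return hits


if __name__ == "__main__":
    for owner, covered, inception, expiration in long_lived_rrsigs(SAMPLE_ZONE):
        days = (expiration - inception).days
        print(f"{owner} RRSIG {covered}: valid {inception:%Y-%m-%d} to "
              f"{expiration:%Y-%m-%d} ({days} days)")
```

An empty result means no signature in the file exceeds the threshold; any hit is a candidate for the clear and re-sign procedure quoted in the message.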


