[Opendnssec-user] Jitter/validity corner case

Sebastian Castro sebastian at nzrs.net.nz
Thu Jul 8 03:53:15 UTC 2010


I'm currently testing a feature in OpenDNSSEC to generate identical
signed zones starting from identical input (keys and policy as well).
The idea is to eliminate the random jitter and expiration and to
generate a discrete jitter function based on the relative order of the
RRset being signed in the input zone.

Anyway, while testing this idea, we found a corner case.

The policy indicates Jitter of 2 days, a default Validity of 12 hours
and denial validity of 24 hours. ods-kaspcheck complains with a warning,
but it should be treated as an error. The reason is, after making the
change and before checking with ods-kaspcheck, my signer started to die
unexpectedly with the message:

Jul  8 14:49:31 srsov-sebastian1 ods-signerd: Error while signing:
[Errno 32] Broken pipe

Running the signer from command line returned $? == 1 and no error
message. In the output file used by the signer, you can read

; signing failed: DNSSEC signature has expiration date earlier than
inception date

which totally makes sense: if the signature expiration is calculated as
now + validity +/- rand( jitter ), the probability of creating an
expiration value lower than inception is equal to ( jitter - validity /
jitter ).

Now, back to test the functionality ;D
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list