[Opendnssec-user] Jitter/validity corner case
Sebastian Castro
sebastian at nzrs.net.nz
Thu Jul 8 03:53:15 UTC 2010
Hi:
I'm currently testing a feature in OpenDNSSEC to generate identical
signed zones starting from identical input (keys and policy as well).
The idea is to eliminate the random jitter and expiration and to
generate a discrete jitter function based on the relative order of the
RRset being signed in the input zone.
Anyway, while testing this idea, we found a corner case.
The policy indicates Jitter of 2 days, a default Validity of 12 hours
and denial validity of 24 hours. ods-kaspcheck complains with a warning,
but it should be treated as an error. The reason is, after making the
change and before checking with ods-kaspcheck, my signer started to die
unexpectedly with the message:
Jul 8 14:49:31 srsov-sebastian1 ods-signerd: Error while signing:
[Errno 32] Broken pipe
Running the signer from command line returned $? == 1 and no error
message. In the output file used by the signer, you can read
; signing failed: DNSSEC signature has expiration date earlier than
inception date
which totally makes sense: if the signature expiration is calculated as
now + validity +/- rand( jitter ), the probability of creating an
expiration value lower than inception is equal to ( jitter - validity /
jitter ).
Now, back to test the functionality ;D
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
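As an added example (not code from the post or from OpenDNSSEC), a small Python model of the expiration rule quoted above: expiration = inception + validity + a uniform jitter offset, where the offset range is an assumption, with a kaspcheck-style policy check that treats a jitter able to cancel the validity as an error, and a deterministic sweep over the jitter range that reproduces the failure rate for the post's policy values.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)

# Policy values from the post: Jitter 2 days, Validity 12 hours, denial validity 24 hours.
POLICY = {"jitter": 2 * DAY, "validity": 12 * HOUR, "denial_validity": 24 * HOUR}


def signature_times(inception, validity, jitter_offset):
    """Assumed signer model: expiration = inception + validity + jitter_offset.
    Fails the way the post's zone file reported it when the expiration does
    not come after the inception."""
    expiration = inception + validity + jitter_offset
    if expiration <= inception:
        raise ValueError("DNSSEC signature has expiration date earlier than inception date")
    return inception, expiration


def inverted_probability(validity, jitter_lo, jitter_hi):
    """Probability that a uniform jitter offset in [jitter_lo, jitter_hi] pushes the
    expiration before the inception. With jitter_lo=-jitter, jitter_hi=0 this is the
    post's (jitter - validity) / jitter; the range itself is an assumption."""
    width = (jitter_hi - jitter_lo).total_seconds()
    offending = (-validity - jitter_lo).total_seconds()  # part of the range below -validity
    return min(max(offending / width, 0.0), 1.0)


def check_policy(policy):
    """kaspcheck-style check: a jitter that can cancel a validity period is an error,
    because some signatures will then be generated with expiration <= inception."""
    findings = []
    for name in ("validity", "denial_validity"):
        if policy["jitter"] >= policy[name]:
            findings.append(f"error: Jitter ({policy['jitter']}) >= {name} ({policy[name]}): "
                            "signatures can expire before inception")
    return findings


def simulate(validity, jitter_lo, jitter_hi, steps=1000):
    """Deterministic sweep over the jitter range (no randomness, so it reproduces);
    returns the fraction of signings that fail."""
    inception = datetime(2010, 7, 8, 14, 49, 31, tzinfo=timezone.utc)  # constructed, from the log line
    failures = 0
    for i in range(steps):
        offset = jitter_lo + (jitter_hi - jitter_lo) * i / (steps - 1)
        try:
            signature_times(inception, validity, offset)
        except ValueError:
            failures += 1
    return failures / steps
```

For the post's values with a jitter offset drawn from [-2 days, 0], both the formula and the sweep give 0.75, so three out of four RRsets would be signed with an inverted signature; the same policy with a symmetric offset gives 0.375, which is still far from acceptable.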