[Opendnssec-user] Opendnssec signer Y2K bug?

Tom Hendrikx tom at whyscream.net
Thu Dec 22 23:49:07 UTC 2011


On 22-12-11 21:03, Tom Hendrikx wrote:
> Hi,
> 
> Since this morning my opendnssec (1.3.4) log file is filling up with
> many of these:
> 
> 2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditor started
> 2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditor starting
> on tomhendrikx.nl
> 2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: SOA differs :
> from 1 to 2011122200
> 2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditing
> tomhendrikx.nl zone : NSEC3 SIGNED
> 2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: RRSet
> (tomhendrikx.nl, DNSKEY) failed verification : Signature failed to
> cryptographically verify, tag = 48325
> 2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Signature
> lifetime for tomhendrikx.nl, DNSKEY too long - should be at most 864000
> but was 32400000
> [... repeat previous 2 lines for each rr ..]
> 2011-12-22T20:37:50+01:00 christine ods-auditor[13676]: Finished
> auditing tomhendrikx.nl zone
> 2011-12-22T20:37:50+01:00 christine ods-signerd: [tools] audit failed
> for zone tomhendrikx.nl
> 
> When checking the contents of the audited file
> (tomhendrikx.nl.finalized) in the tmp/ directory, I'm seeing all kinds
> of lines like this:
> 
> tomhendrikx.nl. 3600    IN      SOA     a.ns.whyscream.net.
> admin.whyscream.net. 2011122200 86400 1800 202750 3600
> tomhendrikx.nl. 3600    IN      RRSIG   SOA 8 2 3600 20121231193749
> 20111222193749 4528 tomhendrikx.nl. [,.key data..]
> 
> Since signature lifetime in kasp.xml is at 10 days, it seems to me that
> calculation of the signature expiration fails due to the year change.
> 
> Inception date is 20111222193749 (2011-12-22 19:37:49), so expiration
> should be around 20120101193749 (2012-01-01 19:37:49). But the signer
> decided to bring up 20121231193749 (2012-12-31 19:37:49), which is
> almost a year off.
> 
> Or maybe I just screwed up, and fail to see my own mistake?
> 

I did some further triaging, not sure if this adds anything, but here we go:

I have a munin plugin that monitors dnssec signature lifetime in the
wild for a few zones including some not under control, and saw that
there was another zone which seemed to show the same strange expiration
value (except that publication on my setup was held back by the auditor,
and this one was 'in the wild'). Not sure if I should include the name
of this cctld here.

Further testing showed that querying that zone with drill (which the
munin plugin uses) showed the same behaviour (showing expiration timestamps
like '20121231224814' where 8-10 days expiration was the usual behaviour
over the last year).

However, querying the same record with dig showed a correct expiration.
Additionally, I was unable to reproduce this on several other machines.
All tests were done by checking the value of the expiration field in the
RRSIG for the SOA record.

Maybe ldns (1.6.11) is borked on the ods machine. I'll do some more
tests tomorrow before replacing ldns. If you come up with any ideas, I'd
be glad to hear them :)

--
Tom
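As an added example (not part of Tom's message, and not OpenDNSSEC or ldns code), a check in the spirit of the munin plugin described above: it parses the SOA RRSIG line quoted in the post and computes the signature lifetime from the expiration and inception fields, which is the value ods-auditor compares against the kasp.xml maximum. The RRSIG line is reconstructed from the post with the key data replaced by a placeholder, and the 10-day maximum is taken from the auditor message.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the SOA RRSIG quoted in the post, re-joined onto one
# line, with the signature data replaced by a placeholder.
SAMPLE_RRSIG = ("tomhendrikx.nl. 3600 IN RRSIG SOA 8 2 3600 20121231193749 "
                "20111222193749 4528 tomhendrikx.nl. PLACEHOLDERSIGDATA==")

# Maximum signature lifetime (10 days) as reported by ods-auditor, in seconds.
MAX_LIFETIME = 864000

# RRSIG presentation format uses YYYYMMDDHHmmSS timestamps, always in UTC.
RRSIG_TIME = "%Y%m%d%H%M%S"


def parse_rrsig_time(s):
    """Parse an RRSIG timestamp field into an aware UTC datetime."""
    return datetime.strptime(s, RRSIG_TIME).replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split a presentation-format RRSIG RR into its named fields.

    Field order after owner/TTL/class/type: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer's name, signature.
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
        "algorithm": int(f[5]), "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
    }


def check_lifetime(line, max_lifetime=MAX_LIFETIME):
    """Return (lifetime_seconds, within_max, expected_expiration).

    lifetime is expiration minus inception; within_max is False when it
    exceeds max_lifetime (the condition the auditor logs as 'Signature
    lifetime ... too long'); expected_expiration is the timestamp the
    signer should have produced for exactly max_lifetime.
    """
    rr = parse_rrsig(line)
    lifetime = int((rr["expiration"] - rr["inception"]).total_seconds())
    expected = rr["inception"] + timedelta(seconds=max_lifetime)
    return lifetime, lifetime <= max_lifetime, expected.strftime(RRSIG_TIME)
```

Running `check_lifetime(SAMPLE_RRSIG)` on the quoted record yields a lifetime of 32400000 seconds (375 days, matching the auditor's figure) and the expected expiration 20120101193749 that the post calculates by hand.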
