[Opendnssec-user] Opendnssec signer Y2K bug?
Rickard Bellgrim
rickard at opendnssec.org
Fri Dec 23 08:47:31 UTC 2011
> OpenDNSSEC uses Unix time for its calculations. So only seconds are
> handled. The real conversion is done within ldns. I will check that it
> is like this.
The is the summery of the calculations in OpenDNSSEC.
******
time_t signtime = now();
time_t jitter = duration2time(sc->sig_jitter);
time_t validity = 0;
time_t random_jitter = ods_rand(jitter*2);
if (rrtype == LDNS_RR_TYPE_NSEC || rrtype == LDNS_RR_TYPE_NSEC3) {
validity = duration2time(sc->sig_validity_denial);
} else {
validity = duration2time(sc->sig_validity_default);
}
time_t expiration = (signtime + validity + random_jitter) - jitter;
******
duration2time just converts years, months, days, hours, and minutes
into seconds. 1 year == 365 days. 1 month = 31 days.
So the calculation is only in Unix time. The result is handed over to
ldns_rr_rrsig_set_expiration() via ldns_native2rdf_int32().
Either the problem is in the incoming configuration or in ldns.
> I am not seeing this behavior with ldns 1.6.10, 20120103022921
> 20111221021001. Will try with 1.6.11.
It also looks ok with 1.6.11, 20120101043200 20111223070542.
How does your signconf look like according to syslog? grep for
"signconf" and you will see a line with the values the Signer Engine
is using.
// Rickard
More information about the Opendnssec-user
mailing list