[Opendnssec-user] Opendnssec signer Y2K bug?

Rickard Bellgrim rickard at opendnssec.org
Fri Dec 23 08:47:31 UTC 2011

> OpenDNSSEC uses Unix time for its calculations. So only seconds are
> handled. The real conversion is done within ldns. I will check that it
> is like this.

This is the summary of the calculations in OpenDNSSEC.


time_t signtime = now();
time_t jitter = duration2time(sc->sig_jitter);
time_t validity = 0;
time_t random_jitter = ods_rand(jitter*2);

/* denial-of-existence records use their own validity period */
if (rrtype == LDNS_RR_TYPE_NSEC || rrtype == LDNS_RR_TYPE_NSEC3) {
    validity = duration2time(sc->sig_validity_denial);
} else {
    validity = duration2time(sc->sig_validity_default);
}

time_t expiration = (signtime + validity + random_jitter) - jitter;


duration2time just converts years, months, days, hours, and minutes
into seconds. 1 year == 365 days. 1 month = 31 days.

So the calculation is only in Unix time. The result is handed over to
ldns_rr_rrsig_set_expiration() via ldns_native2rdf_int32().

Either the problem is in the incoming configuration or in ldns.

> I am not seeing this behavior with ldns 1.6.10, 20120103022921
> 20111221021001. Will try with 1.6.11.

It also looks ok with 1.6.11, 20120101043200 20111223070542.

What does your signconf look like according to syslog? grep for
"signconf" and you will see a line with the values the Signer Engine
is using.

// Rickard
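
Added example, not part of the message above and not OpenDNSSEC or ldns code: it works out the window in which the expiration computed by that formula must fall and renders both ends in the YYYYMMDDHHmmSS form quoted in the thread, so a signed zone can be checked against its signconf. The struct, the function names, the sample validity and jitter, and the assumption that the random jitter lies between 0 and 2*jitter are all made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for a parsed duration; field names are assumptions. */
struct duration { int years, months, days, hours, minutes, seconds; };

/* Conversion rule quoted in the post: 1 year == 365 days, 1 month == 31 days. */
static time_t duration_seconds(const struct duration *d)
{
    time_t days = (time_t)d->years * 365 + (time_t)d->months * 31 + d->days;
    return days * 86400 + (time_t)d->hours * 3600 + (time_t)d->minutes * 60 + d->seconds;
}

/* expiration = (signtime + validity + random_jitter) - jitter.
 * Assumption: random_jitter lies in 0 .. 2*jitter, so the result lies in
 * [signtime + validity - jitter, signtime + validity + jitter]. */
static void expiration_bounds(time_t signtime, time_t validity, time_t jitter,
                              time_t *earliest, time_t *latest)
{
    *earliest = signtime + validity - jitter;
    *latest = signtime + validity + jitter;
}

/* Render as RRSIG presentation form YYYYMMDDHHmmSS (UTC).
 * Returns 0 on success, -1 if the value does not fit the 32-bit field. */
static int rrsig_time(time_t t, char out[15])
{
    if (t < 0 || (uint64_t)t > UINT32_MAX) return -1;
    struct tm *utc = gmtime(&t);
    if (utc == NULL) return -1;
    return strftime(out, 15, "%Y%m%d%H%M%S", utc) == 14 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample: inception 20111223070542, 14 days validity, 12 hours jitter. */
    time_t signtime = 1324623942;
    struct duration validity = {0, 0, 14, 0, 0, 0}, jitter = {0, 0, 0, 12, 0, 0};
    time_t lo, hi;
    char a[15], b[15];
    expiration_bounds(signtime, duration_seconds(&validity), duration_seconds(&jitter), &lo, &hi);
    if (rrsig_time(lo, a) || rrsig_time(hi, b)) return 1;
    printf("expiration must fall in %s .. %s\n", a, b);
    return 0;
}
```

An expiration outside the printed window for the values logged on the "signconf" line points at the configuration input or the conversion step rather than at this arithmetic.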
