[Opendnssec-user] Opendnssec signer Y2K bug?
Tom Hendrikx
tom at whyscream.net
Fri Dec 23 09:23:58 UTC 2011
On 12/23/2011 09:47 AM, Rickard Bellgrim wrote:
>> OpenDNSSEC uses Unix time for its calculations. So only seconds are
>> handled. The real conversion is done within ldns. I will check that it
>> is like this.
>
> The is the summery of the calculations in OpenDNSSEC.
>
> ******
>
> time_t signtime = now();
> time_t jitter = duration2time(sc->sig_jitter);
> time_t validity = 0;
> time_t random_jitter = ods_rand(jitter*2);
>
> if (rrtype == LDNS_RR_TYPE_NSEC || rrtype == LDNS_RR_TYPE_NSEC3) {
> validity = duration2time(sc->sig_validity_denial);
> } else {
> validity = duration2time(sc->sig_validity_default);
> }
>
> time_t expiration = (signtime + validity + random_jitter) - jitter;
>
> ******
>
> duration2time just converts years, months, days, hours, and minutes
> into seconds. 1 year == 365 days. 1 month = 31 days.
>
> So the calculation is only in Unix time. The result is handed over to
> ldns_rr_rrsig_set_expiration() via ldns_native2rdf_int32().
>
> Either the problem is in the incoming configuration or in ldns.
>
>> I am not seeing this behavior with ldns 1.6.10, 20120103022921
>> 20111221021001. Will try with 1.6.11.
>
> It also looks ok with 1.6.11, 20120101043200 20111223070542.
>
> How does your signconf look like according to syslog? grep for
> "signconf" and you will see a line with the values the Signer Engine
> is using.
>
Ah yes, I see.
2011-12-23T08:36:44+01:00 christine ods-signerd: [signconf] zone
tomhendrikx.nl signconf: RESIGN[PT7200S] REFRESH[PT777600S]
VALIDITY[PT864000S] DENIAL[PT864000S] JITTER[P] OFFSET[P] NSEC[50]
DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
AUDIT[1]
kasp.xml for this zone is attached, and gives other values for refresh,
validity and denial. Running 'ods-ksmutil update all' outputs
'ods-enforcerd: No change to:
/var/lib/opendnssec/signconf/tomhendrikx.nl.xml', but the signconf xml
does have the values as listed in the signconf log line above, and not
the values from kasp.xml
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kasp.xml
Type: text/xml
Size: 1420 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111223/fc35423b/attachment.xml>
More information about the Opendnssec-user
mailing list