Hi,

I'm experimenting with the auto-dnssec feature of bind 9.7.0-P1. I know
it's outdated; I did skim over the changelog up until 9.7.2rc2, and
didn't find anything that seems like this issue.

This query demonstrates the issue:
; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec SOA dnssec.dest-unreach.be
@imset.org +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8632
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.dest-unreach.be.                IN      SOA

;; ANSWER SECTION:
dnssec.dest-unreach.be. 86400   IN      SOA     serv02.imset.org.
hostmaster.dest-unreach.be. 55 3600 3600 172800 300
dnssec.dest-unreach.be. 86400   IN      RRSIG   SOA 7 3 86400 20100919163624
20100916153624 42614 dnssec.dest-unreach.be.
WBdpqpLCa/5cnMAThAcftrOysfdN8K594WAM+6AMyRPiEpXVF6JRqJWH
N46J3aN6BliM09bA9RxYOoClCcIsJA==

;; AUTHORITY SECTION:
dnssec.dest-unreach.be. 300     IN      NS      serv02.imset.org.
dnssec.dest-unreach.be. 300     IN      NS      sdns1.ovh.net.
dnssec.dest-unreach.be. 300     IN      RRSIG   NS 7 3 300 20100919161438
20100916153624 42614 dnssec.dest-unreach.be.
U6KZzFZecSZNEL0Wp8NxlmjgitQfXbHNt1+S85sZxm9Ti8oNiWMhESts
SmLTmos4VU2yqSo6KOq8mQ/xvoehhw==

;; ADDITIONAL SECTION:
serv02.imset.org.       86400   IN      A       94.23.24.89
serv02.imset.org.       86400   IN      AAAA    
2001:41d0:2:1959:21c:c0ff:fe88:6f58

;; Query time: 7 msec
;; SERVER: 94.23.24.89#53(94.23.24.89)
;; WHEN: Fri Sep 17 11:29:14 2010
;; MSG SIZE  rcvd: 435

(the dnssec.dest-unreach.be zone is my test zone; publicly available,
but not publicly delegated)


In my opinion, BIND should have resigned this by now: The signature is
valid until a little over 2 days. This means that if the slave would
lose contact with the master right now, it will give out signatures
that will expire before their TTL does.
According to my calculations, RRSIGs should be regenerated zone-expire +
RR-ttl seconds before the RRSIG expires.

For reference, the configuration:
zone "dnssec.dest-unreach.be" {
        type master;
        file "/var/lib/bind/dnssec.dest-unreach.be.zone";
        update-policy local;
        auto-dnssec maintain;
        dnssec-secure-to-insecure yes;
        key-directory "/etc/bind/keys";
        sig-validity-interval 3;
};

And to be completely honest: the configured slave NS record doesn't
really slave this zone; but BIND shouldn't know or care.

greets,
Niobos

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
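The check Niobos describes (an RRSIG should be regenerated at least SOA-expire + record-TTL seconds before it expires, otherwise a slave that loses its master can serve signatures that outlive their validity) can be run against dig output mechanically. The script below is an added example, not from the original post or from BIND; it re-joins the RRSIG lines quoted above into single-line form, takes the SOA expire field from the same answer, and assumes the query time from the dig output is in UTC (dig prints local time, so that is an assumption). Applied to the posted data it flags the SOA signature as overdue while the NS signature, with its 300 s TTL, is not yet due.

```python
"""Flag RRSIGs that will expire within SOA-expire + original-TTL seconds.

Added example: parses dig-style presentation-format records, not BIND code.
"""
import re
from datetime import datetime, timezone

# RRSIG RDATA: covered alg labels orig_ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)",
    re.M,
)
# SOA RDATA: mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+(?P<expire>\d+)\s+\d+",
    re.M,
)

# Constructed sample: the records from the dig output in the post, each
# record re-joined onto one line; signature data shortened for readability.
SAMPLE_DIG = """\
dnssec.dest-unreach.be. 86400 IN SOA serv02.imset.org. hostmaster.dest-unreach.be. 55 3600 3600 172800 300
dnssec.dest-unreach.be. 86400 IN RRSIG SOA 7 3 86400 20100919163624 20100916153624 42614 dnssec.dest-unreach.be. WBdpqp...JA==
dnssec.dest-unreach.be. 300 IN NS serv02.imset.org.
dnssec.dest-unreach.be. 300 IN NS sdns1.ovh.net.
dnssec.dest-unreach.be. 300 IN RRSIG NS 7 3 300 20100919161438 20100916153624 42614 dnssec.dest-unreach.be. U6KZzF...hw==
"""

# Assumption: the dig "WHEN" line is taken as UTC to match RRSIG timestamps.
SAMPLE_NOW = datetime(2010, 9, 17, 11, 29, 14, tzinfo=timezone.utc)


def parse_sigtime(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def soa_expire(dig_text):
    """Return the SOA expire field (seconds) from the answer, or raise."""
    m = SOA_RE.search(dig_text)
    if m is None:
        raise ValueError("no SOA record in input; cannot derive expire")
    return int(m.group("expire"))


def check_rrsigs(dig_text, now):
    """Map covered type -> timing facts and whether resigning is overdue.

    Rule from the post: resign when (expiration - now) < expire + orig_ttl.
    """
    expire = soa_expire(dig_text)
    report = {}
    for m in RRSIG_RE.finditer(dig_text):
        expiration = parse_sigtime(m.group("expiration"))
        remaining = int((expiration - now).total_seconds())
        threshold = expire + int(m.group("orig_ttl"))
        report[m.group("covered")] = {
            "expiration": expiration,
            "remaining": remaining,
            "threshold": threshold,
            "due": remaining < threshold,
        }
    return report


if __name__ == "__main__":
    for rtype, info in check_rrsigs(SAMPLE_DIG, SAMPLE_NOW).items():
        state = "OVERDUE" if info["due"] else "ok"
        print(f"RRSIG {rtype:4s} expires in {info['remaining']:6d}s, "
              f"needs >= {info['threshold']:6d}s: {state}")
```

Pointing the same parser at `dig +dnssec +multi` output is a cheap way to monitor a signer: any record whose remaining validity drops under expire + TTL is one that a disconnected secondary would serve past its signature lifetime.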