I’m experiencing an interesting issue where sometimes when performing a sigchase on a valid signed zone the command loops indefinitely when an expired RRSIG exists:
Live example: dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A Notes: There is currently a valid RRSIG for this zone. dig compiled with -DDIG_SIGCHASE=1 BIND 9.9.4 Roughly %50 of the time it returns as expected, while other times looping in such a fashion: ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired ;; OK a DS valids a DNSKEY in the RRset ;; Now verify that this DNSKEY validates the DNSKEY RRset ;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired Any particular reason this should be expected or is it bug worthy (or fixed in 9.9.5, as I didn’t see anything in the change log referring to it)? — Raymond Walker Software Systems Engineer StSp. ITS - Northern Arizona University
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
