We run both 9.18 and 9.20. We currently have servers running:
9.18.31
9.18.33
9.20.3
9.20.5
The 9.18 and 9.20 validating resolvers behave differently when exposed
to expired RRSIG records.
Both versions log errors of the type
validating transfer3.rastglb.cdc.gov/A: verify failed due to bad
signature (keyid=13215): RRSIG has expired
but 9.18 goes on to log
validating transfer3.rastglb.cdc.gov/A: no valid signature found
and returns a SERVFAIL.
9.20 returns a fully validated response.
Both servers will return the same set of records (9.18 must be queried
with the +cd flag) when asked:
transfer3.rastglb.cdc.gov. 5 IN A 198.246.125.128
transfer3.rastglb.cdc.gov. 5 IN RRSIG A 5 4 5 20250126201505
20241028201505 13215 rastglb.cdc.gov.
Kx+n+gsnq0BSko0tl/B3HftLDp1XtiIyImBnlE/dAWgv8VD8xwq4bPns
CO1R3k3beerK1UB/OpP9VKViRnN+3E4S5fg9vpZOFsDXB4T7PmDg5N12
PwN26IJC8BrvUnqkPFdYEJGzb+orKHZsa949shODtnAVkttC4NsYvIRq MR8=
transfer3.rastglb.cdc.gov. 5 IN RRSIG A 8 4 5 20250309140556
20241209140556 43989 rastglb.cdc.gov.
XSLHv9vpeY9O0JdfxPzIrkJjU8CkfioV4S0dorRK6GL8DLHjqwpyyM1k
km2MjF/2lXMjAl+D4+QrNhQFfDo50njTbSKfDsDSWUZC/QffESlw6t6x
XdCrShtJ6YVYltK1FgWf5xOepxEFLw0pn7I2ntDmXVLwsNkapdKqGugt vzc=
But 9.18 appears to stumble, and considers the presence of 13215 to be
the end of the validation road.
I found this in the release notes
--- 9.18.27 released ---
6374. [bug] Skip to next RRSIG if signature has expired or is in
the future rather than failing immediately. [GL #4586]
But I'm not sure how to interpret it. Is it saying that GL #4586 has left
a bug, and should be corrected as described? Or is it describing the
behavior we should see in versions >= 9.18.27?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
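The difference John describes (one expired RRSIG ending validation versus the validator moving on to the next RRSIG, as change 6374 says it should) can be shown with the two RRSIGs quoted in his post. The following Python is an added example written for this page; it is not BIND's code and not something the poster ran. It parses the RRSIG presentation-format lines, checks each signature's inception/expiration window with the RFC 1982 serial arithmetic that RFC 4034 section 3.1.5 requires, and then applies both strategies. The "current time" (NOW) is constructed to fall between the first signature's expiration and the second's; the "validity period has not begun" wording and the `verify` callback are assumptions (the actual cryptographic check needs the zone's DNSKEY, which is not on the page, so it is passed in as a function and defaults to accepting).

```python
from datetime import datetime, timezone

# The A record's two RRSIGs as quoted in the post (dig presentation format,
# continuation lines joined; base64 still split by whitespace as dig prints it).
RRSIG_TEXT = """\
transfer3.rastglb.cdc.gov. 5 IN RRSIG A 5 4 5 20250126201505 20241028201505 13215 rastglb.cdc.gov. Kx+n+gsnq0BSko0tl/B3HftLDp1XtiIyImBnlE/dAWgv8VD8xwq4bPns CO1R3k3beerK1UB/OpP9VKViRnN+3E4S5fg9vpZOFsDXB4T7PmDg5N12 PwN26IJC8BrvUnqkPFdYEJGzb+orKHZsa949shODtnAVkttC4NsYvIRq MR8=
transfer3.rastglb.cdc.gov. 5 IN RRSIG A 8 4 5 20250309140556 20241209140556 43989 rastglb.cdc.gov. XSLHv9vpeY9O0JdfxPzIrkJjU8CkfioV4S0dorRK6GL8DLHjqwpyyM1k km2MjF/2lXMjAl+D4+QrNhQFfDo50njTbSKfDsDSWUZC/QffESlw6t6x XdCrShtJ6YVYltK1FgWf5xOepxEFLw0pn7I2ntDmXVLwsNkapdKqGugt vzc=
"""

# Constructed "now": 2025-02-01 12:00 UTC, after keyid 13215's signature expired
# and before keyid 43989's does.
NOW = int(datetime(2025, 2, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp())


def rfc4034_time(s):
    """YYYYMMDDHHMMSS (UTC) -> seconds since the epoch, mod 2^32 as on the wire."""
    dt = datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF


def parse_rrsig(line):
    """Parse one RRSIG in presentation format (RFC 4034 section 3.2)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG presentation-format record: " + line)
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "orig_ttl": int(f[7]),
        "expiration": rfc4034_time(f[8]), "inception": rfc4034_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature": "".join(f[12:]),  # base64 may be split across tokens
    }


def load_rrsigs(text):
    return [parse_rrsig(l) for l in text.splitlines() if l.strip()]


def serial_gt(a, b):
    """RFC 1982 'a > b' on 32-bit serial numbers, as RFC 4034 3.1.5 requires."""
    return (a < b and b - a > (1 << 31)) or (a > b and a - b < (1 << 31))


def time_window_error(sig, now):
    """Reason an RRSIG is outside its validity window, or None if it is inside."""
    if serial_gt(now, sig["expiration"]):
        return "RRSIG has expired"  # wording matches the log line in the post
    if serial_gt(sig["inception"], now):
        return "RRSIG validity period has not begun"  # assumed wording
    return None


def validate_fail_fast(rrsigs, now, verify=lambda sig: True):
    """What the post observes on 9.18: the first RRSIG outside its window
    ends validation, even if a later RRSIG would have verified."""
    for sig in rrsigs:
        err = time_window_error(sig, now)
        if err:
            return {"result": "SERVFAIL", "key_tag": sig["key_tag"], "error": err}
        if verify(sig):
            return {"result": "validated", "key_tag": sig["key_tag"], "error": None}
    return {"result": "SERVFAIL", "key_tag": None, "error": "no valid signature found"}


def validate_skip_to_next(rrsigs, now, verify=lambda sig: True):
    """What change 6374 describes: skip an expired or not-yet-valid RRSIG and
    try the next one; only fail when no RRSIG verifies."""
    skipped = []
    for sig in rrsigs:
        err = time_window_error(sig, now)
        if err:
            skipped.append((sig["key_tag"], err))
            continue
        if verify(sig):
            return {"result": "validated", "key_tag": sig["key_tag"],
                    "skipped": skipped, "error": None}
    return {"result": "SERVFAIL", "key_tag": None, "skipped": skipped,
            "error": "no valid signature found"}


def compare(now=NOW):
    """Run both strategies over the post's RRSIGs in the order dig printed them."""
    sigs = load_rrsigs(RRSIG_TEXT)
    return {"fail_fast": validate_fail_fast(sigs, now),
            "skip_to_next": validate_skip_to_next(sigs, now)}


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

Note that the order in which RRSIGs arrive in a response is not guaranteed, so a fail-fast validator's outcome depends on which signature it happens to examine first; the skip-to-next strategy is order-independent, which is why a resolver that stops at the first time-window failure can SERVFAIL a name that a sibling resolver validates.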
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users