Hi John,

About the release note you mention with the [GL #4586], this indicates the GitLab issue that was fixed and resulted in this release note. Here it is:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4586

The fix for 9.18 would have been implemented here:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8749

which would have been a backport from here:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8746

which would have fixed the problem in main.
I was going to test but it seems that the expired RRSIG was removed from transfer3.rastglb.cdc.gov

Thank you,

Darren Ankney

On Thu, Feb 6, 2025 at 8:49 PM John Thurston <john.thurs...@alaska.gov> wrote:
>
> We run both 9.18 and 9.20. We currently have servers running:
>
> 9.18.31
> 9.18.33
> 9.20.3
> 9.20.5
>
> The 9.18 and 9.20 validating resolvers behave differently when exposed to
> expired RRSIG records.
>
> Both versions log errors of the type
>
> validating transfer3.rastglb.cdc.gov/A: verify failed due to bad signature
> (keyid=13215): RRSIG has expired
>
> but 9.18 goes on to log
>
> validating transfer3.rastglb.cdc.gov/A: no valid signature found
>
> and returns a SERVFAIL
>
> 9.20 returns a fully validated response.
>
> Both servers will return the same set of records (9.18 must be queried with
> the +cd flag) when asked:
>
> transfer3.rastglb.cdc.gov. 5 IN A 198.246.125.128
>
> transfer3.rastglb.cdc.gov. 5 IN RRSIG A 5 4 5 20250126201505
> 20241028201505 13215 rastglb.cdc.gov.
> Kx+n+gsnq0BSko0tl/B3HftLDp1XtiIyImBnlE/dAWgv8VD8xwq4bPns
> CO1R3k3beerK1UB/OpP9VKViRnN+3E4S5fg9vpZOFsDXB4T7PmDg5N12
> PwN26IJC8BrvUnqkPFdYEJGzb+orKHZsa949shODtnAVkttC4NsYvIRq MR8=
>
> transfer3.rastglb.cdc.gov. 5 IN RRSIG A 8 4 5 20250309140556
> 20241209140556 43989 rastglb.cdc.gov.
> XSLHv9vpeY9O0JdfxPzIrkJjU8CkfioV4S0dorRK6GL8DLHjqwpyyM1k
> km2MjF/2lXMjAl+D4+QrNhQFfDo50njTbSKfDsDSWUZC/QffESlw6t6x
> XdCrShtJ6YVYltK1FgWf5xOepxEFLw0pn7I2ntDmXVLwsNkapdKqGugt vzc=
>
> But 9.18 appears to stumble, and consider the presence of 13215 to be the end
> of the validation-road.
>
> I found this in the release notes
>
> --- 9.18.27 released ---
>
> 6374. [bug] Skip to next RRSIG if signature has expired or is in
> the future rather than failing immediately. [GL #4586]
>
> But I'm not sure how to interpret it. Is it saying that GL#4586 has left a
> bug, and should be corrected as described? Or is it describing the behavior
> we should see in versions >= 9.18.27?
>
> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591
> john.thurs...@alaska.gov
> Department of Administration
> State of Alaska
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
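To make the 9.18.27 release note concrete, here is an added example that is not part of this thread or of BIND's own code: it parses the two RRSIGs quoted above, checks their validity windows against a query time, and contrasts a validator that gives up at the first out-of-window RRSIG with one that skips to the next. It assumes an in-window RRSIG would verify cryptographically (no DNSKEY is available offline), and its log strings are an emulation, not BIND's exact messages.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The two RRSIGs quoted in the thread (presentation format, base64 joined).
RRSIG_TEXT = """\
transfer3.rastglb.cdc.gov. 5 IN RRSIG A 5 4 5 20250126201505 20241028201505 13215 rastglb.cdc.gov. Kx+n+gsnq0BSko0tl/B3HftLDp1XtiIyImBnlE/dAWgv8VD8xwq4bPnsCO1R3k3beerK1UB/OpP9VKViRnN+3E4S5fg9vpZOFsDXB4T7PmDg5N12PwN26IJC8BrvUnqkPFdYEJGzb+orKHZsa949shODtnAVkttC4NsYvIRqMR8=
transfer3.rastglb.cdc.gov. 5 IN RRSIG A 8 4 5 20250309140556 20241209140556 43989 rastglb.cdc.gov. XSLHv9vpeY9O0JdfxPzIrkJjU8CkfioV4S0dorRK6GL8DLHjqwpyyM1kkm2MjF/2lXMjAl+D4+QrNhQFfDo50njTbSKfDsDSWUZC/QffESlw6t6xXdCrShtJ6YVYltK1FgWf5xOepxEFLw0pn7I2ntDmXVLwsNkapdKqGugtvzc=
"""

@dataclass(frozen=True)
class Rrsig:
    key_tag: int
    inception: datetime
    expiration: datetime

def _ts(s):
    """Parse an RRSIG timestamp (YYYYMMDDHHMMSS, UTC, RFC 4034 presentation)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
    f = line.split()
    return Rrsig(key_tag=int(f[10]), inception=_ts(f[9]), expiration=_ts(f[8]))

SIGS = [parse_rrsig(l) for l in RRSIG_TEXT.splitlines()]

def window_status(sig, now):
    if now > sig.expiration:
        return "has expired"
    if now < sig.inception:
        return "is in the future"
    return "valid"

def validate(rrsigs, now, skip_to_next):
    """Emulated validator loop. skip_to_next=False stops at the first RRSIG outside
    its window (pre-9.18.27); True moves on to the next one (9.18.27+ / 9.20). An
    in-window RRSIG is assumed to verify. `now` may be a datetime or RRSIG-style
    timestamp string. Returns (outcome, emulated log lines)."""
    now = _ts(now) if isinstance(now, str) else now
    log = []
    for sig in rrsigs:
        status = window_status(sig, now)
        if status == "valid":
            log.append(f"validated with keyid={sig.key_tag}")
            return "VALIDATED", log
        log.append(f"verify failed (keyid={sig.key_tag}): RRSIG {status}")
        if not skip_to_next:
            break
    log.append("no valid signature found")
    return "SERVFAIL", log
```

Run on the thread's date (2025-02-06) the old loop fails on keyid 13215 and answers SERVFAIL, while the skip-to-next loop validates with keyid 43989.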