DNSSEC RRSIG expire can have 10% time skew of lifetime (with min 3600s-max 86400s) #1481

Open
bwbroersma opened this issue Aug 9, 2024 · 0 comments
@bwbroersma
Collaborator

Unbound is used with a default signature time skew configuration.
This means the DNSSEC RRSIG expire time can be skewed by 10% of its lifetime, with a minimum of 3600s (1 hour) and a maximum of 86400s (24 hours). This fixes at minimum DST issues and at maximum timezone issues.

Depending on the client side DNS resolver, the domain could be unreachable (if Google DNS 8.8.8.8 is used).
Currently no warning is given, see:
https://internet.nl/site/expiredsig3600.go.dnscheck.tools/2911709/ 84%
https://internet.nl/site/expiredsig3601.go.dnscheck.tools/2911710/ 50%

Should this be documented in the DNSSEC explain text?

Should a ℹ️ informational, ⚠️ warning or ❌ failure be shown?

Relevant unbound files/documentation mentioning this:

  • /doc/example.conf.in lines 683-687
     	# The signature inception and expiration dates are allowed to be off
     	# by 10% of the signature lifetime (expir-incep) from our local clock.
     	# This leeway is capped with a minimum and a maximum.  In seconds.
     	# val-sig-skew-min: 3600
     	# val-sig-skew-max: 86400
    
  • /util/config_file.c lines 268-269
     	cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
     	cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
  • /doc/unbound.conf.5.in lines 1293-1308
     .B val\-sig\-skew\-min: \fI<seconds>
     Minimum number of seconds of clock skew to apply to validated signatures.
     A value of 10% of the signature lifetime (expiration \- inception) is
     used, capped by this setting.  Default is 3600 (1 hour) which allows for
     daylight savings differences.  Lower this value for more strict checking
     of short lived signatures.
     .TP
     .B val\-sig\-skew\-max: \fI<seconds>
     Maximum number of seconds of clock skew to apply to validated signatures.
     A value of 10% of the signature lifetime (expiration \- inception)
     is used, capped by this setting.  Default is 86400 (24 hours) which
     allows for timezone setting problems in stable domains.  Setting both
     min and max very low disables the clock skew allowances.  Setting both
     min and max very high makes the validator check the signature timestamps
     less strictly.
     .TP
@bwbroersma added the "new test" label (These issues suggest a new (sub)test that is currently not part of internet.nl) Aug 9, 2024
@bwbroersma added this to the intake milestone Aug 9, 2024
@bwbroersma removed the "new test" label Aug 17, 2024
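
The skew rule quoted from the Unbound documentation above, as an added Python example (not code from internet.nl or Unbound). It separates signatures a strict validator accepts from those accepted only because of the skew allowance. The function names, the result labels, the inclusive boundary and the sample timestamps are assumptions of this example, and RFC 4034 serial-number wraparound is not modelled.

```python
from datetime import datetime, timezone

# Unbound defaults quoted in the issue (val-sig-skew-min / val-sig-skew-max).
SKEW_MIN = 3600
SKEW_MAX = 86400


def parse_rrsig_time(text):
    """Parse the YYYYMMDDHHmmSS presentation form of an RRSIG timestamp (UTC)."""
    parsed = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def allowed_skew(inception, expiration, skew_min=SKEW_MIN, skew_max=SKEW_MAX):
    """10% of the signature lifetime, raised to skew_min, then capped at skew_max."""
    return min(skew_max, max(skew_min, (expiration - inception) // 10))


def classify(inception, expiration, now, skew_min=SKEW_MIN, skew_max=SKEW_MAX):
    """Return 'valid', 'valid-with-skew' or 'bogus' for one RRSIG at time `now`."""
    if inception > expiration:
        return "bogus"
    if inception <= now <= expiration:
        return "valid"  # a validator without any skew allowance agrees
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    # Seconds outside the validity window, before inception or after expiration.
    outside = inception - now if now < inception else now - expiration
    # Assumption: exactly `skew` seconds outside the window is still accepted.
    return "valid-with-skew" if outside <= skew else "bogus"


if __name__ == "__main__":
    # Constructed sample: a one-hour signature, checked around its expiration.
    incep = parse_rrsig_time("20240809000000")
    expir = parse_rrsig_time("20240809010000")
    for late in (0, 3600, 3601):
        print(late, classify(incep, expir, expir + late))
    # With both settings at 0 the allowance is disabled (strict checking).
    print(classify(incep, expir, expir + 1, skew_min=0, skew_max=0))
```

A result of `valid-with-skew` is the case the issue asks about: the Unbound-based check passes, while a resolver that applies no allowance would treat the same signature as expired.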