wildcard dnssec test fails
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Fri Dec 15 10:40:38 UTC 2017
Hi Sebastian
On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
> (unbound-users at unbound.net) wrote:
>> When I run unbound-host, I get no errors,
>> ./unbound-host www.wilda.nsec.0skar.cz -f root.key -v -t A
>> www.wilda.nsec.0skar.cz has address 85.239.227.179 (secure)
>>
>> Unbound performs serial arithmetic on the timestamps in the rrsig,
>> according to RFC.
>>
>> (What does that mean? The timestamps are 32bit in the RRSIG, but the
>> value is interpreted relative to the current date. And what you cannot
>> do is express something like a point more than some number of years
>> future or past.)
>>
>> Best regards, Wouter
>
>
> Hello Wouter,
>
>
> Thanks for the insight. Maybe this has something to do with the platform?
Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
succeed with a small code change together with the removal of -O2
(disabling clang's optimizer).
The code change is instead of if(incep - expi > 0) ..fail.. it now has
var=incep-expi; if(var > 0) ..fail..
Clang's optimizer seems to take the wrong branch in the if statement. If
I print out the value calculated, I get the correct output. Something
like if(!((incep-expi)&0x80000000)) ..fail.. does not trick the
optimizer into taking the right branch.
The code change is in the code repository.
CFLAGS=-g ./configure
This disables -O2 as well, with the current version of unbound.
Or as a workaround, maybe ignore this, perhaps with domain-insecure,
because it seems to only happen for the int32_t values of (1391084010 -
-823674496 > 0). And 2080 is uncommon in RRSIG timestamps.
Best regards, Wouter
>
> CentOS 6.9:
>
> $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
>
> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
>
> flexi.oskarcz.net has address 85.239.227.179 (secure)
>
>
> MacOS 10.13.2 (High Sierra):
>
> $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
> www.wilda.nsec.0skar.cz
>
> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> (security failure))
>
> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>
> validation failure <www.wilda.nsec.0skar.cz. A IN>: signature
> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
> while building chain of trust
>
>
> FreeBSD 11.1:
>
> $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
> www.wilda.nsec.0skar.cz
>
> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> (security failure))
>
> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>
> validation failure <www.wilda.nsec.0skar.cz. A IN>: signature
> inception after expiration from 2001:1528:132:70::1 for key
> nsec.0skar.cz. while building chain of trust
>
>
> Kind Regards
>
> Sebastian
>
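Added example (not code from the thread or from Unbound itself): the inception/expiration comparison done on uint32_t values per RFC 1982, so that no signed overflow exists for the optimizer to exploit, alongside a helper that shows why the int32_t form from the thread overflows for the values Wouter quotes. The timestamp values are the ones in the thread; the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* RRSIG inception/expiration are 32-bit unsigned seconds-since-epoch fields
 * that RFC 4034 says to compare with RFC 1982 serial arithmetic. */

/* RFC 1982 "a is after b": the wrapped difference a-b lies in (0, 2^31).
 * The subtraction is done on uint32_t, where wraparound is defined, so no
 * signed overflow can occur and the optimizer cannot "simplify" the test. */
int serial_after(uint32_t a, uint32_t b)
{
    uint32_t diff = a - b;              /* modulo 2^32, always well-defined */
    return diff != 0 && diff < 0x80000000u;
}

/* The check from the thread: reject when inception is after expiration. */
int inception_after_expiration(uint32_t incep, uint32_t expi)
{
    return serial_after(incep, expi);
}

/* Why the int32_t form  if(incep - expi > 0)  is fragile: report whether the
 * exact difference a-b fits in int32_t. When it does not, the int32_t
 * subtraction is undefined behaviour, and a compiler may assume it never
 * happens (for example by rewriting the test as plain a > b). */
int int32_sub_overflows(int32_t a, int32_t b)
{
    int64_t exact = (int64_t)a - (int64_t)b;
    return exact > INT32_MAX || exact < INT32_MIN;
}

int main(void)
{
    /* Values from the thread (constructed reproduction, not captured RRSIG
     * data): inception 1391084010 (January 2014); expiration -823674496 when
     * read as int32_t, i.e. 3471292800 as the unsigned field (year 2080). */
    int32_t incep_s = 1391084010, expi_s = -823674496;
    uint32_t incep = (uint32_t)incep_s, expi = (uint32_t)expi_s;

    printf("exact incep-expi overflows int32: %d\n",
           int32_sub_overflows(incep_s, expi_s));
    printf("inception after expiration (serial arithmetic): %d\n",
           inception_after_expiration(incep, expi));
    return 0;
}
```

With these values the serial-arithmetic check correctly reports the signature as not yet expired (expiration is about 66 years after inception), which is the result gcc produced and clang's optimized build got wrong.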