wildcard dnssec test fails
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Fri Dec 15 10:49:49 UTC 2017
Hi,
Wait, no, just CFLAGS=-g ./configure disables -O2, but you also need the
code change. So that won't work as a workaround.
Best regards, Wouter
On 15/12/17 11:40, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Sebastian
>
> On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
>> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
>> (unbound-users at unbound.net <mailto:unbound-users at unbound.net>) wrote:
>>> When I run unbound-host, I get no errors,
>>> ./unbound-host www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
>>> <http://www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz> -f
>>> root.key -v -t A
>>> www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
>>> <http://www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz> has address
>>> 85.239.227.179 (secure)
>>>
>>> Unbound performs serial arithmatic on the timestamps in the rrsig,
>>> according to RFC.
>>>
>>> (What does that mean? The timestamps are 32bit in the RRSIG, but the
>>> value is interpreted relative to the current date. And what you cannot
>>> do is express something like a point more than some number of years
>>> future or past.)
>>>
>>> Best regards, Wouter
>>
>>
>> Hello Wouter,
>>
>>
>> Thanks for the insight. Maybe this has something to with the platform?
>
> Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
> succeed with a small code change together with the removal of -O2
> (disabling clang's optimizer).
>
> The code change is instead of if(incep - expi > 0) ..fail.. it now has
> var=incep-expi; if(var > 0) ..fail..
>
> Clangs optimizer seems to take the wrong branch in the if statement. If
> I printout the value calculated, I get the correct output. Something
> like if(!((incep-expi)&0x80000000)) ..fail.. does not trick the
> optimizer into taking the right branch.
>
> The code change is in the code repository.
> CFLAGS=-g ./configure
> This disables -O2 as well, with the current version of unbound.
>
> Or as a workaround, maybe ignore this, perhaps with domain-insecure,
> because it seems to only happen for the int32_t values of (1391084010 -
> -823674496 > 0). And 2080 is uncommon in RRSIG timestamps.
>
> Best regards, Wouter
>
>>
>> CentOS 6.9:
>>
>> $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
>>
>> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
>>
>> flexi.oskarcz.net has address 85.239.227.179 (secure)
>>
>>
>> MacOS 10.13.2 (High Sierra):
>>
>> $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
>> www.wilda.nsec.0skar.cz
>>
>> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
>> (security failure))
>>
>> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>>
>> validation failure <www.wilda.nsec.0skar.cz. A IN>: signature
>> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
>> while building chain of trust
>>
>>
>> FreeBSD 11.1:
>>
>> $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
>> www.wilda.nsec.0skar.cz
>>
>> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
>> (security failure))
>>
>> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
>>
>> validation failure <www.wilda.nsec.0skar.cz. A IN>: signature
>> inception after expiration from 2001:1528:132:70::1 for key
>> nsec.0skar.cz. while building chain of trust
>>
>>
>> Kind Regards
>>
>> Sebastian
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20171215/abb05a1d/attachment.bin>
More information about the Unbound-users
mailing list