Hi all,
Today I was in for a big surprise when testing my dnssec setup. I used
the BIND 9.2.3 name server and tools.

I configured a name server on one machine as the master of domain
'myzone.com' and signed the zone file. I set up another name server on a
different machine and configured it to forward queries for 'myzone.com'
to the first name server after including a 'trusted-keys' statement in
named.conf.

Then, I queried the second name server for a host in 'myzone.com' using
dig with +dnssec specified.

The logs showed this:

Dec 07 11:44:36.0lu validating machine1.myzone.com A: attempting positive response validation
Dec 07 11:44:36.0lu validating machine1.myzone.com A: verify rdataset: SIG failed to verify
Dec 07 11:44:36.0lu validating machine1.myzone.com A: failed to verify rdataset
Dec 07 11:44:36.0lu validating machine1.myzone.com A: no valid signature found

And no response was returned. I debugged the dnssec part of the code
(where verification of SIG records is done) and found that it was
faulty. The BIND 9.2.3 source has the following statements at line 364
of file bind-9.2.3/lib/dns/dnssec.c. The function is
dns_dnssec_verify():

if (isc_serial_lt(sig.timesigned, sig.timeexpire))
        return (DNS_R_SIGINVALID);

The function isc_serial_lt (lt is less than) returns true if the first
arg is less than the second arg.

The above piece of code compares the time of signing an
RR (sig.timesigned) with the time of its expiry (sig.timeexpire). If
sig.timesigned is less than sig.timeexpire the DNS code returns
DNS_R_SIGINVALID (invalid signature). But obviously, it should be the
other way round since the time of signing a record has to be less (or
earlier) than the time of expiry. The times are in seconds since
00:00:00 UTC, January 1, 1970.

I changed the above call to isc_serial_lt by swapping the args and
recompiled the source. The problem was solved. Now the AD bit was being
set in the dig response and the answer was returned.

I checked with BIND 9.3.0; the code there is fine, i.e. DNS_R_SIGINVALID
is returned when sig.timeexpire is less than sig.timesigned.

Does anyone have similar experiences? If not, I wonder how the
dnssec part in BIND 9.2.3 was working all these days.


Thnx
Nishant
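The comparison Nishant describes, worked through as an added example that is not part of the original post and not BIND's own code. It re-implements the RFC 1982 serial-number comparison that isc_serial_lt performs (32-bit values that wrap, so that a SIG expiry which has wrapped past 2^32 still compares as "later"), puts the 9.2.3 ordering next to the swapped ordering, and goes one step beyond the post with the full RFC 4034 window check (inception <= now <= expiration) that a validator applies after the inception/expiry sanity test. The sig_times_t struct, the function names and the sample timestamps are constructed for this example; only the argument order of the quoted call comes from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1982 serial-number comparison (same semantics as BIND's
 * isc_serial_gt/isc_serial_lt, re-implemented here): a is "greater" than b
 * if it lies less than 2^31 ahead of b on the 32-bit circle. */
static bool serial_gt(uint32_t a, uint32_t b)
{
        return ((a < b) && ((b - a) > 0x80000000U)) ||
               ((a > b) && ((a - b) < 0x80000000U));
}

static bool serial_lt(uint32_t a, uint32_t b)
{
        return serial_gt(b, a);
}

/* Constructed stand-in for the two SIG fields the post talks about
 * (seconds since 1970-01-01 00:00:00 UTC, stored as uint32). */
typedef struct {
        uint32_t timesigned;   /* inception */
        uint32_t timeexpire;   /* expiration */
} sig_times_t;

/* The ordering quoted from BIND 9.2.3: rejects every well-formed SIG,
 * because a valid signature is always signed before it expires. */
static bool sig_times_ok_9_2_3(const sig_times_t *s)
{
        if (serial_lt(s->timesigned, s->timeexpire))
                return false;          /* DNS_R_SIGINVALID */
        return true;
}

/* The ordering after swapping the arguments, as the poster did:
 * only reject when expiry precedes inception. */
static bool sig_times_ok_fixed(const sig_times_t *s)
{
        if (serial_lt(s->timeexpire, s->timesigned))
                return false;          /* DNS_R_SIGINVALID */
        return true;
}

/* Full validity-window check (RFC 4034 section 3.1.5): the SIG must be
 * sane and the current time must fall inside [inception, expiration].
 * This goes beyond what the post's snippet tests. */
static bool sig_window_ok(const sig_times_t *s, uint32_t now)
{
        if (!sig_times_ok_fixed(s))
                return false;
        if (serial_lt(now, s->timesigned))
                return false;          /* not yet valid */
        if (serial_lt(s->timeexpire, now))
                return false;          /* expired */
        return true;
}

/* A naive "<" comparison, kept only to show why serial arithmetic is
 * used: it misorders timestamps that have wrapped past 2^32. */
static bool naive_times_ok(const sig_times_t *s)
{
        return !(s->timeexpire < s->timesigned);
}

int main(void)
{
        /* Constructed sample: signed early Nov 2004, 30-day validity. */
        sig_times_t good = { 1100000000U, 1102592000U };
        /* Constructed sample: expiry earlier than inception (malformed). */
        sig_times_t bad  = { 1102592000U, 1100000000U };
        /* Constructed sample: expiry has wrapped around 2^32. */
        sig_times_t wrap = { 0xFFFFFF00U, 0x00000100U };
        uint32_t now = 1102419876U;   /* 2004-12-07, inside the window */

        printf("good  9.2.3=%d fixed=%d window=%d\n",
               sig_times_ok_9_2_3(&good), sig_times_ok_fixed(&good),
               sig_window_ok(&good, now));
        printf("bad   9.2.3=%d fixed=%d\n",
               sig_times_ok_9_2_3(&bad), sig_times_ok_fixed(&bad));
        printf("wrap  naive=%d serial=%d\n",
               naive_times_ok(&wrap), sig_times_ok_fixed(&wrap));
        return 0;
}
```

Running it shows the point of the post directly: the 9.2.3 ordering returns false for the well-formed SIG and true for the malformed one, while the swapped ordering gives the expected results; the wrapped case shows why the comparison is done with isc_serial_lt rather than a plain less-than.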