
Y2038 bug when checking DNSSEC signature expiration

Open bortzmeyer opened this issue 1 year ago • 3 comments

Apparently, in lib/Zonemaster/Engine/Test/DNSSEC.pm, Zonemaster checks the possible expiration of DNSSEC signatures by just a regular "lower than" operator. If this is indeed the case, it is a Y2038 bug. RFC 4034, section 3.1.5, says "all comparisons involving these fields [inception and expiration] MUST use "Serial number arithmetic", as defined in RFC1982". It seems there are fifteen years to address that.

bortzmeyer avatar Nov 06 '23 15:11 bortzmeyer
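The comparison RFC 4034 requires, shown as an added example that is not Zonemaster's code and not taken from DNSSEC.pm. It implements RFC 1982 serial number arithmetic for SERIAL_BITS = 32 and applies it to the RRSIG validity check (inception <= now <= expiration), next to the plain integer check the issue describes. The sample timestamps are constructed values placed on either side of the 2^32 wrap of the unsigned 32-bit RRSIG fields; the function names are this example's own.

```python
"""RFC 1982 serial number arithmetic applied to RRSIG inception/expiration.

Example code written for this issue; not part of Zonemaster. The RRSIG
inception and expiration fields are unsigned 32-bit seconds since the epoch,
taken modulo 2^32 (RFC 4034 section 3.1.5), so once a value crosses the
wrap a plain "lower than" comparison gives the wrong answer.
"""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS          # 2^32
HALF = 1 << (SERIAL_BITS - 1)       # 2^31


def is_serial_comparable(a, b):
    """RFC 1982 leaves the order of two values exactly 2^31 apart undefined."""
    return (b - a) % MODULUS != HALF


def serial_lt(a, b):
    """True if a precedes b in RFC 1982 serial arithmetic.

    RFC 1982: a < b iff (a < b and b - a < 2^31) or (a > b and a - b > 2^31).
    Both branches reduce to (b - a) mod 2^32 being strictly below 2^31.
    """
    a %= MODULUS
    b %= MODULUS
    if a == b:
        return False
    if not is_serial_comparable(a, b):
        raise ValueError("RFC 1982 comparison undefined: values differ by 2^31")
    return (b - a) % MODULUS < HALF


def serial_le(a, b):
    """a <= b in serial arithmetic."""
    return a % MODULUS == b % MODULUS or serial_lt(a, b)


def rrsig_valid_at(inception, expiration, now):
    """RFC 4034 section 3.1.5: the signature is valid at `now` iff
    inception <= now <= expiration, both comparisons in serial arithmetic."""
    return serial_le(inception, now) and serial_le(now, expiration)


def rrsig_valid_naive(inception, expiration, now):
    """The plain integer comparison the issue describes, kept for contrast."""
    return inception <= now <= expiration


# Constructed sample: a signature whose validity window straddles the 2^32
# wrap. On the wire the expiration field has already wrapped to a small value.
INCEPTION = MODULUS - 3600    # one hour before the wrap
EXPIRATION = 3600             # one hour after the wrap, as stored in the RR
BEFORE_WRAP = MODULUS - 1800  # a "now" inside the window, before the wrap
AFTER_WRAP = 1800             # a "now" inside the window, after the wrap


if __name__ == "__main__":
    for label, now in (("before wrap", BEFORE_WRAP), ("after wrap", AFTER_WRAP)):
        print(f"{label}: serial arithmetic -> {rrsig_valid_at(INCEPTION, EXPIRATION, now)}, "
              f"plain comparison -> {rrsig_valid_naive(INCEPTION, EXPIRATION, now)}")
    # A signature that really is expired is still rejected by both checks.
    print("expired:", rrsig_valid_at(1000, 2000, 3000), rrsig_valid_naive(1000, 2000, 3000))
```

Both `now` values sit inside the signature's validity window, yet the plain comparison reports the signature as invalid in both cases because the stored expiration (3600) is numerically smaller than the inception (2^32 - 3600); the serial arithmetic check accepts it. Far from the wrap the two checks agree, which is why the bug stays invisible today.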

@bortzmeyer, thank you for pointing that out. We should fix that well ahead of the time limit.

matsduf avatar Nov 06 '23 15:11 matsduf

If this is indeed the case, it is a Y2038 bug.

I can't see any restriction on how to compare the time in the DNSSEC08 specification. So I think it is indeed a regular comparison.

It seems LDNS can handle such serial arithmetic comparison. Maybe we could rely on that.

ghost avatar Nov 06 '23 15:11 ghost

There are more test case specifications (not just DNSSEC08) that require the RRSIG to be valid, but all of them should use the same method.

matsduf avatar Nov 06 '23 15:11 matsduf