In message <[EMAIL PROTECTED]>, Stephane Bortzmeyer writes:
> On Tue, Oct 14, 2008 at 06:50:17AM -0600,
>  Rajalakshmi R <[EMAIL PROTECTED]> wrote 
>  a message of 33 lines which said:
> 
> > raji.com.               86400   IN      RRSIG   DNSKEY 5 2 86400
> >    20081113142126 20081014142126
> 
> 14th October 2008, 14:21, UTC

> > 14-Oct-2008 17:16:34.386 validating @0x555555742220: raji.com DNSKEY: verify rdataset (keyidA667): RRSIG validity period has not begun
> 
> Clock off by a few minutes? 

        Off by several hours.  I suspect the machine that signed
        the zone has the timezone incorrectly set with the "correct"
        local time being displayed.  The fix is to correctly set
        the time zone on the machine then re-set the clock so that
        it displays the correct local time.  This will result in the
        machine's concept of UTC being correct.  dnssec-signzone
        already signs the zone with the starting time set to
        1 hour earlier than the real signing time.

                i.e. 14:21:26 when it was 15:21:26

        Below are received lines from the original email showing
        the time the first message was processed.  mx.isc.org is
        synchronised using NTP and I suspect victor.provo.novell.com
        is as well, as its timestamp is 1 second earlier.

        DNSSEC doesn't require NTP's precision.  It just requires
        the clock to be reasonably accurate; +/- 15 minutes would
        be fine.

        Mark

Received: from victor.provo.novell.com (victor.provo.novell.com [137.65.250.26])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "imap.novell.com", Issuer "APPS" (not verified))
        by mx.isc.org (Postfix) with ESMTPS id 61D3211401C
        for <[email protected]>; Tue, 14 Oct 2008 12:43:52 +0000 (UTC)
        (envelope-from [EMAIL PROTECTED])
Received: from INET-PRV3-MTA by victor.provo.novell.com
        with Novell_GroupWise; Tue, 14 Oct 2008 06:43:51 -0600

> RFC 4034 :
> 
>    The Signature Expiration Time and Inception Time field values MUST be
>    represented either as an unsigned decimal integer indicating seconds
>    since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
>    UTC, where:
> 
>       YYYY is the year (0001-9999, but see Section 3.1.5);
>       MM is the month number (01-12);
>       DD is the day of the month (01-31);
>       HH is the hour, in 24 hour notation (00-23);
>       mm is the minute (00-59); and
>       SS is the second (00-59).
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
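
The validity-window check discussed in this thread, as an added example (not part of the original messages and not BIND's code): it parses both RFC 4034 time forms, tests the RRSIG window against a trusted UTC time, and bounds how far ahead the signer's clock was. The function names are hypothetical; the sample values are the RRSIG fields and the mx.isc.org Received timestamp quoted above, and the one-hour backdating is taken from the reply.

```python
from datetime import datetime, timedelta, timezone

def parse_rrsig_time(field: str) -> datetime:
    """Parse an RRSIG inception/expiration field (either RFC 4034 form) as UTC."""
    if not (field.isascii() and field.isdigit()):
        raise ValueError(f"not a decimal time field: {field!r}")
    if len(field) == 14:   # YYYYMMDDHHmmSS, always UTC, never local time
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if len(field) <= 10:   # seconds since 1 January 1970 00:00:00 UTC
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    raise ValueError(f"ambiguous time field length: {field!r}")

def check_window(inception: datetime, expiration: datetime, now: datetime):
    """Return (status, margin) for a validator whose UTC clock reads `now`."""
    if now < inception:
        return "not-yet-valid", inception - now
    if now > expiration:
        return "expired", now - expiration
    return "valid", expiration - now

def signer_clock_lead(inception: datetime, reference: datetime,
                      backdate: timedelta = timedelta(hours=1)) -> timedelta:
    """Lower bound on how far ahead of real UTC the signer's clock was.

    Assumes the signer backdated inception by `backdate` and that `reference`
    is a trusted UTC time at or after the moment of signing.
    """
    return (inception + backdate) - reference

# Values quoted in the thread: expiration, inception, and the time
# mx.isc.org (NTP-synchronised) received the first message.
EXPIRATION = parse_rrsig_time("20081113142126")
INCEPTION = parse_rrsig_time("20081014142126")
RECEIVED = datetime(2008, 10, 14, 12, 43, 52, tzinfo=timezone.utc)

if __name__ == "__main__":
    status, margin = check_window(INCEPTION, EXPIRATION, RECEIVED)
    print(f"at {RECEIVED.isoformat()}: {status}, margin {margin}")
    print(f"signer clock ahead by at least {signer_clock_lead(INCEPTION, RECEIVED)}")
```
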
