I have verified that this also happens intermittently with dig in BIND 9.9.5 built/configured with:

STD_CDEFINES="-DDIG_SIGCHASE=1"
export STD_CDEFINES
./configure --enable-threads --enable-largefile

—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University

From: Ray Walker <ray.wal...@nau.edu>
Date: Friday, February 21, 2014 at 4:28 PM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: dig +sigchase looping

I’m experiencing an interesting issue where sometimes when performing a sigchase on a valid signed zone the command loops indefinitely when an expired RRSIG exists:

Live example:
dig +sigchase +trusted-key=./trusted.keys aa.nau.edu A

Notes:
There is currently a valid RRSIG for this zone.
dig compiled with -DDIG_SIGCHASE=1
BIND 9.9.4

Roughly 50% of the time it returns as expected, while other times looping in such a fashion:

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for aa.nau.edu. with DNSKEY:25159: RRSIG has expired

Any particular reason this should be expected or is it bug worthy (or fixed in 9.9.5, as I didn’t see anything in the change log referring to it)?

—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University