Y2038 bug when checking DNSSEC signature expiration #1299
Comments
|
@bortzmeyer, thank you for pointing that out. We should fix that well ahead of the time limit. |
I can't see any restriction on how to compare the time in the DNSSEC08 specification. So I think it is indeed a regular comparison. It seems LDNS can handle such serial arithmetic comparison. Maybe we could rely on that. |
|
There are more test case specifications (not just DNSSEC08) that require the RRSIG to be valid, but all of them should use the same method. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Apparently, in
lib/Zonemaster/Engine/Test/DNSSEC.pm, Zonemaster checks the possible expiration of DNSSEC signatures by just a regular "lower than" operator. If this is indeed the case, it is a Y2038 bug. RFC 4034, section 3.1.5, says "all comparisons involving these fields [inception and expiration] MUST use "Serial number arithmetic", as defined in RFC1982".It seems there is fifteen years to address that.
The text was updated successfully, but these errors were encountered: