rec: extend the validity period of signatures by a number of seconds #7081
There are some weird, maybe even broken, dnssec implementations out there. This pull is a workaround for the "sign with inception is NOW" problem. This is done by a loadbalancer vendor with a letter and a number in its name. This is bad because only a very small time difference between signer and validator is enough for a domain to go bogus from time to time.
If you do backport this to 4.1, I'd suggest having it off by default. (And turning it on by default in 4.2.)
This is weird and paranoid, but people could have compliance reasons for being unable to accept expired RRSIGs, and people are less careful about reading the changelogs of point releases.
(A CA using a different resolver got in trouble because this feature was on by default. But they just made a mistake -- it was always on by default, they didn't miss a change.)
We are talking about 60 seconds to compensate for clock skew, not hours or days (like in other software).
When your validation process is this critical and compliance is that important, you should always read change-logs. If you fail to do so, don't blame software for a more sane mode of operation. For normal users this small number of seconds will prevent some insanely hard to debug validation failures. And by doing so it will save many hours of debugging and speed up the dnssec adoption as a whole. Something CAs should love...
I'm against a switched-off default in 4.1.x, because this will mean people will choose a shitty value for this option when they hit this problem. And this value will stay in their config for years.
In my opinion this is one of those pulls where “The Needs of the Many Outweigh the Needs of the Few”.
Or maybe we should just release 4.2.0 ;)
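The failure mode described in the PR description (a signer that sets the RRSIG inception to "now") and the 60-second slack discussed above, as an added stand-alone example; this is not code from the pull request or from the PowerDNS code base. It implements the RFC 4034 section 3.1.5 validity-window check with RFC 1982 serial arithmetic, parses the inception/expiration fields of a constructed RRSIG record in presentation format (the signature bytes are a dummy), and shows that a validator whose clock is only a few seconds behind the signer marks the record bogus with no slack but accepts it with a 60-second slack. The `skew` parameter name and the sample record are this example's own assumptions.

```python
"""Added example: RRSIG validity-window check with a configurable clock-skew slack."""
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF
HALF32 = 1 << 31


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial-number arithmetic (SERIAL_BITS = 32),
    which RFC 4034 section 3.1.5 requires for RRSIG time comparisons."""
    a &= MASK32
    b &= MASK32
    if a == b:
        return True
    return (a < b and b - a < HALF32) or (a > b and a - b > HALF32)


def parse_rrsig_time(field: str) -> int:
    """Convert the YYYYMMDDHHmmSS presentation form of Signature
    Expiration / Signature Inception into seconds since the epoch (UTC)."""
    return int(datetime.strptime(field, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_rrsig_window(rrsig_line: str) -> tuple:
    """Return (inception, expiration) from an RRSIG record in presentation
    format. RDATA field order per RFC 4034: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature."""
    tok = rrsig_line.split()
    if len(tok) < 13 or tok[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return parse_rrsig_time(tok[9]), parse_rrsig_time(tok[8])


def rrsig_time_valid(inception: int, expiration: int, now: int, skew: int = 0) -> bool:
    """Accept the signature if now lies in [inception - skew, expiration + skew].
    skew=0 is the strict RFC 4034 check; a small slack (60 s in the discussion)
    is applied on both ends so that minor signer/validator clock differences
    do not turn the zone bogus."""
    lo = (inception - skew) & MASK32
    hi = (expiration + skew) & MASK32
    return serial_le(lo, now) and serial_le(now, hi)


# Constructed sample (assumption): a signer that sets inception to the moment of
# signing instead of backdating it, with a one-week expiration. Dummy signature.
RRSIG_LINE = ("www.example. 3600 IN RRSIG A 8 2 3600 "
              "20181007120000 20180930120000 12345 example. ZHVtbXk=")


def validate_with_skewed_clock(rrsig_line: str, validator_offset: int, skew: int) -> bool:
    """Validate the RRSIG from a validator whose clock is validator_offset
    seconds away from the signer's at signing time (signer's now == inception)."""
    inception, expiration = parse_rrsig_window(rrsig_line)
    validator_now = inception + validator_offset
    return rrsig_time_valid(inception, expiration, validator_now, skew)


if __name__ == "__main__":
    for offset in (-5, 0, 5):
        for skew in (0, 60):
            verdict = "valid" if validate_with_skewed_clock(RRSIG_LINE, offset, skew) else "bogus"
            print(f"validator clock {offset:+d}s, slack {skew:2d}s -> {verdict}")
```

The slack is applied symmetrically, so a signature that is more than `skew` seconds past its expiration is still rejected; the wrap-around handling in `serial_le` matters because the 32-bit time fields roll over in 2106 and a naive integer compare would break there.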
Looks to be this https://bugzilla.mozilla.org/show_bug.cgi?id=1398427 for anyone else interested.