Signature Expiration Jitter not working for dynamic NSEC3 zones (#1256) · Issues · ISC Open Source Projects / BIND

Signature Expiration Jitter not working for dynamic NSEC3 zones

Summary

For auto-dnssec zones, on initial signing, BIND should be jittering the signature expirations across the signature validity period. It does this correctly for NSEC zones. But not for NSEC3 zones that were provisioned by dynamically updating an NSEC3PARAM record into the zone.

BIND version used

BIND 9.14.4 (Stable Release) id:ab4c496

(As far as I can tell this affects previous versions of BIND too, back to the 9.12.x release that introduced the jitter feature. It is certainly present in 9.12.3, which we were running prior to 9.14.4.)

Steps to reproduce

Create a new zone with a decent number of records.
Create zone stanza in named.conf with "auto-dnssec maintain" and any sig validity parameters you want to set
rndc reconfig
Use DNS UPDATE to add an NSEC3PARAM record into the zone
Create DNSSEC keys in the zone directory
Trigger zone signing with 'rndc sign
Wait till zone has been completely signed (watch rndc signing -list )
Plot the signature expirations and see if they are spread out (I have a program that does this, referenced below).

What is the current bug behavior?

No jittering of the signature expirations is observed.
The expiration dates are all set to exactly the signature validity period in the future.

What is the expected correct behavior?

My test used a config of "sig-validity-interval 60 10"
The resulting signature expirations should be spread out across the range 10 days to 60 days.
(But they all expire at 60 days.)

Relevant configuration files

We discovered this issue on some of our large production zones. I then reproduced the problem with a smaller test.

My test zone uses the following config file snippet:

zone "blah.com" {
        type master;
        update-policy local;
        auto-dnssec maintain;
        sig-validity-interval 60 10;
        file "zones/blah.com/zonefile";
        key-directory "zones/blah.com";
        notify no;
};

The main "options" stanza also has "dnssec-enable yes;" of course. But I think that's now the default.

Relevant logs and/or screenshots

I've attached two files containing plots of the signature expiration times for my test zone which contained 10,000 RRsets. These plots were generated by the following code:

https://github.com/shuque/dnsmisc/blob/master/plot-rrsig-expirations.py

The first plot is the test of the NSEC3 zone, initialized by dynamically updating an NSEC3PARAM record. This shows no jittering. All signatures expire at around 60 days:

The second plot is for the same zone, but with no NSEC3, and the signatures are jittered correctly for this:

One peculiarity worth noting: when we were originally using this feature, it was working even with NSEC3 zones, but we were using a different method to initialize them: we pre-populated the zone file with the NSEC3PARAM record first, then loaded it into BIND and triggered signing. This worked for a while until we ran into another bug where BIND would sometimes generate incomplete NSEC3 chains. Then after discussion with ISC, we learned that this is not a supported way to initialize NSEC3 zones, and that we should switch to the supported method of inserting the NSEC3PARAM record with UPDATE.

Possible fixes

### Summary

### BIND version used

BIND 9.14.4 (Stable Release) <id:ab4c496>

### Steps to reproduce

* Create a new zone with a decent number of records.
* Create zone stanza in named.conf with "auto-dnssec maintain" and any sig validity parameters you want to set
* rndc reconfig
* Use DNS UPDATE to add an NSEC3PARAM record into the zone
* Create DNSSEC keys in the zone directory
* Trigger zone signing with 'rndc sign <zonename>
* Wait till zone has been completely signed (watch rndc signing -list <zonename>)
* Plot the signature expirations and see if they are spread out (I have a program that does this, referenced below).

### What is the current *bug* behavior?

* No jittering of the signature expirations is observed.
* The expiration dates are all set to exactly the signature validity period in the future.

### What is the expected *correct* behavior?

* My test used a config of "sig-validity-interval 60 10"
* The resulting signature expirations should be spread out across the range 10 days to 60 days.
* (But they all expire at 60 days.)

### Relevant configuration files

We discovered this issue on some of our large production zones. I then reproduced the problem with a smaller test.

My test zone uses the following config file snippet:

```
zone "blah.com" {
        type master;
        update-policy local;
        auto-dnssec maintain;
        sig-validity-interval 60 10;
        file "zones/blah.com/zonefile";
        key-directory "zones/blah.com";
        notify no;
};
```

The main "options" stanza also has "dnssec-enable yes;" of course. But I think that's now the default.

### Relevant logs and/or screenshots

I've attached two files containing plots of the signature expiration times for my test zone which contained 10,000 RRsets. These plots were generated by the following code:

https://github.com/shuque/dnsmisc/blob/master/plot-rrsig-expirations.py

The first plot is the test of the NSEC3 zone, initialized by dynamically updating an NSEC3PARAM record. This shows no jittering. All signatures expire at around 60 days:

![blah-com-rrsigs-nsec3param](/uploads/1a607f8b1d7d48ca656970001e225503/blah-com-rrsigs-nsec3param.png)

The second plot is for the same zone, but with no NSEC3, and the signatures are jittered correctly for this:

![blah-com-rrsigs-no-nsec3param](/uploads/cefccbb054ce6877758a335208fac366/blah-com-rrsigs-no-nsec3param.png)

### Possible fixes