Maintained by: NLnet Labs

wildcard dnssec test fails

Sebastian Schmidt
Fri Dec 15 23:28:39 CET 2017


Hi,

Thanks so much for finding the problem. I've recompiled unbound with GNU gcc for now. It seamed like the simplest solution. 
I never would have thought that the access to a internet service (to the end user) could be broken because of a compiler optimisation. Still so many things have to go "wrong" for this to happen. 

Will this be reported to the clang developers?

Regards,
Sebastian


On 15 December 2017 at 8:50:14 pm, W.C.A. Wijngaards via Unbound-users (unbound-users at unbound.net) wrote:
> Hi,
>  
> Wait, no, just CFLAGS=-g ./configure disables -O2, but you also need the
> code change. So that won't work as a workaround.
>  
> Best regards, Wouter
>  
> On 15/12/17 11:40, W.C.A. Wijngaards via Unbound-users wrote:
> > Hi Sebastian
> >
> > On 15/12/17 10:19, Sebastian Schmidt via Unbound-users wrote:
> >> On 15 December 2017 at 6:09:19 pm, W.C.A. Wijngaards via Unbound-users
> >> (unbound-users at unbound.net ) wrote:
> >>> When I run unbound-host, I get no errors,
> >>> ./unbound-host www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
> >>> -f
> >>> root.key -v -t A
> >>> www.wilda.nsec.0skar.czwww.wilda.nsec.0skar.cz
> >>> has address
> >>> 85.239.227.179 (secure)
> >>>
> >>> Unbound performs serial arithmatic on the timestamps in the rrsig,
> >>> according to RFC.
> >>>
> >>> (What does that mean? The timestamps are 32bit in the RRSIG, but the
> >>> value is interpreted relative to the current date. And what you cannot
> >>> do is express something like a point more than some number of years
> >>> future or past.)
> >>>
> >>> Best regards, Wouter
> >>
> >>
> >> Hello Wouter,
> >>
> >>
> >> Thanks for the insight. Maybe this has something to with the platform?
> >
> > Yes it is the compiler. Clang fails, gcc succeeds. I can make clang
> > succeed with a small code change together with the removal of -O2
> > (disabling clang's optimizer).
> >
> > The code change is instead of if(incep - expi > 0) ..fail.. it now has
> > var=incep-expi; if(var > 0) ..fail..
> >
> > Clangs optimizer seems to take the wrong branch in the if statement. If
> > I printout the value calculated, I get the correct output. Something
> > like if(!((incep-expi)&0x80000000)) ..fail.. does not trick the
> > optimizer into taking the right branch.
> >
> > The code change is in the code repository.
> > CFLAGS=-g ./configure
> > This disables -O2 as well, with the current version of unbound.
> >
> > Or as a workaround, maybe ignore this, perhaps with domain-insecure,
> > because it seems to only happen for the int32_t values of (1391084010 -
> > -823674496 > 0). And 2080 is uncommon in RRSIG timestamps.
> >
> > Best regards, Wouter
> >
> >>
> >> CentOS 6.9:
> >>
> >> $ unbound-host -v -f /etc/unbound/root.key -t A www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (secure)
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (secure)
> >>
> >>
> >> MacOS 10.13.2 (High Sierra):
> >>
> >> $ unbound-host -v -t A -f /usr/local/etc/unbound/root.key
> >> www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> >> (security failure))
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> >>
> >> validation failure : signature
> >> inception after expiration from 85.239.227.179 for key nsec.0skar.cz.
> >> while building chain of trust
> >>
> >>
> >> FreeBSD 11.1:
> >>
> >> $ unbound-host -v -f /usr/local/etc/unbound/root.key -t A
> >> www.wilda.nsec.0skar.cz
> >>
> >> www.wilda.nsec.0skar.cz is an alias for flexi.oskarcz.net. (BOGUS
> >> (security failure))
> >>
> >> flexi.oskarcz.net has address 85.239.227.179 (BOGUS (security failure))
> >>
> >> validation failure : signature
> >> inception after expiration from 2001:1528:132:70::1 for key
> >> nsec.0skar.cz. while building chain of trust
> >>
> >>
> >> Kind Regards
> >>
> >> Sebastian
> >>
> >
> >
>  
>  
>