[GH-ISSUE #2209] DnssecDnsHandle does not appear to validate RRSIG's signature {inception,expiration} fields #920

Closed
opened 2026-03-16 00:57:54 +03:00 by kerem · 1 comment
Owner

Originally created by @japaric on GitHub (May 13, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2209

Section 5.3.1 of RFC 4035 lists all the validation steps that must be performed on RRSIG records, among them:

  • The validator's notion of the current time MUST be less than or equal to the time listed in the RRSIG RR's Expiration field.
  • The validator's notion of the current time MUST be greater than or equal to the time listed in the RRSIG RR's Inception field.

I was reading through the [`DnssecDnsHandle`](https://github.com/hickory-dns/hickory-dns/blob/97e1f43456da0552d5baf965b354a14c05f2ac95/crates/proto/src/xfer/dnssec_dns_handle.rs) code and could not find a validation of [the expiration and inception fields](https://github.com/hickory-dns/hickory-dns/blob/97e1f43456da0552d5baf965b354a14c05f2ac95/crates/proto/src/rr/dnssec/rdata/sig.rs#L187-L188). In fact, I didn't see anything like `SystemTime` being passed into or used in the validation functions.

I could see the other validation steps specified in the RFC, like checking that the algorithm field does match the field in the DNSKEY record.

I didn't go as far as trying to forge expired RRSIG records to verify that the check was missing. The `hickory-dns` binary does not use the `DnssecDnsHandle` object so it was not going to be possible to confirm that using `dns-test`.

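The two RFC 4035 §5.3.1 time checks the issue refers to, written out as an added example (this is not hickory-dns code and does not reflect how the project later fixed the issue). RFC 4034 §3.1.5 stores Signature Expiration and Inception as unsigned 32-bit POSIX seconds and requires comparing them with serial number arithmetic (RFC 1982), so a plain `<=` on the raw values would misjudge windows that straddle the 32-bit wrap; the example below does the comparison the RFC way and refuses the two cases RFC 1982 leaves undefined (values exactly 2^31 apart) or an inverted window. The function names, the error type and the sample window are assumptions made for the example; the clock is passed in as a parameter rather than read inside the check so the logic can be exercised at fixed instants.

```rust
use std::cmp::Ordering;
use std::time::{SystemTime, UNIX_EPOCH};

/// Why an RRSIG validity window rejects a signature (hypothetical type).
#[derive(Debug, PartialEq, Eq)]
pub enum SigTimeError {
    /// now < inception (RFC 4035 §5.3.1, second bullet)
    NotYetValid { inception: u32, now: u32 },
    /// now > expiration (RFC 4035 §5.3.1, first bullet)
    Expired { expiration: u32, now: u32 },
    /// Inverted window, or a comparison RFC 1982 leaves undefined; refuse to guess.
    Undefined { inception: u32, expiration: u32, now: u32 },
}

/// RFC 1982 serial number comparison for 32-bit values, as RFC 4034 §3.1.5
/// requires for the RRSIG time fields. Returns None when the two values
/// differ by exactly 2^31, which RFC 1982 defines as neither less nor greater.
pub fn serial_cmp(a: u32, b: u32) -> Option<Ordering> {
    const HALF: u32 = 1 << 31;
    if a == b {
        return Some(Ordering::Equal);
    }
    let d = b.wrapping_sub(a);
    if d == HALF {
        None
    } else if d < HALF {
        Some(Ordering::Less) // a comes before b, even across the u32 wrap
    } else {
        Some(Ordering::Greater) // a comes after b
    }
}

/// inception <= now <= expiration, all in RRSIG wire form (u32 seconds).
/// `now` is the validator's own notion of the current time.
pub fn check_validity_window(
    inception: u32,
    expiration: u32,
    now: u32,
) -> Result<(), SigTimeError> {
    let undefined = || SigTimeError::Undefined { inception, expiration, now };
    // The window itself must be well-ordered before either bound is trusted.
    match serial_cmp(inception, expiration) {
        Some(Ordering::Less) | Some(Ordering::Equal) => {}
        _ => return Err(undefined()),
    }
    // now >= inception
    match serial_cmp(now, inception) {
        Some(Ordering::Less) => return Err(SigTimeError::NotYetValid { inception, now }),
        None => return Err(undefined()),
        _ => {}
    }
    // now <= expiration
    match serial_cmp(now, expiration) {
        Some(Ordering::Greater) => return Err(SigTimeError::Expired { expiration, now }),
        None => return Err(undefined()),
        _ => {}
    }
    Ok(())
}

/// The validator's clock, truncated to the 32-bit width of the RRSIG fields.
pub fn now_as_rrsig_time() -> u32 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs() as u32)
        .unwrap_or(0)
}

fn main() {
    // Constructed window, not taken from any real zone: 14 days starting
    // 2024-05-13T00:00:00Z (1715558400).
    let inception = 1_715_558_400u32;
    let expiration = inception + 14 * 86_400;
    for now in [inception - 1, inception, inception + 86_400, expiration, expiration + 1] {
        println!("now={now}: {:?}", check_validity_window(inception, expiration, now));
    }
    println!(
        "live clock: {:?}",
        check_validity_window(inception, expiration, now_as_rrsig_time())
    );
}
```

The example deliberately adds no clock-skew allowance: RFC 4035 states the bounds as hard MUSTs against the validator's own clock, and any tolerance a resolver chooses to add is a local policy decision that should be explicit rather than buried in the comparison. Note that a window longer than 2^31 seconds is rejected as inverted, which is the correct reading of serial arithmetic, not a bug.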
kerem 2026-03-16 00:57:54 +03:00
Author
Owner

@bluejekyll commented on GitHub (May 18, 2024):

this is really surprising to me. I just took a quick look through the code, and it appears that you're correct at first glance. I'm going to look through the code a bit more to make sure I'm not missing something.


Ok, I reviewed. This is really blowing my mind, I can't believe I didn't add that.
