Y2038 bug when checking DNSSEC signature expiration

[bortzmeyer]

Apparently, in lib/Zonemaster/Engine/Test/DNSSEC.pm, Zonemaster checks the possible expiration of DNSSEC signatures by just a regular "lower than" operator. If this is indeed the case, it is a Y2038 bug. RFC 4034, section 3.1.5, says "all comparisons involving these fields [inception and expiration] MUST use "Serial number arithmetic", as defined in RFC1982".
It seems there is fifteen years to address that.

[matsduf]

@bortzmeyer, thank you for pointing that out. We should fix that well ahead of the time limit.

If this is indeed the case, it is a Y2038 bug.

I can't see any restriction on how to compare the time in the DNSSEC08 specification. So I think it is indeed a regular comparison.

It seems LDNS can handle such serial arithmetic comparison. Maybe we could rely on that.

[matsduf]

There are more test case specifications (not just DNSSEC08) that require the RRSIG to be valid, but all of them should use the same method.