resolved: consider inverted RRSIG validity intervals expired
parent
f506d09f71
commit
5ae5cd4052
|
@ -442,8 +442,9 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
|
||||||
expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
|
expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
|
||||||
inception = rrsig->rrsig.inception * USEC_PER_SEC;
|
inception = rrsig->rrsig.inception * USEC_PER_SEC;
|
||||||
|
|
||||||
|
/* Consider inverted validity intervals as expired */
|
||||||
if (inception > expiration)
|
if (inception > expiration)
|
||||||
return -EKEYREJECTED;
|
return true;
|
||||||
|
|
||||||
/* Permit a certain amount of clock skew of 10% of the valid
|
/* Permit a certain amount of clock skew of 10% of the valid
|
||||||
* time range. This takes inspiration from unbound's
|
* time range. This takes inspiration from unbound's
|
||||||
|
|
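Review bot: The added comment above `if (inception > expiration)` says what the branch does but not why the result changed from `-EKEYREJECTED` to `true`, and an inverted interval now looks like ordinary expiry to the caller. I would spell that out, e.g. `/* Inverted validity interval: treat the signature as expired (never as valid) instead of returning an error; callers cannot tell this apart from normal expiry */`. A debug log on this branch may also help, since an inverted interval suggests a malformed or tampered record rather than a stale one. Separately, the comparison is plain numeric while RFC 4034 defines both fields in serial-number arithmetic, so a signature whose interval wraps the 32-bit counter would presumably land in this branch too; worth confirming that is intended. The body of dnssec_rrsig_expired starts and ends outside the hunk, so its return contract is not visible here.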