From 896c567247371cc14e49774c3b844a7038c37a60 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 3 Dec 2015 19:03:21 +0100
Subject: [PATCH] resolved: add a limit on the max DNSSEC RRSIG expiry skew we
 allow

---
 src/resolve/resolved-dns-dnssec.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 89833441fd..608a8a2191 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -36,6 +36,9 @@
 #define VERIFY_RRS_MAX 256
 #define MAX_KEY_SIZE (32*1024)
 
+/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
 /*
  * The DNSSEC Chain of trust:
  *
@@ -230,8 +233,12 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
         if (inception > expiration)
                 return -EKEYREJECTED;
 
-        /* Permit a certain amount of clock skew of 10% of the valid time range */
+        /* Permit a certain amount of clock skew of 10% of the valid
+         * time range. This takes inspiration from unbound's
+         * resolver. */
         skew = (expiration - inception) / 10;
+        if (skew > SKEW_MAX)
+                skew = SKEW_MAX;
 
         if (inception < skew)
                 inception = 0;