resolved: consider inverted RRSIG validity intervals expired

2016-01-13 01:04:03 +01:00 · 2016-01-13 01:04:03 +01:00 · 5ae5cd4052
parent f506d09f71
commit 5ae5cd4052
1 changed files with 2 additions and 1 deletions
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -442,8 +442,9 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
        expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
        inception = rrsig->rrsig.inception * USEC_PER_SEC;

+        /* Consider inverted validity intervals as expired */
        if (inception > expiration)
-                return -EKEYREJECTED;
+                return true;

        /* Permit a certain amount of clock skew of 10% of the valid
         * time range. This takes inspiration from unbound's