Diffstat (limited to 'contrib/bind/bin/named/db_sec.c')
-rw-r--r--contrib/bind/bin/named/db_sec.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/contrib/bind/bin/named/db_sec.c b/contrib/bind/bin/named/db_sec.c
index 2d3425d..0ce0d9f 100644
--- a/contrib/bind/bin/named/db_sec.c
+++ b/contrib/bind/bin/named/db_sec.c
@@ -479,7 +479,9 @@ verify_set(struct db_rrset *rrset) {
struct sig_record *sigdata;
struct dnode *sigdn;
struct databuf *sigdp;
- time_t now;
+ u_int32_t now;
+ u_int32_t exptime;
+ u_int32_t signtime;
char *signer;
u_char name_n[MAXDNAME];
u_char *sig, *eom;
@@ -492,6 +494,7 @@ verify_set(struct db_rrset *rrset) {
int dnssec_failed = 0, dnssec_succeeded = 0;
int return_value;
int i;
+ int expired = 0;
if (rrset == NULL || rrset->rr_name == NULL) {
ns_warning (ns_log_default, "verify_set: missing rrset/name");
@@ -527,11 +530,14 @@ verify_set(struct db_rrset *rrset) {
* Don't verify a set if the SIG inception time is in
* the future. This should be fixed before 2038 (BEW)
*/
- if ((time_t)ntohl(sigdata->sig_time_n) > now)
+ signtime = ntohl(sigdata->sig_time_n);
+ if (SEQ_GT(signtime, now))
continue;
/* An expired set is dropped, but the data is not. */
- if ((time_t)ntohl(sigdata->sig_exp_n) < now) {
+ exptime = ntohl(sigdata->sig_exp_n);
+ if (SEQ_GT(now, exptime)) {
+ expired++;
db_detach(&sigdn->dp);
sigdp = NULL;
continue;
@@ -723,7 +729,7 @@ verify_set(struct db_rrset *rrset) {
}
end:
- if (dnssec_failed > 0)
+ if (dnssec_failed > 0 || expired > 0)
rrset_trim_sigs(rrset);
if (trustedkey == 0 && key != NULL)
dst_free_key(key);
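Review bot: The comment just above the inception check, `This should be fixed before 2038 (BEW)`, is now stale, because switching `now`, `signtime` and `exptime` to u_int32_t and comparing them with SEQ_GT is that fix; replace it with `/* SIG times are 32-bit unsigned and compared with serial-number arithmetic (RFC 2535), so the 2038 wrap is handled */`. The two serial comparisons are not complementary: a SIG whose inception or expiration lies exactly 2^31 seconds from `now` is neither "in the future" nor "expired" and passes both tests, and a SIG whose inception is after its expiration is not rejected either, so a guard such as `if (SEQ_GT(signtime, exptime)) continue;` placed after the two existing checks would skip such malformed SIGs instead of verifying them. This assumes SEQ_GT is the `(int32_t)((a) - (b)) > 0` serial comparison used elsewhere in named and that `now` is assigned from time() truncated to 32 bits, neither of which is visible in the hunks. verify_set begins and ends outside the hunks shown.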