diff options
Diffstat (limited to 'contrib/bind/bin/named/db_sec.c')
-rw-r--r-- | contrib/bind/bin/named/db_sec.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/contrib/bind/bin/named/db_sec.c b/contrib/bind/bin/named/db_sec.c index 2d3425d..0ce0d9f 100644 --- a/contrib/bind/bin/named/db_sec.c +++ b/contrib/bind/bin/named/db_sec.c @@ -479,7 +479,9 @@ verify_set(struct db_rrset *rrset) { struct sig_record *sigdata; struct dnode *sigdn; struct databuf *sigdp; - time_t now; + u_int32_t now; + u_int32_t exptime; + u_int32_t signtime; char *signer; u_char name_n[MAXDNAME]; u_char *sig, *eom; @@ -492,6 +494,7 @@ verify_set(struct db_rrset *rrset) { int dnssec_failed = 0, dnssec_succeeded = 0; int return_value; int i; + int expired = 0; if (rrset == NULL || rrset->rr_name == NULL) { ns_warning (ns_log_default, "verify_set: missing rrset/name"); @@ -527,11 +530,14 @@ verify_set(struct db_rrset *rrset) { * Don't verify a set if the SIG inception time is in * the future. This should be fixed before 2038 (BEW) */ - if ((time_t)ntohl(sigdata->sig_time_n) > now) + signtime = ntohl(sigdata->sig_time_n); + if (SEQ_GT(signtime, now)) continue; /* An expired set is dropped, but the data is not. */ - if ((time_t)ntohl(sigdata->sig_exp_n) < now) { + exptime = ntohl(sigdata->sig_exp_n); + if (SEQ_GT(now, exptime)) { + expired++; db_detach(&sigdn->dp); sigdp = NULL; continue; @@ -723,7 +729,7 @@ verify_set(struct db_rrset *rrset) { } end: - if (dnssec_failed > 0) + if (dnssec_failed > 0 || expired > 0) rrset_trim_sigs(rrset); if (trustedkey == 0 && key != NULL) dst_free_key(key); |