return count;
}
-uint32_t getCurrentInception()
+uint32_t getCurrentInception(unsigned int safety)
{
- uint32_t now = time(0);
+ uint32_t now = time(0) - safety; // if we sign 'now' all clocks have to be correct at UTC midnight
now -= (now % (7*86400));
return now;
}
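Review bot: The new `safety` parameter has no documented unit or contract, and the inline comment gives the motivation but not the effect. A comment above the function would cover it, for example `// safety: seconds subtracted from the current time before rounding down to the 7-day boundary, so a new period's inception is only handed out once it lies that far in the past`. It is also worth stating that the boundary is a multiple of 7*86400 seconds since the epoch rather than a calendar week start, which matters when reading inception values during debugging.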
struct DNSSECPrivateKey;
void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
-uint32_t getCurrentInception();
+uint32_t getCurrentInception(unsigned int safety=0);
void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
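Review bot: The default `safety=0` lets every other caller of `getCurrentInception()` keep the un-backdated value without saying so. If any caller outside this diff compares against or keys on the inception that the signing path emits, the two values will disagree for the first hour of each 7-day period. Consider dropping the default so each call site states its margin. Otherwise, document it on the declaration, e.g. `// safety: seconds to backdate; 0 = no backdating`.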
rrc.d_labels=countLabels(signQName);
rrc.d_originalttl=signTTL;
- rrc.d_siginception=getCurrentInception();
+ rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
rrc.d_signer = toLower(signer);
rrc.d_tag = 0;
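Review bot: `d_sigexpire` on the following line is still derived from the now-backdated inception, so a signature issued late in the first hour of a period has slightly under 7 days of validity left rather than at least 7. That is probably acceptable, but anything that assumes a full week of remaining lifetime (re-signing or cache refresh logic, if present) should be checked. The literal `3600` is also a policy value, namely the validator clock skew tolerated at rollover. A named constant next to the `14*86400` lifetime would keep both tunables together, e.g. `static const unsigned int s_inceptionSafety = 3600; // seconds`. The enclosing function starts and ends outside this hunk.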