From: Ralph Dolmans Date: Mon, 5 Sep 2016 12:30:46 +0000 (+0000) Subject: Take configured minimum TTL into consideration when reducing TTL to original X-Git-Tag: release-1.5.10~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19ebdbf6a61103b9a7a34fceb2eda2bd10b57a7b;p=thirdparty%2Funbound.git Take configured minimum TTL into consideration when reducing TTL to original TTL from RRSIG. git-svn-id: file:///svn/unbound/trunk@3849 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index aff207843..248ed13b1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +5 September 2016: Ralph + - Take configured minimum TTL into consideration when reducing TTL + to original TTL from RRSIG. + 5 September 2016: Wouter - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an off-by-one typo, from Jinmei Tatuya (Infoblox). diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 1dd07b420..e60f3f936 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c 
@@ -1283,15 +1283,23 @@ adjust_ttl(struct val_env* ve, uint32_t unow, /* so now: * d->ttl: rrset ttl read from message or cache. May be reduced * origttl: original TTL from signature, authoritative TTL max. + * MIN_TTL: minimum TTL from config. * expittl: TTL until the signature expires. * - * Use the smallest of these. + * Use the smallest of these, but don't let origttl set the TTL + * below the minimum. */ - if(d->ttl > (time_t)origttl) { - verbose(VERB_QUERY, "rrset TTL larger than original TTL," - " adjusting TTL downwards"); + if(MIN_TTL > (time_t)origttl && d->ttl > MIN_TTL) { + verbose(VERB_QUERY, "rrset TTL larger than original and minimum" + " TTL, adjusting TTL downwards to mimimum ttl"); + d->ttl = MIN_TTL; + } + else if(MIN_TTL <= origttl && d->ttl > (time_t)origttl) { + verbose(VERB_QUERY, "rrset TTL larger than original TTL, " + "adjusting TTL downwards to original ttl"); d->ttl = origttl; } + if(expittl > 0 && d->ttl > (time_t)expittl) { verbose(VERB_ALGO, "rrset TTL larger than sig expiration ttl," " adjusting TTL downwards");
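Review bot: In the adjust_ttl hunk of validator/val_sigcrypt.c, the two new conditions compare MIN_TTL with origttl in different ways: the first is written `MIN_TTL > (time_t)origttl`, while the else-if is written `MIN_TTL <= origttl` without the cast. If the operands differ in signedness or width, the two tests are not guaranteed to be exact complements, so please apply the same `(time_t)` cast in both, as is already done for `d->ttl > (time_t)origttl`. The updated comment says only that origttl must not set the TTL below the minimum; the unchanged `expittl` check right after this block can still lower d->ttl under MIN_TTL, and the comment should say so explicitly so that a signature-expiry cap below the configured minimum reads as intended behaviour. Minor: the new verbose message spells "mimimum", which will make the log line hard to grep for.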