From: Kees Monshouwer <mind04@monshouwer.org>
Date: Mon, 29 Oct 2018 10:30:25 +0000 (+0100)
Subject: rec: allow the signture inception to be off by a number of seconds.
X-Git-Tag: dnsdist-1.3.3~3^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a3ab3e4f53f1c5400aec406df9624fb6209abbc;p=thirdparty%2Fpdns.git

rec: allow the signture inception to be off by a number of seconds.
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 3c7ec0ee31..e8a4807d8e 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -3364,6 +3364,12 @@ static int serviceMain(int argc, char*argv[])
     exit(1);
   }
 
+  g_signatureInceptionSkew = ::arg().asNum("signature-inception-skew");
+  if (g_signatureInceptionSkew < 0) {
+    g_log<<Logger::Error<<"A negative value for 'signature-inception-skew' is not allowed"<<endl;
+    exit(1);
+  }
+
   g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
   g_maxNSEC3Iterations = ::arg().asNum("nsec3-max-iterations");
 
@@ -3959,6 +3965,7 @@ int main(int argc, char **argv)
     ::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
     ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
     ::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
+    ::arg().set("signature-inception-skew", "Allow the signture inception to be off by this number of seconds")="60";
     ::arg().set("daemon","Operate as a daemon")="no";
     ::arg().setSwitch("write-pid","Write a PID file")="yes";
     ::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="6";
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index be1ed5ce4b..61b09eb0f5 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1096,6 +1096,15 @@ Query example (where 192.0.2.14 is your server):
 PowerDNS can change its user and group id after binding to its socket.
 Can be used for better :doc:`security <security>`.
 
+.. _setting-signature-inception-skew:
+
+``signature-inception-skew``
+----------------------------------
+-  Integer
+-  Default: 60
+
+Allow the signture inception to be off by this number of seconds. Negative values are not allowed.
+
 .. _setting-single-socket:
 
 ``single-socket``
diff --git a/pdns/validate.cc b/pdns/validate.cc
index f0fba47392..c081fe1556 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -6,6 +6,7 @@
 #include "base32.hh"
 #include "logger.hh"
 bool g_dnssecLOG{false};
+time_t g_signatureInceptionSkew{0};
 uint16_t g_maxNSEC3Iterations{0};
 
 #define LOG(x) if(g_dnssecLOG) { g_log <<Logger::Warning << x; }
@@ -676,7 +677,7 @@ static const vector<DNSName> getZoneCuts(const DNSName& begin, const DNSName& en
 
 bool isRRSIGNotExpired(const time_t now, const shared_ptr<RRSIGRecordContent> sig)
 {
-  return sig->d_siginception <= now && sig->d_sigexpire >= now;
+  return sig->d_siginception - g_signatureInceptionSkew <= now && sig->d_sigexpire >= now;
 }
 
 static bool checkSignatureWithKey(time_t now, const shared_ptr<RRSIGRecordContent> sig, const shared_ptr<DNSKEYRecordContent> key, const std::string& msg)
@@ -693,7 +694,7 @@ static bool checkSignatureWithKey(time_t now, const shared_ptr<RRSIGRecordConten
       LOG("signature by key with tag "<<sig->d_tag<<" and algorithm "<<DNSSECKeeper::algorithm2name(sig->d_algorithm)<<" was " << (result ? "" : "NOT ")<<"valid"<<endl);
     }
     else {
-      LOG("Signature is "<<((sig->d_siginception > now) ? "not yet valid" : "expired")<<" (inception: "<<sig->d_siginception<<", expiration: "<<sig->d_sigexpire<<", now: "<<now<<")"<<endl);
+      LOG("Signature is "<<((sig->d_siginception - g_signatureInceptionSkew > now) ? "not yet valid" : "expired")<<" (inception: "<<sig->d_siginception<<", inception skew: "<<g_signatureInceptionSkew<<", expiration: "<<sig->d_sigexpire<<", now: "<<now<<")"<<endl);
     }
   }
   catch(const std::exception& e) {
diff --git a/pdns/validate.hh b/pdns/validate.hh
index 23ebfe877b..d58b492063 100644
--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -28,6 +28,7 @@
 #include "dnsrecords.hh"
  
 extern bool g_dnssecLOG;
+extern time_t g_signatureInceptionSkew;
 extern uint16_t g_maxNSEC3Iterations;
 
 // 4033 5