From: Kees Monshouwer
Date: Wed, 20 Feb 2013 21:03:03 +0000 (+0100)
Subject: revert d90efbf48f3b8bad8f29610583f6349b7ae3d802 and add 7 days margin to inception
X-Git-Tag: auth-3.3-rc1~110^2^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F755%2Fhead;p=thirdparty%2Fpdns.git
revert d90efbf48f3b8bad8f29610583f6349b7ae3d802 and add 7 days margin to inception
---
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 5fc79dcf80..86b52bdbc2 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -318,9 +318,9 @@ int countLabels(const std::string& signQName)
   return count;
 }
-uint32_t getCurrentInception(unsigned int safety)
+uint32_t getStartOfWeek()
 {
-  uint32_t now = time(0) - safety; // if we sign 'now' all clocks have to be correct at UTC midnight
+  uint32_t now = time(0);
   now -= (now % (7*86400));
   return now;
 }
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 6ad04378a1..635107c08e 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -117,7 +117,7 @@ class DNSSECKeeper;
 struct DNSSECPrivateKey;
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector >& toSign);
-uint32_t getCurrentInception(unsigned int safety=0);
+uint32_t getStartOfWeek();
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, vector& outsigned, uint32_t origTTL);
 int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 7c276c8827..1abb870301 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
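Review bot: `getStartOfWeek()` drops the only explanation of the weekly alignment together with the old comment on the `time(0) - safety` line, and the new body carries no comment at all. What it computes is `time(0)` truncated to `uint32_t` and rounded down to a multiple of 604800 seconds since the epoch, i.e. the most recent Thursday 00:00 UTC, and the dnssecsigner.cc hunk derives every RRSIG inception and expiration from it, so all signatures roll over at that same instant. The skew problem the removed `safety` argument was addressing (a validator whose clock lags the signer sees a just-rolled-over inception as lying in the future) now appears to be handled by the caller backdating inception, which is worth stating here so a second margin is not reintroduced in this function later. I would add above the definition: `// Start of the current 7-day signing window: time(0) rounded down to a multiple of 604800, i.e. the last Thursday 00:00 UTC. Callers derive RRSIG inception/expiration from this; any clock-skew tolerance is added by the caller, not here.`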
@@ -30,13 +30,14 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
 {
   if(toSign.empty()) return -1;
+  uint32_t startOfWeek = getStartOfWeek();
   RRSIGRecordContent rrc;
   rrc.d_type=signQType;
   rrc.d_labels=countLabels(signQName);
   rrc.d_originalttl=signTTL;
-  rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
-  rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
+  rrc.d_siginception=startOfWeek - 7*86400; // XXX should come from zone metadata
+  rrc.d_sigexpire=startOfWeek + 14*86400;
   rrc.d_signer = signer.empty() ? "." : toLower(signer);
   rrc.d_tag = 0;
diff --git a/pdns/serialtweaker.cc b/pdns/serialtweaker.cc
index 2d7a07b80e..cf6590133c 100644
--- a/pdns/serialtweaker.cc
+++ b/pdns/serialtweaker.cc
@@ -33,7 +33,7 @@ bool editSOA(DNSSECKeeper& dk, const string& qname, DNSPacket* dp)
     SOAData sd;
     fillSOAData(rr.content, sd);
     if(pdns_iequals(kind,"INCEPTION")) {
-      time_t inception = getCurrentInception();
+      time_t inception = getStartOfWeek();
       struct tm tm;
       localtime_r(&inception, &tm);
       boost::format fmt("%04d%02d%02d%02d");
@@ -42,18 +42,18 @@ bool editSOA(DNSSECKeeper& dk, const string& qname, DNSPacket* dp)
       sd.serial = lexical_cast(newserdate);
     }
     else if(pdns_iequals(kind,"INCEPTION-WEEK")) {
-      time_t inception = getCurrentInception();
+      time_t inception = getStartOfWeek();
       sd.serial = inception / (7*86400);
     }
     else if(pdns_iequals(kind,"INCREMENT-WEEKS")) {
-      time_t inception = getCurrentInception();
+      time_t inception = getStartOfWeek();
       sd.serial += inception / (7*86400);
     }
     else if(pdns_iequals(kind,"EPOCH")) {
       sd.serial = time(0);
     }
     else if(pdns_iequals(kind,"INCEPTION-EPOCH")) {
-      time_t inception = getCurrentInception();
+      time_t inception = getStartOfWeek();
       if (sd.serial < inception) {
         sd.serial = inception;
       }
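Review bot: The signature validity policy is now two bare magic numbers, `startOfWeek - 7*86400` and `startOfWeek + 14*86400`, with nothing saying why inception is backdated, and the `XXX should come from zone metadata` marker that used to sit on the expiration line now sits only on inception although it applies to both. As far as the diff shows, the 7-day backdating replaces the removed 1-hour `safety` argument: a validator whose clock lags the signer by up to a week still accepts a signature minted right after the weekly rollover. The total lifetime grows from 14 to 21 days, and every RRSIG handed out stays verifiable until 14 days after the start of its week, so records removed from or changed in the zone can be replayed by a cache or an attacker for that long — that trade-off belongs next to the numbers so it is not silently retuned later. I would hoist the two periods into named constants with the rationale, e.g. `static const uint32_t g_inceptionSkew = 7*86400; // validator clock-skew tolerance` and `static const uint32_t g_sigValidity = 14*86400; // replay window after start of week; XXX should come from zone metadata`, and use them on both lines. The rest of getRRSIGsForRRSET continues outside the hunk.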