From d90efbf48f3b8bad8f29610583f6349b7ae3d802 Mon Sep 17 00:00:00 2001
From: Bert Hubert
Date: Tue, 6 Nov 2012 11:06:21 +0000
Subject: [PATCH] at midnight UTC we would switch to new signatures, that became valid as of 'now', with no safety margin. Add one hour overlap.
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2857 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
 pdns/dnssecinfra.cc | 4 ++--
 pdns/dnssecinfra.hh | 2 +-
 pdns/dnssecsigner.cc | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 7449373944..5fc79dcf80 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -318,9 +318,9 @@ int countLabels(const std::string& signQName)
 return count;
 }
-uint32_t getCurrentInception()
+uint32_t getCurrentInception(unsigned int safety)
 {
- uint32_t now = time(0);
+ uint32_t now = time(0) - safety; // if we sign 'now' all clocks have to be correct at UTC midnight
 now -= (now % (7*86400));
 return now;
 }
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 9de60fbbcc..25d1568b2a 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -117,7 +117,7 @@ class DNSSECKeeper;
 struct DNSSECPrivateKey;
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector >& toSign);
-uint32_t getCurrentInception();
+uint32_t getCurrentInception(unsigned int safety=0);
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, vector& outsigned, uint32_t origTTL);
 int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 08c618d75c..055becda4b 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
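Review bot: getCurrentInception() in pdns/dnssecinfra.cc has no comment stating its contract now that it takes `safety`: the value is in seconds and is subtracted before the result is rounded down to a multiple of 7*86400, so the returned inception is always at least `safety` seconds in the past. The trailing comment on the `time(0) - safety` line describes the old problem rather than what the parameter does. I would add above the function `// Returns the start of the current epoch-aligned 7-day signing period; 'safety' seconds are subtracted first, so a new period is only used once it is 'safety' seconds old`. The whole function body is inside the hunk, so the comment fits here.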
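Review bot: The default `safety=0` in the pdns/dnssecinfra.hh declaration means every caller not touched by this patch silently keeps the old zero-margin inception; only the call in pdns/dnssecsigner.cc passes a margin. If another signing path calls getCurrentInception() (none is visible in this diff), it would still hand out signatures whose inception is the boundary instant itself, which validators with slightly slow clocks reject, and for the first hour of each period it would disagree with getRRSIGsForRRSET about the inception. I would drop the default so each caller has to choose, `uint32_t getCurrentInception(unsigned int safety);`, or make the margin the default instead of 0.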
@@ -35,7 +35,7 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
 rrc.d_labels=countLabels(signQName);
 rrc.d_originalttl=signTTL;
- rrc.d_siginception=getCurrentInception();
+ rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
 rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
 rrc.d_signer = toLower(signer);
 rrc.d_tag = 0;
-- 
2.47.2
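Review bot: The safety margin is passed as the bare literal `3600` at the `rrc.d_siginception` assignment, next to the `14*86400` validity period that is already marked XXX. A named constant would document the unit and let any other code that needs the same inception use the identical margin, for example `static const unsigned int s_inceptionSafetyMargin = 3600; // seconds` with `rrc.d_siginception=getCurrentInception(s_inceptionSafetyMargin);`. getRRSIGsForRRSET starts and ends outside the hunk, so where the constant should live depends on code not shown here.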