exit(1);
}
+ g_signatureInceptionSkew = ::arg().asNum("signature-inception-skew");
+ if (g_signatureInceptionSkew < 0) {
+ L<<Logger::Error<<"A negative value for 'signature-inception-skew' is not allowed"<<endl;
+ exit(1);
+ }
+
g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
g_maxNSEC3Iterations = ::arg().asNum("nsec3-max-iterations");
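Review bot: The added check on `g_signatureInceptionSkew` rejects negative values but puts no upper bound on the setting, so as far as this hunk shows any large positive value makes RRSIGs whose inception lies arbitrarily far in the future pass the inception half of the validity window. That is a deliberate operator choice, but it weakens replay protection for signatures and is worth stating next to the check, e.g. `// only widens the inception bound; large values weaken the RRSIG validity window`. A sanity cap, or at least a warning logged at startup above some threshold, would make a misconfiguration visible without changing the accepted range. The enclosing function starts before this hunk.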
::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
+ ::arg().set("signature-inception-skew", "Allow the signture inception to be off by this number of seconds")="0";
::arg().set("daemon","Operate as a daemon")="no";
::arg().setSwitch("write-pid","Write a PID file")="yes";
::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="6";
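Review bot: The help text on the added `signature-inception-skew` line misspells "signature" as "signture", and since this string is what `--help` prints it should read `::arg().set("signature-inception-skew", "Allow the signature inception to be off by this number of seconds")="0";`. It would also help to mention in the same string that negative values are rejected, matching the documentation added elsewhere in this commit. The enclosing function starts before this hunk.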
PowerDNS can change its user and group id after binding to its socket.
Can be used for better :doc:`security <security>`.
+.. _setting-signature-inception-skew:
+
+``signature-inception-skew``
+----------------------------------
+.. versionadded:: 4.1.5
+
+- Integer
+- Default: 0
+
+Allow the signature inception to be off by this number of seconds. Negative values are not allowed.
+
.. _setting-single-socket:
``single-socket``
#include "base32.hh"
#include "logger.hh"
bool g_dnssecLOG{false};
+time_t g_signatureInceptionSkew{0};
uint16_t g_maxNSEC3Iterations{0};
#define LOG(x) if(g_dnssecLOG) { L <<Logger::Warning << x; }
bool isRRSIGNotExpired(const time_t now, const shared_ptr<RRSIGRecordContent> sig)
{
- return sig->d_siginception <= now && sig->d_sigexpire >= now;
+ return sig->d_siginception - g_signatureInceptionSkew <= now && sig->d_sigexpire >= now;
}
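Review bot: The rewritten return line subtracts the skew from `sig->d_siginception` directly; the field's declaration is not visible here, but RRSIG inception is a 32-bit unsigned timestamp on the wire, and if `d_siginception` is stored as `uint32_t` while `time_t` is 32 bits wide on the target, the subtraction is evaluated unsigned and wraps instead of going below zero. Moving the skew to the `now` side keeps the arithmetic in `time_t` and avoids touching the wire field: `return sig->d_siginception <= now + g_signatureInceptionSkew && sig->d_sigexpire >= now;`. The same `d_siginception - g_signatureInceptionSkew` expression appears in the log message in the checkSignatureWithKey hunk below and would want the matching rewrite, `sig->d_siginception > now + g_signatureInceptionSkew`, so that the logged reason agrees with the check.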
static bool checkSignatureWithKey(time_t now, const shared_ptr<RRSIGRecordContent> sig, const shared_ptr<DNSKEYRecordContent> key, const std::string& msg)
LOG("signature by key with tag "<<sig->d_tag<<" and algorithm "<<DNSSECKeeper::algorithm2name(sig->d_algorithm)<<" was " << (result ? "" : "NOT ")<<"valid"<<endl);
}
else {
- LOG("Signature is "<<((sig->d_siginception > now) ? "not yet valid" : "expired")<<" (inception: "<<sig->d_siginception<<", expiration: "<<sig->d_sigexpire<<", now: "<<now<<")"<<endl);
+ LOG("Signature is "<<((sig->d_siginception - g_signatureInceptionSkew > now) ? "not yet valid" : "expired")<<" (inception: "<<sig->d_siginception<<", inception skew: "<<g_signatureInceptionSkew<<", expiration: "<<sig->d_sigexpire<<", now: "<<now<<")"<<endl);
}
}
catch(const std::exception& e) {
#include "dnsrecords.hh"
extern bool g_dnssecLOG;
+extern time_t g_signatureInceptionSkew;
extern uint16_t g_maxNSEC3Iterations;
// 4033 5