- requirements.txt updated with design choice explanations.
- Reading fixes: fix to set unlame when child confirms parent glue,
and fix to avoid duplicate addresses in delegation point.
+ - verify_rrsig routine checks expiration last.
9 December 2009: Wouter
- Fix Bug#287(reopened): update of ldns tarball with fix for parse
/* original ttl, always ok */
- /* verify inception, expiration dates */
- if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) {
- return sec_status_bogus;
- }
-
if(!*buf_canon) {
/* create rrset canonical format in buffer, ready for
* signature */
sec = verify_canonrrset(buf, (int)sig[2+2],
sigblock, sigblock_len, key, keylen, reason);
- /* check if TTL is too high - reduce if so */
if(sec == sec_status_secure) {
+ /* check if TTL is too high - reduce if so */
adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);
+
+ /* verify inception, expiration dates
+ * Do this last so that if you ignore expired-sigs the
+ * rest is sure to be OK. */
+ if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) {
+ return sec_status_bogus;
+ }
}
return sec;
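Review bot: In the added block, `adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);` now runs before `check_dates`, so the rrset is handed the inception and expiration fields before they have been validated, and the function can still return `sec_status_bogus` afterwards. The body of `adjust_ttl` is not visible here, so confirm that it tolerates an expiration in the past and that adjusting the rrset on a path that ends in bogus is intended. If it is not, keeping the date check after the crypto but ahead of the TTL change preserves the stated goal: inside `if(sec == sec_status_secure)`, put `if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) return sec_status_bogus;` first and `adjust_ttl(...)` second. The new comment could also note that expired or not-yet-valid signatures now cost a full `verify_canonrrset` call before rejection, since the cheap early reject is removed. The enclosing function starts and ends outside the visible lines.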