From: Ondřej Surý <ondrej@isc.org>
Date: Mon, 30 Mar 2026 10:32:23 +0000 (+0200)
Subject: fix: usr: Count temporal problems with DNSSEC validation as attempts
X-Git-Tag: v9.21.21~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b9ad92cddd30535c4f1799b0b9345fd8e262b7b;p=thirdparty%2Fbind9.git

fix: usr: Count temporal problems with DNSSEC validation as attempts

After KeyTrap, the temporal DNSSEC were originally hard errors that
caused validation failures even if the records had another valid
signature.  This has been changed and the RRSIGs outside of the
inception and expiration time are not counted as hard errors.  However,
these errors are not even counted as validation attempts, so excessive
number of expired RRSIGs would cause some non-cryptograhic extra work
for the validator.  This has been fixed and the temporal errors are
correctly counted as validation attempts.

Closes #5760

Merge branch '5760-count-DNSSEC-temporal-errors-as-validation-attempts' into 'main'

See merge request isc-projects/bind9!11589
---

3b9ad92cddd30535c4f1799b0b9345fd8e262b7b