From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 3 Dec 2015 18:03:21 +0000 (+0100)
Subject: resolved: add a limit on the max DNSSEC RRSIG expiry skew we allow
X-Git-Tag: v229~235^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=896c567247371cc14e49774c3b844a7038c37a60;p=thirdparty%2Fsystemd.git

resolved: add a limit on the max DNSSEC RRSIG expiry skew we allow
---

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 89833441fdb..608a8a2191a 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -36,6 +36,9 @@
 #define VERIFY_RRS_MAX 256
 #define MAX_KEY_SIZE (32*1024)
 
+/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
 /*
  * The DNSSEC Chain of trust:
  *
@@ -230,8 +233,12 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
         if (inception > expiration)
                 return -EKEYREJECTED;
 
-        /* Permit a certain amount of clock skew of 10% of the valid time range */
+        /* Permit a certain amount of clock skew of 10% of the valid
+         * time range. This takes inspiration from unbound's
+         * resolver. */
         skew = (expiration - inception) / 10;
+        if (skew > SKEW_MAX)
+                skew = SKEW_MAX;
 
         if (inception < skew)
                 inception = 0;