From: Peter van Dijk
Date: Mon, 9 Jun 2025 13:44:18 +0000 (+0200)
Subject: rec validate: use rfc1982 math for RRSIG timestamps
X-Git-Tag: dnsdist-2.0.0-beta1~7^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f7ae7c5e47ff9464a6e3de45c038ea634d95863;p=thirdparty%2Fpdns.git

rec validate: use rfc1982 math for RRSIG timestamps
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 1666460697..e1e38b50d1 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -973,14 +973,12 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
 
 bool isRRSIGNotExpired(const time_t now, const RRSIGRecordContent& sig)
 {
- // Should use https://www.rfc-editor.org/rfc/rfc4034.txt section 3.1.5
- return sig.d_sigexpire >= now;
+ return rfc1982LessThan(now, sig.d_sigexpire);
 }
 
 bool isRRSIGIncepted(const time_t now, const RRSIGRecordContent& sig)
 {
- // Should use https://www.rfc-editor.org/rfc/rfc4034.txt section 3.1.5
- return sig.d_siginception - g_signatureInceptionSkew <= now;
+ return rfc1982LessThan(sig.d_siginception - g_signatureInceptionSkew, now);
 }
 
 namespace {
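Review bot: Both new comparisons look strict where the removed ones were inclusive (`>= now` in isRRSIGNotExpired, `<= now` in isRRSIGIncepted), so a signature whose expiration or skew-adjusted inception equals `now` would flip from valid to invalid. This assumes rfc1982LessThan is a strict less-than as its name suggests; its definition is not in the hunk. RFC 4035 section 5.3.1 accepts equality on both bounds, so if the change is unintended the inclusive form can be kept by negating the reversed comparison: `return !rfc1982LessThan(sig.d_sigexpire, now);` and `return !rfc1982LessThan(now, sig.d_siginception - g_signatureInceptionSkew);`. Separately, `now` is a `time_t` compared against RRSIG timestamp fields, so the narrowing to the serial-number width happens implicitly at the call. A `static_cast` at the call site would make that explicit, and a short comment pointing at RFC 4034 section 3.1.5 would replace the reference lost with the removed TODOs.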