From: Otto Moerbeek
Date: Fri, 13 Jun 2025 07:41:53 +0000 (+0200)
Subject: Restructure EDE computation to follow RFC1982 as well
X-Git-Tag: dnsdist-2.0.0-beta1~7^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f50aa912a2140dd8756c0d819eee3b68ea6c4baf;p=thirdparty%2Fpdns.git

Restructure EDE computation to follow RFC1982 as well
Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index c7cec0549d..2f83e1fb75 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -988,10 +988,17 @@ namespace {
 - The validator's notion of the current time MUST be less than or equal to the time listed in the RRSIG RR's Expiration field.
 - The validator's notion of the current time MUST be greater than or equal to the time listed in the RRSIG RR's Inception field.
 */
- if (isRRSIGIncepted(now, sig) && isRRSIGNotExpired(now, sig)) {
+ vState localEDE = vState::Indeterminate;
+ if (!isRRSIGIncepted(now, sig)) {
+ localEDE = vState::BogusSignatureNotYetValid;
+ }
+ else if (!isRRSIGNotExpired(now, sig)) {
+ localEDE = vState::BogusSignatureExpired;
+ }
+ if (localEDE == vState::Indeterminate) {
 return true;
 }
- ede = ((sig.d_siginception - g_signatureInceptionSkew) > now) ? vState::BogusSignatureNotYetValid : vState::BogusSignatureExpired;
+ ede = localEDE;
 VLOG(log, qname << ": Signature is "<<(ede == vState::BogusSignatureNotYetValid ? "not yet valid" : "expired")<<" (inception: "<