rec: Fix validation at the exact RRSIG inception or expiration time
authorRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 17 Jul 2017 08:29:45 +0000 (10:29 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 13 Nov 2017 16:25:37 +0000 (17:25 +0100)
Reported by Petr Špaček of cz.nic (thanks!).

(cherry picked from commit 179b340d522e36a65e799b048dcdae85c0237fdc)

pdns/validate.cc

index 4388f492aba6de741072299a8366b4281ae019dd..3b61fe2d8cc7896140c9e0e48aa378e1a409454b 100644 (file)
@@ -163,7 +163,7 @@ void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const keyse
        bool isValid = false;
        try {
          unsigned int now=time(0);
-         if(signature->d_siginception < now && signature->d_sigexpire > now) {
+         if(signature->d_siginception <= now && signature->d_sigexpire >= now) {
            std::shared_ptr<DNSCryptoKeyEngine> dke = shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromPublicKeyString(l.d_algorithm, l.d_key));
            isValid = dke->verify(msg, signature->d_signature);
             LOG("signature by key with tag "<<signature->d_tag<<" was " << (isValid ? "" : "NOT ")<<"valid"<<endl);
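Review bot: The validity-window test on the changed line still compares the RRSIG timestamps as plain unsigned integers, while RFC 4034 section 3.1.5 specifies that inception and expiration are compared using RFC 1982 serial number arithmetic. Assuming `d_siginception` and `d_sigexpire` are 32-bit unsigned fields (their declarations are not in the hunk), a wrap-safe form would be `if(static_cast<int32_t>(now - signature->d_siginception) >= 0 && static_cast<int32_t>(signature->d_sigexpire - now) >= 0) {`. The identical condition in the getKeysFor hunk (`i->d_siginception <= now && i->d_sigexpire >= now`) has the same limitation, so a single shared helper taking `now`, the inception and the expiration would keep the two checks from drifting apart. Both enclosing functions start and end outside the hunks shown.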
@@ -368,7 +368,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
           bool isValid = false;
           try {
             unsigned int now = time(0);
-            if(i->d_siginception < now && i->d_sigexpire > now) {
+            if(i->d_siginception <= now && i->d_sigexpire >= now) {
               std::shared_ptr<DNSCryptoKeyEngine> dke = shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromPublicKeyString(j.d_algorithm, j.d_key));
               isValid = dke->verify(msg, i->d_signature);
             }