From: Lennart Poettering Date: Wed, 13 Jan 2016 00:04:03 +0000 (+0100) Subject: resolved: consider inverted RRSIG validity intervals expired X-Git-Tag: v229~138^2~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5ae5cd4052d85368ec0ca17562d404fa476badc5;p=thirdparty%2Fsystemd.git resolved: consider inverted RRSIG validity intervals expired --- diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 43fcbe14605..3f487f5e0e3 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -442,8 +442,9 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) { expiration = rrsig->rrsig.expiration * USEC_PER_SEC; inception = rrsig->rrsig.inception * USEC_PER_SEC; + /* Consider inverted validity intervals as expired */ if (inception > expiration) - return -EKEYREJECTED; + return true; /* Permit a certain amount of clock skew of 10% of the valid * time range. This takes inspiration from unbound's