use the full sig-validity-interval for RRSIG(SOA)

author Mark Andrews <marka@isc.org>

Tue, 25 Feb 2020 01:09:13 +0000 (12:09 +1100)

committer Mark Andrews <marka@isc.org>

Thu, 27 Feb 2020 23:10:26 +0000 (10:10 +1100)
author Mark Andrews <marka@isc.org>
Tue, 25 Feb 2020 01:09:13 +0000 (12:09 +1100)
committer Mark Andrews <marka@isc.org>
Thu, 27 Feb 2020 23:10:26 +0000 (10:10 +1100)
diff --git a/lib/dns/update.c b/lib/dns/update.c

index c48c0fd863425975ba96d1cd966a07d070498a12..f73564299182d1f1d01666a70a7234db10a24574 100644 (file)
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1374,7 +1374,7 @@ struct dns_update_state {
         dns_diff_t work;
         dst_key_t *zone_keys[DNS_MAXZONEKEYS];
         unsigned int nkeys;
-       isc_stdtime_t inception, expire;
+       isc_stdtime_t inception, expire, soaexpire;
         dns_ttl_t nsecttl;
         bool check_ksk, keyset_kskonly, build_nsec3;
         enum { sign_updates, remove_orphaned, build_chain, process_nsec,
@@ -1455,7 +1455,9 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
  
                 isc_stdtime_get(&now);
                 state->inception = now - 3600; /* Allow for some clock skew. */
-               state->expire = now + dns__jitter_expire(zone, sigvalidityinterval);
+               state->expire = now +
+                               dns__jitter_expire(zone, sigvalidityinterval);
+               state->soaexpire = now + sigvalidityinterval;
  
                 /*
                  * Do we look at the KSK flag on the DNSKEY to determining which
@@ -1553,13 +1555,19 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                                 CHECK(rrset_visible(db, newver, name, type,
                                                    &flag));
                                 if (flag) {
+                                       isc_stdtime_t exp;
+
+                                       if (type == dns_rdatatype_soa) {
+                                               exp = state->soaexpire;
+                                       } else {
+                                               exp = state->expire;
+                                       }
                                         CHECK(add_sigs(log, zone, db, newver,
                                                        name, type,
                                                        &state->sig_diff,
                                                        state->zone_keys,
                                                        state->nkeys,
-                                                      state->inception,
-                                                      state->expire,
+                                                      state->inception, exp,
                                                        state->check_ksk,
                                                        state->keyset_kskonly));
                                         sigs++;
author	Mark Andrews <marka@isc.org>
	Tue, 25 Feb 2020 01:09:13 +0000 (12:09 +1100)
committer	Mark Andrews <marka@isc.org>
	Thu, 27 Feb 2020 23:10:26 +0000 (10:10 +1100)