4779. [bug] Expire NTA at the start of the second. Don't update

                        the expiry value if the record has already expired
                        after a successful check. [RT #46368]

diff --git a/CHANGES b/CHANGES
index 4a3278cebe1b4f1a571671786bcecaaca4126202..2949650e8242a35ca17c9fe2136eb1b8260cfa6a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4779.  [bug]           Expire NTA at the start of the second. Don't update
+                       the expiry value if the record has already expired
+                       after a successful check. [RT #46368]
+
 4778.  [test]          Improve synth-from-dnssec testing. [RT #46352]
 
 4777.  [cleanup]       Removed a redundant call to configure_view_acl().

diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index 6b55b6f2787e80c86f33f89612ce9b363cd004a0..6823a525d2ff53c6c45873e2828029f86e68ea8c 100644 (file)
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -227,7 +227,8 @@ fetch_done(isc_task_t *task, isc_event_t *event) {
        case DNS_R_NXDOMAIN:
        case DNS_R_NCACHENXRRSET:
        case DNS_R_NXRRSET:
-               nta->expiry = now;
+               if (nta->expiry > now)
+                       nta->expiry = now;
                break;
        default:
                break;
@@ -458,7 +459,7 @@ dns_ntatable_covered(dns_ntatable_t *ntatable, isc_stdtime_t now,
        }
        if (result == ISC_R_SUCCESS) {
                nta = (dns_nta_t *) node->data;
-               answer = ISC_TF(nta->expiry >= now);
+               answer = ISC_TF(nta->expiry > now);
        }
 
        /* Deal with expired NTA */
@@ -551,7 +552,7 @@ dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
 
                        snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
                                 first ? "" : "\n", nbuf,
-                                n->expiry < now ? "expired" : "expiry",
+                                n->expiry <= now ? "expired" : "expiry",
                                 tbuf);
                        first = ISC_FALSE;
                        result = putstr(buf, obuf);
@@ -605,7 +606,7 @@ dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
                        isc_time_set(&t, n->expiry, 0);
                        isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
                        fprintf(fp, "%s: %s %s\n", nbuf,
-                               n->expiry < now ? "expired" : "expiry",
+                               n->expiry <= now ? "expired" : "expiry",
                                tbuf);
                }
                result = dns_rbtnodechain_next(&chain, NULL, NULL);
@@ -672,7 +673,7 @@ dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
                dns_rbtnodechain_current(&chain, NULL, NULL, &node);
                if (node->data != NULL) {
                        dns_nta_t *n = (dns_nta_t *) node->data;
-                       if (now <= n->expiry) {
+                       if (n->expiry > now) {
                                isc_buffer_t b;
                                char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
                                dns_fixedname_t fn;