authorLennart Poettering <lennart@poettering.net>2016-01-13 01:04:03 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-13 20:21:36 +0100
commit5ae5cd4052d85368ec0ca17562d404fa476badc5 (patch)
tree3370036bf0bc0a88486976d92ee5cbaa28e790d2
parentf506d09f714ce7c405d27cdf5939e1fdc3ed1a07 (diff)
resolved: consider inverted RRSIG validity intervals expired
-rw-r--r--src/resolve/resolved-dns-dnssec.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 43fcbe1460..3f487f5e0e 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -442,8 +442,9 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
inception = rrsig->rrsig.inception * USEC_PER_SEC;
+ /* Consider inverted validity intervals as expired */
if (inception > expiration)
- return -EKEYREJECTED;
+ return true;
/* Permit a certain amount of clock skew of 10% of the valid
* time range. This takes inspiration from unbound's