resolved: add a limit on the max DNSSEC RRSIG expiry skew we allow

author: Lennart Poettering <lennart@poettering.net> 2015-12-03 19:03:21 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-12-03 21:17:49 +0100
commit: 896c567247371cc14e49774c3b844a7038c37a60 (patch)
tree: ebcf5b0a1c325dc4fd6d462d3f7bde41aa7e77cd /src/resolve/resolved-dns-dnssec.c
parent: 0d2cd47617b423f37d7425be7a56ae2fca8ff9f6 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 89833441fd..608a8a2191 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -36,6 +36,9 @@
 #define VERIFY_RRS_MAX 256
 #define MAX_KEY_SIZE (32*1024)
 
+/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
 /*
  * The DNSSEC Chain of trust:
  *
@@ -230,8 +233,12 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
         if (inception > expiration)
                 return -EKEYREJECTED;
 
-        /* Permit a certain amount of clock skew of 10% of the valid time range */
+        /* Permit a certain amount of clock skew of 10% of the valid
+         * time range. This takes inspiration from unbound's
+         * resolver. */
         skew = (expiration - inception) / 10;
+        if (skew > SKEW_MAX)
+                skew = SKEW_MAX;
 
         if (inception < skew)
                 inception = 0;
author	Lennart Poettering <lennart@poettering.net>	2015-12-03 19:03:21 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-12-03 21:17:49 +0100
commit	896c567247371cc14e49774c3b844a7038c37a60 (patch)
tree	ebcf5b0a1c325dc4fd6d462d3f7bde41aa7e77cd /src/resolve/resolved-dns-dnssec.c
parent	0d2cd47617b423f37d7425be7a56ae2fca8ff9f6 (diff)