summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-dnssec.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-12-03 19:03:21 +0100
committerLennart Poettering <lennart@poettering.net>2015-12-03 21:17:49 +0100
commit896c567247371cc14e49774c3b844a7038c37a60 (patch)
treeebcf5b0a1c325dc4fd6d462d3f7bde41aa7e77cd /src/resolve/resolved-dns-dnssec.c
parent0d2cd47617b423f37d7425be7a56ae2fca8ff9f6 (diff)
resolved: add a limit on the max DNSSEC RRSIG expiry skew we allow
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r--src/resolve/resolved-dns-dnssec.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 89833441fd..608a8a2191 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -36,6 +36,9 @@
#define VERIFY_RRS_MAX 256
#define MAX_KEY_SIZE (32*1024)
+/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
/*
* The DNSSEC Chain of trust:
*
@@ -230,8 +233,12 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
if (inception > expiration)
return -EKEYREJECTED;
- /* Permit a certain amount of clock skew of 10% of the valid time range */
+ /* Permit a certain amount of clock skew of 10% of the valid
+ * time range. This takes inspiration from unbound's
+ * resolver. */
skew = (expiration - inception) / 10;
+ if (skew > SKEW_MAX)
+ skew = SKEW_MAX;
if (inception < skew)
inception = 0;