resolved: don't accept expired RRSIGs

author: Lennart Poettering <lennart@poettering.net> 2015-12-02 22:47:28 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-12-03 00:26:58 +0100
commit: 2a326321594f752b73a5aec0eb73e5bf59f76b3c (patch)
tree: d9d81d7067b8478539a203d976aaa9992a7e2bd4 /src/resolve/resolved-dns-dnssec.h
parent: 2b442ac87838be7c326c984d8751c96dee7258ab (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
index 56f0aec437..8f812bc1fb 100644
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -30,6 +30,7 @@ enum {
         DNSSEC_INVALID,
         DNSSEC_NO_SIGNATURE,
         DNSSEC_MISSING_KEY,
+        DNSSEC_SIGNATURE_EXPIRED,
 };
 
 
@@ -38,8 +39,8 @@ enum {
 int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
 int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig);
 
-int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
-int dnssec_verify_rrset_search(DnsAnswer *a, DnsResourceKey *key, DnsAnswer *validated_dnskeys);
+int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime);
+int dnssec_verify_rrset_search(DnsAnswer *a, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime);
 
 int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
author	Lennart Poettering <lennart@poettering.net>	2015-12-02 22:47:28 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-12-03 00:26:58 +0100
commit	2a326321594f752b73a5aec0eb73e5bf59f76b3c (patch)
tree	d9d81d7067b8478539a203d976aaa9992a7e2bd4 /src/resolve/resolved-dns-dnssec.h
parent	2b442ac87838be7c326c984d8751c96dee7258ab (diff)