diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-12-03 19:03:21 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-12-03 21:17:49 +0100 |
commit | 896c567247371cc14e49774c3b844a7038c37a60 (patch) | |
tree | ebcf5b0a1c325dc4fd6d462d3f7bde41aa7e77cd /src | |
parent | 0d2cd47617b423f37d7425be7a56ae2fca8ff9f6 (diff) |
resolved: add a limit on the max DNSSEC RRSIG expiry skew we allow
Diffstat (limited to 'src')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 89833441fd..608a8a2191 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -36,6 +36,9 @@ #define VERIFY_RRS_MAX 256 #define MAX_KEY_SIZE (32*1024) +/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */ +#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE) + /* * The DNSSEC Chain of trust: * @@ -230,8 +233,12 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) { if (inception > expiration) return -EKEYREJECTED; - /* Permit a certain amount of clock skew of 10% of the valid time range */ + /* Permit a certain amount of clock skew of 10% of the valid + * time range. This takes inspiration from unbound's + * resolver. */ skew = (expiration - inception) / 10; + if (skew > SKEW_MAX) + skew = SKEW_MAX; if (inception < skew) inception = 0; |