Permalink
Browse files

revert d90efbf and add 7 days margin to inception

  • Loading branch information...
1 parent 5d1ab3e commit b61e407d76f0728761ff0e8f51e2cf7a82b6df4b @mind04 mind04 committed with mind04 Feb 20, 2013
Showing with 10 additions and 9 deletions.
  1. +2 −2 pdns/dnssecinfra.cc
  2. +1 −1 pdns/dnssecinfra.hh
  3. +3 −2 pdns/dnssecsigner.cc
  4. +4 −4 pdns/serialtweaker.cc
View
@@ -318,9 +318,9 @@ int countLabels(const std::string& signQName)
return count;
}
-uint32_t getCurrentInception(unsigned int safety)
+uint32_t getStartOfWeek()
{
- uint32_t now = time(0) - safety; // if we sign 'now' all clocks have to be correct at UTC midnight
+ uint32_t now = time(0);
now -= (now % (7*86400));
return now;
}
View
@@ -117,7 +117,7 @@ class DNSSECKeeper;
struct DNSSECPrivateKey;
void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
-uint32_t getCurrentInception(unsigned int safety=0);
+uint32_t getStartOfWeek();
void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
@@ -30,13 +30,14 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
{
if(toSign.empty())
return -1;
+ uint32_t startOfWeek = getStartOfWeek();
RRSIGRecordContent rrc;
rrc.d_type=signQType;
rrc.d_labels=countLabels(signQName);
rrc.d_originalttl=signTTL;
- rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
- rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
+ rrc.d_siginception=startOfWeek - 7*86400; // XXX should come from zone metadata
+ rrc.d_sigexpire=startOfWeek + 14*86400;
rrc.d_signer = signer.empty() ? "." : toLower(signer);
rrc.d_tag = 0;
@@ -33,7 +33,7 @@ bool editSOA(DNSSECKeeper& dk, const string& qname, DNSPacket* dp)
SOAData sd;
fillSOAData(rr.content, sd);
if(pdns_iequals(kind,"INCEPTION")) {
- time_t inception = getCurrentInception();
+ time_t inception = getStartOfWeek();
struct tm tm;
localtime_r(&inception, &tm);
boost::format fmt("%04d%02d%02d%02d");
@@ -42,18 +42,18 @@ bool editSOA(DNSSECKeeper& dk, const string& qname, DNSPacket* dp)
sd.serial = lexical_cast<uint32_t>(newserdate);
}
else if(pdns_iequals(kind,"INCEPTION-WEEK")) {
- time_t inception = getCurrentInception();
+ time_t inception = getStartOfWeek();
sd.serial = inception / (7*86400);
}
else if(pdns_iequals(kind,"INCREMENT-WEEKS")) {
- time_t inception = getCurrentInception();
+ time_t inception = getStartOfWeek();
sd.serial += inception / (7*86400);
}
else if(pdns_iequals(kind,"EPOCH")) {
sd.serial = time(0);
}
else if(pdns_iequals(kind,"INCEPTION-EPOCH")) {
- time_t inception = getCurrentInception();
+ time_t inception = getStartOfWeek();
if (sd.serial < inception) {
sd.serial = inception;
}

0 comments on commit b61e407

Please sign in to comment.