at midnight UTC we would switch to new signatures, that became valid as of 'now', with no safety margin. Add one hour overlap.

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2857 d19b8d6e-7fed-0310-83ef-9ca221ded41b

Author: ahupowerdns

pdns/dnssecinfra.cc

@@ -318,9 +318,9 @@ int countLabels(const std::string& signQName)
   return count;
 }
 
-uint32_t getCurrentInception()
+uint32_t getCurrentInception(unsigned int safety)
 {
-  uint32_t now = time(0);
+  uint32_t now = time(0) - safety; // if we sign 'now' all clocks have to be correct at UTC midnight
   now -= (now % (7*86400));
   return now;
 }

pdns/dnssecinfra.hh

@@ -117,7 +117,7 @@ class DNSSECKeeper;
 struct DNSSECPrivateKey;
 
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
-uint32_t getCurrentInception();
+uint32_t getCurrentInception(unsigned int safety=0);
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, 
   vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
 int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL, 

pdns/dnssecsigner.cc

@@ -35,7 +35,7 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
 
   rrc.d_labels=countLabels(signQName); 
   rrc.d_originalttl=signTTL; 
-  rrc.d_siginception=getCurrentInception();
+  rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
   rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
   rrc.d_signer = toLower(signer);
   rrc.d_tag = 0;