Merge branch '4586-don-t-count-expired-future-rrsigs-in-verification-failure-quota-bind-9.18' into 'bind-9.18'

[9.18] Draft: Resolve "Don't count expired / future RRSIGs in verification failure quota"

See merge request isc-projects/bind9!8749

CHANGES

@@ -1,3 +1,6 @@
+6374.	[bug]		Skip to next RRSIG if signature has expired or is in
+			the future rather than failing immediately. [GL #4586]
+
 6372.	[func]		Implement signature jitter for dnssec-policy. [GL #4554]
 
 	--- 9.18.26 released ---

doc/notes/notes-current.rst

@@ -33,7 +33,9 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- None.
+- DNSSEC signatures that are not valid because the current time falls outside
+  the signature inception and expiration dates no longer count are skipped
+  instead of causing instant validation failure. :gl:`#4586`
 
 Bug Fixes
 ~~~~~~~~~

lib/dns/validator.c

@@ -1590,6 +1590,10 @@ validate_answer(dns_validator_t *val, bool resume) {
 		}
 
 		vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
+		if (vresult == DNS_R_SIGEXPIRED || vresult == DNS_R_SIGFUTURE) {
+			resume = false;
+			continue;
+		}
 		if (vresult != ISC_R_SUCCESS) {
 			val->failed = true;
 			validator_log(val, ISC_LOG_DEBUG(3),