From 82ca80c2e9e0b833695584acbfe4b13cdfffda7c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 17 Feb 2024 09:22:58 +1100
Subject: [PATCH 1/2] Move onto the next RRSIG on DNS_R_SIGEXPIRED or DNS_R_SIGFUTURE

---
 lib/dns/validator.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index a71e52f25f..62647270a0 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1590,6 +1590,10 @@ validate_answer(dns_validator_t *val, bool resume) {
 }
 
 vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
+ if (vresult == DNS_R_SIGEXPIRED || vresult == DNS_R_SIGFUTURE) {
+ resume = false;
+ continue;
+ }
 if (vresult != ISC_R_SUCCESS) {
 val->failed = true;
 validator_log(val, ISC_LOG_DEBUG(3),

From 297472bfcc26ff58db789756c8fa4c1d4910857c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 29 Apr 2024 13:56:28 +1000
Subject: [PATCH 2/2] Add CHANGES and release note for [GL #4586] for BIND 9.18

---
 CHANGES | 3 +++
 doc/notes/notes-current.rst | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index ba83424e8b..3a8ce8bbe7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6374. [bug] Skip to next RRSIG if signature has expired or is in
+ the future rather than failing immediately. [GL #4586]
+
 6372. [func] Implement signature jitter for dnssec-policy. [GL #4554]
 
 --- 9.18.26 released ---
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index e59cc4eacb..830db8efa5 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -33,7 +33,9 @@ Removed Features
 
 Feature Changes
 ~~~~~~~~~~~~~~~
-- None.
+- DNSSEC signatures that are not valid because the current time falls outside
+ the signature inception and expiration dates no longer count are skipped
+ instead of causing instant validation failure. :gl:`#4586`
 
 Bug Fixes
 ~~~~~~~~~
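Review bot: The new `continue` for DNS_R_SIGEXPIRED / DNS_R_SIGFUTURE in validate_answer leaves no trace in the log, while the generic failure branch directly below it logs at ISC_LOG_DEBUG(3); an operator whose RRSIGs are all being rejected for time reasons (resolver clock skew, stale signatures in the zone) will see validation fail later with no hint that this signature was skipped and why. Add a debug line before the `continue`, e.g. `validator_log(val, ISC_LOG_DEBUG(3), "signature %s, trying next RRSIG", dns_result_totext(vresult));`, so the skip is diagnosable without a packet capture. The `resume = false;` reset is unexplained in the hunk; it presumably forces a fresh key lookup for the next RRSIG instead of reusing val->key, and a one-line comment such as `/* time-invalid signature: retry with the next RRSIG and a fresh key lookup */` would make that intent explicit. The enclosing loop and validate_answer start and end outside this hunk, so whether the "every RRSIG was time-invalid" outcome is later distinguished from "no usable RRSIG" cannot be confirmed from here.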