Fixup negative TTLs Attila Nagy has reported.

git-svn-id: file:///svn/unbound/trunk@1306 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/cachedump.c

@@ -67,7 +67,9 @@ to_rr(struct ub_packed_rrset_key* k, struct packed_rrset_data* d,
 	}
 	ldns_rr_set_type(rr, type);
 	ldns_rr_set_class(rr, ntohs(k->rk.rrset_class));
-	ldns_rr_set_ttl(rr, d->rr_ttl[i] - now);
+	if(d->rr_ttl[i] < now)
+		ldns_rr_set_ttl(rr, 0);
+	else	ldns_rr_set_ttl(rr, d->rr_ttl[i] - now);
 	pos = 0;
 	status = ldns_wire2dname(&rdf, k->rk.dname, k->rk.dname_len, &pos);
 	if(status != LDNS_STATUS_OK) {

doc/Changelog

@@ -1,3 +1,6 @@
+16 October 2008: Wouter
+	- Fixup negative TTL values appearing (reported by Attila Nagy).
+
 15 October 2008: Wouter
 	- better documentation for 0x20; remove fallback TODO, it is done.
 	- harden-referral-path feature includes A, AAAA queries for glue,

services/cache/rrset.c

@@ -334,10 +334,13 @@ rrset_update_sec_status(struct rrset_cache* r,
 	}
 	/* update the cached rrset */
 	if(updata->security > cachedata->security) {
+		size_t i;
 		if(updata->trust > cachedata->trust)
 			cachedata->trust = updata->trust;
 		cachedata->security = updata->security;
 		cachedata->ttl = updata->ttl + now;
+		for(i=0; i<cachedata->count+cachedata->rrsig_count; i++)
+			cachedata->rr_ttl[i] = updata->rr_ttl[i]+now;
 	}
 	lock_rw_unlock(&e->lock);
 }
@@ -364,8 +367,15 @@ rrset_check_sec_status(struct rrset_cache* r,
 	}
 	if(cachedata->security > updata->security) {
 		updata->security = cachedata->security;
-		if(cachedata->security == sec_status_bogus)
+		if(cachedata->security == sec_status_bogus) {
+			size_t i;
 			updata->ttl = cachedata->ttl - now;
+			for(i=0; i<cachedata->count+cachedata->rrsig_count; i++)
+				if(cachedata->rr_ttl[i] < now)
+					updata->rr_ttl[i] = 0;
+				else updata->rr_ttl[i] = 
+					cachedata->rr_ttl[i]-now;
+		}
 		if(cachedata->trust > updata->trust)
 			updata->trust = cachedata->trust;
 	}

util/data/msgencode.c

@@ -466,7 +466,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, ldns_buffer* pkt,
 				return r;
 			ldns_buffer_write(pkt, &key->rk.type, 2);
 			ldns_buffer_write(pkt, &key->rk.rrset_class, 2);
-			ldns_buffer_write_u32(pkt, data->rr_ttl[i]-timenow);
+			if(data->rr_ttl[i] < timenow)
+				ldns_buffer_write_u32(pkt, 0);
+			else 	ldns_buffer_write_u32(pkt, 
+					data->rr_ttl[i]-timenow);
 			if(c) {
 				if((r=compress_rdata(pkt, data->rr_data[i],
 					data->rr_len[i], region, tree, c))
@@ -500,7 +503,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, ldns_buffer* pkt,
 			}
 			ldns_buffer_write_u16(pkt, LDNS_RR_TYPE_RRSIG);
 			ldns_buffer_write(pkt, &key->rk.rrset_class, 2);
-			ldns_buffer_write_u32(pkt, data->rr_ttl[i]-timenow);
+			if(data->rr_ttl[i] < timenow)
+				ldns_buffer_write_u32(pkt, 0);
+			else 	ldns_buffer_write_u32(pkt, 
+					data->rr_ttl[i]-timenow);
 			/* rrsig rdata cannot be compressed, perform 100+ byte
 			 * memcopy. */
 			ldns_buffer_write(pkt, data->rr_data[i],

util/data/packed_rrset.c

@@ -292,9 +292,14 @@ packed_rrset_copy_region(struct ub_packed_rrset_key* key,
 	ck->entry.data = d;
 	packed_rrset_ptr_fixup(d);
 	/* make TTLs relative - once per rrset */
-	for(i=0; i<d->count + d->rrsig_count; i++)
-		d->rr_ttl[i] -= now;
-	d->ttl -= now;
+	for(i=0; i<d->count + d->rrsig_count; i++) {
+		if(d->rr_ttl[i] < now)
+			d->rr_ttl[i] = 0;
+		else	d->rr_ttl[i] -= now;
+	}
+	if(d->ttl < now)
+		d->ttl = 0;
+	else	d->ttl -= now;
 	return ck;
 }
 

validator/val_utils.c

@@ -337,8 +337,11 @@ val_verify_rrset(struct module_env* env, struct val_env* ve,
 		if(sec == sec_status_secure)
 			d->trust = rrset_trust_validated;
 		else if(sec == sec_status_bogus) {
+			size_t i;
 			/* update ttl for rrset to fixed value. */
 			d->ttl = ve->bogus_ttl;
+			for(i=0; i<d->count+d->rrsig_count; i++)
+				d->rr_ttl[i] = ve->bogus_ttl;
 			/* leave RR specific TTL: not used for determine
 			 * if RRset timed out and clients see proper value. */
 			lock_basic_lock(&ve->bogus_lock);