From d7868e40779918744a6ae0aa19faae7c23f8aed7 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Thu, 8 Oct 2009 09:18:40 +0000
Subject: [PATCH] Fix double time subtraction in negative cache.

git-svn-id: file:///svn/unbound/trunk@1873 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog       |  2 ++
 validator/val_neg.c | 11 +++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index e0a03701e..c891c4c89 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,8 @@
 	- please doxygen
 	- add val-log-level print to corner case (nameserver.epost.bg).
 	- more detail to errors from insecure delegation checks.
+	- Fix double time subtraction in negative cache reported by 
+	  Amanda Constant and Hugh Mahon.
 
 7 October 2009: Wouter
 	- retry for validation failure in DS and prime results. Less mem use.
diff --git a/validator/val_neg.c b/validator/val_neg.c
index b6a9ca439..03b48a3ea 100644
--- a/validator/val_neg.c
+++ b/validator/val_neg.c
@@ -1276,7 +1276,8 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
 		if(!(msg = dns_msg_create(qname, qname_len, 
 			LDNS_RR_TYPE_DS, zone->dclass, region, 1))) 
 			return NULL;
-		if(!dns_msg_authadd(msg, region, ce_rrset, now)) 
+		/* TTL reduced in grab_nsec */
+		if(!dns_msg_authadd(msg, region, ce_rrset, 0)) 
 			return NULL;
 		return msg;
 	}
@@ -1302,9 +1303,10 @@ neg_nsec3_proof_ds(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
 		if(!(msg = dns_msg_create(qname, qname_len, 
 			LDNS_RR_TYPE_DS, zone->dclass, region, 2))) 
 			return NULL;
-		if(!dns_msg_authadd(msg, region, ce_rrset, now)) 
+		/* now=0 because TTL was reduced in grab_nsec */
+		if(!dns_msg_authadd(msg, region, ce_rrset, 0)) 
 			return NULL;
-		if(!dns_msg_authadd(msg, region, nc_rrset, now)) 
+		if(!dns_msg_authadd(msg, region, nc_rrset, 0)) 
 			return NULL;
 		return msg;
 	}
@@ -1340,7 +1342,8 @@ val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo,
 		if(!(msg = dns_msg_create(qinfo->qname, qinfo->qname_len, 
 			qinfo->qtype, qinfo->qclass, region, 1))) 
 			return NULL;
-		if(!dns_msg_authadd(msg, region, rrset, now)) 
+		/* TTL already subtracted in grab_nsec */
+		if(!dns_msg_authadd(msg, region, rrset, 0)) 
 			return NULL;
 		return msg;
 	}