revert d90efbf48f3b8bad8f29610583f6349b7ae3d802 and add 7 days margin to inception
authorKees Monshouwer <mind04@monshouwer.org>
Wed, 20 Feb 2013 21:03:03 +0000 (22:03 +0100)
committermind04 <mind04@monshouwer.org>
Mon, 29 Apr 2013 19:22:50 +0000 (21:22 +0200)
pdns/dnssecinfra.cc
pdns/dnssecinfra.hh
pdns/dnssecsigner.cc
pdns/serialtweaker.cc

index 5fc79dcf8089b91f15d11f966a49c79e7ffa0c9d..86b52bdbc2f86f2b1bc2e4cde925ab387aed1c47 100644 (file)
@@ -318,9 +318,9 @@ int countLabels(const std::string& signQName)
   return count;
 }
 
-uint32_t getCurrentInception(unsigned int safety)
+uint32_t getStartOfWeek()
 {
-  uint32_t now = time(0) - safety; // if we sign 'now' all clocks have to be correct at UTC midnight
+  uint32_t now = time(0);
   now -= (now % (7*86400));
   return now;
 }
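Review bot: getStartOfWeek() carries no comment saying which week boundary it returns. Because `now % (7*86400)` counts from the Unix epoch, which began on a Thursday, the result is the most recent Thursday 00:00 UTC rather than a calendar Monday or Sunday. A comment such as `// most recent epoch-aligned 7-day boundary (Thursday 00:00 UTC); RRSIG validity and INCEPTION* serials roll over here` would tell operators when every signature in every zone changes at once. Separately, `uint32_t now = time(0);` narrows time_t implicitly; `static_cast<uint32_t>(time(0))` would mark the truncation to the 32-bit RRSIG timestamp width as intentional.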
index 6ad04378a124f1941d82508a729590283af87d4c..635107c08e2827822c1580632092f35c2ed547e9 100644 (file)
@@ -117,7 +117,7 @@ class DNSSECKeeper;
 struct DNSSECPrivateKey;
 
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
-uint32_t getCurrentInception(unsigned int safety=0);
+uint32_t getStartOfWeek();
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, 
   vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
 int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL, 
index 7c276c882746ce4dcba7652f429d52131bf27653..1abb87030174c4cd980e3fcdb06e2656c7c87615 100644 (file)
@@ -30,13 +30,14 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
 {
   if(toSign.empty())
     return -1;
+  uint32_t startOfWeek = getStartOfWeek();
   RRSIGRecordContent rrc;
   rrc.d_type=signQType;
 
   rrc.d_labels=countLabels(signQName); 
   rrc.d_originalttl=signTTL; 
-  rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
-  rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
+  rrc.d_siginception=startOfWeek - 7*86400; // XXX should come from zone metadata
+  rrc.d_sigexpire=startOfWeek + 14*86400;
   rrc.d_signer = signer.empty() ? "." : toLower(signer);
   rrc.d_tag = 0;
   
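Review bot: The signature validity window is hard-coded here as `startOfWeek - 7*86400` to `startOfWeek + 14*86400`, and nothing states the resulting policy. Signatures are valid for 21 days, and a signature served at any moment still has between 7 and 14 days left, which is also how long a captured answer stays verifiable after the data changes. The `XXX should come from zone metadata` remark used to annotate the expiry line and now sits on the inception line, so it is unclear which value it refers to. I would put one comment above both assignments, for example `// inception is back-dated one week to tolerate validator clock skew; expiry is two weeks after the week boundary (both XXX: should come from zone metadata)`, and name the two offsets as constants. The body of getRRSIGsForRRSET continues past the end of this hunk.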
index 2d7a07b80e8748974eb8749293b6cbe00c896e4f..cf6590133c0e9d43da57daf56bb22ac427bbb5a0 100644 (file)
@@ -33,7 +33,7 @@ bool editSOA(DNSSECKeeper& dk, const string& qname, DNSPacket* dp)
       SOAData sd;
       fillSOAData(rr.content, sd);
       if(pdns_iequals(kind,"INCEPTION")) {        
-        time_t inception = getCurrentInception();
+        time_t inception = getStartOfWeek();
         struct tm tm;
         localtime_r(&inception, &tm);
         boost::format fmt("%04d%02d%02d%02d");
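Review bot: `localtime_r(&inception, &tm)` formats a value that getStartOfWeek() aligns to a UTC boundary, so the date-based INCEPTION serial depends on the server's time zone. On a host west of UTC it would presumably show the previous calendar day, and servers in different zones would disagree on the serial. `gmtime_r(&inception, &tm);` would keep it consistent with the UTC signature timestamps, provided the serial cannot go backwards on existing deployments. After this commit the INCEPTION* kinds here and in the next hunk follow the week boundary, not the RRSIG inception that dnssecsigner.cc now sets seven days earlier; a short comment saying so would avoid confusion. The editSOA body starts and ends outside this hunk.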
@@ -42,18 +42,18 @@ bool editSOA(DNSSECKeeper& dk, const string& qname, DNSPacket* dp)
         sd.serial = lexical_cast<uint32_t>(newserdate);
       }
       else if(pdns_iequals(kind,"INCEPTION-WEEK")) {        
-        time_t inception = getCurrentInception();
+        time_t inception = getStartOfWeek();
         sd.serial = inception / (7*86400);
       }
       else if(pdns_iequals(kind,"INCREMENT-WEEKS")) {        
-        time_t inception = getCurrentInception();
+        time_t inception = getStartOfWeek();
         sd.serial += inception / (7*86400);
       }
       else if(pdns_iequals(kind,"EPOCH")) {        
         sd.serial = time(0);
       }
       else if(pdns_iequals(kind,"INCEPTION-EPOCH")) {        
-       time_t inception = getCurrentInception();
+       time_t inception = getStartOfWeek();
        if (sd.serial < inception) {
           sd.serial = inception;
         }