From 24225cadc55e4b57a3cf8c9f2119512fd87d7f9c Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Mon, 17 Jul 2017 10:29:45 +0200 Subject: [PATCH] rec: Fix validation at the exact RRSIG inception or expiration time MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Reported by Petr Špaček of cz.nic (thanks!). (cherry picked from commit 179b340d522e36a65e799b048dcdae85c0237fdc) --- pdns/validate.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pdns/validate.cc b/pdns/validate.cc index 4388f492a..3b61fe2d8 100644 --- a/pdns/validate.cc +++ b/pdns/validate.cc @@ -163,7 +163,7 @@ void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const keyse bool isValid = false; try { unsigned int now=time(0); - if(signature->d_siginception < now && signature->d_sigexpire > now) { + if(signature->d_siginception <= now && signature->d_sigexpire >= now) { std::shared_ptr dke = shared_ptr(DNSCryptoKeyEngine::makeFromPublicKeyString(l.d_algorithm, l.d_key)); isValid = dke->verify(msg, signature->d_signature); LOG("signature by key with tag "<d_tag<<" was " << (isValid ? "" : "NOT ")<<"valid"<d_siginception < now && i->d_sigexpire > now) { + if(i->d_siginception <= now && i->d_sigexpire >= now) { std::shared_ptr dke = shared_ptr(DNSCryptoKeyEngine::makeFromPublicKeyString(j.d_algorithm, j.d_key)); isValid = dke->verify(msg, i->d_signature); } -- 2.40.0
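Review bot: The inclusive validity-window test is now written out twice, once in validateWithKeySet (`signature->d_siginception <= now && signature->d_sigexpire >= now`) and once in the second hunk (`i->d_siginception <= now && i->d_sigexpire >= now`), and the boundary error this commit fixes had to be patched in both places. A single helper, for example `static bool rrsigTimeValid(uint32_t inception, uint32_t expire, uint32_t now) { return inception <= now && expire >= now; }` (name constructed here), would keep the two call sites from drifting apart again. The inclusive bounds match RFC 4035 section 5.3.1, and a comment at the check such as `// RFC 4035 5.3.1: inception <= now <= expiration, both bounds inclusive` would stop them being narrowed back later. Both tests still compare plainly against `unsigned int now=time(0);`, whereas RFC 4034 section 3.1.5 requires serial number arithmetic (RFC 1982) for these fields, so a signature whose window spans the 32-bit wrap would be judged incorrectly; the field types are not visible here, so this assumes they are 32-bit unsigned. Both enclosing functions start and end outside the hunks, and the second hunk's header is missing from this copy of the patch.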