conf: fixed rrsig configuration allowing higher refresh than lifetime causing...

conf: fixed rrsig configuration allowing higher refresh than lifetime causing knot plan into the past

conf: fixed rrsig configuration allowing higher refresh than lifetime causing...
5d9bdc28 · Filip Siroky · a976c3af · 5d9bdc28
Commit 5d9bdc28 authored 8 years ago by Filip Siroky
--- a/src/knot/conf/tools.c
+++ b/src/knot/conf/tools.c
@@ -367,6 +367,10 @@ int check_policy(
 	                                    C_KSK_SIZE, args->id, args->id_len);
 	conf_val_t zsk = conf_rawid_get_txn(args->conf, args->txn, C_POLICY,
 	                                    C_ZSK_SIZE, args->id, args->id_len);
+	conf_val_t lifetime = conf_rawid_get_txn(args->conf, args->txn, C_POLICY,
+	                                    C_RRSIG_LIFETIME, args->id, args->id_len);
+	conf_val_t refresh = conf_rawid_get_txn(args->conf, args->txn, C_POLICY,
+	                                    C_RRSIG_REFRESH, args->id, args->id_len);

 	int64_t ksk_size = conf_int(&ksk);
 	if (ksk_size != YP_NIL && !dnssec_algorithm_key_size_check(conf_opt(&alg), ksk_size)) {
@@ -380,6 +384,13 @@ int check_policy(
 		return KNOT_EINVAL;
 	}

+	int64_t lifetime_val = conf_int(&lifetime);
+	int64_t refresh_val = conf_int(&refresh);
+	if (lifetime_val <= refresh_val) {
+		args->err_str = "RRSIG lifetime is supposed to be lower than refresh";
+		return KNOT_EINVAL;
+	}
+
 	return KNOT_EOK;
 }