Commit 716ec1a9 authored by Daniel Salzman

Revert "dnssec: enforce safe rrsig-refresh"

This partial revert of d8b1e148 fixes
the main issue of https://status.ripe.net/incidents/5pl1dpp2kvmz
parent 819a7f13
Pipeline #118798 passed
...@@ -171,9 +171,7 @@ int knot_dnssec_zone_sign(zone_update_t *update, ...@@ -171,9 +171,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
update_policy_from_zone(ctx.policy, update->new_cont); update_policy_from_zone(ctx.policy, update->new_cont);
if (ctx.policy->rrsig_refresh_before < ctx.policy->zone_maximal_ttl + ctx.policy->propagation_delay) { if (ctx.policy->rrsig_refresh_before < ctx.policy->zone_maximal_ttl + ctx.policy->propagation_delay) {
log_zone_error(zone_name, "DNSSEC, rrsig-refresh too low to prevent expired RRSIGs in resolver caches"); log_zone_warning(zone_name, "DNSSEC, rrsig-refresh too low to prevent expired RRSIGs in resolver caches");
result = KNOT_EINVAL;
goto done;
} }
if (ctx.policy->rrsig_lifetime <= ctx.policy->rrsig_refresh_before) { if (ctx.policy->rrsig_lifetime <= ctx.policy->rrsig_refresh_before) {
log_zone_error(zone_name, "DNSSEC, rrsig-lifetime lower than rrsig-refresh"); log_zone_error(zone_name, "DNSSEC, rrsig-lifetime lower than rrsig-refresh");
......
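Review bot: The downgraded check in knot_dnssec_zone_sign() (rrsig_refresh_before < zone_maximal_ttl + propagation_delay) now only logs and lets signing continue, but the warning text gives the operator nothing to act on. Consider including the configured rrsig-refresh value and the computed minimum (zone_maximal_ttl + propagation_delay) in the log_zone_warning() message, so the configuration can be corrected from the log alone. A short code comment above the branch saying why this condition is warning-only while the following rrsig_lifetime <= rrsig_refresh_before check still fails with log_zone_error() would also help, since the message itself states that the setting does not prevent expired RRSIGs in resolver caches and a later reader may be tempted to restore the KNOT_EINVAL / goto done path.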