Revert "dnssec: enforce safe rrsig-refresh"

This partial revert of d8b1e148 fixes the main issue of https://status.ripe.net/incidents/5pl1dpp2kvmz

Revert "dnssec: enforce safe rrsig-refresh"
d15c59d7 · Daniel Salzman · 7b10b979 · d15c59d7
Commit d15c59d7 authored 1 year ago by Daniel Salzman
--- a/src/knot/dnssec/zone-events.c
+++ b/src/knot/dnssec/zone-events.c
@@ -172,9 +172,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
 	update_policy_from_zone(ctx.policy, update->new_cont);

 	if (ctx.policy->rrsig_refresh_before < ctx.policy->zone_maximal_ttl + ctx.policy->propagation_delay) {
-		log_zone_error(zone_name, "DNSSEC, rrsig-refresh too low to prevent expired RRSIGs in resolver caches");
-		result = KNOT_EINVAL;
-		goto done;
+		log_zone_warning(zone_name, "DNSSEC, rrsig-refresh too low to prevent expired RRSIGs in resolver caches");
 	}
 	if (ctx.policy->rrsig_lifetime <= ctx.policy->rrsig_refresh_before) {
 		log_zone_error(zone_name, "DNSSEC, rrsig-lifetime lower than rrsig-refresh");