From d15c59d76bcd07537446a567cf9f9b83659ffcef Mon Sep 17 00:00:00 2001
From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Fri, 3 Nov 2023 10:30:54 +0100
Subject: [PATCH] Revert "dnssec: enforce safe rrsig-refresh"

This partial revert of d8b1e148f785392e7119654e24c381602dce263d fixes
the main issue of https://status.ripe.net/incidents/5pl1dpp2kvmz
---
 src/knot/dnssec/zone-events.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/knot/dnssec/zone-events.c b/src/knot/dnssec/zone-events.c
index e58900cdbc..58871ebd66 100644
--- a/src/knot/dnssec/zone-events.c
+++ b/src/knot/dnssec/zone-events.c
@@ -172,9 +172,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
 	update_policy_from_zone(ctx.policy, update->new_cont);
 
 	if (ctx.policy->rrsig_refresh_before < ctx.policy->zone_maximal_ttl + ctx.policy->propagation_delay) {
-		log_zone_error(zone_name, "DNSSEC, rrsig-refresh too low to prevent expired RRSIGs in resolver caches");
-		result = KNOT_EINVAL;
-		goto done;
+		log_zone_warning(zone_name, "DNSSEC, rrsig-refresh too low to prevent expired RRSIGs in resolver caches");
 	}
 	if (ctx.policy->rrsig_lifetime <= ctx.policy->rrsig_refresh_before) {
 		log_zone_error(zone_name, "DNSSEC, rrsig-lifetime lower than rrsig-refresh");
-- 
GitLab