author | Florian Obser <florian@cvs.openbsd.org> | 2019-02-17 16:15:32 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2019-02-17 16:15:32 +0000 |
commit | 0347adb9afb18cd919ec36dc58fc5830e4de2742 (patch) | |
tree | f91a6c7f83be97851b5eec731e4b6c4519720f2a /sbin | |
parent | a8320d7756491baf78eb2c4453d30ff82251c478 (diff) |
Since we do a naive string comparison to see if the trust anchor
changed we need to fix the TTL to the value we would get from the root
for the ksk DNSKEY (currently 2 days). Otherwise we would interpret a
lowered TTL from a cache as a changed trust anchor.
Use the same define everywhere.
(Considering the glacial speed with which the root ksk rotates this should
be fine for the foreseeable future.)
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/unwind/frontend.c | 4 | ||||
-rw-r--r-- | sbin/unwind/resolver.c | 5 | ||||
-rw-r--r-- | sbin/unwind/unwind.h | 3 |
3 files changed, 5 insertions, 7 deletions
diff --git a/sbin/unwind/frontend.c b/sbin/unwind/frontend.c index fcad36774d7..71b34db1de3 100644 --- a/sbin/unwind/frontend.c +++ b/sbin/unwind/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.13 2019/02/17 14:49:15 florian Exp $ */ +/* $OpenBSD: frontend.c,v 1.14 2019/02/17 16:15:31 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser <florian@openbsd.org> @@ -1184,7 +1184,7 @@ parse_trust_anchor(struct trust_anchor_head *tah, int fd) while ((line = strsep(&str, "\n")) != NULL) { if (sldns_str2wire_rr_buf(line, rr, &len, &dname_len, - 172800, NULL, 0, NULL, 0) != 0) + ROOT_DNSKEY_TTL, NULL, 0, NULL, 0) != 0) continue; if (sldns_wirerr_get_type(rr, len, dname_len) == LDNS_RR_TYPE_DNSKEY) diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c index 38edf4f0a53..863ecfb8cc3 100644 --- a/sbin/unwind/resolver.c +++ b/sbin/unwind/resolver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: resolver.c,v 1.18 2019/02/17 14:52:16 florian Exp $ */ +/* $OpenBSD: resolver.c,v 1.19 2019/02/17 16:15:31 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser <florian@openbsd.org> @@ -59,9 +59,6 @@ #define UB_LOG_VERBOSE 4 #define UB_LOG_BRIEF 0 -/* don't cause churn when trust anchor comes from a cache */ -#define ROOT_DNSKEY_TTL 172800 - #define PORTAL_CHECK_SEC 15 #define PORTAL_CHECK_MAXSEC 600 diff --git a/sbin/unwind/unwind.h b/sbin/unwind/unwind.h index 4aabeda22d7..968d83740a1 100644 --- a/sbin/unwind/unwind.h +++ b/sbin/unwind/unwind.h @@ -1,4 +1,4 @@ -/* $OpenBSD: unwind.h,v 1.9 2019/02/17 14:49:15 florian Exp $ */ +/* $OpenBSD: unwind.h,v 1.10 2019/02/17 16:15:31 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 
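Review bot: In the parse_trust_anchor hunk of frontend.c, `ROOT_DNSKEY_TTL` is passed in the argument position that sldns_str2wire_rr_buf treats as the default TTL, which as far as I know is used only when the parsed line has no TTL field of its own. A stored line with an explicit, lower TTL would therefore keep that value, so the pinning described in the commit message depends on how the trust anchor file is written, which is not visible in this hunk. I would add a comment above the call, `/* default only: a line with an explicit TTL keeps it, so the writer must emit ROOT_DNSKEY_TTL */`, or overwrite the TTL in the parsed record if normalisation on read is intended. Lines that fail to parse are still skipped by the existing `continue` without a log message, which makes a damaged trust anchor file hard to notice. The function body starts and ends outside the hunk.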
@@ -35,6 +35,7 @@ #define OPT_VERBOSE2 0x00000002 #define OPT_NOACTION 0x00000004 +#define ROOT_DNSKEY_TTL 172800 /* TTL from authority */ #define KSK2017 ". 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" enum { |
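Review bot: The new `ROOT_DNSKEY_TTL` define in unwind.h carries only `/* TTL from authority */`, so the rationale comment removed from resolver.c (`don't cause churn when trust anchor comes from a cache`) is lost, and the `KSK2017` literal on the next line repeats 172800 by hand. Since the commit message says trust anchors are compared as plain strings, a later edit of one value without the other would presumably look like a trust anchor change. I would document the coupling on the define, e.g. `/* TTL of the root KSK DNSKEY at the authority; must match the TTL in KSK2017, trust anchors are compared as strings */`.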