Ticket #6672 enhancement new
Implement Serial Number Arithmetic from RFC1982 for comparison of DNS serial numbers and RRSIG inception dates
Reported by: rwall
Owned by: (unassigned)
Description (last modified by rwall)
In order to implement #6665 properly, we will need a mechanism for doing RFC1982 Serial Number Arithmetic.
This can also be used in t.n.secondary.SecondaryAuthority to properly check that the serial number has incremented.
BobNovas has already done most of the work in:
It just needs tidying up.
The Signature Expiration and Inception fields specify a validity period for the signature. The RRSIG record MUST NOT be used for authentication prior to the inception date and MUST NOT be used for authentication after the expiration date.
The Signature Expiration and Inception field values specify a date and time in the form of a 32-bit unsigned number of seconds elapsed since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network byte order. The longest interval that can be expressed by this format without wrapping is approximately 136 years. An RRSIG RR can have an Expiration field value that is numerically smaller than the Inception field value if the expiration field value is near the 32-bit wrap-around point or if the signature is long lived. Because of this, all comparisons involving these fields MUST use "Serial number arithmetic", as defined in [RFC1982]. As a direct consequence, the values contained in these fields cannot refer to dates more than 68 years in either the past or the future.
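An added example (not code from this ticket or from Twisted) of the RFC1982 arithmetic the description asks for, applied to both use cases above: checking that a zone serial has increased, and checking an RRSIG validity window whose Expiration is numerically smaller than its Inception. The function names are assumptions.

```python
# Added example: RFC 1982 serial number arithmetic with SERIAL_BITS = 32, as
# used for SOA serial comparison and RRSIG inception/expiration checks.
# Illustrative code for this ticket, not Twisted's implementation.
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS          # 2**32
HALF = 1 << (SERIAL_BITS - 1)       # 2**31


def serial_add(s, n):
    """RFC 1982 section 3.1: s + n, with n in [0, 2**31 - 1], modulo 2**32."""
    if not 0 <= n <= HALF - 1:
        raise ValueError("addend out of range for RFC 1982 addition: %r" % (n,))
    return (s + n) % MODULUS


def serial_compare(s1, s2):
    """RFC 1982 section 3.2 comparison.

    Returns -1 if s1 < s2, 0 if equal, 1 if s1 > s2, and raises ValueError
    when the two values differ by exactly 2**31 (undefined by the RFC).
    """
    for s in (s1, s2):
        if not 0 <= s < MODULUS:
            raise ValueError("not a %d-bit serial: %r" % (SERIAL_BITS, s))
    if s1 == s2:
        return 0
    if (s1 < s2 and s2 - s1 < HALF) or (s1 > s2 and s1 - s2 > HALF):
        return -1
    if (s1 < s2 and s2 - s1 > HALF) or (s1 > s2 and s1 - s2 < HALF):
        return 1
    raise ValueError("comparison of %r and %r is undefined" % (s1, s2))


def serial_increased(old, new):
    """True if a transferred zone carries a newer serial than the one held."""
    return serial_compare(old, new) == -1


def rrsig_is_valid_at(inception, expiration, now):
    """RRSIG validity: inception <= now <= expiration in serial arithmetic.

    An Expiration numerically smaller than Inception (32-bit wrap-around) is
    handled correctly; a window of 2**31 seconds or more is not representable.
    """
    return (serial_compare(inception, now) <= 0
            and serial_compare(now, expiration) <= 0)
```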