From 8d3746fc224ef0b7201aa1a7669237d0753d1559 Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Fri, 6 Jan 2017 12:54:16 -0500
Subject: [PATCH] Validate the the RRset TTL is <= the OrigTTL.
---
 src/com/verisignlabs/dnssec/security/DnsSecVerifier.java | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
index 3796dac..150a068 100644
--- a/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
+++ b/src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
@@ -211,6 +211,13 @@ public class DnsSecVerifier } } + if (rrset.getTTL() > sigrec.getOrigTTL()) { + log.fine("RRset's TTL is greater than the Signature's orignal TTL"); + if (reasons != null) reasons.add("RRset TTL greater than RRSIG origTTL"); + return false; + } + return true; }
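Review bot: The new `rrset.getTTL() > sigrec.getOrigTTL()` guard rejects the RRset outright, which is stricter than RFC 4035 §5.3.3 (the validator clamps the TTL to the minimum of the received TTL, the RRSIG TTL, Original TTL and expiration minus now) and, because the signature is computed over Original TTL rather than the wire TTL (§5.3.2), it discards an RRset that can still be cryptographically valid; failing closed here is defensible, since no honest cache can raise a TTL above the signed value, but the intent should be recorded next to the check, e.g. `// Stricter than RFC 4035 5.3.3, which clamps instead of rejecting: a wire TTL above the signed Original TTL cannot come from an honest cache.` The `log.fine` message has a typo, `orignal` → `original`, and the reason string added to `reasons` should use the same wording so operators can grep for one phrase. Whether this runs before or after the cryptographic verification is not visible, as the enclosing method begins outside the hunk; if it sits with the other pre-crypto sanity checks, the cheap rejection path is preserved, otherwise moving it there is worth considering.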