Validate that the RRset TTL is <= the OrigTTL.

David Blacka 2017-01-06 12:54:16 -05:00
parent 444601fb2a
commit 8d3746fc22


@ -211,6 +211,13 @@ public class DnsSecVerifier
} }
} }
if (rrset.getTTL() > sigrec.getOrigTTL())
{
log.fine("RRset's TTL is greater than the Signature's orignal TTL");
if (reasons != null) reasons.add("RRset TTL greater than RRSIG origTTL");
return false;
}
return true; return true;
} }
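Review bot: The new `if (rrset.getTTL() > sigrec.getOrigTTL())` branch logs a fixed string, so a rejected RRset leaves no record of either TTL value; something like `log.fine("RRset TTL " + rrset.getTTL() + " exceeds RRSIG original TTL " + sigrec.getOrigTTL());` would let an operator tell a misbehaving cache from a modified response. The current message also misspells "original" as "orignal". A short comment above the `if` would help, for example `// The received TTL is not covered by the signature; a value above the RRSIG's Original TTL cannot have come from the signer.` RFC 4035 section 5.3.3 describes capping the TTL at the Original TTL once an RRset is accepted, so that comment should also say that rejecting outright is deliberate, if it is. The enclosing method starts before this hunk, so the checks that precede this one are not visible here.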