[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r1578 - in trunk/auditor: lib/kasp_auditor test

Alex Dalitz alexd at nominet.org.uk
Wed Aug 12 13:59:06 CEST 2009


Author: alex
Date: 2009-08-12 13:59:05 +0200 (Wed, 12 Aug 2009)
New Revision: 1578

Modified:
   trunk/auditor/lib/kasp_auditor/auditor.rb
   trunk/auditor/test/auditor_test.rb
Log:
Sorting out expiration : now errors if (now > (expiration - refresh))

Modified: trunk/auditor/lib/kasp_auditor/auditor.rb
===================================================================
--- trunk/auditor/lib/kasp_auditor/auditor.rb	2009-08-12 11:58:59 UTC (rev 1577)
+++ trunk/auditor/lib/kasp_auditor/auditor.rb	2009-08-12 11:59:05 UTC (rev 1578)
@@ -274,14 +274,12 @@
         end
 
         #  d) expiration date in future by at least interval specified by config
-        validity = @config.signatures.validity.default
-        if ([Types.NSEC, Types.NSEC3, Types.NSEC3PARAM].include?rrset.type)
-          validity = @config.signatures.validity.denial
-        end
-        #  We want to check that at least the validity period remains before the signatures expire
-        # @TODO@ Probably want to have a validity WARN level and an ERROR level for validity
-        if ((sig.expiration -  time_now).abs <=  validity)
-          log(LOG_ERR, "Validity error for #{sig.name}, #{sig.type_covered} : Validity is #{validity}, but only #{sig.expiration - time_now} remain (signature expiration is #{sig.expiration}, time now is #{time_now})")
+        refresh = @config.signatures.refresh
+        # We want to check that there is at least the refresh period left before
+        # the signature expires.
+        # @TODO@ Probably want to have a WARN level and an ERROR level
+        if (time_now > (sig.expiration - refresh))
+          log(LOG_ERR, "Signature expiration (#{sig.expiration}) for #{sig.name}, #{sig.type_covered} should be later than the refresh period (#{refresh}) from now #{time_now}")
         else
           #            print "OK : Signature expiration is #{sig.expiration}, time now is #{time_now}, signature validity is #{validity}, difference = #{sig.expiration - time_now}\n"
         end
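Review bot: the commented-out `print` in the `else` branch still interpolates `validity`, which this hunk removes from scope; either drop that stale comment or reword it around `refresh` so it does not mislead the next person who uncomments it. On the logic itself, replacing `(sig.expiration - time_now).abs <= validity` with `time_now > (sig.expiration - refresh)` is an improvement: the old `.abs` form silently passed a signature that had already expired by more than `validity`, whereas the new comparison flags every signature whose expiration is not at least one refresh period ahead of now. The `@TODO@` about separate WARN and ERROR thresholds is carried over unchanged, so it still applies.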

Modified: trunk/auditor/test/auditor_test.rb
===================================================================
--- trunk/auditor/test/auditor_test.rb	2009-08-12 11:58:59 UTC (rev 1577)
+++ trunk/auditor/test/auditor_test.rb	2009-08-12 11:59:05 UTC (rev 1578)
@@ -63,6 +63,7 @@
       "RRSet (www.tjeb.nl, AAAA) failed verification : Signature record not in validity period, tag = 1390",
       "RRSet (www.tjeb.nl, NSEC) failed verification : Signature record not in validity period, tag = 1390",
       "Inception error for www.tjeb.nl, NSEC : Signature inception is 1275722596, time now is",
+      "Signature expiration (962409629) for www.tjeb.nl, AAAA should be later than the refresh period (120) from now ",
       "RRSIGS should include algorithm RSASHA1 for not.there.tjeb.nl, A, have :",
       "non-DNSSEC RRSet A included in Output that was not present in Input : not.there.tjeb.nl.	3600	IN	A	1.2.3.4",
       "RRSet (not.there.tjeb.nl, A) failed verification : No signatures in the RRSet : not.there.tjeb.nl, A, tag = none",
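Review bot: the new expected line ends with a trailing space after "from now " and omits the timestamp, so it only works if the test compares by prefix, as the "Inception error for www.tjeb.nl, NSEC : ... time now is" entry above it evidently does; if any of these comparisons are exact matches this entry can never match. The list also covers only the AAAA case for www.tjeb.nl, so a companion expectation for an RRset whose expiration is comfortably beyond the refresh period (and therefore must not produce this message) would pin down the new condition from both sides.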