When an rdataset is signed, its ttl is normalized based on the signature

validity period.

CHANGES

@@ -1,3 +1,6 @@
+ 218.	[func]		When an rdataset is signed, its ttl is normalized
+			based on the signature validity period.
+
  217.	[func]		Also-notify and trusted-keys can now be used in a
 			config file.
 

lib/dns/resolver.c

@@ -2448,14 +2448,19 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 				}
 			}
 
+			/*
+			 * Normalize the rdataset and sigrdataset TTLs.
+			 */
+			if (sigrdataset != NULL) {
+				rdataset->ttl = ISC_MIN(rdataset->ttl,
+							sigrdataset->ttl);
+				sigrdataset->ttl = rdataset->ttl;
+			}
+
 			/*
 			 * Cache this rdataset/sigrdataset pair as
 			 * pending data.
 			 */
-#ifdef notyet
-			if (sigrdataset != NULL)
-				set_ttl(rdataset, sigrdataset);
-#endif
 			rdataset->trust = dns_trust_pending;
 			if (sigrdataset != NULL)
 				sigrdataset->trust = dns_trust_pending;

lib/dns/validator.c

@@ -864,6 +864,19 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 		if (result != ISC_R_SUCCESS)
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "failed to verify rdataset");
+		else {
+			isc_uint32_t ttl;
+			isc_stdtime_t now;
+
+			isc_stdtime_get(&now);
+			ttl = ISC_MIN(event->rdataset->ttl,
+				      val->siginfo->timeexpire - now);
+			if (val->keyset != NULL)
+				ttl = ISC_MIN(ttl, val->keyset->ttl);
+			event->rdataset->ttl = ttl;
+			event->sigrdataset->ttl = ttl;
+		}
+
 		if (val->keynode != NULL)
 			dns_keytable_detachkeynode(val->keytable,
 						   &val->keynode);