Add the ability to dig to specify the signing time

bin/dig/dig.c

@@ -1522,8 +1522,31 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 		}
 		break;
 	case 'f': /* fail */
-		FULLCHECK("fail");
+		switch (cmd[1]) {
-		lookup->servfail_stops = state;
+		case 'a':
+			FULLCHECK("fail");
+			lookup->servfail_stops = state;
+			break;
+		case 'u':
+			FULLCHECK("fuzztime");
+			lookup->fuzzing = state;
+			if (lookup->fuzzing) {
+				if (value == NULL) {
+					lookup->fuzztime = 0x622acce1;
+					break;
+				}
+				result = parse_uint(&num, value, 0xffffffff,
+						    "fuzztime");
+				if (result != ISC_R_SUCCESS) {
+					warn("Couldn't parse fuzztime");
+					goto exit_or_usage;
+				}
+				lookup->fuzztime = num;
+			}
+			break;
+		default:
+			goto invalid_option;
+		}
 		break;
 	case 'h':
 		switch (cmd[1]) {

bin/dig/dig.rst

@@ -388,6 +388,14 @@ abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
    to not try the next server, which is the reverse of normal stub
    resolver behavior.
 
+.. option:: +fuzztime[=value], +nofuzztime
+
+   This option allows the signing time to be specified when generating
+   signed messages.  If a value is specified it is the seconds since
+   00:00:00 January 1, 1970 UTC ignoring leap seconds.  If no value
+   is specified 1646972129 (Fri 11 Mar 2022 04:15:29 UTC) is used.
+   The default is ``+nofuzztime`` and the current time is used.
+
 .. option:: +header-only, +noheader-only
 
    This option sends a query with a DNS header without a question section. The

bin/dig/dighost.c

@@ -795,6 +795,8 @@ clone_lookup(dig_lookup_t *lookold, bool servers) {
 	looknew->done_as_is = lookold->done_as_is;
 	looknew->dscp = lookold->dscp;
 	looknew->rrcomments = lookold->rrcomments;
+	looknew->fuzzing = lookold->fuzzing;
+	looknew->fuzztime = lookold->fuzztime;
 
 	if (lookold->ecs_addr != NULL) {
 		size_t len = sizeof(isc_sockaddr_t);
@@ -2438,6 +2440,11 @@ setup_lookup(dig_lookup_t *lookup) {
 		check_result(result, "dns_message_setsig0key");
 	}
 
+	if (lookup->fuzzing) {
+		lookup->sendmsg->fuzzing = true;
+		lookup->sendmsg->fuzztime = lookup->fuzztime;
+	}
+
 	lookup->sendspace = isc_mem_get(mctx, COMMSIZE);
 
 	result = dns_compress_init(&cctx, mctx);

bin/dig/dighost.h

@@ -108,10 +108,11 @@ struct dig_lookup {
 	isc_refcount_t references;
 	bool aaonly, adflag, badcookie, besteffort, cdflag, cleared, comments,
 		dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa,
-		expire, header_only, identify, /*%< Append an "on server <foo>"
+		expire, fuzzing, header_only, identify, /*%< Append an "on
-						  message */
+							   server <foo>" message
-		identify_previous_line,	       /*% Prepend a "Nameserver <foo>:"
+							 */
-						  message, with newline and tab */
+		identify_previous_line, /*% Prepend a "Nameserver <foo>:"
+					   message, with newline and tab */
 		idnin, idnout, ignore, multiline, need_search, new_search,
 		noclass, nocrypto, nottl, ns_search_only, /*%< dig +nssearch,
 							     host -C */
@@ -188,6 +189,7 @@ struct dig_lookup {
 		char *tls_key_file;
 		isc_tlsctx_cache_t *tls_ctx_cache;
 	};
+	isc_stdtime_t fuzztime;
 };
 
 /*% The dig_query structure */

doc/man/dig.1in

@@ -450,6 +450,15 @@ resolver behavior.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B +fuzztime[=value], +nofuzztime
+This option allows the signing time to be specified when generating
+signed messages.  If a value is specified it is the seconds since
+00:00:00 January 1, 1970 UTC ignoring leap seconds.  If no value
+is specified 1646972129 (Fri 11 Mar 2022 04:15:29 UTC) is used.
+The default is \fB+nofuzztime\fP and the current time is used.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B +header\-only, +noheader\-only
 This option sends a query with a DNS header without a question section. The
 default is to add a question section. The query type and query name