3356. [bug] Cap the TTL of signed RRsets when RRSIGs are

approaching their expiry, so they don't remain in caches after expiry. [RT #26429]
2025-08-22 18:19:42 +00:00 · 2012-07-25 17:06:34 -05:00 · 2012-07-25 17:06:34 -05:00 · e7857b5ee0
commit e7857b5ee0
parent e13ffd32c2
14 changed files with 366 additions and 25 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
 3356.	[bug]		Cap the TTL of signed RRsets when RRSIGs are 
 			approaching their expiry, so they don't remain
 			in caches after expiry. [RT #26429]
 3355.	[port]		Use more portable awk in verify system test.
 3354.	[func]		Improve OpenSSL error logging. [RT #29932]
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -25,6 +25,7 @@
 #include <isc/hex.h>
 #include <isc/mem.h>
 #include <isc/serial.h>
 #include <isc/stats.h>
 #include <isc/util.h>
@ -2825,14 +2826,15 @@ query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
 */
 static void
 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	    isc_uint32_t ttl, dns_rdataset_t *rdataset,
+	    dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset,
 	    dns_rdataset_t *sigrdataset)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
-
+	isc_stdtime_t now;	
 	rdataset->trust = dns_trust_secure;
 	sigrdataset->trust = dns_trust_secure;
 	dns_clientinfomethods_init(&cm, ns_client_sourceip);
@ -2844,17 +2846,10 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 	result = dns_db_findnodeext(db, name, ISC_TRUE, &cm, &ci, &node);
 	if (result != ISC_R_SUCCESS)
 		return;
-	/*
+		
-	 * Bound the validated ttls then minimise.
+	isc_stdtime_get(&now);
-	 */
+	dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now,
-	if (sigrdataset->ttl > ttl)
+			     client->view->acceptexpired);
 		sigrdataset->ttl = ttl;
 	if (rdataset->ttl > ttl)
 		rdataset->ttl = ttl;
 	if (rdataset->ttl > sigrdataset->ttl)
 		rdataset->ttl = sigrdataset->ttl;
 	else
 		sigrdataset->ttl = rdataset->ttl;
 	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
 				 0, NULL);
@ -2985,8 +2980,7 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 			if (verify(key, name, rdataset, &rdata, client)) {
 				dst_key_free(&key);
 				dns_rdataset_disassociate(&keyrdataset);
-				mark_secure(client, db, name,
+				mark_secure(client, db, name, &rrsig,
 					    rrsig.originalttl,
 					    rdataset, sigrdataset);
 				return (ISC_TRUE);
 			}
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@ -144,3 +144,6 @@ ns.upper		A	10.53.0.3
 LOWER			NS	NS.LOWER
 NS.LOWER		A	10.53.0.3
 expiring                 NS      ns.expiring
 ns.expiring              A       10.53.0.3
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -33,7 +33,8 @@ zonefile=example.db
 for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
    auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
-    split-smart expired upper lower
+    split-smart expired expiring upper lower
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done
--- a/bin/tests/system/dnssec/ns3/expired.example.db.in
+++ b/bin/tests/system/dnssec/ns3/expired.example.db.in
@ -23,7 +23,9 @@ $TTL 300	; 5 minutes
 				3600       ; minimum (1 hour)
 				)
 			NS	ns
 			MX	10 mx
 ns			A	10.53.0.3
 mx 		 	A 	10.0.0.30
 a			A	10.0.0.1
 b			A	10.0.0.2
@ -43,3 +45,5 @@ ns.nosoa		A	10.53.0.7
 normalthenrrsig		A	10.0.0.28
 rrsigonly		A	10.0.0.29
--- a/bin/tests/system/dnssec/ns3/expiring.example.db.in
+++ b/bin/tests/system/dnssec/ns3/expiring.example.db.in
@ -23,7 +23,9 @@ $TTL 300	; 5 minutes
 				3600       ; minimum (1 hour)
 				)
 			NS	ns
 			MX	10 mx
 ns			A	10.53.0.3
 mx 		 	A 	10.0.0.30
 a			A	10.0.0.1
 b			A	10.0.0.2
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@ -381,7 +381,8 @@ kskname=`$KEYGEN -q -r $RANDFILE $zone`
 zskname=`$KEYGEN -q -r $RANDFILE -f KSK $zone`
 cp $infile $zonefile
 $SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
-rm -f ${zskname}.private ${kskname}.private
+mv -f ${zskname}.private ${zskname}.private.moved
 mv -f ${kskname}.private ${kskname}.private.moved
 #
 # A zone where the signer's name has been forced to uppercase.
--- a/bin/tests/system/dnssec/ns4/named3.conf
+++ b/bin/tests/system/dnssec/ns4/named3.conf
@ -0,0 +1,51 @@
 /*
 * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */
 /* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
 // NS4
 controls { /* empty */ };
 options {
 	query-source address 10.53.0.4;
 	notify-source 10.53.0.4;
 	transfer-source 10.53.0.4;
 	port 5300;
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	recursion yes;
 	acache-enable yes;
 	dnssec-enable yes;
 	dnssec-validation auto;
        bindkeys-file "managed.conf";
        dnssec-accept-expired yes;
 };
 key rndc_key {
        secret "1234abcd8765";
        algorithm hmac-md5;
 };
 controls {
        inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
 };
 zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -1675,5 +1675,104 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing TTL is capped at RRSIG expiry time ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze expiring.example 2>&1 | sed 's/^/I:ns3 /'
 (
 cd ns3
 RANDFILE=../random.data
 for file in K*.moved; do
  mv $file `basename $file .moved`
 done
 $SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
 ) || ret=1
 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload expiring.example 2>&1 | sed 's/^/I:ns3 /'
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
 $DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
 $DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '{print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
 for ttl in $ttls; do
    [ $ttl -eq 300 ] || ret=1
 done
 for ttl in $ttls2; do
    [ $ttl -le 60 ] || ret=1
 done
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
 $DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
 $DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '{print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
 for ttl in $ttls; do
    [ $ttl -eq 300 ] || ret=1
 done
 for ttl in $ttls2; do
    [ $ttl -le 60 ] || ret=1
 done
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 cp ns4/named3.conf ns4/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
 sleep 3
 echo "I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
 $DIG +noall +answer +dnssec +cd -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.1.$n
 $DIG +noall +answer +dnssec -p 5300 expiring.example soa @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '{print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
 for ttl in $ttls; do
    [ $ttl -eq 300 ] || ret=1
 done
 for ttl in $ttls2; do
    [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
 done
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing TTL of expired RRsets with dnssec-accept-expired yes; ($n)"
 ret=0
 $DIG +noall +answer +dnssec +cd -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.1.$n
 $DIG +noall +answer +dnssec -p 5300 expired.example soa @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '{print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
 for ttl in $ttls; do
    [ $ttl -eq 300 ] || ret=1
 done
 for ttl in $ttls2; do
    [ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
 done
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
 ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
 $DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
 $DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '{print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '{print $2}' dig.out.ns4.2.$n`
 for ttl in $ttls; do
    [ $ttl -eq 300 ] || ret=1
 done
 for ttl in $ttls2; do
    [ $ttl -le 120  -a $ttl -gt 60 ] || ret=1
 done
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:exit status: $status"
 exit $status
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@ -56,6 +56,7 @@
 #include <isc/stdtime.h>
 #include <dns/types.h>
 #include <dns/rdatastruct.h>
 ISC_LANG_BEGINDECLS
@ -651,6 +652,25 @@ dns_rdataset_expire(dns_rdataset_t *rdataset);
 * Mark the rdataset to be expired in the backing database.
 */
 void
 dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
                     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
                     isc_boolean_t acceptexpired);
 /*%<
 * Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire
 * at or before 'rrsig->expiretime'.  If 'acceptexpired' is true and the
 * signature has expired or will expire in the next 120 seconds, limit
 * the ttl to be no more than 120 seconds.
 *
 * The ttl is further limited by the original ttl as stored in 'rrsig'
 * and the original ttl values of 'rdataset' and 'sigrdataset'.
 *
 * Requires:
 * \li	'rdataset' is a valid rdataset.
 * \li	'sigrdataset' is a valid rdataset.
 * \li	'rrsig' is non NULL.
 */
 const char *
 dns_trust_totext(dns_trust_t trust);
 /*
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@ -26,6 +26,7 @@
 #include <isc/buffer.h>
 #include <isc/mem.h>
 #include <isc/random.h>
 #include <isc/serial.h>
 #include <isc/util.h>
 #include <dns/name.h>
@ -772,3 +773,30 @@ dns_rdataset_expire(dns_rdataset_t *rdataset) {
 	if (rdataset->methods->expire != NULL)
 		(rdataset->methods->expire)(rdataset);
 }
 void
 dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
 		     isc_boolean_t acceptexpired)
 {
 	isc_uint32_t ttl = 0;
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE(DNS_RDATASET_VALID(sigrdataset));
 	REQUIRE(rrsig != NULL);
 	/*
 	 * If we accept expired RRsets keep them for no more than 120 seconds.
 	 */
        if (acceptexpired &&
            (isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) ||
             isc_serial_le(rrsig->timeexpire, now)))
                ttl = 120;
        else if (isc_serial_ge(rrsig->timeexpire, now))
                ttl = rrsig->timeexpire - now;
        ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl),
                      ISC_MIN(rrsig->originalttl, ttl));
        rdataset->ttl = ttl;
        sigrdataset->ttl = ttl;
 }
--- a/lib/dns/tests/Makefile.in
+++ b/lib/dns/tests/Makefile.in
@ -40,14 +40,14 @@ OBJS =		dnstest.@O@
 SRCS =		dnstest.c master_test.c dbiterator_test.c time_test.c \
 		private_test.c update_test.c zonemgr_test.c zt_test.c \
 		dbdiff_test.c nsec3_test.c dispatch_test.c rdatasetstats_test.c \
-		rbt_test.c
+		rbt_test.c rdataset_test.c
 SUBDIRS =
 TARGETS =	master_test@EXEEXT@ dbiterator_test@EXEEXT@ time_test@EXEEXT@ \
 		private_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \
 		zt_test@EXEEXT@ dbversion_test@EXEEXT@ dbdiff_test@EXEEXT@ \
 		nsec3_test@EXEEXT@ dispatch_test@EXEEXT@ rdatasetstats_test@EXEEXT@ \
-		rbt_test@EXEEXT@
+		rbt_test@EXEEXT@ rdataset_test@EXEEXT@
@BIND9_MAKE_RULES@
@ -106,6 +106,11 @@ nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 			nsec3_test.@O@ dnstest.@O@ ${DNSLIBS} \
 				${ISCLIBS} ${LIBS}
 rdataset_test@EXEEXT@: rdataset_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 			rdataset_test.@O@ dnstest.@O@ ${DNSLIBS} \
 				${ISCLIBS} ${LIBS}
 dispatch_test@EXEEXT@: dispatch_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
--- a/lib/dns/tests/rdataset_test.c
+++ b/lib/dns/tests/rdataset_test.c
@ -0,0 +1,131 @@
 /*
 * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */
 /* $Id$ */
 /*! \file */
 #include <config.h>
 #include <atf-c.h>
 #include <unistd.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
 #include "dnstest.h"
 /*
 * Individual unit tests
 */
 /* Successful load test */
 ATF_TC(trimttl);
 ATF_TC_HEAD(trimttl, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() loads a "
 				       "valid master file and returns success");
 }
 ATF_TC_BODY(trimttl, tc) {
 	isc_result_t result;
 	dns_rdataset_t rdataset, sigrdataset;
 	dns_rdata_rrsig_t rrsig;
 	isc_stdtime_t ttltimenow, ttltimeexpire;
 	ttltimenow = 10000000;
 	ttltimeexpire = ttltimenow + 800;
 	UNUSED(tc);
 	dns_rdataset_init(&rdataset);
 	dns_rdataset_init(&sigrdataset);
 	result = dns_test_begin(NULL, ISC_FALSE);
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 	rdataset.ttl = 900;
 	sigrdataset.ttl = 1000;
 	rrsig.timeexpire = ttltimeexpire;
 	rrsig.originalttl = 1000;
 	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
 			     ISC_TRUE);
 	ATF_REQUIRE_EQ(rdataset.ttl, 800);
 	ATF_REQUIRE_EQ(sigrdataset.ttl, 800);
 	rdataset.ttl = 900;
 	sigrdataset.ttl = 1000;
 	rrsig.timeexpire = ttltimenow - 200;
 	rrsig.originalttl = 1000;
 	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
 			     ISC_TRUE);
 	ATF_REQUIRE_EQ(rdataset.ttl, 120);
 	ATF_REQUIRE_EQ(sigrdataset.ttl, 120);
 	rdataset.ttl = 900;
 	sigrdataset.ttl = 1000;
 	rrsig.timeexpire = ttltimenow - 200;
 	rrsig.originalttl = 1000;
 	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
 			     ISC_FALSE);
 	ATF_REQUIRE_EQ(rdataset.ttl, 0);
 	ATF_REQUIRE_EQ(sigrdataset.ttl, 0);
 	sigrdataset.ttl = 900;
 	rdataset.ttl = 1000;
 	rrsig.timeexpire = ttltimeexpire;
 	rrsig.originalttl = 1000;
 	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
 			     ISC_TRUE);
 	ATF_REQUIRE_EQ(rdataset.ttl, 800);
 	ATF_REQUIRE_EQ(sigrdataset.ttl, 800);
 	sigrdataset.ttl = 900;
 	rdataset.ttl = 1000;
 	rrsig.timeexpire = ttltimenow - 200;
 	rrsig.originalttl = 1000;
 	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
 			     ISC_TRUE);
 	ATF_REQUIRE_EQ(rdataset.ttl, 120);
 	ATF_REQUIRE_EQ(sigrdataset.ttl, 120);
 	sigrdataset.ttl = 900;
 	rdataset.ttl = 1000;
 	rrsig.timeexpire = ttltimenow - 200;
 	rrsig.originalttl = 1000;
 	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
 			     ISC_FALSE);
 	ATF_REQUIRE_EQ(rdataset.ttl, 0);
 	ATF_REQUIRE_EQ(sigrdataset.ttl, 0);
 	dns_test_end();
 }
 /*
 * Main
 */
 ATF_TP_ADD_TCS(tp) {
 	ATF_TP_ADD_TC(tp, trimttl);
 	return (atf_no_error());
 }
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -2078,15 +2078,13 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "failed to verify rdataset");
 		else {
 			isc_uint32_t ttl;
 			isc_stdtime_t now;
 			isc_stdtime_get(&now);
-			ttl = ISC_MIN(event->rdataset->ttl,
+			dns_rdataset_trimttl(event->rdataset,
-				      ISC_MIN(val->siginfo->originalttl,
+					     event->sigrdataset,
-					      val->siginfo->timeexpire - now));
+					     val->siginfo, now,
-			event->rdataset->ttl = ttl;
+					     val->view->acceptexpired);
 			event->sigrdataset->ttl = ttl;
 		}
 		if (val->keynode != NULL)