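# Runs the basic policy checks on one RRSIG line from the signed zone.
#
# The line is split on whitespace and read as RRSIG presentation format, in
# the order this method uses the fields: split[0] owner name, split[4] type
# covered, split[8] expiration, split[9] inception, split[10] key tag.
# The key tag is recorded in @keys_used, then the signature is checked for:
#   * inception later than now + inception_offset          -> LOG_ERR
#   * expiration falling inside the (refresh - resign)
#     re-signing window measured from now                  -> LOG_ERR
#   * lifetime outside validity +/- jitter, where NSEC/NSEC3
#     (but not NSEC3PARAM) use the denial validity          -> LOG_ERR
# If the policy has changed since the signature was made, the checks are
# skipped with a LOG_WARNING because the policy it was signed under is gone.
#
# @param line [String] one RRSIG RR in presentation format
# @return [nil] findings are reported through log(), nothing is returned
def do_basic_rrsig_checks(line)
  time_now = Time.now.to_i
  split = line.split
  key_tag = split[10]
  # NOTE(review): a line with fewer than 11 fields yields nil here and for
  # the get_time calls below; what happens then depends on RR::RRSIG.get_time.
  @keys_used.push(key_tag) unless @keys_used.include?(key_tag)
  sig_inception = RR::RRSIG.get_time(split[9])

  check_policy_changes
  if @policy_has_changed
    # Signatures made before the policy change were produced under rules we no
    # longer know. When the inception offset itself changed, the old offset is
    # unknown, so a fixed one-day grace period is used instead.
    policy_cutoff = if @inception_offset_has_changed
                      @policy_change_timestamp - (3600 * 24)
                    else
                      @policy_change_timestamp - @config.signatures.inception_offset
                    end
    if sig_inception < policy_cutoff
      log(LOG_WARNING, "Skipping signature lifetime check for #{split[0].chop}, #{split[4]} : policy has changed since #{sig_inception} (at #{@policy_change_timestamp})\n")
      return
    end
  end

  # Read the signature policy after check_policy_changes so any refresh it
  # performs is reflected in the values used below.
  sigs = @config.signatures
  inception_offset = sigs.inception_offset

  # Inception may be backdated by up to inception_offset, never in the future
  # beyond it.
  if sig_inception > (time_now + inception_offset)
    log(LOG_ERR, "Inception error for #{split[0].chop}, #{split[4]} : Signature inception is #{sig_inception}, time now is #{time_now}, inception offset is #{inception_offset}, difference = #{time_now - sig_inception}")
  end

  sig_expiration = RR::RRSIG.get_time(split[8])
  refresh = sigs.refresh
  resign = sigs.resign
  # A still-valid signature that expires within (refresh - resign) of now
  # should already have been re-signed.
  # NOTE(review): an already-expired signature (time_now > sig_expiration) is
  # not reported by this check; presumably caught elsewhere - confirm.
  if time_now <= sig_expiration && time_now > (sig_expiration - refresh + resign)
    # Owner name is logged unchopped here, unlike the other messages.
    log(LOG_ERR, "Signature expiration (#{sig_expiration}) for #{split[0]}, #{split[4]} should be later than (the refresh period (#{refresh}) - the resign period (#{resign})) from now (#{time_now})")
  end

  # Denial-of-existence records (NSEC, NSEC3) get their own validity period;
  # NSEC3PARAM is not a denial record. split[4] comes from a whitespace split,
  # so a prefix test is equivalent to the former /^NSEC/ match.
  type_covered = split[4]
  validity = if type_covered.to_s.start_with?("NSEC") && type_covered != "NSEC3PARAM"
               sigs.validity.denial
             else
               sigs.validity.default
             end

  jitter = sigs.jitter
  min_lifetime = inception_offset + validity - jitter
  max_lifetime = inception_offset + validity + jitter
  actual_lifetime = sig_expiration - sig_inception
  if min_lifetime > actual_lifetime
    log(LOG_ERR, "Signature lifetime too short - should be at least #{min_lifetime} but was #{actual_lifetime}")
  end
  if max_lifetime < actual_lifetime
    log(LOG_ERR, "Signature lifetime too long - should be at most #{max_lifetime} but was #{actual_lifetime}")
  end
end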