fix: check valid from/until

zmap · Oct 10, 2024 · 21eb9e4 · 21eb9e4
1 parent ff4651e
commit 21eb9e4
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/rootanchors.go b/rootanchors.go
@@ -2,6 +2,7 @@ package rootanchors
 
 import (
 	"encoding/xml"
+	"time"
 
 	"github.com/miekg/dns"
 )
@@ -63,11 +64,15 @@ func GetRawAnchors() TrustAnchor {
 }
 
 // GetDSRecords returns root anchors as DS records defined by miekg/dns.
-func GetDSRecords() map[uint16]dns.DS {
+func GetValidDSRecords() map[uint16]dns.DS {
 	ta := GetRawAnchors()
 
 	dsRecords := make(map[uint16]dns.DS)
 	for _, kd := range ta.KeyDigests {
+		if !isKeyDigestValid(kd) {
+			continue
+		}
+
 		dsRecords[kd.KeyTag] = dns.DS{
 			Hdr:        dns.RR_Header{Name: ta.Zone},
 			KeyTag:     kd.KeyTag,
@@ -79,3 +84,21 @@ func GetDSRecords() map[uint16]dns.DS {
 
 	return dsRecords
 }
+
+func isKeyDigestValid(kd KeyDigest) bool {
+	validFrom, err := time.Parse(time.RFC3339, kd.ValidFrom)
+	if err != nil {
+		return false
+	}
+
+	if kd.ValidUntil == "" {
+		return time.Now().After(validFrom)
+	}
+
+	validUntil, err := time.Parse(time.RFC3339, kd.ValidUntil)
+	if err != nil {
+		return false
+	}
+
+	return time.Now().After(validFrom) && time.Now().Before(validUntil)
+}
diff --git a/rootanchors_test.go b/rootanchors_test.go
@@ -17,7 +17,7 @@ func TestRootDNSKEYValidation(t *testing.T) {
 	}
 	t.Logf("DNSKEY records: %v", dnsKeys)
 
-	dsRecords := rootanchors.GetDSRecords()
+	dsRecords := rootanchors.GetValidDSRecords()
 	if err != nil {
 		t.Fatalf("Failed to get DS records from trust anchor: %v", err)
 	}