From 4d8edd30dc6b10d2af891ae3ebba6742ec04ca57 Mon Sep 17 00:00:00 2001
From: Brian Wellington
Date: Mon, 27 Sep 1999 18:48:23 +0000
Subject: [PATCH] correcty handle sigs in the future
---
 bin/dnssec/dnssec-signzone.c | 15 ++++++++++-----
 bin/tests/signer.c | 15 ++++++++++-----
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 78cb8bc288..9338835c33 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -253,7 +253,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 if (result != ISC_R_NOTFOUND) {
 result = dns_rdataset_first(&oldsigset);
 while (result == ISC_R_SUCCESS) {
- isc_boolean_t expired;
+ isc_boolean_t expired, future;
 isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
 dns_rdataset_current(&oldsigset, &oldsigrdata);
@@ -262,14 +262,19 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 check_result(result, "dns_rdata_tostruct");
 expired = (now + cycle > sig.timeexpire);
+ future = (now < sig.timesigned);
 key = keythatsigned(&sig);
- if (key == NULL &&
- expecttofindkey(sig.signer, db, version))
+ if (sig.timesigned > sig.timeexpire)
 ; /* sig is dropped and not replaced */
- else if (key == NULL)
- keep = ISC_TRUE;
+ else if (key == NULL && !future &&
+ expecttofindkey(sig.signer, db, version))
+ ; /* sig is dropped and not replaced */
+ else if (key == NULL || future) {
+ if (!expired)
+ keep = ISC_TRUE;
+ }
 else if (issigningkey(key)) {
 if (!expired &&
 setverifies(name, set, key, &oldsigrdata))
diff --git a/bin/tests/signer.c b/bin/tests/signer.c
index 78cb8bc288..9338835c33 100644
--- a/bin/tests/signer.c
+++ b/bin/tests/signer.c
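Review bot: In the second hunk of bin/dnssec/dnssec-signzone.c, the new `else if (key == NULL || future)` branch keeps any unexpired signature whose inception is later than `now`, even when `key` is non-NULL, so such a SIG never reaches the `setverifies()` check in the `issigningkey(key)` branch, and the added `!future` term also exempts it from the `expecttofindkey()` drop. If keeping future-dated signatures unverified is intended, state that at the branch, for example `/* inception is in the future: kept unverified until it is within cycle of expiry */`; otherwise limit the branch to `key == NULL` and let a future-dated SIG with a known key fall through to verification. The time tests (`now < sig.timesigned`, `sig.timesigned > sig.timeexpire`, `now + cycle > sig.timeexpire`) appear to be plain integer comparisons; the field types are not visible here, so confirm they behave as wanted if these are 32-bit timestamps that can wrap. The identical hunk in bin/tests/signer.c has the same points, and `signset` starts and ends outside both hunks.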
@@ -253,7 +253,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 if (result != ISC_R_NOTFOUND) {
 result = dns_rdataset_first(&oldsigset);
 while (result == ISC_R_SUCCESS) {
- isc_boolean_t expired;
+ isc_boolean_t expired, future;
 isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
 dns_rdataset_current(&oldsigset, &oldsigrdata);
@@ -262,14 +262,19 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 check_result(result, "dns_rdata_tostruct");
 expired = (now + cycle > sig.timeexpire);
+ future = (now < sig.timesigned);
 key = keythatsigned(&sig);
- if (key == NULL &&
- expecttofindkey(sig.signer, db, version))
+ if (sig.timesigned > sig.timeexpire)
 ; /* sig is dropped and not replaced */
- else if (key == NULL)
- keep = ISC_TRUE;
+ else if (key == NULL && !future &&
+ expecttofindkey(sig.signer, db, version))
+ ; /* sig is dropped and not replaced */
+ else if (key == NULL || future) {
+ if (!expired)
+ keep = ISC_TRUE;
+ }
 else if (issigningkey(key)) {
 if (!expired &&
 setverifies(name, set, key, &oldsigrdata))