From 045d0d481c47bd136225a195c9f579dd5f50b69f Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 11 Feb 2016 11:24:22 +0100
Subject: [PATCH 1/2] Offline dnssec validation at a given point in time
---
 src/dnssec.c | 18 ++++++++++++------
 src/getdns/getdns_extra.h.in | 35 +++++++++++++++++++++++++++++++++++
 src/libgetdns.symbols | 1 +
 3 files changed, 48 insertions(+), 6 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index 94cf8cfd..bf18a701 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3359,9 +3359,10 @@ static int wire_validate_dnssec(struct mem_funcs *mf,
 *
 */
 getdns_return_t
-getdns_validate_dnssec(getdns_list *records_to_validate,
+getdns_validate_dnssec2(getdns_list *records_to_validate,
 getdns_list *support_records,
- getdns_list *trust_anchors)
+ getdns_list *trust_anchors,
+ time_t now, uint32_t skew)
 {
 uint8_t to_val_buf[4096], *to_val, support_buf[4096], *support,
@@ -3377,9 +3378,6 @@ getdns_validate_dnssec(getdns_list *records_to_validate,
 size_t i;
 getdns_dict *reply;
- time_t now;
- uint32_t skew;
-
 #if defined(SEC_DEBUG) && SEC_DEBUG
 fflush(stdout);
 #endif
@@ -3387,7 +3385,6 @@ getdns_validate_dnssec(getdns_list *records_to_validate,
 if (!records_to_validate || !support_records || !trust_anchors)
 return GETDNS_RETURN_INVALID_PARAMETER;
 mf = &records_to_validate->mf;
- now = time(NULL);
 skew = 0;
 /* First convert everything to wire format
@@ -3453,6 +3450,15 @@ exit_free_support:
 }
+getdns_return_t
+getdns_validate_dnssec(getdns_list *records_to_validate,
+ getdns_list *support_records,
+ getdns_list *trust_anchors)
+{
+ return getdns_validate_dnssec2(records_to_validate, support_records,
+ trust_anchors, time(NULL), 0);
+}
+
 /****************** getdns_root_trust_anchor() Function ********************
 *****************************************************************************/
diff --git a/src/getdns/getdns_extra.h.in b/src/getdns/getdns_extra.h.in
index 49664177..5493a7d8 100644
--- a/src/getdns/getdns_extra.h.in
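Review bot: The new time parameter is named `now` in this definition but `validation_time` in the prototype the same commit adds to src/getdns/getdns_extra.h.in, so the public documentation and the code already disagree on the first day. Renaming the definition to match, `time_t validation_time, uint32_t skew)`, is a one-line change here. The header describes the value as wrapping with RFC1982 serial-number arithmetic, which only holds once the 64-bit `time_t` has been reduced to the 32-bit RRSIG timestamp space; that reduction is presumably done further down the body, which continues past the end of the hunk, and deserves a one-line comment at that point.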
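Review bot: The compatibility wrapper `getdns_validate_dnssec` added in the last hunk carries no comment, while the function it forwards to keeps its full doc block, so a reader has no hint why two entry points exist. A short header such as `/* Backwards-compatible entry point: validates against the current wall-clock time with no permitted skew. */` would state that the old API's behaviour is unchanged and that callers needing reproducible or offline validation should use `getdns_validate_dnssec2`. Note also that a `time(NULL)` failure, `(time_t)-1`, is passed straight through; whether that matters depends on how the callee treats it, which is outside this hunk.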
+++ b/src/getdns/getdns_extra.h.in
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #ifdef __cplusplus
 extern "C" {
@@ -635,6 +636,40 @@ getdns_fp2rr_list(
 FILE *in, getdns_list **rr_list, const char *origin, uint32_t default_ttl);
+/**
+ * Validate replies or resource records.
+ *
+ * @param to_validate A list of RR-dicts with companion RRSIG-RR-dicts
+ * which will be validated. Or a list of reply-dicts
+ * that will be validated. The "replies_tree" list
+ * of a response dict can be used directly here.
+ * @param support_records A list of DS's RR-dicts and DNSKEY RR-dicts with
+ * companion RRSIG-RR-dicts that lead up from one of
+ * the trust_anchors to the RR-dicts or replies to
+ * validate. The "validation_chain" list of a response
+ * dict (with the dnssec_return_validation_chain
+ * extension) can be used directly here.
+ * @param trust_anchors The list of trusted DNSKEYs or DS'es RR-dicts.
+ * The result of the getdns_root_trust_anchor() or the
+ * getdns_context_get_dnssec_trust_anchors() function
+ * can be used directly here.
+ * @param validation_time The point in time in seconds since 1 January 1970
+ * 00:00:00 UTC, ignoring leap seconds, wrapping using
+ * "Serial number arithmetic", as defined in RFC1982.
+ * @param skew The numer of seconds of skew that is allowed in
+ * either direction when checking an RRSIG's
+ * Expiration and Inception fields
+ * @return The dnssec status of validated records or replies,
+ * GETDNS_DNSSEC_SECURE, GETDNS_DNSSEC_INSECURE,
+ * GETDNS_DNSSEC_INDETERMINATE or GETDNS_DNSSEC_BOGUS, or an error
+ * return code.
+ */
+getdns_return_t
+getdns_validate_dnssec2(getdns_list *to_validate,
+ getdns_list *support_records,
+ getdns_list *trust_anchors,
+ time_t validation_time, uint32_t skew);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/libgetdns.symbols b/src/libgetdns.symbols
index 8b35ff37..14fc4cf6 100644
--- a/src/libgetdns.symbols
+++ b/src/libgetdns.symbols
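Review bot: The `@param skew` text has a typo, `numer` should be `number`, and the two time-related parameters lack a caveat the comment should carry. Because this entry point lets the caller choose both the validation time and the tolerance, the doc should say that a large `skew` widens the window in which an otherwise expired or not-yet-valid RRSIG is accepted, so callers should keep it to the few seconds of clock drift they genuinely expect. The `validation_time` paragraph could also state explicitly which 32 bits of the `time_t` take part in the comparison, since RFC1982 arithmetic only applies after that reduction; how it is done is presumably in the implementation and not visible here. The parameter is named `now` in the definition in src/dnssec.c; I raised that mismatch on the hunk there.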
@@ -130,6 +130,7 @@ getdns_snprint_json_list
 getdns_str2rr_dict
 getdns_strerror
 getdns_validate_dnssec
+getdns_validate_dnssec2
 getdns_wire2rr_dict
 getdns_wire2rr_dict_buf
 getdns_wire2rr_dict_scan
From 707b0d21c889242d77e99a2379fe4abf7573308c Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 11 Feb 2016 11:27:03 +0100
Subject: [PATCH 2/2] bugfix: don't reset skew
---
 src/dnssec.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index bf18a701..0fd33e01 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -3385,7 +3385,6 @@ getdns_validate_dnssec2(getdns_list *records_to_validate,
 if (!records_to_validate || !support_records || !trust_anchors)
 return GETDNS_RETURN_INVALID_PARAMETER;
 mf = &records_to_validate->mf;
- skew = 0;
 /* First convert everything to wire format
 */
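Review bot: With `skew = 0;` removed the caller-supplied tolerance reaches the signature checks for the first time, yet nothing on this page exercises it; the first patch shipped with the parameter silently overwritten and no test caught that. A regression test that calls `getdns_validate_dnssec2` with a `validation_time` just past an RRSIG's Expiration and checks the result with `skew` 0 (presumably GETDNS_DNSSEC_BOGUS) against the result with a `skew` that covers the gap (presumably GETDNS_DNSSEC_SECURE) would pin both the time and the skew paths. How `skew` is applied lives in the rest of the function body, which continues outside the hunk.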