peterzen · peterzen · Jun 25, 2025 · Jun 26, 2025 · Feb 16, 2026
diff --git a/lookup_test.go b/lookup_test.go
@@ -45,6 +45,7 @@ func mockQueryUpdate(t *testing.T, qname string, qtype uint16) (*dns.Msg, error)
 
 func newResolver(t *testing.T) (res *Resolver) {
 	resolver, _ := NewResolver("./testdata/resolv.conf")
+
 	resolver.queryFn = func(qname string, qtype uint16) (*dns.Msg, error) {
 		msg := &dns.Msg{}
 		if isMockQuery == false {

diff --git a/main_test.go b/main_test.go
@@ -0,0 +1,20 @@
+package goresolver
+
+import (
+	"os"
+	"testing"
+	"time"
+)
+
+// TestMain sets a fixed current time so that DNSSEC signatures in
+// archived fixture data remain valid during the tests.
+func TestMain(m *testing.M) {
+	nowFunc = func() time.Time {
+		// 15 March 2019 00:00:00 UTC is within the validity period of
+		// all RRSIG records used in the fixture data.
+		return time.Date(2019, 3, 15, 0, 0, 0, 0, time.UTC)
+	}
+	code := m.Run()
+	nowFunc = time.Now
+	os.Exit(code)
+}
diff --git a/signedzone.go b/signedzone.go
@@ -7,6 +7,11 @@ import (
 	"time"
 )
 
+// nowFunc returns the current time. It is a variable so
+// tests can override it to ensure deterministic behaviour
+// with archived DNS fixture data.
+var nowFunc = time.Now
+
 // SignedZone represents a DNSSEC-enabled zone, its DNSKEY and DS records
 type SignedZone struct {
 	zone         string
@@ -50,7 +55,7 @@ func (z SignedZone) verifyRRSIG(signedRRset *RRSet) (err error) {
 		return err
 	}
 
-	if !signedRRset.rrSig.ValidityPeriod(time.Now()) {
+	if !signedRRset.rrSig.ValidityPeriod(nowFunc()) {
 		log.Println("invalid validity period", err)
 		return ErrRrsigValidityPeriod
 	}