From: Remi Gacogne
Date: Wed, 18 Mar 2020 16:47:49 +0000 (+0100)
Subject: dnsdist: Set the DoH ticket rotation delay before loading tickets
X-Git-Tag: dnsdist-1.5.0-alpha1~7^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F8949%2Fhead;p=thirdparty%2Fpdns.git

dnsdist: Set the DoH ticket rotation delay before loading tickets

Before that change, we could have loaded DoH STEK from a file without properly setting the next rotation, causing a ticket rotation to happen during the first TLS session establishment. This can be prevented by setting `ticketsKeysRotationDelay=0`.
---
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 6abf4b304e..781aac1c34 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -1098,6 +1098,7 @@ static void setupTLSContext(DOHAcceptContext& acceptCtx, h2o_ssl_register_alpn_protocols(ctx.get(), h2o_http2_alpn_protocols); + acceptCtx.d_ticketsKeyRotationDelay = tlsConfig.d_ticketsKeyRotationDelay; if (tlsConfig.d_ticketKeyFile.empty()) { acceptCtx.handleTicketsKeyRotation(); }
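Review bot: the assignment added just before `if (tlsConfig.d_ticketKeyFile.empty())` fixes an ordering dependency that nothing in the code states, so a one-line comment above it (for example `/* must be set before the tickets keys are loaded or rotated: that is what computes the next rotation from the delay */`) would keep a later refactor from moving it back below the load. The visible context of this hunk only covers the branch taken when no ticket key file is configured, whereas the commit message describes the bug in the path that loads the STEK from a file; please confirm that the file-loading branch, which lies outside the shown context, now also runs after this assignment. The change ships without a test, and a regression test that configures a ticket key file with the default rotation delay and checks that no rotation happens during the first TLS session establishment would pin the fix down.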
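The ordering bug the commit message describes, as an added example and not dnsdist's own code: a small C++ model of a ticket-key ring in which loading keys from a file schedules the next rotation from whatever delay is configured at that moment, a delay of 0 disables automatic rotation (an assumption that matches the `ticketsKeysRotationDelay=0` workaround in the message), and a never-scheduled next rotation of 0 is past due at the first new session. The struct, field and function names (`TicketKeyRing`, `loadKeysFromFile`, `onNewSession`, `firstSessionRotates`), the clock values and the key contents are all invented for this illustration; the real `DOHAcceptContext` and the exact semantics of `handleTicketsKeyRotation` are not shown on this page.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Model of a session-ticket key ring with time-based rotation. Invented for
// this example; it is not dnsdist's DOHAcceptContext, only an assumed model
// of the behaviour the commit message describes.
struct TicketKeyRing {
  // Seconds between rotations. 0 disables automatic rotation (assumed,
  // matching the "ticketsKeysRotationDelay=0" workaround in the message).
  uint64_t rotationDelay = 0;
  // Absolute time of the next rotation; 0 means "never scheduled", which
  // every later instant compares as past due.
  uint64_t nextRotation = 0;
  std::vector<std::string> keys;  // newest key first
  unsigned rotations = 0;

  // Load keys "from a file" (the contents are passed in so the example runs
  // offline) and schedule the next rotation from the delay configured at
  // this moment. With rotationDelay still 0, nothing gets scheduled.
  void loadKeysFromFile(const std::vector<std::string>& fileKeys, uint64_t now) {
    keys = fileKeys;
    if (rotationDelay > 0) {
      nextRotation = now + rotationDelay;
    }
  }

  // Called when a new TLS session is established: rotate if the deadline
  // has passed. Returns true when a rotation happened.
  bool onNewSession(uint64_t now) {
    if (rotationDelay == 0) {
      return false;  // automatic rotation disabled
    }
    if (now > nextRotation) {
      keys.insert(keys.begin(), "generated-" + std::to_string(++rotations));
      nextRotation = now + rotationDelay;
      return true;
    }
    return false;
  }
};

// Runs one start-up sequence and reports whether the very first TLS session
// triggered a rotation. setDelayBeforeLoad=false reproduces the ordering the
// commit fixes; true is the ordering after the fix.
bool firstSessionRotates(bool setDelayBeforeLoad, uint64_t configuredDelay) {
  const uint64_t startup = 1000000;                           // constructed clock value
  const std::vector<std::string> fileKeys{"stek-from-file"};  // constructed STEK
  TicketKeyRing ring;
  if (setDelayBeforeLoad) {
    ring.rotationDelay = configuredDelay;
  }
  ring.loadKeysFromFile(fileKeys, startup);
  if (!setDelayBeforeLoad) {
    // Too late: the load already ran with delay 0, so nextRotation is still 0
    // and the first session below is past due.
    ring.rotationDelay = configuredDelay;
  }
  return ring.onNewSession(startup + 1);
}

int main() {
  const uint64_t delay = 43200;  // assumed 12h rotation delay for the demo
  std::cout << std::boolalpha
            << "delay set after load:  first session rotates = "
            << firstSessionRotates(false, delay) << '\n'
            << "delay set before load: first session rotates = "
            << firstSessionRotates(true, delay) << '\n'
            << "workaround delay=0:    first session rotates = "
            << firstSessionRotates(false, 0) << '\n';
  return 0;
}
```

The only difference between the two runs is where the delay is assigned relative to the load, which is exactly what the one-line hunk above changes; the third run shows why forcing the delay to 0 hides the symptom by switching automatic rotation off entirely rather than by scheduling it correctly.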