From 8f6cc1227d521881ddd4f5fb2e4c34dba48441e8 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 18 Mar 2020 17:47:49 +0100
Subject: [PATCH] dnsdist: Set the DoH ticket rotation delay before loading tickets

Before that change, we could have loaded DoH STEK from a file without properly setting the next rotation, causing a ticket rotation to happen during the first TLS session establishment. This can be prevented by setting `ticketsKeysRotationDelay=0`.
---
 pdns/dnsdistdist/doh.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 6abf4b304e..781aac1c34 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -1098,6 +1098,7 @@ static void setupTLSContext(DOHAcceptContext& acceptCtx,
   h2o_ssl_register_alpn_protocols(ctx.get(), h2o_http2_alpn_protocols);
+  acceptCtx.d_ticketsKeyRotationDelay = tlsConfig.d_ticketsKeyRotationDelay;
   if (tlsConfig.d_ticketKeyFile.empty()) {
     acceptCtx.handleTicketsKeyRotation();
   }
-- 
2.47.2
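Review bot: The ordering the added line establishes is load-bearing but undocumented: nothing in the hunk records that `d_ticketsKeyRotationDelay` must be assigned before `handleTicketsKeyRotation()` runs (and, per the commit message, before the ticket keys are loaded from `d_ticketKeyFile` in the branch that presumably follows), so a later refactor could move the assignment back down and silently reintroduce the rotation on the first TLS handshake. A one-line comment above the assignment would pin the dependency: `// Set the rotation delay before any key load/rotation below: the next rotation is scheduled from it.` setupTLSContext begins before the hunk and the non-empty-d_ticketKeyFile branch lies outside it, so the load path itself cannot be checked here.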