#include <isc/netaddr.h>
#include <isc/platform.h>
#include <isc/print.h>
+#include <isc/random.h>
#include <isc/serial.h>
#include <isc/stats.h>
#include <isc/stdtime.h>
sign_nsec, update_nsec3, process_nsec3, sign_nsec3 } state;
};
+static uint32_t
+dns__jitter_expire(dns_zone_t *zone, uint32_t sigvalidityinterval) {
+ /* Spread out signatures over time */
+ if (sigvalidityinterval >= 3600U) {
+ uint32_t expiryinterval = dns_zone_getsigresigninginterval(zone);
+
+ if (sigvalidityinterval < 7200U) {
+ expiryinterval = 1200;
+ } else if (expiryinterval > sigvalidityinterval) {
+ expiryinterval = sigvalidityinterval;
+ } else {
+ expiryinterval = sigvalidityinterval - expiryinterval;
+ }
+ uint32_t jitter = isc_random_uniform(expiryinterval);
+ sigvalidityinterval -= jitter;
+ }
+ return (sigvalidityinterval);
+}
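Review bot: In dns__jitter_expire the `expiryinterval > sigvalidityinterval` clamp at L18-L19 makes the jitter range the entire validity window, so for a re-signing interval longer than the validity interval `isc_random_uniform(expiryinterval)` can return up to `sigvalidityinterval - 1` and the function can hand back a validity of a single second; when the two intervals are equal the `else` branch yields `expiryinterval == 0` and the call becomes `isc_random_uniform(0)`, whose result for an upper bound below 2 is not established by anything visible here. The intent of the normal branch appears to be "never expire before the next re-sign point" (the result lies in `[resigninginterval + 1, sigvalidityinterval]`), and the clamp abandons that guarantee instead of preserving a floor; one option is to treat `expiryinterval >= sigvalidityinterval` as misconfiguration and keep half the window, `if (expiryinterval >= sigvalidityinterval) { expiryinterval = sigvalidityinterval / 2; }`, or to log it. The helper also deserves a header comment stating the contract, e.g. `/* Returns a validity interval in (0, sigvalidityinterval] reduced by a random amount so that signatures fall due spread across the re-signing window. */`, since the zero/one-second corner is otherwise invisible to callers.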
+
isc_result_t
dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_dbversion_t *oldver, dns_dbversion_t *newver,
isc_stdtime_get(&now);
state->inception = now - 3600; /* Allow for some clock skew. */
- state->expire = now + sigvalidityinterval;
+ state->expire = now + dns__jitter_expire(zone, sigvalidityinterval);
state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
if (state->keyexpire == 0) {
state->keyexpire = state->expire;
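Review bot: The jittered `state->expire` now also becomes `state->keyexpire` via the fallback at L37-L38 when no key validity interval is configured, so DNSKEY RRSIG expiry inherits the randomisation as a side effect of this change rather than by an explicit decision. If that is intended it should be stated at the fallback, e.g. `/* No key validity interval: key signatures share the (jittered) zone signature expiry. */`; if not, the pre-jitter value would need to be kept separately. dns_update_signaturesinc begins and ends outside this hunk, so I cannot see whether `keyexpire` is later converted from interval to absolute time.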
dst_key_t *zone_keys[DNS_MAXZONEKEYS];
bool check_ksk, keyset_kskonly = false;
isc_result_t result;
- isc_stdtime_t now, inception, soaexpire, expire, stop;
- uint32_t jitter, sigvalidityinterval;
+ isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop;
+ uint32_t sigvalidityinterval, expiryinterval;
unsigned int i;
unsigned int nkeys = 0;
unsigned int resign;
sigvalidityinterval = zone->sigvalidityinterval;
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + sigvalidityinterval;
+ expiryinterval = dns_zone_getsigresigninginterval(zone);
+ if (expiryinterval > sigvalidityinterval) {
+ expiryinterval = sigvalidityinterval;
+ } else {
+ expiryinterval = sigvalidityinterval - expiryinterval;
+ }
+
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
- * we still want some clustering to occur.
+ * we still want some clustering to occur. In normal operations
+ * the records should be re-signed as they fall due and they should
+ * already be spread out. However if the server is off for a
+ * period we need to ensure that the clusters don't become
+ * synchronised by using the full jitter range.
*/
if (sigvalidityinterval >= 3600U) {
+ uint32_t normaljitter, fulljitter;
if (sigvalidityinterval > 7200U) {
- jitter = isc_random_uniform(3600);
+ normaljitter = isc_random_uniform(3600);
+ fulljitter = isc_random_uniform(expiryinterval);
} else {
- jitter = isc_random_uniform(1200);
+ normaljitter = fulljitter = isc_random_uniform(1200);
}
- expire = soaexpire - jitter - 1;
+ expire = soaexpire - normaljitter - 1;
+ fullexpire = soaexpire - fulljitter - 1;
} else {
- expire = soaexpire - 1;
+ expire = fullexpire = soaexpire - 1;
}
stop = now + 5;
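Review bot: `fullexpire = soaexpire - fulljitter - 1` at L81 can evaluate to exactly `now` when `expiryinterval` has been clamped to `sigvalidityinterval` at L53-L54, because `isc_random_uniform(expiryinterval)` at L74 may return `sigvalidityinterval - 1`; a signature produced with that expiry is already expired at creation. The clamp should keep some of the window rather than all of it, for example `if (expiryinterval >= sigvalidityinterval) { expiryinterval = sigvalidityinterval / 2; }`, which also avoids calling `isc_random_uniform(0)` in the equal-intervals case that the current `else` branch produces. The same clamp appears to be duplicated in the other hunks of this patch; a shared helper would keep the three copies from drifting. zone_resigninc continues beyond this hunk, so the consumer of `fullexpire` is not visible here.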
break;
}
+ /*
+ * If re-signing is over 5 minutes late use 'fullexpire'
+ * to redistribute the signature over the complete
+ * re-signing window, otherwise only add a small amount
+ * of jitter.
+ */
result = add_sigs(db, version, name, zone, covers,
zonediff.diff, zone_keys, nkeys, zone->mctx,
- inception, expire, check_ksk, keyset_kskonly);
+ inception,
+ resign > (now - 300) ? expire : fullexpire,
+ check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:add_sigs -> %s",
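Review bot: The lateness threshold is a bare `300` in the expression at L99 while the comment above it says "5 minutes", so the two can silently diverge; name it once, `#define RESIGN_LATE_THRESHOLD 300 /* seconds */`, and write `resign > (now - RESIGN_LATE_THRESHOLD) ? expire : fullexpire`. Note that `resign` is declared `unsigned int` (L48) and `now` is `isc_stdtime_t`, so the comparison is unsigned and `now - 300` wraps only in the first five minutes of the epoch, which is harmless here but worth a word in the comment. The enclosing loop and zone_resigninc itself start and end outside this hunk.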
bool first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
- uint32_t jitter, sigvalidityinterval;
+ uint32_t jitter, sigvalidityinterval, expiryinterval;
unsigned int i;
unsigned int nkeys = 0;
uint32_t nodes;
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + sigvalidityinterval;
+ expiryinterval = dns_zone_getsigresigninginterval(zone);
+ if (expiryinterval > sigvalidityinterval) {
+ expiryinterval = sigvalidityinterval;
+ } else {
+ expiryinterval = sigvalidityinterval - expiryinterval;
+ }
/*
* Spread out signatures over time if they happen to be
*/
if (sigvalidityinterval >= 3600U) {
if (sigvalidityinterval > 7200U) {
- jitter = isc_random_uniform(3600);
+ jitter = isc_random_uniform(expiryinterval);
} else {
jitter = isc_random_uniform(1200);
}