* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
/*% */
#include <config.h>
}
if (ztype == dns_zone_master || raw != NULL) {
+ const cfg_obj_t *validity, *resign;
isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- {
- const cfg_obj_t *validity, *resign;
-
- validity = cfg_tuple_get(obj, "validity");
- seconds = cfg_obj_asuint32(validity) * 86400;
- dns_zone_setsigvalidityinterval(zone, seconds);
- resign = cfg_tuple_get(obj, "re-sign");
- if (cfg_obj_isvoid(resign)) {
- seconds /= 4;
+ validity = cfg_tuple_get(obj, "validity");
+ seconds = cfg_obj_asuint32(validity);
+ if (!ns_g_sigvalinsecs) {
+ seconds *= 86400;
+ }
+ dns_zone_setsigvalidityinterval(zone, seconds);
+
+ resign = cfg_tuple_get(obj, "re-sign");
+ if (cfg_obj_isvoid(resign)) {
+ seconds /= 4;
+ } else if (!ns_g_sigvalinsecs) {
+ if (seconds > 7 * 86400) {
+ seconds = cfg_obj_asuint32(resign) * 86400;
} else {
- if (seconds > 7 * 86400)
- seconds = cfg_obj_asuint32(resign) *
- 86400;
- else
- seconds = cfg_obj_asuint32(resign) *
- 3600;
+ seconds = cfg_obj_asuint32(resign) * 3600;
}
- dns_zone_setsigresigninginterval(zone, seconds);
+ } else {
+ seconds = cfg_obj_asuint32(resign);
}
+ dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
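Review bot: In the `ns_g_sigvalinsecs` path the configured numbers are used as raw seconds with no floor, so `seconds = cfg_obj_asuint32(validity);` can hand 0 or 1 to `dns_zone_setsigvalidityinterval()`, and a void `re-sign` with a validity under 4 makes `seconds /= 4` yield a zero re-signing interval. The signing code later in this diff then takes `expire = soaexpire - 1` for intervals under 3600, which for 0 or 1 is not later than `now`. Whether the configuration checker rejects such values is not visible here; if it does not, the value should be rejected or clamped before the two setters are called. I would also add `/* With ns_g_sigvalinsecs set, both values are raw seconds rather than days (validity) and days or hours (re-sign). */` above the `validity` lookup. The enclosing function begins and ends outside this hunk.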
isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire, stop;
- isc_uint32_t jitter;
+ isc_uint32_t jitter, sigvalidityinterval;
unsigned int i;
unsigned int nkeys = 0;
unsigned int resign;
}
isc_stdtime_get(&now);
+ sigvalidityinterval = zone->sigvalidityinterval;
inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600 - 1;
+ if (sigvalidityinterval >= 3600U) {
+ isc_random_get(&jitter);
+ if (sigvalidityinterval > 7200U) {
+ jitter %= 3600;
+ } else {
+ jitter %= 1200;
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
stop = now + 5;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
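Review bot: `sigvalidityinterval = zone->sigvalidityinterval;` reads the field directly, while the line it replaces and the two parallel signing hunks below call `dns_zone_getsigvalidityinterval(zone)`. If the accessor performs any validation, this copy skips it, and the three otherwise identical blocks no longer read the same way. Unless direct access is deliberate here, I would write `sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);`, or add a short comment saying why this function differs. The function body starts and ends outside the hunk.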
isc_boolean_t first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
- isc_uint32_t jitter;
+ isc_uint32_t jitter, sigvalidityinterval;
unsigned int i;
unsigned int nkeys = 0;
isc_uint32_t nodes;
}
isc_stdtime_get(&now);
+ sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
+ if (sigvalidityinterval >= 3600U) {
+ isc_random_get(&jitter);
+ if (sigvalidityinterval > 7200U) {
+ jitter %= 3600;
+ } else {
+ jitter %= 1200;
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
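Review bot: The jitter selection added here is the same eleven lines as in the previous signing hunk and in the one that follows, so the 3600/7200/1200 thresholds now have to be kept in step in three places. A small static helper would hold them once and would also make it visible that this function's expiry moves one second earlier (the removed line was `expire = soaexpire - jitter % 3600;`, without the `- 1`). The comment above the block does not say why the cap drops to 1200 for intervals of 7200 or less, or why jitter is skipped below 3600; the helper is the natural place to document that. The helper name below is only a suggestion, and the enclosing function continues outside the hunk.

```c
/*
 * Choose the expiry for new signatures: no jitter when the validity
 * interval is under 3600s, less than 1200s of jitter for 3600..7200s,
 * and less than 3600s of jitter otherwise.
 */
static isc_stdtime_t
jittered_expire(isc_stdtime_t soaexpire, isc_uint32_t sigvalidityinterval) {
	isc_uint32_t jitter;

	if (sigvalidityinterval < 3600U) {
		return (soaexpire - 1);
	}
	isc_random_get(&jitter);
	jitter %= (sigvalidityinterval > 7200U) ? 3600U : 1200U;
	return (soaexpire - jitter - 1);
}

/* ... unchanged: isc_stdtime_get(), inception and soaexpire setup ... */
expire = jittered_expire(soaexpire, sigvalidityinterval);
```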
isc_boolean_t first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
- isc_uint32_t jitter;
+ isc_uint32_t jitter, sigvalidityinterval;
unsigned int i, j;
unsigned int nkeys = 0;
isc_uint32_t nodes;
}
isc_stdtime_get(&now);
+ sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
+ if (sigvalidityinterval >= 3600U) {
+ isc_random_get(&jitter);
+ if (sigvalidityinterval > 7200U) {
+ jitter %= 3600;
+ } else {
+ jitter %= 1200;
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
/*
* We keep pulling nodes off each iterator in turn until