From: Mark Andrews
Date: Thu, 3 May 2018 06:43:15 +0000 (+1000)
Subject: add support -T sigvalinsecs
X-Git-Tag: v9.13.1~10^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87a3dc8ab930ce4b3f338905903ffa08e4113159;p=thirdparty%2Fbind9.git

add support -T sigvalinsecs
---

diff --git a/bin/named/main.c b/bin/named/main.c
index 341a8c794d9..6838d3c4c41 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -129,6 +129,7 @@ static unsigned int delay = 0;
 static isc_boolean_t nonearest = ISC_FALSE;
 static isc_boolean_t notcp = ISC_FALSE;
 static isc_boolean_t fixedlocal = ISC_FALSE;
+static isc_boolean_t sigvalinsecs = ISC_FALSE;
 
 /*
 * -4 and -6
@@ -541,6 +542,8 @@ parse_T_opt(char *option) {
 if (dns_zone_mkey_month < dns_zone_mkey_day) {
 named_main_earlyfatal("bad mkeytimer");
 }
+ } else if (!strcmp(option, "sigvalinsecs")) {
+ sigvalinsecs = ISC_TRUE;
 } else if (!strncmp(option, "tat=", 4)) {
 named_g_tat_interval = atoi(option + 4);
 } else {
@@ -1111,6 +1114,8 @@ setup(void) {
 ns_server_setoption(sctx, NS_SERVER_DISABLE4, ISC_TRUE);
 if (disable6)
 ns_server_setoption(sctx, NS_SERVER_DISABLE6, ISC_TRUE);
+ if (sigvalinsecs)
+ ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, ISC_TRUE);
 
 named_g_server->sctx->delay = delay;
 }
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index a6a59c3231a..81040e5e245 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1439,7 +1439,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 }
 if (ztype == dns_zone_master || raw != NULL) {
+ const cfg_obj_t *validity, *resign;
 isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
+ isc_boolean_t sigvalinsecs;
 
 obj = NULL;
 result = named_config_get(maps, "dnskey-sig-validity", &obj);
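Review bot: The new `static isc_boolean_t sigvalinsecs = ISC_FALSE;` in the first main.c hunk carries no comment saying what it controls, and the parse_T_opt branch `} else if (!strcmp(option, "sigvalinsecs")) {` is the only hint that this is a test hook that changes the unit of a production configuration option rather than a user-facing switch. I'd add `/* -T sigvalinsecs: treat sig-validity-interval values as seconds, not days/hours (testing only) */` above the declaration, and list the option wherever the other `-T` options are described. parse_T_opt and setup both begin and end outside their hunks.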
@@ -1450,26 +1452,29 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 obj = NULL;
 result = named_config_get(maps, "sig-validity-interval", &obj);
 INSIST(result == ISC_R_SUCCESS && obj != NULL);
- {
- const cfg_obj_t *validity, *resign;
-
- validity = cfg_tuple_get(obj, "validity");
- seconds = cfg_obj_asuint32(validity) * 86400;
- dns_zone_setsigvalidityinterval(zone, seconds);
- resign = cfg_tuple_get(obj, "re-sign");
- if (cfg_obj_isvoid(resign)) {
- seconds /= 4;
+ sigvalinsecs = ns_server_getoption(named_g_server->sctx,
+ NS_SERVER_SIGVALINSECS);
+ validity = cfg_tuple_get(obj, "validity");
+ seconds = cfg_obj_asuint32(validity);
+ if (!sigvalinsecs) {
+ seconds *= 86400;
+ }
+ dns_zone_setsigvalidityinterval(zone, seconds);
+
+ resign = cfg_tuple_get(obj, "re-sign");
+ if (cfg_obj_isvoid(resign)) {
+ seconds /= 4;
+ } else if (!sigvalinsecs) {
+ if (seconds > 7 * 86400) {
+ seconds = cfg_obj_asuint32(resign) * 86400;
 } else {
- if (seconds > 7 * 86400)
- seconds = cfg_obj_asuint32(resign) *
- 86400;
- else
- seconds = cfg_obj_asuint32(resign) *
- 3600;
+ seconds = cfg_obj_asuint32(resign) * 3600;
 }
- dns_zone_setsigresigninginterval(zone, seconds);
+ } else {
+ seconds = cfg_obj_asuint32(resign);
 }
+ dns_zone_setsigresigninginterval(zone, seconds);
 
 obj = NULL;
 result = named_config_get(maps, "key-directory", &obj);
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 22ba83bad19..adb76a59712 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6412,6 +6412,7 @@ zone_resigninc(dns_zone_t *zone) {
 isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire, stop;
+ isc_uint32_t jitter, sigvalidityinterval;
 unsigned int i;
 unsigned int nkeys = 0;
 unsigned int resign;
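Review bot: The switch to raw seconds at `sigvalinsecs = ns_server_getoption(named_g_server->sctx, NS_SERVER_SIGVALINSECS);` silently changes the unit of two production config values and skips the 7-day heuristic in the `} else if (!sigvalinsecs) {` branch, but nothing in the hunk says why; I'd add `/* -T sigvalinsecs (testing only): validity and re-sign are raw seconds, so no day/hour scaling and no 7-day heuristic. */` above that line. In the seconds mode the `re-sign` value also goes straight to `dns_zone_setsigresigninginterval()` with no relation to `validity` checked anywhere on this page; if the config checker only validates the day-based ranges, a re-sign interval longer than the validity interval could get through, which is worth confirming. named_zone_configure begins and ends outside the hunk.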
@@ -6456,14 +6457,24 @@ zone_resigninc(dns_zone_t *zone) {
 goto failure;
 }
+ sigvalidityinterval = zone->sigvalidityinterval;
 inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
 
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
 * we still want some clustering to occur.
 */
- expire = soaexpire - isc_random_uniform(3600) - 1;
+ if (sigvalidityinterval >= 3600U) {
+ if (sigvalidityinterval > 7200U) {
+ jitter = isc_random_uniform(3600);
+ } else {
+ jitter = isc_random_uniform(1200);
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
 stop = now + 5;
 
 check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@@ -7406,6 +7417,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 isc_boolean_t first;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire;
+ isc_uint32_t jitter, sigvalidityinterval;
 unsigned int i;
 unsigned int nkeys = 0;
 isc_uint32_t nodes;
@@ -7474,15 +7486,25 @@ zone_nsec3chain(dns_zone_t *zone) {
 goto failure;
 }
 
+ sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
 
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
 * we still want some clustering to occur.
 */
- expire = soaexpire - isc_random_uniform(3600);
+ if (sigvalidityinterval >= 3600U) {
+ if (sigvalidityinterval > 7200U) {
+ jitter = isc_random_uniform(3600);
+ } else {
+ jitter = isc_random_uniform(1200);
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
 
 check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
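Review bot: The ten-line jitter block after the "Spread out signatures" comment is pasted verbatim into zone_resigninc here, again into zone_nsec3chain in the next hunk, and into zone_sign in the following hunk set, so any later tuning of the 3600/7200/1200 thresholds has to be made three times; a `static` helper taking `soaexpire` and `sigvalidityinterval` and returning `expire` would keep the three passes in step. In the same hunk `sigvalidityinterval = zone->sigvalidityinterval;` reads the field directly while the other two sites use `dns_zone_getsigvalidityinterval(zone)`; I'd use the getter here as well. For intervals below 3600 seconds the new else branch yields `expire = soaexpire - 1`, which for an interval of 1 or 0 is at or before `now`; if the config layer does not already reject such values, a floor or at least a comment on that branch would help. All three functions begin and end outside their hunks.
```c
/*
 * RRSIG expiry for one signing pass: the SOA-derived expiry minus a
 * random jitter so that signatures made together do not all expire
 * together.  Short validity intervals get a smaller (or no) jitter so
 * the jitter never consumes most of the signature window.
 */
static isc_stdtime_t
sig_expire(isc_stdtime_t soaexpire, isc_uint32_t sigvalidityinterval) {
	isc_uint32_t jitter = 0;

	if (sigvalidityinterval > 7200U) {
		jitter = isc_random_uniform(3600);
	} else if (sigvalidityinterval >= 3600U) {
		jitter = isc_random_uniform(1200);
	}
	return (soaexpire - jitter - 1);
}

	/* … unchanged: zone_resigninc up to the "Spread out signatures" comment … */
	expire = sig_expire(soaexpire, sigvalidityinterval);
```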
@@ -8342,6 +8364,7 @@ zone_sign(dns_zone_t *zone) {
 isc_boolean_t first;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire;
+ isc_uint32_t jitter, sigvalidityinterval;
 unsigned int i, j;
 unsigned int nkeys = 0;
 isc_uint32_t nodes;
@@ -8392,15 +8415,25 @@ zone_sign(dns_zone_t *zone) {
 goto failure;
 }
 
+ sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
 
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
 * we still want some clustering to occur.
 */
- expire = soaexpire - isc_random_uniform(3600);
+ if (sigvalidityinterval >= 3600U) {
+ if (sigvalidityinterval > 7200U) {
+ jitter = isc_random_uniform(3600);
+ } else {
+ jitter = isc_random_uniform(1200);
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
 
 /*
 * We keep pulling nodes off each iterator in turn until
@@ -17633,7 +17666,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 
 keyexpire = dns_zone_getkeyvalidityinterval(zone);
 if (keyexpire == 0) {
- keyexpire = soaexpire;
+ keyexpire = soaexpire - 1;
 } else {
 keyexpire += now;
 }
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index 880de7dad21..bcfb69a92c5 100644
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -40,6 +40,7 @@
 #define NS_SERVER_DISABLE4 0x00000100U /*%< -6 */
 #define NS_SERVER_DISABLE6 0x00000200U /*%< -4 */
 #define NS_SERVER_FIXEDLOCAL 0x00000400U /*%< -T fixedlocal */
+#define NS_SERVER_SIGVALINSECS 0x00000800U /*%< -T sigvalinsecs */
 
 /*%
 * Type for callback function to get hostname.
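Review bot: The `- 1` in `keyexpire = soaexpire - 1;` in the sign_apex hunk is unexplained; it presumably brings the expiry used when `dns_zone_getkeyvalidityinterval()` returns 0 into line with the `soaexpire - jitter - 1` / `soaexpire - 1` values the signing passes now compute, but a reader cannot tell that from the hunk alone. I'd put `/* Keep in step with the "- 1" applied to expire in zone_sign(). */` on that line, naming whichever pass actually drives it. sign_apex begins and ends outside the hunk, so the origin of `soaexpire` here is not visible either.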