From: Mark Andrews Date: Thu, 3 May 2018 06:43:15 +0000 (+1000) Subject: add support -T sigvalinsecs X-Git-Tag: v9.9.13rc1~9^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb69786ff6a8a958eec496f67deb4de42ca70543;p=thirdparty%2Fbind9.git add support -T sigvalinsecs (cherry picked from commit 87a3dc8ab930ce4b3f338905903ffa08e4113159) (cherry picked from commit 69340b5ac58d95ab767f2f40bcd73c9b2d6bf2f7) (cherry picked from commit dd05287a31bf605af9980477835ee5ff6a6ce5b5) (cherry picked from commit ba76a92338003dc71d850794b2913f36440362e1)
---
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index c29dcf874e7..f0e0c3e77a9 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -14,8 +14,6 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: globals.h,v 1.92 2011/11/09 18:44:04 each Exp $ */
-
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
 
@@ -166,6 +164,7 @@ EXTERN isc_boolean_t ns_g_notcp INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_disable6 INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_disable4 INIT(ISC_FALSE);
 EXTERN isc_boolean_t ns_g_fixedlocal INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_sigvalinsecs INIT(ISC_FALSE);
 
 EXTERN dns_acl_t * ns_g_mapped INIT(NULL);
 
diff --git a/bin/named/main.c b/bin/named/main.c
index e0cc0785791..6675fa4fe7a 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -497,6 +497,8 @@ parse_T_opt(char *option) {
 if (dns_zone_mkey_month < dns_zone_mkey_day) {
 ns_main_earlyfatal("bad mkeytimer");
 }
+ } else if (!strcmp(option, "sigvalinsecs")) {
+ ns_g_sigvalinsecs = ISC_TRUE;
 } else {
 fprintf(stderr, "unknown -T flag '%s\n", option);
 }
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 303c4cf1700..855e972edeb 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
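Review bot: `ns_g_sigvalinsecs` joins the run-time globals in the second globals.h hunk with no comment, and its name alone does not tell a reader that it changes the units in which `sig-validity-interval` and `re-sign` are read rather than switching a feature on. A one-line comment on the new declaration would carry that, e.g. `/* -T sigvalinsecs: sig-validity-interval and re-sign values are raw seconds. */`. The EXTERN block continues outside the hunk, so matching any existing per-variable comment style there is not possible from here.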
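Review bot: The new `sigvalinsecs` branch in parse_T_opt() sets a process-wide flag that changes how every zone's `sig-validity-interval` and `re-sign` values are interpreted, yet nothing in the visible patch adds it to wherever the other `-T` options are listed for operators, so someone who finds it in a startup script has no description of its effect; add it there alongside the existing `-T` entries. Separately, the adjacent context line `fprintf(stderr, "unknown -T flag '%s\n", option);` lacks the closing quote after `%s`; that is pre-existing, but since this function is being touched it could become `fprintf(stderr, "unknown -T flag '%s'\n", option);`. parse_T_opt() begins and ends outside the hunk.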
@@ -1286,31 +1286,33 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 }
 
 if (ztype == dns_zone_master || raw != NULL) {
+ const cfg_obj_t *validity, *resign;
 isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
 
 obj = NULL;
 result = ns_config_get(maps, "sig-validity-interval", &obj);
 INSIST(result == ISC_R_SUCCESS && obj != NULL);
 
- {
- const cfg_obj_t *validity, *resign;
-
- validity = cfg_tuple_get(obj, "validity");
- seconds = cfg_obj_asuint32(validity) * 86400;
- dns_zone_setsigvalidityinterval(zone, seconds);
- resign = cfg_tuple_get(obj, "re-sign");
- if (cfg_obj_isvoid(resign)) {
- seconds /= 4;
+ validity = cfg_tuple_get(obj, "validity");
+ seconds = cfg_obj_asuint32(validity);
+ if (!ns_g_sigvalinsecs) {
+ seconds *= 86400;
+ }
+ dns_zone_setsigvalidityinterval(zone, seconds);
+
+ resign = cfg_tuple_get(obj, "re-sign");
+ if (cfg_obj_isvoid(resign)) {
+ seconds /= 4;
+ } else if (!ns_g_sigvalinsecs) {
+ if (seconds > 7 * 86400) {
+ seconds = cfg_obj_asuint32(resign) * 86400;
 } else {
- if (seconds > 7 * 86400)
- seconds = cfg_obj_asuint32(resign) *
- 86400;
- else
- seconds = cfg_obj_asuint32(resign) *
- 3600;
+ seconds = cfg_obj_asuint32(resign) * 3600;
 }
- dns_zone_setsigresigninginterval(zone, seconds);
+ } else {
+ seconds = cfg_obj_asuint32(resign);
 }
+ dns_zone_setsigresigninginterval(zone, seconds);
 
 obj = NULL;
 result = ns_config_get(maps, "key-directory", &obj);
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a67aed94c7b..7971f7ffa02 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -5906,7 +5906,7 @@ zone_resigninc(dns_zone_t *zone) {
 isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire, stop;
- isc_uint32_t jitter;
+ isc_uint32_t jitter, sigvalidityinterval;
 unsigned int i;
 unsigned int nkeys = 0;
 unsigned int resign;
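Review bot: With `ns_g_sigvalinsecs` set, the `seconds /= 4` fallback for an omitted `re-sign` now divides a raw seconds value, so any validity below 4 seconds hands `dns_zone_setsigresigninginterval()` a zero interval, which the old day-scaled path could never produce; unless a zero re-signing interval is known to be handled downstream, guard it with `seconds = (seconds < 4) ? 1 : seconds / 4;`. The unit switch itself deserves a comment above the new `validity =` line, e.g. `/* -T sigvalinsecs: validity and re-sign are raw seconds; otherwise validity is days and re-sign is hours, or days once validity exceeds 7 days. */`, since the two `!ns_g_sigvalinsecs` tests are the only hint of that rule. ns_zone_configure() begins and ends outside the hunk, so the declared type of `seconds` is not visible here.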
@@ -5951,15 +5951,25 @@ zone_resigninc(dns_zone_t *zone) {
 }
 
 isc_stdtime_get(&now);
+ sigvalidityinterval = zone->sigvalidityinterval;
 inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
 * we still want some clustering to occur.
 */
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600 - 1;
+ if (sigvalidityinterval >= 3600U) {
+ isc_random_get(&jitter);
+ if (sigvalidityinterval > 7200U) {
+ jitter %= 3600;
+ } else {
+ jitter %= 1200;
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
 stop = now + 5;
 
 check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@@ -6854,7 +6864,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 isc_boolean_t first;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire;
- isc_uint32_t jitter;
+ isc_uint32_t jitter, sigvalidityinterval;
 unsigned int i;
 unsigned int nkeys = 0;
 isc_uint32_t nodes;
@@ -6924,16 +6934,26 @@ zone_nsec3chain(dns_zone_t *zone) {
 }
 
 isc_stdtime_get(&now);
+ sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
 
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
 * we still want some clustering to occur.
 */
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
+ if (sigvalidityinterval >= 3600U) {
+ isc_random_get(&jitter);
+ if (sigvalidityinterval > 7200U) {
+ jitter %= 3600;
+ } else {
+ jitter %= 1200;
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
 
 check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
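Review bot: zone_resigninc() now reads `zone->sigvalidityinterval` directly, while the zone_nsec3chain() and zone_sign() hunks (and the line this one replaces) go through `dns_zone_getsigvalidityinterval(zone)`; use the accessor here too, `sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);`, so all three paths obtain the value the same way and whatever checks the accessor performs are not bypassed. The jitter selection that follows is pasted verbatim into the zone_nsec3chain() hunk on this line and the zone_sign() hunk below; a small static helper, sketched below, keeps the three copies in step and documents why the jitter is bounded by the interval. Note also that the `- 1` on `expire` is new for zone_nsec3chain() and zone_sign(), which previously computed `soaexpire - jitter % 3600` without it — presumably intended to match zone_resigninc(), but the commit message does not say so. All three functions begin and end outside their hunks.
```c
/*
 * Expiry for signatures generated in this pass: soaexpire less a
 * random jitter scaled to the validity interval, so the jitter is
 * always smaller than the interval (under 1200 s for intervals up
 * to two hours, under 3600 s above that, none below one hour).
 */
static isc_stdtime_t
sigexpire_with_jitter(isc_stdtime_t soaexpire,
		      isc_uint32_t sigvalidityinterval) {
	isc_uint32_t jitter;

	if (sigvalidityinterval < 3600U) {
		return (soaexpire - 1);
	}
	isc_random_get(&jitter);
	if (sigvalidityinterval > 7200U) {
		jitter %= 3600;
	} else {
		jitter %= 1200;
	}
	return (soaexpire - jitter - 1);
}

/* … in zone_resigninc(), zone_nsec3chain() and zone_sign(), replacing the if/else block: … */
	expire = sigexpire_with_jitter(soaexpire, sigvalidityinterval);
```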
@@ -7795,7 +7815,7 @@ zone_sign(dns_zone_t *zone) {
 isc_boolean_t first;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire;
- isc_uint32_t jitter;
+ isc_uint32_t jitter, sigvalidityinterval;
 unsigned int i, j;
 unsigned int nkeys = 0;
 isc_uint32_t nodes;
@@ -7847,16 +7867,26 @@ zone_sign(dns_zone_t *zone) {
 }
 
 isc_stdtime_get(&now);
+ sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 inception = now - 3600; /* Allow for clock skew. */
- soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+ soaexpire = now + sigvalidityinterval;
 
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
 * we still want some clustering to occur.
 */
- isc_random_get(&jitter);
- expire = soaexpire - jitter % 3600;
+ if (sigvalidityinterval >= 3600U) {
+ isc_random_get(&jitter);
+ if (sigvalidityinterval > 7200U) {
+ jitter %= 3600;
+ } else {
+ jitter %= 1200;
+ }
+ expire = soaexpire - jitter - 1;
+ } else {
+ expire = soaexpire - 1;
+ }
 
 /*
 * We keep pulling nodes off each iterator in turn until