If kasp is not used, use legacy signature jitter
authorMatthijs Mekking <matthijs@isc.org>
Thu, 18 Apr 2024 14:02:48 +0000 (16:02 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 18 Apr 2024 15:00:07 +0000 (15:00 +0000)
If the zone is signed in some way other than with 'dnssec-policy', use
the legacy way of jittering signatures: calculate the jitter from the
two values of 'sig-validity-interval' by subtracting the second value
from the first.

lib/dns/update.c
lib/dns/zone.c

index f062e8aff6cd243fe1b2df74aa78543d5de4bdef..b4d2a1258e15ce0b634f6ad4d14ee3daae8991f8 100644 (file)
@@ -1502,6 +1502,13 @@ dns__jitter_expire(dns_zone_t *zone) {
                jitter = dns_kasp_sigjitter(kasp);
                sigvalidity = dns_kasp_sigvalidity(kasp);
                INSIST(jitter <= sigvalidity);
+       } else {
+               jitter = dns_zone_getsigresigninginterval(zone);
+               if (jitter > sigvalidity) {
+                       jitter = sigvalidity;
+               } else {
+                       jitter = sigvalidity - jitter;
+               }
        }
 
        if (jitter > sigvalidity) {
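Review bot: The legacy jitter block added in the `else` branch is duplicated verbatim in `calculate_rrsig_validity` in lib/dns/zone.c (the second hunk), and neither copy says why the `jitter > sigvalidity` clamp comes before the subtraction; a comment such as `/* Legacy: jitter = sig-validity-interval minus the re-signing interval; clamp first so the subtraction cannot wrap. */` above `jitter = dns_zone_getsigresigninginterval(zone);` would help, or better, move the block into one shared helper that both files call. The wrap-around reading assumes `jitter` and `sigvalidity` are unsigned, which the surrounding code suggests but the hunk does not show. Note also that when the re-signing interval exceeds the validity interval the clamp quietly yields maximum jitter instead of surfacing the misconfiguration, so it is worth confirming that this matches the pre-kasp behaviour. `dns__jitter_expire` begins before the hunk, so where `sigvalidity` gets its value on the non-kasp path is not visible here and should be checked.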
index 4cbb3d316ab261f9defee882fa379c8c1756379b..2bf1a50bb8505ab98ac318d2278f0014a03bbdeb 100644 (file)
@@ -7200,6 +7200,13 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
                jitter = dns_kasp_sigjitter(zone->kasp);
                sigvalidity = dns_kasp_sigvalidity(zone->kasp);
                INSIST(jitter <= sigvalidity);
+       } else {
+               jitter = dns_zone_getsigresigninginterval(zone);
+               if (jitter > sigvalidity) {
+                       jitter = sigvalidity;
+               } else {
+                       jitter = sigvalidity - jitter;
+               }
        }
 
        if (jitter > sigvalidity) {