This test is outdated because it tested the 'sig-validity-interval'
option that has been replaced by dnssec-policy's 'signatures-validity',
'signatures-refresh', and 'signatures-jitter' options.
Nevertheless, it tests if the jitter is spread correctly.
Update the test to make use of 'signatures-jitter', set the value
to 1 day (meaning resign in 499 days since 'signatures-validity' is
set to 500 days).
Note that this previously changed erroneously the refresh value to
449 days (should have been 499 days, but that is not allowed by
checkconf, since it is above 90% of 'signatures-validity').
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
- /* validity 500 days, resign in 449 days */
+ /* validity 500 days, with one 1 day jitter (resign in 499 days) */
+ signatures-jitter 1d;
signatures-validity-dnskey 500d;
signatures-validity 500d;
- signatures-refresh 449d;
};
zone "." {
echo_i "checking signatures-validity second field hours vs days ($n)"
ret=0
-# zone configured with 'signatures-validity 500 499;'
+# zone configured with 'signatures-validity 500d; signatures-refresh 1d'
# 499 days in the future w/ a 20 minute runtime to now allowance
min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n
projects / thirdparty / bind9.git / commitdiff
