Implement signature jitter
authorMatthijs Mekking <matthijs@isc.org>
Thu, 1 Feb 2024 08:34:33 +0000 (09:34 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 18 Apr 2024 15:00:07 +0000 (15:00 +0000)
When calculating the RRSIG validity, jitter is now derived from the
config option rather than from the refresh value.

(cherry picked from commit 67f403a42371f943751a28411ded61949ca83fdf)

lib/dns/include/dns/kasp.h
lib/dns/update.c
lib/dns/zone.c

index 3dfd922720e2c28f7c043c894d901ae0622f0cc9..76ba52ec9ca3abed1a5206bb90490704f10fe7b7 100644 (file)
@@ -106,6 +106,7 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 
 /* Defaults */
+#define DEFAULT_JITTER              (12 * 3600)
 #define DNS_KASP_SIG_JITTER         "PT12H"
 #define DNS_KASP_SIG_REFRESH        "P5D"
 #define DNS_KASP_SIG_VALIDITY       "P14D"
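Review bot: `DEFAULT_JITTER` is the only macro in this block of a public installed header without the `DNS_KASP_` prefix, so it can collide with a `DEFAULT_JITTER` defined by any translation unit that includes kasp.h. It also hard-codes the same twelve hours as the neighbouring `DNS_KASP_SIG_JITTER "PT12H"` with nothing tying the two together, so a future change to one silently diverges from the other. I would write it as `#define DNS_KASP_DEFAULT_JITTER (12 * 3600) /* seconds; keep in sync with DNS_KASP_SIG_JITTER */` and update the two users in update.c and zone.c accordingly.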
index a94d35276ef641425b6986c6c20e9992d399ad5c..d3c449e83dc96a97090b68350dc7944e5ba536da 100644 (file)
@@ -1492,23 +1492,25 @@ struct dns_update_state {
 };
 
 static uint32_t
-dns__jitter_expire(dns_zone_t *zone, uint32_t sigvalidityinterval) {
+dns__jitter_expire(dns_zone_t *zone) {
        /* Spread out signatures over time */
-       if (sigvalidityinterval >= 3600U) {
-               uint32_t expiryinterval =
-                       dns_zone_getsigresigninginterval(zone);
-
-               if (sigvalidityinterval < 7200U) {
-                       expiryinterval = 1200;
-               } else if (expiryinterval > sigvalidityinterval) {
-                       expiryinterval = sigvalidityinterval;
+       isc_stdtime_t jitter = DEFAULT_JITTER;
+       isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+       dns_kasp_t *kasp = dns_zone_getkasp(zone);
+
+       if (kasp != NULL) {
+               jitter = dns_kasp_sigjitter(kasp);
+               sigvalidity = dns_kasp_sigvalidity(kasp);
+       }
+
+       if (sigvalidity >= 3600U) {
+               if (sigvalidity > 7200U) {
+                       sigvalidity -= isc_random_uniform(jitter);
                } else {
-                       expiryinterval = sigvalidityinterval - expiryinterval;
+                       sigvalidity -= isc_random_uniform(1200);
                }
-               uint32_t jitter = isc_random_uniform(expiryinterval);
-               sigvalidityinterval -= jitter;
        }
-       return (sigvalidityinterval);
+       return (sigvalidity);
 }
 
 isc_result_t
@@ -1561,8 +1563,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                isc_stdtime_get(&state->now);
                state->inception = state->now - 3600; /* Allow for some clock
                                                         skew. */
-               state->expire = state->now +
-                               dns__jitter_expire(zone, sigvalidityinterval);
+               state->expire = state->now + dns__jitter_expire(zone);
                state->soaexpire = state->now + sigvalidityinterval;
                state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
                if (state->keyexpire == 0) {
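Review bot: In dns__jitter_expire the line `sigvalidity -= isc_random_uniform(jitter);` no longer bounds the jitter by the validity interval, so a kasp with a jitter larger than its signature validity wraps the unsigned `sigvalidity` and produces an RRSIG expire time earlier than `state->now`; the removed code clamped `expiryinterval` to `sigvalidityinterval` and that clamp is not carried over (unless kasp config parsing already rejects such a policy, which is not visible here). I would add `if (jitter > sigvalidity) { jitter = sigvalidity; }` before the `if (sigvalidity >= 3600U)` check. calculate_rrsig_validity in lib/dns/zone.c has the same gap at `fulljitter = isc_random_uniform(jitter);`, where the old `expiryinterval > sigvalidityinterval` clamp was dropped as well. In the second hunk, `state->expire` now comes from the kasp's validity when one is set while `state->soaexpire` still uses `sigvalidityinterval`, whose origin is outside the hunk; if the two can differ, `expire` may end up later than `soaexpire`, which deserves a comment or an assertion.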
index 4b4949d4342f12c4db75f46cf7cb41a06d54c632..1ad55e3c4351cdd7f56fc7e4cb44eb9659682336 100644 (file)
@@ -7192,19 +7192,18 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
        REQUIRE(soaexpire != NULL);
        /* expire and fullexpire are optional */
 
-       isc_stdtime_t sigvalidityinterval =
-               dns_zone_getsigvalidityinterval(zone);
-       isc_stdtime_t expiryinterval = dns_zone_getsigresigninginterval(zone);
-       isc_stdtime_t normaljitter = 0, fulljitter = 0;
+       isc_stdtime_t jitter = DEFAULT_JITTER;
+       isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+       isc_stdtime_t shortjitter = 0, fulljitter = 0;
 
-       *inception = now - 3600; /* Allow for clock skew. */
-       *soaexpire = now + sigvalidityinterval;
-       if (expiryinterval > sigvalidityinterval) {
-               expiryinterval = sigvalidityinterval;
-       } else {
-               expiryinterval = sigvalidityinterval - expiryinterval;
+       if (zone->kasp != NULL) {
+               jitter = dns_kasp_sigjitter(zone->kasp);
+               sigvalidity = dns_kasp_sigvalidity(zone->kasp);
        }
 
+       *inception = now - 3600; /* Allow for clock skew. */
+       *soaexpire = now + sigvalidity;
+
        /*
         * Spread out signatures over time if they happen to be
         * clumped.  We don't do this for each add_sigs() call as
@@ -7214,16 +7213,16 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
         * period we need to ensure that the clusters don't become
         * synchronised by using the full jitter range.
         */
-       if (sigvalidityinterval >= 3600U) {
-               if (sigvalidityinterval > 7200U) {
-                       normaljitter = isc_random_uniform(3600);
-                       fulljitter = isc_random_uniform(expiryinterval);
+       if (sigvalidity >= 3600U) {
+               if (sigvalidity > 7200U) {
+                       shortjitter = isc_random_uniform(3600);
+                       fulljitter = isc_random_uniform(jitter);
                } else {
-                       normaljitter = fulljitter = isc_random_uniform(1200);
+                       shortjitter = fulljitter = isc_random_uniform(1200);
                }
        }
 
-       SET_IF_NOT_NULL(expire, *soaexpire - normaljitter - 1);
+       SET_IF_NOT_NULL(expire, *soaexpire - shortjitter - 1);
        SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1);
 }
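Review bot: `shortjitter = isc_random_uniform(3600);` stays hard-coded while `fulljitter` now follows the configured jitter, so a policy with a jitter below one hour makes the "short" range wider than the "full" range, inverting the intent stated in the comment above (the full range is the wider one used to desynchronise clusters). I would cap it with `shortjitter = isc_random_uniform(jitter < 3600 ? jitter : 3600);` so the short range never exceeds the full one. The function's opening lines, including where `sigvalidity` would be validated against `jitter`, are outside the hunk.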