Implement signature jitter
authorMatthijs Mekking <matthijs@isc.org>
Thu, 1 Feb 2024 08:34:33 +0000 (09:34 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 18 Apr 2024 07:50:10 +0000 (09:50 +0200)
When calculating the RRSIG validity, jitter is now derived from the
config option rather than from the refresh value.

lib/dns/include/dns/kasp.h
lib/dns/update.c
lib/dns/zone.c

index 3b8c68e0f25a20c71560df3df01419af0f588633..cd8a5bd13ff2dbfa4eea4a6a00e65e3c0aa57a4f 100644 (file)
@@ -117,6 +117,7 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 
 /* Defaults */
+#define DEFAULT_JITTER              (12 * 3600)
 #define DNS_KASP_SIG_JITTER         "PT12H"
 #define DNS_KASP_SIG_REFRESH        "P5D"
 #define DNS_KASP_SIG_VALIDITY       "P14D"
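Review bot: `DEFAULT_JITTER` is the only macro in this `/* Defaults */` group without the `DNS_KASP_` prefix, so a public header now exports a generic name that other translation units (or other headers) may already define with a different value. It also hard-codes the same 12 hours that `DNS_KASP_SIG_JITTER "PT12H"` expresses on the next line, with nothing tying the two together, so a future change to one default can silently diverge from the other. I would name it `DNS_KASP_SIG_JITTER_DEFAULT` (updating the two users in update.c and zone.c) and annotate it: `#define DNS_KASP_SIG_JITTER_DEFAULT (12 * 3600) /* seconds; keep in sync with DNS_KASP_SIG_JITTER ("PT12H") */`.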
index cbcbe1c13903f641e63b98ad4cd94653f081f4f1..1302bb4dbaa88bf2192c36710ed37a96f036f602 100644 (file)
@@ -1477,23 +1477,25 @@ struct dns_update_state {
 };
 
 static uint32_t
-dns__jitter_expire(dns_zone_t *zone, uint32_t sigvalidityinterval) {
+dns__jitter_expire(dns_zone_t *zone) {
        /* Spread out signatures over time */
-       if (sigvalidityinterval >= 3600U) {
-               uint32_t expiryinterval =
-                       dns_zone_getsigresigninginterval(zone);
-
-               if (sigvalidityinterval < 7200U) {
-                       expiryinterval = 1200;
-               } else if (expiryinterval > sigvalidityinterval) {
-                       expiryinterval = sigvalidityinterval;
+       isc_stdtime_t jitter = DEFAULT_JITTER;
+       isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+       dns_kasp_t *kasp = dns_zone_getkasp(zone);
+
+       if (kasp != NULL) {
+               jitter = dns_kasp_sigjitter(kasp);
+               sigvalidity = dns_kasp_sigvalidity(kasp);
+       }
+
+       if (sigvalidity >= 3600U) {
+               if (sigvalidity > 7200U) {
+                       sigvalidity -= isc_random_uniform(jitter);
                } else {
-                       expiryinterval = sigvalidityinterval - expiryinterval;
+                       sigvalidity -= isc_random_uniform(1200);
                }
-               uint32_t jitter = isc_random_uniform(expiryinterval);
-               sigvalidityinterval -= jitter;
        }
-       return (sigvalidityinterval);
+       return (sigvalidity);
 }
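Review bot: The `sigvalidity -= isc_random_uniform(jitter);` line in the `> 7200U` branch uses the configured jitter unbounded, whereas the code it replaces clamped `expiryinterval` to `sigvalidityinterval` before drawing the random value. If a policy's jitter is larger than its validity period (whether the configuration checker rejects that combination is not visible here), the draw can exceed `sigvalidity` and, with `isc_stdtime_t` being unsigned, the subtraction wraps, so the caller's `state->now + dns__jitter_expire(zone)` lands decades in the future instead of inside the validity window — effectively a non-expiring RRSIG. Restore the old bound right after the kasp block: `if (jitter > sigvalidity) { jitter = sigvalidity; }`; since `isc_random_uniform()` returns a value below its argument, the result then always keeps at least one second of validity, matching the previous behaviour.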
 
 isc_result_t
@@ -1549,8 +1551,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                state->now = isc_stdtime_now();
                state->inception = state->now - 3600; /* Allow for some clock
                                                         skew. */
-               state->expire = state->now +
-                               dns__jitter_expire(zone, sigvalidityinterval);
+               state->expire = state->now + dns__jitter_expire(zone);
                state->soaexpire = state->now + sigvalidityinterval;
                state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
                if (state->keyexpire == 0) {
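Review bot: `state->soaexpire = state->now + sigvalidityinterval;` still uses the caller-supplied interval, while `state->expire` on the line above now comes from `dns__jitter_expire(zone)`, which substitutes `dns_kasp_sigvalidity(kasp)` whenever a policy is attached. Unless `sigvalidityinterval` is already the kasp value for such zones (its origin is outside this hunk), the RRSIG expiry and the SOA RRSIG expiry are now computed from two different validity periods, and a policy validity longer than the zone's would put `expire` past `soaexpire`. I would either derive both from the same source or make the assumption explicit with `INSIST(state->expire <= state->soaexpire);` after the two assignments. dns_update_signaturesinc starts and ends outside this hunk.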
index c444709917a665242e6ee968cf9d7c501386ab9b..5d6a2428aecde816c73d4a6f734fb53c47971c8c 100644 (file)
@@ -6919,19 +6919,18 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
        REQUIRE(soaexpire != NULL);
        /* expire and fullexpire are optional */
 
-       isc_stdtime_t sigvalidityinterval =
-               dns_zone_getsigvalidityinterval(zone);
-       isc_stdtime_t expiryinterval = dns_zone_getsigresigninginterval(zone);
-       isc_stdtime_t normaljitter = 0, fulljitter = 0;
+       isc_stdtime_t jitter = DEFAULT_JITTER;
+       isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+       isc_stdtime_t shortjitter = 0, fulljitter = 0;
 
-       *inception = now - 3600; /* Allow for clock skew. */
-       *soaexpire = now + sigvalidityinterval;
-       if (expiryinterval > sigvalidityinterval) {
-               expiryinterval = sigvalidityinterval;
-       } else {
-               expiryinterval = sigvalidityinterval - expiryinterval;
+       if (zone->kasp != NULL) {
+               jitter = dns_kasp_sigjitter(zone->kasp);
+               sigvalidity = dns_kasp_sigvalidity(zone->kasp);
        }
 
+       *inception = now - 3600; /* Allow for clock skew. */
+       *soaexpire = now + sigvalidity;
+
        /*
         * Spread out signatures over time if they happen to be
         * clumped.  We don't do this for each add_sigs() call as
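Review bot: `isc_stdtime_t jitter = DEFAULT_JITTER;` changes how zones without a dnssec-policy are jittered without saying so: the removed lines derived the spread from `dns_zone_getsigresigninginterval(zone)`, i.e. from the zone's own settings, whereas the new code applies a fixed 12-hour value that, as far as this hunk shows, no option on a policy-less zone can adjust. Neither the commit message, which speaks only of "the config option", nor the code records that this is intended. Add a comment above the declaration, e.g. `/* Zones without a dnssec-policy have no jitter option; use the policy default rather than the former resign-interval derivation. */`, or keep the resign-interval derivation for the `zone->kasp == NULL` case if the old behaviour was meant to survive. calculate_rrsig_validity starts before this hunk and continues past it.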
@@ -6941,16 +6940,16 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
         * period we need to ensure that the clusters don't become
         * synchronised by using the full jitter range.
         */
-       if (sigvalidityinterval >= 3600U) {
-               if (sigvalidityinterval > 7200U) {
-                       normaljitter = isc_random_uniform(3600);
-                       fulljitter = isc_random_uniform(expiryinterval);
+       if (sigvalidity >= 3600U) {
+               if (sigvalidity > 7200U) {
+                       shortjitter = isc_random_uniform(3600);
+                       fulljitter = isc_random_uniform(jitter);
                } else {
-                       normaljitter = fulljitter = isc_random_uniform(1200);
+                       shortjitter = fulljitter = isc_random_uniform(1200);
                }
        }
 
-       SET_IF_NOT_NULL(expire, *soaexpire - normaljitter - 1);
+       SET_IF_NOT_NULL(expire, *soaexpire - shortjitter - 1);
        SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1);
 }
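Review bot: `fulljitter = isc_random_uniform(jitter);` takes the configured jitter unbounded, whereas the code it replaces clamped `expiryinterval` to `sigvalidityinterval` before the draw. If a policy's jitter exceeds its validity period (not rejected anywhere visible here), `fulljitter` can be larger than `sigvalidity`, so `*soaexpire - fulljitter - 1` falls below `now` and even below `*inception`, producing signatures that are already expired when written — a validation outage for the zone rather than a spread of expiry times. The fix is the old bound, placed after the kasp block in the preceding hunk: `if (jitter > sigvalidity) { jitter = sigvalidity; }`. calculate_rrsig_validity starts outside this hunk.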