add support -T sigvalinsecs
authorMark Andrews <marka@isc.org>
Thu, 3 May 2018 06:43:15 +0000 (16:43 +1000)
committerMark Andrews <marka@isc.org>
Wed, 6 Jun 2018 07:05:43 +0000 (17:05 +1000)
(cherry picked from commit 87a3dc8ab930ce4b3f338905903ffa08e4113159)

bin/named/main.c
bin/named/zoneconf.c
lib/dns/zone.c
lib/ns/include/ns/server.h

index 57bddc2d4e8c469d82b31a135a2b76aaebb4192e..70322aef99189582253d5b68a583f78ed0c76b0d 100644 (file)
@@ -131,6 +131,7 @@ static unsigned int delay = 0;
 static isc_boolean_t nonearest = ISC_FALSE;
 static isc_boolean_t notcp = ISC_FALSE;
 static isc_boolean_t fixedlocal = ISC_FALSE;
+static isc_boolean_t sigvalinsecs = ISC_FALSE;
 
 /*
  * -4 and -6
@@ -543,6 +544,8 @@ parse_T_opt(char *option) {
                if (dns_zone_mkey_month < dns_zone_mkey_day) {
                        named_main_earlyfatal("bad mkeytimer");
                }
+       } else if (!strcmp(option, "sigvalinsecs")) {
+               sigvalinsecs = ISC_TRUE;
        } else if (!strncmp(option, "tat=", 4)) {
                named_g_tat_interval = atoi(option + 4);
        } else {
@@ -1215,6 +1218,8 @@ setup(void) {
                ns_server_setoption(sctx, NS_SERVER_DISABLE4, ISC_TRUE);
        if (disable6)
                ns_server_setoption(sctx, NS_SERVER_DISABLE6, ISC_TRUE);
+       if (sigvalinsecs)
+               ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, ISC_TRUE);
 
        named_g_server->sctx->delay = delay;
 
index 0002b933e36c0affe7ff3910a3bc9cd3573a2a9e..ed225c82fc3bf26572868c8dc86469018378ed9a 100644 (file)
@@ -1429,31 +1429,36 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        }
 
        if (ztype == dns_zone_master || raw != NULL) {
+               const cfg_obj_t *validity, *resign;
                isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
+               isc_boolean_t sigvalinsecs;
 
                obj = NULL;
                result = named_config_get(maps, "sig-validity-interval", &obj);
                INSIST(result == ISC_R_SUCCESS && obj != NULL);
-               {
-                       const cfg_obj_t *validity, *resign;
-
-                       validity = cfg_tuple_get(obj, "validity");
-                       seconds = cfg_obj_asuint32(validity) * 86400;
-                       dns_zone_setsigvalidityinterval(zone, seconds);
 
-                       resign = cfg_tuple_get(obj, "re-sign");
-                       if (cfg_obj_isvoid(resign)) {
-                               seconds /= 4;
+               sigvalinsecs = ns_server_getoption(named_g_server->sctx,
+                                                  NS_SERVER_SIGVALINSECS);
+               validity = cfg_tuple_get(obj, "validity");
+               seconds = cfg_obj_asuint32(validity);
+               if (!sigvalinsecs) {
+                       seconds *= 86400;
+               }
+               dns_zone_setsigvalidityinterval(zone, seconds);
+
+               resign = cfg_tuple_get(obj, "re-sign");
+               if (cfg_obj_isvoid(resign)) {
+                       seconds /= 4;
+               } else if (!sigvalinsecs) {
+                       if (seconds > 7 * 86400) {
+                               seconds = cfg_obj_asuint32(resign) * 86400;
                        } else {
-                               if (seconds > 7 * 86400)
-                                       seconds = cfg_obj_asuint32(resign) *
-                                                       86400;
-                               else
-                                       seconds = cfg_obj_asuint32(resign) *
-                                                       3600;
+                               seconds = cfg_obj_asuint32(resign) * 3600;
                        }
-                       dns_zone_setsigresigninginterval(zone, seconds);
+               } else {
+                       seconds = cfg_obj_asuint32(resign);
                }
+               dns_zone_setsigresigninginterval(zone, seconds);
 
                obj = NULL;
                result = named_config_get(maps, "key-directory", &obj);
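Review bot: The unit switch is implicit in the new code: with the option set, `validity` (L66) and `re-sign` (L89) are taken as raw seconds instead of days/hours, but nothing at the `sigvalinsecs` read on L63 says so, and the `seconds /= 4` default on L74 still applies, so a validity under 4 seconds produces a re-signing interval of 0 unless dns_zone_setsigresigninginterval rejects or clamps that (its body is outside this hunk). I would add, above L63, `/* -T sigvalinsecs (testing only): validity and re-sign are plain seconds, not days/hours; keep validity >= 4 s so the default re-sign (validity/4) stays non-zero. */`. Whether the config checker already enforces a lower bound on sig-validity-interval is not visible here; if it does not, clamping `seconds` to at least 1 before L91 would avoid a zero interval in test mode. named_zone_configure begins before and continues after this hunk.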
index c6172485d6743bf6ea581e35e96ea31613732bc7..8bd2d2e0bf66b0ae7d618d2beaa9f8ff2a336e6a 100644 (file)
@@ -6479,7 +6479,7 @@ zone_resigninc(dns_zone_t *zone) {
        isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
        isc_result_t result;
        isc_stdtime_t now, inception, soaexpire, expire, stop;
-       isc_uint32_t jitter;
+       isc_uint32_t jitter, sigvalidityinterval;
        unsigned int i;
        unsigned int nkeys = 0;
        unsigned int resign;
@@ -6524,15 +6524,25 @@ zone_resigninc(dns_zone_t *zone) {
                goto failure;
        }
 
+       sigvalidityinterval = zone->sigvalidityinterval;
        inception = now - 3600; /* Allow for clock skew. */
-       soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+       soaexpire = now + sigvalidityinterval;
        /*
         * Spread out signatures over time if they happen to be
         * clumped.  We don't do this for each add_sigs() call as
         * we still want some clustering to occur.
         */
-       isc_random_get(&jitter);
-       expire = soaexpire - jitter % 3600 - 1;
+       if (sigvalidityinterval >= 3600U) {
+               isc_random_get(&jitter);
+               if (sigvalidityinterval > 7200U) {
+                       jitter %= 3600;
+               } else {
+                       jitter %= 1200;
+               }
+               expire = soaexpire - jitter - 1;
+       } else {
+               expire = soaexpire - 1;
+       }
        stop = now + 5;
 
        check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
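Review bot: L109 reads `zone->sigvalidityinterval` directly, while the equivalent lines in zone_nsec3chain (L147) and zone_sign (L186) go through `dns_zone_getsigvalidityinterval(zone)`; if the accessor takes the zone lock, the direct read here bypasses it, so either the lock is already held at this point (not visible in the hunk) or L109 should use the accessor like its siblings — I would pick one form for all three. The expiry computation on L120–L130 is also repeated verbatim in the zone_nsec3chain and zone_sign hunks; a small static helper keeps the jitter thresholds (3600/7200/1200) in one place and documents why short intervals are not jittered. zone_resigninc begins before and continues after this hunk.
```c
/*
 * Pick an RRSIG expiry below 'soaexpire'.  Signatures with a validity of
 * at least an hour are jittered so that they do not all expire together;
 * shorter (test-mode, -T sigvalinsecs) intervals are left unjittered.
 */
static isc_stdtime_t
sig_expire(isc_stdtime_t soaexpire, isc_uint32_t sigvalidityinterval) {
	isc_uint32_t jitter;

	if (sigvalidityinterval < 3600U) {
		return (soaexpire - 1);
	}
	isc_random_get(&jitter);
	jitter %= (sigvalidityinterval > 7200U) ? 3600 : 1200;
	return (soaexpire - jitter - 1);
}

/* … unchanged: zone_resigninc up to the soaexpire computation … */
	expire = sig_expire(soaexpire, sigvalidityinterval);
```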
@@ -7436,7 +7446,7 @@ zone_nsec3chain(dns_zone_t *zone) {
        isc_boolean_t first;
        isc_result_t result;
        isc_stdtime_t now, inception, soaexpire, expire;
-       isc_uint32_t jitter;
+       isc_uint32_t jitter, sigvalidityinterval;
        unsigned int i;
        unsigned int nkeys = 0;
        isc_uint32_t nodes;
@@ -7505,16 +7515,26 @@ zone_nsec3chain(dns_zone_t *zone) {
                goto failure;
        }
 
+       sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
        inception = now - 3600; /* Allow for clock skew. */
-       soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+       soaexpire = now + sigvalidityinterval;
 
        /*
         * Spread out signatures over time if they happen to be
         * clumped.  We don't do this for each add_sigs() call as
         * we still want some clustering to occur.
         */
-       isc_random_get(&jitter);
-       expire = soaexpire - jitter % 3600;
+       if (sigvalidityinterval >= 3600U) {
+               isc_random_get(&jitter);
+               if (sigvalidityinterval > 7200U) {
+                       jitter %= 3600;
+               } else {
+                       jitter %= 1200;
+               }
+               expire = soaexpire - jitter - 1;
+       } else {
+               expire = soaexpire - 1;
+       }
 
        check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
        keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
@@ -8374,7 +8394,7 @@ zone_sign(dns_zone_t *zone) {
        isc_boolean_t first;
        isc_result_t result;
        isc_stdtime_t now, inception, soaexpire, expire;
-       isc_uint32_t jitter;
+       isc_uint32_t jitter, sigvalidityinterval;
        unsigned int i, j;
        unsigned int nkeys = 0;
        isc_uint32_t nodes;
@@ -8425,16 +8445,26 @@ zone_sign(dns_zone_t *zone) {
                goto failure;
        }
 
+       sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
        inception = now - 3600; /* Allow for clock skew. */
-       soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+       soaexpire = now + sigvalidityinterval;
 
        /*
         * Spread out signatures over time if they happen to be
         * clumped.  We don't do this for each add_sigs() call as
         * we still want some clustering to occur.
         */
-       isc_random_get(&jitter);
-       expire = soaexpire - jitter % 3600;
+       if (sigvalidityinterval >= 3600U) {
+               isc_random_get(&jitter);
+               if (sigvalidityinterval > 7200U) {
+                       jitter %= 3600;
+               } else {
+                       jitter %= 1200;
+               }
+               expire = soaexpire - jitter - 1;
+       } else {
+               expire = soaexpire - 1;
+       }
 
        /*
         * We keep pulling nodes off each iterator in turn until
index 0b855707645acd5cbf4e6cca4a82240e1ffb4455..362f9ca0fcfa782fde31299c7ebcdedaee6aa98e 100644 (file)
@@ -40,6 +40,7 @@
 #define NS_SERVER_DISABLE4     0x00000100U     /*%< -6 */
 #define NS_SERVER_DISABLE6     0x00000200U     /*%< -4 */
 #define NS_SERVER_FIXEDLOCAL   0x00000400U     /*%< -T fixedlocal */
+#define NS_SERVER_SIGVALINSECS 0x00000800U     /*%< -T sigvalinsecs */
 
 /*%
  * Type for callback function to get hostname.