Add checkconf check for signatures-jitter
authorMatthijs Mekking <matthijs@isc.org>
Tue, 16 Apr 2024 13:49:13 +0000 (15:49 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 18 Apr 2024 07:50:33 +0000 (09:50 +0200)
A signatures-jitter value higher than signatures-validity does not make sense
and should be treated as a configuration error.

bin/tests/system/checkconf/bad-kasp-jitter.conf [new file with mode: 0644]
doc/arm/reference.rst
lib/dns/update.c
lib/dns/zone.c
lib/isccfg/kaspconf.c

diff --git a/bin/tests/system/checkconf/bad-kasp-jitter.conf b/bin/tests/system/checkconf/bad-kasp-jitter.conf
new file mode 100644 (file)
index 0000000..e358957
--- /dev/null
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy jitter is more than signatures-validity,
+ * which is not allowed.
+ */
+dnssec-policy high-jitter {
+       signatures-jitter P8DT1S;
+       signatures-validity P8D;
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+       dnssec-policy high-jitter;
+};
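Review bot: The fixture drives only the second new check in lib/isccfg/kaspconf.c (jitter against signatures-validity); the first one, against signatures-validity-dnskey, has no bad-*.conf exercising it, and neither does the boundary where jitter equals validity. A sibling bad-*.conf (name to be chosen by the project) with `signatures-jitter P8DT1S;` and `signatures-validity-dnskey P8D;` would cover the dnskey branch, assuming the checkconf harness picks up every bad-*.conf automatically. The header comment could also state which check the file targets, e.g. `* Exercises the signatures-jitter > signatures-validity check only.`.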
index e9341671cd763687f9380dc25b471052e6499d64..aab79e9064544a752bbdccf7d4951c2ad0a91562 100644 (file)
@@ -6487,7 +6487,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
     vary the validity interval of individual signatures. The validity of a
     newly generated signatures is in range between :any:`signatures-validity`
     (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
-    (minimum). The default jitter is 12 hours.
+    (minimum). The default jitter is 12 hours and the configured value must
+    be lower than :any:`signatures-validity` and
+    :any:`signatures-validity-dnskey`.
 
 .. namedconf:statement:: signatures-refresh
    :tags: dnssec
index 1302bb4dbaa88bf2192c36710ed37a96f036f602..a6b8f2adf4ad3306b02f55d539fc72edde356d96 100644 (file)
@@ -1486,6 +1486,11 @@ dns__jitter_expire(dns_zone_t *zone) {
        if (kasp != NULL) {
                jitter = dns_kasp_sigjitter(kasp);
                sigvalidity = dns_kasp_sigvalidity(kasp);
+               INSIST(jitter <= sigvalidity);
+       }
+
+       if (jitter > sigvalidity) {
+               jitter = sigvalidity;
        }
 
        if (sigvalidity >= 3600U) {
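Review bot: The `INSIST(jitter <= sigvalidity);` added inside the kasp branch and the clamp that follows it cannot both be useful: on the kasp path the clamp is unreachable once the INSIST has passed, and on the no-kasp path the INSIST never runs. If the intent is to tolerate an inconsistent policy at runtime, the clamp alone does that gracefully, whereas the INSIST turns the condition into an assertion failure, which in BIND aborts the process; if the intent is that the new checkconf error makes the state impossible, the clamp is dead code for the kasp case. I would keep the clamp and drop the INSIST, or document which one is the invariant, e.g. `/* kaspconf rejects jitter > validity; the clamp only guards the non-kasp defaults. */`. The same INSIST-plus-clamp pair appears in calculate_rrsig_validity in lib/dns/zone.c. dns__jitter_expire begins and ends outside the hunk, so where jitter and sigvalidity come from on the non-kasp path is not visible here.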
index 5d6a2428aecde816c73d4a6f734fb53c47971c8c..c70579e0aff81b62837145a5034565649b2c124f 100644 (file)
@@ -6926,6 +6926,11 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
        if (zone->kasp != NULL) {
                jitter = dns_kasp_sigjitter(zone->kasp);
                sigvalidity = dns_kasp_sigvalidity(zone->kasp);
+               INSIST(jitter <= sigvalidity);
+       }
+
+       if (jitter > sigvalidity) {
+               jitter = sigvalidity;
        }
 
        *inception = now - 3600; /* Allow for clock skew. */
index 9b65b636081a46e9d2f76edea0e423934446c964..419818f25707d337fa26a84645d885d1ddb16270 100644 (file)
@@ -480,6 +480,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        }
        dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
 
+       if (sigjitter > sigvalidity) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-jitter cannot "
+                       "be larger than signatures-validity-dnskey",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+
        sigvalidity = get_duration(maps, "signatures-validity",
                                   DNS_KASP_SIG_VALIDITY);
        if (sigrefresh >= (sigvalidity * 0.9)) {
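Review bot: The new checks reject only `sigjitter > sigvalidity`, so a policy whose jitter equals the validity is accepted, while the accompanying doc/arm/reference.rst text says the value must be lower than both validity settings; the code and the documentation should agree on the boundary. Per the doc's own formula the minimum validity of a new signature is validity minus jitter, which is zero when the two are equal, so rejecting equality with `if (sigjitter >= sigvalidity) {` here and in the second hunk (the signatures-validity check) seems the safer reading; otherwise the doc should say "must not exceed". Note that at this point `sigvalidity` still holds the signatures-validity-dnskey value set on the line above, which the error message correctly names, but a one-line comment such as `/* sigvalidity is still the DNSKEY validity here. */` would spare the next reader the trace. cfg_kasp_fromconfig begins and ends outside the hunk.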
@@ -492,6 +501,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        }
        dns_kasp_setsigvalidity(kasp, sigvalidity);
 
+       if (sigjitter > sigvalidity) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-jitter cannot "
+                       "be larger than signatures-validity",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+
        if (result != ISC_R_SUCCESS) {
                goto cleanup;
        }