Add checkconf check for signatures-jitter
authorMatthijs Mekking <matthijs@isc.org>
Tue, 16 Apr 2024 13:49:13 +0000 (15:49 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 18 Apr 2024 15:00:07 +0000 (15:00 +0000)
A signatures-jitter value higher than signatures-validity does not make sense
and should be treated as a configuration error.

(cherry picked from commit c3d8932f79907bf55580bc0ff86f38343a785914)

bin/tests/system/checkconf/bad-kasp-jitter.conf [new file with mode: 0644]
doc/arm/reference.rst
lib/dns/update.c
lib/dns/zone.c
lib/isccfg/kaspconf.c

diff --git a/bin/tests/system/checkconf/bad-kasp-jitter.conf b/bin/tests/system/checkconf/bad-kasp-jitter.conf
new file mode 100644 (file)
index 0000000..e358957
--- /dev/null
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy jitter is more than signatures-validity,
+ * which is not allowed.
+ */
+dnssec-policy high-jitter {
+       signatures-jitter P8DT1S;
+       signatures-validity P8D;
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+       dnssec-policy high-jitter;
+};
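Review bot: This fixture only triggers the signatures-validity comparison; the kaspconf.c change in this commit also rejects a jitter larger than signatures-validity-dnskey, and the reference.rst text documents both limits, but no fixture exercises the dnskey branch (whether the default signatures-validity-dnskey is above P8DT1S is not visible here). A second bad-kasp fixture that sets `signatures-validity-dnskey` below `signatures-jitter` would pin the second error path and its message so it cannot regress silently. The header comment could also name which of the two limits this file is meant to violate, e.g. `* The dnssec-policy jitter is more than signatures-validity (the dnskey variant is covered separately),`.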
index 214f64edfeba8c3eef8536dd06538ec1f9ae1dfb..cb2f5126afaf03dfe29858ecea8976d662097c30 100644 (file)
@@ -6517,7 +6517,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
     vary the validity interval of individual signatures. The validity of a
     newly generated signatures is in range between :any:`signatures-validity`
     (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
-    (minimum). The default jitter is 12 hours.
+    (minimum). The default jitter is 12 hours and the configured value must
+    be lower than :any:`signatures-validity` and
+    :any:`signatures-validity-dnskey`.
 
 .. namedconf:statement:: signatures-refresh
    :tags: dnssec
index d3c449e83dc96a97090b68350dc7944e5ba536da..f062e8aff6cd243fe1b2df74aa78543d5de4bdef 100644 (file)
@@ -1501,6 +1501,11 @@ dns__jitter_expire(dns_zone_t *zone) {
        if (kasp != NULL) {
                jitter = dns_kasp_sigjitter(kasp);
                sigvalidity = dns_kasp_sigvalidity(kasp);
+               INSIST(jitter <= sigvalidity);
+       }
+
+       if (jitter > sigvalidity) {
+               jitter = sigvalidity;
        }
 
        if (sigvalidity >= 3600U) {
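Review bot: The new INSIST placed right after sigvalidity is assigned makes the `if (jitter > sigvalidity)` clamp added below it unreachable for the kasp case, so the clamp now only matters when kasp is NULL and jitter/sigvalidity come from whatever the lines above the hunk assign (not visible here); keeping both guards reads as if it was undecided which one is the real protection. An INSIST failure aborts named instead of shortening a signature lifetime, so if any path populates a kasp without going through the new cfg_kasp_fromconfig check (not visible here), a configuration inconsistency becomes a process crash rather than a logged configuration error. Dropping the INSIST and keeping the clamp with a one-line comment such as `/* cfg_kasp_fromconfig rejects jitter > validity; clamp defensively */` gives the same bound without the availability risk. The identical pattern is added to calculate_rrsig_validity in lib/dns/zone.c. dns__jitter_expire starts above this hunk and continues past it.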
index 1ad55e3c4351cdd7f56fc7e4cb44eb9659682336..4cbb3d316ab261f9defee882fa379c8c1756379b 100644 (file)
@@ -7199,6 +7199,11 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
        if (zone->kasp != NULL) {
                jitter = dns_kasp_sigjitter(zone->kasp);
                sigvalidity = dns_kasp_sigvalidity(zone->kasp);
+               INSIST(jitter <= sigvalidity);
+       }
+
+       if (jitter > sigvalidity) {
+               jitter = sigvalidity;
        }
 
        *inception = now - 3600; /* Allow for clock skew. */
index db0a382324b73dd0299db41a87cb23c8d2e5e485..a482062a2be56b3f5c5a05321672e266318144cf 100644 (file)
@@ -380,6 +380,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        }
        dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
 
+       if (sigjitter > sigvalidity) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-jitter cannot "
+                       "be larger than signatures-validity-dnskey",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+
        sigvalidity = get_duration(maps, "signatures-validity",
                                   DNS_KASP_SIG_VALIDITY);
        if (sigrefresh >= (sigvalidity * 0.9)) {
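Review bot: The check rejects only a jitter strictly larger than the validity, so `signatures-jitter` equal to `signatures-validity-dnskey` (and, in the next hunk, equal to `signatures-validity`) passes named-checkconf, while the reference.rst change in this commit says the value "must be lower than" both; one side should be made to agree with the other, either `if (sigjitter >= sigvalidity) {` in both hunks (with the INSISTs added in update.c and zone.c loosened to match) or documentation wording like "must not be larger than". With the operator as written an equal value allows the minimum validity of a fresh signature, validity minus jitter, to reach zero; how much that matters depends on how the random jitter is drawn in dns__jitter_expire, which is not visible here. The variable `sigvalidity` is reused for the dnskey validity here and for the zone validity in the next hunk, so a short comment before this check, e.g. `/* sigvalidity still holds signatures-validity-dnskey here */`, would help readers match each check to its error message. cfg_kasp_fromconfig begins above and continues past both hunks.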
@@ -392,6 +401,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        }
        dns_kasp_setsigvalidity(kasp, sigvalidity);
 
+       if (sigjitter > sigvalidity) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-jitter cannot "
+                       "be larger than signatures-validity",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+
        if (result != ISC_R_SUCCESS) {
                goto cleanup;
        }