From: Mark Andrews
Date: Fri, 17 Aug 2018 00:56:02 +0000 (+1000)
Subject: increase jitter to cover the entire potential steady state expire range when initiall...
X-Git-Tag: v9.13.3~15^2~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=050fca2139a69b8057a8f5f87966b1e7215d78bc;p=thirdparty%2Fbind9.git
increase jitter to cover the entire potential steady state expire range when initially signing the zone
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index a35d3ae3cee..e11398e63ae 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -8419,7 +8419,7 @@ zone_sign(dns_zone_t *zone) {
 bool first;
 isc_result_t result;
 isc_stdtime_t now, inception, soaexpire, expire;
- uint32_t jitter, sigvalidityinterval;
+ uint32_t jitter, sigvalidityinterval, expiryinterval;
 unsigned int i, j;
 unsigned int nkeys = 0;
 uint32_t nodes;
@@ -8473,6 +8473,12 @@ zone_sign(dns_zone_t *zone) {
 sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 inception = now - 3600; /* Allow for clock skew. */
 soaexpire = now + sigvalidityinterval;
+ expiryinterval = dns_zone_getsigresigninginterval(zone);
+ if (expiryinterval > sigvalidityinterval) {
+ expiryinterval = sigvalidityinterval;
+ } else {
+ expiryinterval = sigvalidityinterval - expiryinterval;
+ }
 
 /*
 * Spread out signatures over time if they happen to be
@@ -8481,7 +8487,7 @@ zone_sign(dns_zone_t *zone) {
 */
 if (sigvalidityinterval >= 3600U) {
 if (sigvalidityinterval > 7200U) {
- jitter = isc_random_uniform(3600);
+ jitter = isc_random_uniform(expiryinterval);
 } else {
 jitter = isc_random_uniform(1200);
 }
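Review bot: In the added `expiryinterval` computation, the branch taken when the re-signing interval exceeds `sigvalidityinterval` makes the jitter range the whole validity period. If `jitter` is later subtracted from `soaexpire` (that code is outside this hunk, so this is inferred from the "Spread out signatures" comment), a freshly generated signature could be given an expiry only moments after `now`, and validating resolvers would treat the records as bogus until the next re-sign pass. Consider keeping a bounded range in that misconfigured case rather than the full interval. The block also needs a comment saying what the value represents, for example `/* Width of the steady-state expiry window: validity minus re-sign interval. */`. zone_sign() begins and ends outside the hunk.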
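Review bot: `isc_random_uniform(expiryinterval)` in the `> 7200U` branch can now receive a bound of 0, because the preceding hunk yields `sigvalidityinterval - expiryinterval == 0` when the two configured intervals are equal. How isc_random_uniform() handles a zero upper bound is not visible here and should be confirmed. Even if it returns 0, every initial signature would then share one expiry time, which is the clustering the comment above says the jitter is meant to avoid. A floor before the call would keep some spread, e.g. `if (expiryinterval < 1200U) expiryinterval = 1200U;`, with the exact value left to the maintainers. The sibling `else` branch still uses the fixed 1200 bound, so the two branches no longer scale the same way.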