From: Matthijs Mekking
Date: Thu, 1 Feb 2024 08:34:33 +0000 (+0100)
Subject: Implement signature jitter
X-Git-Tag: v9.19.24~28^2~2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=67f403a42371f943751a28411ded61949ca83fdf;p=thirdparty%2Fbind9.git

Implement signature jitter

When calculating the RRSIG validity, jitter is now derived from the config option rather than from the refresh value.
---
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 3b8c68e0f25..cd8a5bd13ff 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -117,6 +117,7 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 
 /* Defaults */
+#define DEFAULT_JITTER (12 * 3600)
 #define DNS_KASP_SIG_JITTER "PT12H"
 #define DNS_KASP_SIG_REFRESH "P5D"
 #define DNS_KASP_SIG_VALIDITY "P14D"
diff --git a/lib/dns/update.c b/lib/dns/update.c
index cbcbe1c1390..1302bb4dbaa 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
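Review bot: `DEFAULT_JITTER` is added to the public header `dns/kasp.h` without the `DNS_KASP_` prefix that every neighbouring default carries, so it enters the global macro namespace of every includer under a generic name that is easy to collide with or shadow. It also restates the value of `DNS_KASP_SIG_JITTER "PT12H"` in seconds, leaving two definitions of the same default that must be kept in sync by hand. Suggest a namespaced name with a comment tying the two together, e.g. `#define DNS_KASP_SIG_JITTER_DEFAULT (12 * 3600) /* seconds; keep equal to DNS_KASP_SIG_JITTER */`, and updating the two uses this commit adds in update.c and zone.c.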
@@ -1477,23 +1477,25 @@ struct dns_update_state {
 };
 
 static uint32_t
-dns__jitter_expire(dns_zone_t *zone, uint32_t sigvalidityinterval) {
+dns__jitter_expire(dns_zone_t *zone) {
 /* Spread out signatures over time */
- if (sigvalidityinterval >= 3600U) {
- uint32_t expiryinterval =
- dns_zone_getsigresigninginterval(zone);
-
- if (sigvalidityinterval < 7200U) {
- expiryinterval = 1200;
- } else if (expiryinterval > sigvalidityinterval) {
- expiryinterval = sigvalidityinterval;
+ isc_stdtime_t jitter = DEFAULT_JITTER;
+ isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+ dns_kasp_t *kasp = dns_zone_getkasp(zone);
+
+ if (kasp != NULL) {
+ jitter = dns_kasp_sigjitter(kasp);
+ sigvalidity = dns_kasp_sigvalidity(kasp);
+ }
+
+ if (sigvalidity >= 3600U) {
+ if (sigvalidity > 7200U) {
+ sigvalidity -= isc_random_uniform(jitter);
 } else {
- expiryinterval = sigvalidityinterval - expiryinterval;
+ sigvalidity -= isc_random_uniform(1200);
 }
- uint32_t jitter = isc_random_uniform(expiryinterval);
- sigvalidityinterval -= jitter;
 }
- return (sigvalidityinterval);
+ return (sigvalidity);
 }
 
 isc_result_t
@@ -1549,8 +1551,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 state->now = isc_stdtime_now();
 state->inception = state->now - 3600; /* Allow for some clock skew. */
- state->expire = state->now +
- dns__jitter_expire(zone, sigvalidityinterval);
+ state->expire = state->now + dns__jitter_expire(zone);
 state->soaexpire = state->now + sigvalidityinterval;
 state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
 if (state->keyexpire == 0) {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c444709917a..5d6a2428aec 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
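Review bot: `sigvalidity -= isc_random_uniform(jitter);` no longer bounds the jitter range by the validity interval, which the removed code did (`expiryinterval` was clamped to `sigvalidityinterval` and reduced by the re-signing interval), so `jitter` now comes straight from the policy (or the 12-hour default when there is no kasp) and is subtracted from a validity only known to exceed 7200 seconds. `isc_stdtime_t` is, as far as I know, an unsigned 32-bit type, so a policy whose jitter exceeds its validity would wrap this to a huge expiry, and even without wrapping a jitter larger than validity minus the re-signing interval yields RRSIGs that lapse before the zone re-signs them, which resolvers see as validation failures. Unless the kasp loader already rejects that combination, clamp before the draw: `if (jitter > sigvalidity) { jitter = sigvalidity; }`. The non-kasp path also changes behaviour silently, jittering by up to 12 hours regardless of the zone's own validity and re-signing settings, which is worth a sentence in the commit message. The same unbounded draw appears in the second zone.c hunk (`fulljitter = isc_random_uniform(jitter)`), where it can produce a `fullexpire` that is already in the past when the signature is made.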
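Review bot: `state->expire` is now computed inside `dns__jitter_expire()` from the kasp's own validity when a policy is attached, while `state->soaexpire` on the following line still uses the `sigvalidityinterval` local set outside this hunk. If those two values can differ (I believe the zone's validity interval is normally seeded from the kasp, but that is not visible here), `expire` could land after `soaexpire`, which the rest of the signing code presumably does not expect. A cheap guard documents and enforces the invariant: `INSIST(state->expire <= state->soaexpire); /* both derive from the effective validity interval */`. The enclosing function `dns_update_signaturesinc` begins before and ends after this hunk.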
@@ -6919,19 +6919,18 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
 REQUIRE(soaexpire != NULL);
 /* expire and fullexpire are optional */
 
- isc_stdtime_t sigvalidityinterval =
- dns_zone_getsigvalidityinterval(zone);
- isc_stdtime_t expiryinterval = dns_zone_getsigresigninginterval(zone);
- isc_stdtime_t normaljitter = 0, fulljitter = 0;
+ isc_stdtime_t jitter = DEFAULT_JITTER;
+ isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+ isc_stdtime_t shortjitter = 0, fulljitter = 0;
 
- *inception = now - 3600; /* Allow for clock skew. */
- *soaexpire = now + sigvalidityinterval;
- if (expiryinterval > sigvalidityinterval) {
- expiryinterval = sigvalidityinterval;
- } else {
- expiryinterval = sigvalidityinterval - expiryinterval;
+ if (zone->kasp != NULL) {
+ jitter = dns_kasp_sigjitter(zone->kasp);
+ sigvalidity = dns_kasp_sigvalidity(zone->kasp);
 }
 
+ *inception = now - 3600; /* Allow for clock skew. */
+ *soaexpire = now + sigvalidity;
+
 /*
 * Spread out signatures over time if they happen to be
 * clumped. We don't do this for each add_sigs() call as
@@ -6941,16 +6940,16 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
 * period we need to ensure that the clusters don't become
 * synchronised by using the full jitter range.
 */
- if (sigvalidityinterval >= 3600U) {
- if (sigvalidityinterval > 7200U) {
- normaljitter = isc_random_uniform(3600);
- fulljitter = isc_random_uniform(expiryinterval);
+ if (sigvalidity >= 3600U) {
+ if (sigvalidity > 7200U) {
+ shortjitter = isc_random_uniform(3600);
+ fulljitter = isc_random_uniform(jitter);
 } else {
- normaljitter = fulljitter = isc_random_uniform(1200);
+ shortjitter = fulljitter = isc_random_uniform(1200);
 }
 }
 
- SET_IF_NOT_NULL(expire, *soaexpire - normaljitter - 1);
+ SET_IF_NOT_NULL(expire, *soaexpire - shortjitter - 1);
 SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1);
 }
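Review bot: The jitter/validity resolution added here (start from `DEFAULT_JITTER` and the zone's validity, then override both from the kasp) is a second copy of the block this commit adds to `dns__jitter_expire()` in update.c, differing only in reading `zone->kasp` directly rather than through `dns_zone_getkasp()`. Two hand-written copies of a policy-resolution rule will drift the next time a default or precedence changes; a single zone-level accessor returning the effective jitter, called from both sites, would keep them identical. The direct `zone->kasp` read also happens without a visible lock in this hunk; if other readers take the zone lock first, a one-line comment stating why it is safe here would help the next reader, e.g. `/* zone->kasp is only written at configure time (caller holds the zone lock) */` — adjust to whatever actually holds. `calculate_rrsig_validity` begins before this hunk and continues past it.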
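Review bot: `shortjitter = isc_random_uniform(3600);` keeps a fixed one-hour range while `fulljitter` on the next line now uses the configured `jitter`, so a policy with a jitter below one hour spreads `expire` more widely than `fullexpire`, inverting the relationship the comment just above describes (the full range is meant to be the larger one, used only when re-signing the whole zone). Bound the short range by the configured one: `shortjitter = isc_random_uniform(jitter < 3600 ? jitter : 3600);`. The function's closing brace ends the hunk, but its body and the comment that explains the two ranges start before it.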