From: Matthijs Mekking
Date: Tue, 16 Apr 2024 13:49:13 +0000 (+0200)
Subject: Add checkconf check for signatures-jitter
X-Git-Tag: v9.19.24~28^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c3d8932f79907bf55580bc0ff86f38343a785914;p=thirdparty%2Fbind9.git

Add checkconf check for signatures-jitter

Having a value higher than signatures-validity does not make sense and should be treated as a configuration error.
---
diff --git a/bin/tests/system/checkconf/bad-kasp-jitter.conf b/bin/tests/system/checkconf/bad-kasp-jitter.conf
new file mode 100644
index 00000000000..e3589574370
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-jitter.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy jitter is more than signatures-validity,
+ * which is not allowed.
+ */
+dnssec-policy high-jitter {
+ signatures-jitter P8DT1S;
+ signatures-validity P8D;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ dnssec-policy high-jitter;
+};
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index e9341671cd7..aab79e90645 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
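Review bot: bad-kasp-jitter.conf exercises only the signatures-validity branch of the new kaspconf.c check: signatures-validity-dnskey is not set in the policy, so unless its default is below eight days the signatures-validity-dnskey error path added in the same commit is never reached by this fixture. A second bad config, or a second policy in this file, with `signatures-validity-dnskey` set below the jitter and a larger signatures-validity would cover that branch. If the checkconf test driver does not pick up bad-*.conf files automatically, the new file also needs registering there; that list is not part of this diff.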
@@ -6487,7 +6487,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
 vary the validity interval of individual signatures. The validity of a
 newly generated signatures is in range between :any:`signatures-validity`
 (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
- (minimum). The default jitter is 12 hours.
+ (minimum). The default jitter is 12 hours and the configured value must
+ be lower than :any:`signatures-validity` and
+ :any:`signatures-validity-dnskey`.
 
 .. namedconf:statement:: signatures-refresh
 :tags: dnssec
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 1302bb4dbaa..a6b8f2adf4a 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1486,6 +1486,11 @@ dns__jitter_expire(dns_zone_t *zone) {
 if (kasp != NULL) {
 jitter = dns_kasp_sigjitter(kasp);
 sigvalidity = dns_kasp_sigvalidity(kasp);
+ INSIST(jitter <= sigvalidity);
+ }
+
+ if (jitter > sigvalidity) {
+ jitter = sigvalidity;
 }
 
 if (sigvalidity >= 3600U) {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 5d6a2428aec..c70579e0aff 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6926,6 +6926,11 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
 if (zone->kasp != NULL) {
 jitter = dns_kasp_sigjitter(zone->kasp);
 sigvalidity = dns_kasp_sigvalidity(zone->kasp);
+ INSIST(jitter <= sigvalidity);
+ }
+
+ if (jitter > sigvalidity) {
+ jitter = sigvalidity;
 }
 
 *inception = now - 3600; /* Allow for clock skew. */
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 9b65b636081..419818f2570 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
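Review bot: The `INSIST(jitter <= sigvalidity);` inside the `kasp != NULL` branch of dns__jitter_expire makes a policy that reaches this code unchecked a fatal assertion (INSIST failures terminate named), even though the clamp added right below it, `if (jitter > sigvalidity) { jitter = sigvalidity; }`, would bound the value harmlessly; the zone.c hunk in calculate_rrsig_validity adds the same pair. With both present the clamp is dead for kasp zones and the failure mode is a server abort instead of a shortened expiry, so I would drop the INSIST and let the unconditional clamp cover both the kasp and the non-kasp sources of jitter, or at most log a warning when the clamp engages. Where the non-kasp jitter and sigvalidity values come from, and whether they are validated, is before the hunk and not visible here; both functions begin and end outside their hunks.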
@@ -480,6 +480,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 }
 dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
 
+ if (sigjitter > sigvalidity) {
+ cfg_obj_log(
+ config, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: policy '%s' signatures-jitter cannot "
+ "be larger than signatures-validity-dnskey",
+ kaspname);
+ result = ISC_R_FAILURE;
+ }
+
 sigvalidity = get_duration(maps, "signatures-validity",
 DNS_KASP_SIG_VALIDITY);
 if (sigrefresh >= (sigvalidity * 0.9)) {
@@ -492,6 +501,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 }
 dns_kasp_setsigvalidity(kasp, sigvalidity);
 
+ if (sigjitter > sigvalidity) {
+ cfg_obj_log(
+ config, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: policy '%s' signatures-jitter cannot "
+ "be larger than signatures-validity",
+ kaspname);
+ result = ISC_R_FAILURE;
+ }
+
 if (result != ISC_R_SUCCESS) {
 goto cleanup;
 }
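Review bot: The new check rejects only `sigjitter > sigvalidity`, so a jitter equal to the validity passes, while the reference.rst change in this same commit says the value must be lower than both validities and the error text says "larger"; the code and the documentation should agree. If the expiry is derived as validity minus a jitter of up to the full configured amount, which is what the zone.c and update.c clamps suggest, an equal value could yield a signature with an effectively empty validity window, so `if (sigjitter >= sigvalidity)` with "cannot be equal to or larger than" wording looks like the intended rule; the same applies to the second hunk for signatures-validity. The two added blocks differ only in the option name, and a small static helper taking the option name and the two durations would remove the duplication. sigjitter is read before this hunk, so whether it already carries a default is not visible here.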