If kasp is not used, use legacy signature jitter

If the zone is signed in a way other than 'dnssec-policy', use
the legacy way of jittering signatures, that is, calculate the jitter by
taking the two values of 'sig-validity-interval' and subtracting the
second value from the first.
This commit is contained in:
Matthijs Mekking 2024-04-18 16:02:48 +02:00
parent f211c05990
commit 0134b91feb
2 changed files with 14 additions and 0 deletions


@ -1502,6 +1502,13 @@ dns__jitter_expire(dns_zone_t *zone) {
jitter = dns_kasp_sigjitter(kasp);
sigvalidity = dns_kasp_sigvalidity(kasp);
INSIST(jitter <= sigvalidity);
} else {
jitter = dns_zone_getsigresigninginterval(zone);
if (jitter > sigvalidity) {
jitter = sigvalidity;
} else {
jitter = sigvalidity - jitter;
}
}
if (jitter > sigvalidity) {
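Review bot: The clamp `if (jitter > sigvalidity) { jitter = sigvalidity; }` inside the new else branch is redundant with the existing `if (jitter > sigvalidity) {` that immediately follows the block, so the branch could be reduced to `jitter = dns_zone_getsigresigninginterval(zone); if (jitter <= sigvalidity) { jitter = sigvalidity - jitter; }` and leave the existing guard to handle the oversized case, unless the two clamps are meant to diverge later. The same seven lines are added verbatim to calculate_rrsig_validity in the second file section; a small static helper taking the zone and the validity interval and returning the legacy jitter would keep the two computations from drifting apart. The else branch also reads `sigvalidity`, whose assignment on the non-kasp path lies outside the hunk; it presumably comes from the zone's legacy sig-validity-interval, which is worth confirming since the subtraction is only meaningful against that value. dns__jitter_expire's body begins and ends outside the hunk.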


@ -7200,6 +7200,13 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
jitter = dns_kasp_sigjitter(zone->kasp);
sigvalidity = dns_kasp_sigvalidity(zone->kasp);
INSIST(jitter <= sigvalidity);
} else {
jitter = dns_zone_getsigresigninginterval(zone);
if (jitter > sigvalidity) {
jitter = sigvalidity;
} else {
jitter = sigvalidity - jitter;
}
}
if (jitter > sigvalidity) {
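Review bot: The legacy formula `jitter = sigvalidity - jitter;` is not self-explanatory in calculate_rrsig_validity, because the variable named jitter holds the resigning interval until that line and the relationship to the two 'sig-validity-interval' values is only stated in the commit message; a comment above the else branch such as `/* No dnssec-policy: legacy jitter is the validity interval minus the resigning interval, clamped to the validity interval. */` would carry that intent into the code. The enclosing function starts and ends outside the hunk.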