From 0134b91febaa7abf5ee85fbeadd65020b35c4a04 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 18 Apr 2024 16:02:48 +0200
Subject: [PATCH] If kasp is not used, use legacy signature jitter

If the zone is signed with a different way than 'dnssec-policy', use the legacy way of jittering signatures, that is calculate jitter by taking the two values of 'sig-validity-interval' and subtracting the second value from the first value.
---
 lib/dns/update.c | 7 +++++++
 lib/dns/zone.c | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/lib/dns/update.c b/lib/dns/update.c
index f062e8aff6..b4d2a1258e 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1502,6 +1502,13 @@ dns__jitter_expire(dns_zone_t *zone) {
 jitter = dns_kasp_sigjitter(kasp);
 sigvalidity = dns_kasp_sigvalidity(kasp);
 INSIST(jitter <= sigvalidity);
+ } else {
+ jitter = dns_zone_getsigresigninginterval(zone);
+ if (jitter > sigvalidity) {
+ jitter = sigvalidity;
+ } else {
+ jitter = sigvalidity - jitter;
+ }
 }
 
 if (jitter > sigvalidity) {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4cbb3d316a..2bf1a50bb8 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -7200,6 +7200,13 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
 jitter = dns_kasp_sigjitter(zone->kasp);
 sigvalidity = dns_kasp_sigvalidity(zone->kasp);
 INSIST(jitter <= sigvalidity);
+ } else {
+ jitter = dns_zone_getsigresigninginterval(zone);
+ if (jitter > sigvalidity) {
+ jitter = sigvalidity;
+ } else {
+ jitter = sigvalidity - jitter;
+ }
 }
 
 if (jitter > sigvalidity) {
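Review bot: The clamp in the new else branch is discontinuous: a resigning interval one second short of sigvalidity yields a jitter of 1, an interval equal to it yields 0, but an interval larger than sigvalidity jumps to the maximum jitter of sigvalidity, so a misconfigured (too long) resign interval produces the widest spread of expiry times rather than the narrowest; the same code is added to calculate_rrsig_validity in lib/dns/zone.c. If the full-validity jitter for the overlong case is intended, a comment should say so, e.g. `/* Legacy (non-kasp): jitter = validity - resign interval; a resign interval past the validity jitters across the whole validity. */`; otherwise both cases should presumably collapse to the same value. The branch also reads sigvalidity, which must already hold the zone's configured validity at this point — its assignment is outside the hunk, so this is inferred. Since the block is now duplicated verbatim in two files, a small shared helper in the zone module would keep the two in step; dns__jitter_expire continues past the end of the hunk.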