add support -T sigvalinsecs

2026-04-21 14:17:27 -04:00 · 2018-05-03 16:43:15 +10:00 · 2018-05-03 16:43:15 +10:00 · 87a3dc8ab9
commit 87a3dc8ab9
parent 0667bf7ae7
4 changed files with 69 additions and 25 deletions
--- a/bin/named/main.c
+++ b/bin/named/main.c
@ -129,6 +129,7 @@ static unsigned int delay = 0;
 static isc_boolean_t nonearest = ISC_FALSE;
 static isc_boolean_t notcp = ISC_FALSE;
 static isc_boolean_t fixedlocal = ISC_FALSE;
+static isc_boolean_t sigvalinsecs = ISC_FALSE;

 /*
 * -4 and -6
@ -541,6 +542,8 @@ parse_T_opt(char *option) {
 		if (dns_zone_mkey_month < dns_zone_mkey_day) {
 			named_main_earlyfatal("bad mkeytimer");
 		}
+	} else if (!strcmp(option, "sigvalinsecs")) {
+		sigvalinsecs = ISC_TRUE;
 	} else if (!strncmp(option, "tat=", 4)) {
 		named_g_tat_interval = atoi(option + 4);
 	} else {
@ -1111,6 +1114,8 @@ setup(void) {
 		ns_server_setoption(sctx, NS_SERVER_DISABLE4, ISC_TRUE);
 	if (disable6)
 		ns_server_setoption(sctx, NS_SERVER_DISABLE6, ISC_TRUE);
+	if (sigvalinsecs)
+		ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, ISC_TRUE);

 	named_g_server->sctx->delay = delay;
 }
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -1439,7 +1439,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	}

 	if (ztype == dns_zone_master || raw != NULL) {
+		const cfg_obj_t *validity, *resign;
 		isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
+		isc_boolean_t sigvalinsecs;

 		obj = NULL;
 		result = named_config_get(maps, "dnskey-sig-validity", &obj);
@ -1450,26 +1452,29 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = named_config_get(maps, "sig-validity-interval", &obj);
 		INSIST(result == ISC_R_SUCCESS && obj != NULL);
-		{
-			const cfg_obj_t *validity, *resign;

-			validity = cfg_tuple_get(obj, "validity");
-			seconds = cfg_obj_asuint32(validity) * 86400;
-			dns_zone_setsigvalidityinterval(zone, seconds);
-
-			resign = cfg_tuple_get(obj, "re-sign");
-			if (cfg_obj_isvoid(resign)) {
-				seconds /= 4;
-			} else {
-				if (seconds > 7 * 86400)
-					seconds = cfg_obj_asuint32(resign) *
-							86400;
-				else
-					seconds = cfg_obj_asuint32(resign) *
-							3600;
-			}
-			dns_zone_setsigresigninginterval(zone, seconds);
+		sigvalinsecs = ns_server_getoption(named_g_server->sctx,
+						   NS_SERVER_SIGVALINSECS);
+		validity = cfg_tuple_get(obj, "validity");
+		seconds = cfg_obj_asuint32(validity);
+		if (!sigvalinsecs) {
+			seconds *= 86400;
 		}
+		dns_zone_setsigvalidityinterval(zone, seconds);
+
+		resign = cfg_tuple_get(obj, "re-sign");
+		if (cfg_obj_isvoid(resign)) {
+			seconds /= 4;
+		} else if (!sigvalinsecs) {
+			if (seconds > 7 * 86400) {
+				seconds = cfg_obj_asuint32(resign) * 86400;
+			} else {
+				seconds = cfg_obj_asuint32(resign) * 3600;
+			}
+		} else {
+			seconds = cfg_obj_asuint32(resign);
+		}
+		dns_zone_setsigresigninginterval(zone, seconds);

 		obj = NULL;
 		result = named_config_get(maps, "key-directory", &obj);
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -6412,6 +6412,7 @@ zone_resigninc(dns_zone_t *zone) {
 	isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire, stop;
+	isc_uint32_t jitter, sigvalidityinterval;
 	unsigned int i;
 	unsigned int nkeys = 0;
 	unsigned int resign;
@ -6456,14 +6457,24 @@ zone_resigninc(dns_zone_t *zone) {
 		goto failure;
 	}

+	sigvalidityinterval = zone->sigvalidityinterval;
 	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	soaexpire = now + sigvalidityinterval;
 	/*
 	 * Spread out signatures over time if they happen to be
 	 * clumped.  We don't do this for each add_sigs() call as
 	 * we still want some clustering to occur.
 	 */
-	expire = soaexpire - isc_random_uniform(3600) - 1;
+	if (sigvalidityinterval >= 3600U) {
+		if (sigvalidityinterval > 7200U) {
+			jitter = isc_random_uniform(3600);
+		} else {
+			jitter = isc_random_uniform(1200);
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
 	stop = now + 5;

 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@ -7406,6 +7417,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	isc_boolean_t first;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire;
+	isc_uint32_t jitter, sigvalidityinterval;
 	unsigned int i;
 	unsigned int nkeys = 0;
 	isc_uint32_t nodes;
@ -7474,15 +7486,25 @@ zone_nsec3chain(dns_zone_t *zone) {
 		goto failure;
 	}

+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	soaexpire = now + sigvalidityinterval;

 	/*
 	 * Spread out signatures over time if they happen to be
 	 * clumped.  We don't do this for each add_sigs() call as
 	 * we still want some clustering to occur.
 	 */
-	expire = soaexpire - isc_random_uniform(3600);
+	if (sigvalidityinterval >= 3600U) {
+		if (sigvalidityinterval > 7200U) {
+			jitter = isc_random_uniform(3600);
+		} else {
+			jitter = isc_random_uniform(1200);
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}

 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
@ -8342,6 +8364,7 @@ zone_sign(dns_zone_t *zone) {
 	isc_boolean_t first;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire;
+	isc_uint32_t jitter, sigvalidityinterval;
 	unsigned int i, j;
 	unsigned int nkeys = 0;
 	isc_uint32_t nodes;
@ -8392,15 +8415,25 @@ zone_sign(dns_zone_t *zone) {
 		goto failure;
 	}

+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	soaexpire = now + sigvalidityinterval;

 	/*
 	 * Spread out signatures over time if they happen to be
 	 * clumped.  We don't do this for each add_sigs() call as
 	 * we still want some clustering to occur.
 	 */
-	expire = soaexpire - isc_random_uniform(3600);
+	if (sigvalidityinterval >= 3600U) {
+		if (sigvalidityinterval > 7200U) {
+			jitter = isc_random_uniform(3600);
+		} else {
+			jitter = isc_random_uniform(1200);
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}

 	/*
 	 * We keep pulling nodes off each iterator in turn until
@ -17633,7 +17666,7 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,

 	keyexpire = dns_zone_getkeyvalidityinterval(zone);
 	if (keyexpire == 0) {
-		keyexpire = soaexpire;
+		keyexpire = soaexpire - 1;
 	} else {
 		keyexpire += now;
 	}
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@ -40,6 +40,7 @@
 #define NS_SERVER_DISABLE4	0x00000100U	/*%< -6 */
 #define NS_SERVER_DISABLE6	0x00000200U	/*%< -4 */
 #define NS_SERVER_FIXEDLOCAL	0x00000400U	/*%< -T fixedlocal */
+#define NS_SERVER_SIGVALINSECS	0x00000800U	/*%< -T sigvalinsecs */

 /*%
 * Type for callback function to get hostname.