Add checkconf check for signatures-jitter

Having a value higher than signatures-validity does not make sense
and should be treated as a configuration error.

(cherry picked from commit c3d8932f79)

bin/tests/system/checkconf/bad-kasp-jitter.conf

@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy jitter is more than signatures-validity,
+ * which is not allowed.
+ */
+dnssec-policy high-jitter {
+	signatures-jitter P8DT1S;
+	signatures-validity P8D;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy high-jitter;
+};

doc/arm/reference.rst

@@ -6517,7 +6517,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
     vary the validity interval of individual signatures. The validity of a
     newly generated signatures is in range between :any:`signatures-validity`
     (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
-    (minimum). The default jitter is 12 hours.
+    (minimum). The default jitter is 12 hours and the configured value must
+    be lower than :any:`signatures-validity` and
+    :any:`signatures-validity-dnskey`.
 
 .. namedconf:statement:: signatures-refresh
    :tags: dnssec

lib/dns/update.c

@@ -1501,6 +1501,11 @@ dns__jitter_expire(dns_zone_t *zone) {
 	if (kasp != NULL) {
 		jitter = dns_kasp_sigjitter(kasp);
 		sigvalidity = dns_kasp_sigvalidity(kasp);
+		INSIST(jitter <= sigvalidity);
+	}
+
+	if (jitter > sigvalidity) {
+		jitter = sigvalidity;
 	}
 
 	if (sigvalidity >= 3600U) {

lib/dns/zone.c

@@ -7199,6 +7199,11 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
 	if (zone->kasp != NULL) {
 		jitter = dns_kasp_sigjitter(zone->kasp);
 		sigvalidity = dns_kasp_sigvalidity(zone->kasp);
+		INSIST(jitter <= sigvalidity);
+	}
+
+	if (jitter > sigvalidity) {
+		jitter = sigvalidity;
 	}
 
 	*inception = now - 3600; /* Allow for clock skew. */

lib/isccfg/kaspconf.c

@@ -380,6 +380,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	}
 	dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
 
+	if (sigjitter > sigvalidity) {
+		cfg_obj_log(
+			config, logctx, ISC_LOG_ERROR,
+			"dnssec-policy: policy '%s' signatures-jitter cannot "
+			"be larger than signatures-validity-dnskey",
+			kaspname);
+		result = ISC_R_FAILURE;
+	}
+
 	sigvalidity = get_duration(maps, "signatures-validity",
 				   DNS_KASP_SIG_VALIDITY);
 	if (sigrefresh >= (sigvalidity * 0.9)) {
@@ -392,6 +401,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	}
 	dns_kasp_setsigvalidity(kasp, sigvalidity);
 
+	if (sigjitter > sigvalidity) {
+		cfg_obj_log(
+			config, logctx, ISC_LOG_ERROR,
+			"dnssec-policy: policy '%s' signatures-jitter cannot "
+			"be larger than signatures-validity",
+			kaspname);
+		result = ISC_R_FAILURE;
+	}
+
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
 	}