From f211c05990ba50ba83c8a4ca0246a06cef08368d Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 16 Apr 2024 15:49:13 +0200 Subject: [PATCH] Add checkconf check for signatures-jitter Having a value higher than signatures-validity does not make sense and should be treated as a configuration error. (cherry picked from commit c3d8932f79907bf55580bc0ff86f38343a785914) --- .../system/checkconf/bad-kasp-jitter.conf | 27 +++++++++++++++++++ doc/arm/reference.rst | 4 ++- lib/dns/update.c | 5 ++++ lib/dns/zone.c | 5 ++++ lib/isccfg/kaspconf.c | 18 +++++++++++++ 5 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/checkconf/bad-kasp-jitter.conf diff --git a/bin/tests/system/checkconf/bad-kasp-jitter.conf b/bin/tests/system/checkconf/bad-kasp-jitter.conf new file mode 100644 index 0000000000..e358957437 --- /dev/null +++ b/bin/tests/system/checkconf/bad-kasp-jitter.conf @@ -0,0 +1,27 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * The dnssec-policy jitter is more than signatures-validity, + * which is not allowed. + */ +dnssec-policy high-jitter { + signatures-jitter P8DT1S; + signatures-validity P8D; +}; + +zone "example.net" { + type primary; + file "example.db"; + dnssec-policy high-jitter; +}; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 214f64edfe..cb2f5126af 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
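Review bot: The new fixture bad-kasp-jitter.conf only pins the `signatures-validity` comparison, because the `high-jitter` policy leaves `signatures-validity-dnskey` unset. Whether the first of the two new errors in cfg_kasp_fromconfig() is ever reached by this test depends on the built-in default, which this patch does not show. A second bad policy that sets `signatures-validity-dnskey P8D;` together with a larger `signatures-validity` would cover that branch on its own. A boundary fixture with `signatures-jitter P8D;` and `signatures-validity P8D;` would also record whether equality is meant to pass or fail.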
@@ -6517,7 +6517,9 @@ The following options can be specified in a :any:`dnssec-policy` statement: vary the validity interval of individual signatures. The validity of a newly generated signatures is in range between :any:`signatures-validity` (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter` - (minimum). The default jitter is 12 hours. + (minimum). The default jitter is 12 hours and the configured value must + be lower than :any:`signatures-validity` and + :any:`signatures-validity-dnskey`. .. namedconf:statement:: signatures-refresh :tags: dnssec diff --git a/lib/dns/update.c b/lib/dns/update.c index d3c449e83d..f062e8aff6 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1501,6 +1501,11 @@ dns__jitter_expire(dns_zone_t *zone) { if (kasp != NULL) { jitter = dns_kasp_sigjitter(kasp); sigvalidity = dns_kasp_sigvalidity(kasp); + INSIST(jitter <= sigvalidity); + } + + if (jitter > sigvalidity) { + jitter = sigvalidity; } if (sigvalidity >= 3600U) { diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 1ad55e3c43..4cbb3d316a 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -7199,6 +7199,11 @@ calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now, if (zone->kasp != NULL) { jitter = dns_kasp_sigjitter(zone->kasp); sigvalidity = dns_kasp_sigvalidity(zone->kasp); + INSIST(jitter <= sigvalidity); + } + + if (jitter > sigvalidity) { + jitter = sigvalidity; } *inception = now - 3600; /* Allow for clock skew. */ diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index db0a382324..a482062a2b 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c 
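Review bot: `INSIST(jitter <= sigvalidity);` in dns__jitter_expire() turns a violated invariant into a process abort on the signing path, and the only enforcement added by this patch is the parse-time check in cfg_kasp_fromconfig(); the same assertion is added to calculate_rrsig_validity() in lib/dns/zone.c. If a policy object can be built or modified by any path that skips that check (not visible here), the server would stop instead of signing with a bounded jitter. The clamp `if (jitter > sigvalidity) { jitter = sigvalidity; }` directly below already handles the case safely, so consider dropping the INSIST or enforcing the bound where the kasp values are set. If both are kept, a comment such as `/* Enforced by cfg_kasp_fromconfig(); the clamp covers the non-kasp defaults. */` would explain why the clamp is not dead code. Both function bodies start and end outside these hunks.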
@@ -380,6 +380,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, } dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity); + if (sigjitter > sigvalidity) { + cfg_obj_log( + config, logctx, ISC_LOG_ERROR, + "dnssec-policy: policy '%s' signatures-jitter cannot " + "be larger than signatures-validity-dnskey", + kaspname); + result = ISC_R_FAILURE; + } + sigvalidity = get_duration(maps, "signatures-validity", DNS_KASP_SIG_VALIDITY); if (sigrefresh >= (sigvalidity * 0.9)) { @@ -392,6 +401,15 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, } dns_kasp_setsigvalidity(kasp, sigvalidity); + if (sigjitter > sigvalidity) { + cfg_obj_log( + config, logctx, ISC_LOG_ERROR, + "dnssec-policy: policy '%s' signatures-jitter cannot " + "be larger than signatures-validity", + kaspname); + result = ISC_R_FAILURE; + } + if (result != ISC_R_SUCCESS) { goto cleanup; }
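Review bot: Both new checks in cfg_kasp_fromconfig() test `sigjitter > sigvalidity`, so a jitter equal to the validity is accepted, while the reference.rst text changed in this same patch says the value "must be lower than" `signatures-validity` and `signatures-validity-dnskey`. With equality the documented minimum validity (validity minus jitter) is zero, which presumably allows signatures that are already at their expiry when generated. Either tighten both conditions to `if (sigjitter >= sigvalidity) {` and word the log messages as "must be lower than", or change the documentation to "must not be larger than". This applies to the hunk at -380 and the one at -392; the function continues outside both.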