1840. [func] dnssec-signzone can now randomize signature endtimes

(dnssec-signzone -j jitter). [RT #13609]

1840. [func] dnssec-signzone can now randomize signature endtimes
(dnssec-signzone -j jitter). [RT #13609]
6e8a8077 · Mark Andrews · 1b66648a · 6e8a8077 · 6e8a8077 · 6e8a8077
Commit 6e8a8077 authored Mar 22, 2005 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+1840.	[func]		dnssec-signzone can now randomize signature endtimes
+			(dnssec-signzone -j jitter). [RT #13609]
+
 1839.	[bug]		<isc/hash.h> was not being installed.

 1838.	[placeholder]	rt13707

--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signzone.c,v 1.186 2005/03/17 03:56:09 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.187 2005/03/22 02:20:03 marka Exp $ */

 #include <config.h>

@@ -33,6 +33,7 @@
 #include <isc/mutex.h>
 #include <isc/os.h>
 #include <isc/print.h>
+#include <isc/random.h>
 #include <isc/serial.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
@@ -96,6 +97,7 @@ static ISC_LIST(signer_key_t) keylist;
 static unsigned int keycount = 0;
 static isc_stdtime_t starttime = 0, endtime = 0, now;
 static int cycle = -1;
+static int jitter = 0;
 static isc_boolean_t tryverify = ISC_FALSE;
 static isc_boolean_t printstats = ISC_FALSE;
 static isc_mem_t *mctx = NULL;
@@ -217,8 +219,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	    dst_key_t *key, isc_buffer_t *b)
 {
 	isc_result_t result;
+	isc_stdtime_t jendtime;

-	result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
+	jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
+	result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
 				 mctx, b, rdata);
 	isc_entropy_stopcallbacksources(ectx);
 	if (result != ISC_R_SUCCESS) {
@@ -1653,6 +1657,8 @@ usage(void) {
 	fprintf(stderr, "\t-i interval:\n");
 	fprintf(stderr, "\t\tcycle interval - resign "
 				"if < interval from end ( (end-start)/4 )\n");
+	fprintf(stderr, "\t-j jitter:\n");
+	fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
 	fprintf(stderr, "\t-v debuglevel (0)\n");
 	fprintf(stderr, "\t-o origin:\n");
 	fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
@@ -1745,7 +1751,7 @@ main(int argc, char *argv[]) {
 	dns_result_register();

 	while ((ch = isc_commandline_parse(argc, argv,
-					   "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
+					   "ac:d:e:f:ghi:j:k:l:n:o:pr:s:Stv:z"))
 	       != -1) {
 		switch (ch) {
 		case 'a':
@@ -1785,6 +1791,13 @@ main(int argc, char *argv[]) {
 				      "positive");
 			break;

+		case 'j':
+			endp = NULL;
+			jitter = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0' || jitter < 0)
+				fatal("jitter must be numeric and positive");
+			break;
+
 		case 'l': 
 			dns_fixedname_init(&dlv_fixed);
 			len = strlen(isc_commandline_argument);

--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -16,7 +16,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: dnssec-signzone.docbook,v 1.12 2004/06/11 01:12:40 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.13 2005/03/22 02:20:03 marka Exp $ -->

 <refentry>
  <refentryinfo>
@@ -47,6 +47,7 @@
      <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
      <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+      <arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
      <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
      <arg><option>-p</option></arg>
@@ -210,6 +211,30 @@
 	</listitem>
      </varlistentry>

+      <varlistentry>
+        <term>
+	<listitem>
+	  <para>
+	       When signing a zone with a fixed signature lifetime, all
+	       RRSIG records issued at the time of signing expires
+	       simultaneously.  If the zone is incrementally signed, i.e.
+	       a previously signed zone is passed as input to the signer,
+	       all expired signatures has to be regenerated at about the
+	       same time.  The <option>jitter</option> option specifies a
+	       jitter window that will be used to randomize the signature
+	       expire time, thus spreading incremental signature
+	       regeneration over time.
+	  </para>
+	  <para>
+	       Signature lifetime jitter also to some extent benefits
+	       validators and servers by spreading out cache expiration,
+	       i.e. if large numbers of RRSIGs don't expire at the same time
+	       from all caches there will be less congestion than if all
+	       validators need to refetch at mostly the same time.
+	  </para>
+	</listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>-n <replaceable class="parameter">ncpus</replaceable></term>
 	<listitem>