6e8a8077
Commit
6e8a8077
authored
Mar 22, 2005
by
Mark Andrews
1840. [func] dnssec-signzone can now randomize signature endtimes
(dnssec-signzone -j jitter). [RT #13609]
parent
1b66648a
Changes
3
CHANGES
1840. [func] dnssec-signzone can now randomize signature endtimes
(dnssec-signzone -j jitter). [RT #13609]
1839. [bug] <isc/hash.h> was not being installed.
1838. [placeholder] rt13707
...
...
bin/dnssec/dnssec-signzone.c
...
...
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.18
6
2005/03/
17 03:56
:0
9
marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.18
7
2005/03/
22 02:20
:0
3
marka Exp $ */
#include <config.h>
...
...
@@ -33,6 +33,7 @@
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/serial.h>
#include <isc/stdio.h>
#include <isc/string.h>
...
...
@@ -96,6 +97,7 @@ static ISC_LIST(signer_key_t) keylist;
static
unsigned
int
keycount
=
0
;
static
isc_stdtime_t
starttime
=
0
,
endtime
=
0
,
now
;
static
int
cycle
=
-
1
;
static
int
jitter
=
0
;
static
isc_boolean_t
tryverify
=
ISC_FALSE
;
static
isc_boolean_t
printstats
=
ISC_FALSE
;
static
isc_mem_t
*
mctx
=
NULL
;
...
...
@@ -217,8 +219,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
dst_key_t
*
key
,
isc_buffer_t
*
b
)
{
isc_result_t
result
;
isc_stdtime_t
jendtime
;
result
=
dns_dnssec_sign
(
name
,
rdataset
,
key
,
&
starttime
,
&
endtime
,
jendtime
=
(
jitter
!=
0
)
?
isc_random_jitter
(
endtime
,
jitter
)
:
endtime
;
result
=
dns_dnssec_sign
(
name
,
rdataset
,
key
,
&
starttime
,
&
jendtime
,
mctx
,
b
,
rdata
);
isc_entropy_stopcallbacksources
(
ectx
);
if
(
result
!=
ISC_R_SUCCESS
)
{
...
...
@@ -1653,6 +1657,8 @@ usage(void) {
fprintf
(
stderr
,
"
\t
-i interval:
\n
"
);
fprintf
(
stderr
,
"
\t\t
cycle interval - resign "
"if < interval from end ( (end-start)/4 )
\n
"
);
fprintf
(
stderr
,
"
\t
-j jitter:
\n
"
);
fprintf
(
stderr
,
"
\t\t
randomize signature end time up to jitter seconds
\n
"
);
fprintf
(
stderr
,
"
\t
-v debuglevel (0)
\n
"
);
fprintf
(
stderr
,
"
\t
-o origin:
\n
"
);
fprintf
(
stderr
,
"
\t\t
zone origin (name of zonefile)
\n
"
);
...
...
@@ -1745,7 +1751,7 @@ main(int argc, char *argv[]) {
dns_result_register
();
while
((
ch
=
isc_commandline_parse
(
argc
,
argv
,
"ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"
))
"ac:d:e:f:ghi:
j:
k:l:n:o:pr:s:Stv:z"
))
!=
-
1
)
{
switch
(
ch
)
{
case
'a'
:
...
...
@@ -1785,6 +1791,13 @@ main(int argc, char *argv[]) {
"positive"
);
break
;
case
'j'
:
endp
=
NULL
;
jitter
=
strtol
(
isc_commandline_argument
,
&
endp
,
0
);
if
(
*
endp
!=
'\0'
||
jitter
<
0
)
fatal
(
"jitter must be numeric and positive"
);
break
;
case
'l'
:
dns_fixedname_init
(
&
dlv_fixed
);
len
=
strlen
(
isc_commandline_argument
);
...
...
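Review bot: Nothing bounds the jitter window by the signature lifetime or by the re-sign interval: the signwithkey hunk feeds `jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;` into dns_dnssec_sign, while the new `-j` case in main only rejects non-numeric or negative values. Whichever direction isc_random_jitter moves the end time (its body is not visible here), a jitter larger than endtime - starttime can yield a signature whose end precedes its start, and one larger than the cycle interval can expire before the next scheduled resign; both surface as validation failures at resolvers rather than as a signing-time error. Once starttime and endtime are known (after option parsing, outside these hunks) the tool should refuse the combination, e.g. `if (jitter != 0 && (isc_stdtime_t)jitter >= endtime - starttime) fatal("jitter must be less than the signature lifetime");`. Separately, `jitter = strtol(isc_commandline_argument, &endp, 0);` narrows a long into the int jitter with no ERANGE check, so an out-of-range argument can pass the `jitter < 0` test with a truncated value; parse into a long and range-check before assigning. The signwithkey body begins before and continues past its hunk, so the placement of the new check relative to the existing error handling is inferred.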
bin/dnssec/dnssec-signzone.docbook
...
...
@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.1
2
200
4
/0
6/11 01:12:40
marka Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.1
3
200
5
/0
3/22 02:20:03
marka Exp $ -->
<refentry>
<refentryinfo>
...
...
@@ -47,6 +47,7 @@
<arg><option>
-k
<replaceable
class=
"parameter"
>
key
</replaceable></option></arg>
<arg><option>
-l
<replaceable
class=
"parameter"
>
domain
</replaceable></option></arg>
<arg><option>
-i
<replaceable
class=
"parameter"
>
interval
</replaceable></option></arg>
<arg><option>
-j
<replaceable
class=
"parameter"
>
jitter
</replaceable></option></arg>
<arg><option>
-n
<replaceable
class=
"parameter"
>
nthreads
</replaceable></option></arg>
<arg><option>
-o
<replaceable
class=
"parameter"
>
origin
</replaceable></option></arg>
<arg><option>
-p
</option></arg>
...
...
@@ -210,6 +211,30 @@
</listitem>
</varlistentry>
<varlistentry>
<term>
<listitem>
<para>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The
<option>
jitter
</option>
option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</para>
<para>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-n
<replaceable
class=
"parameter"
>
ncpus
</replaceable></term>
<listitem>
...
...