Commit 6e8a8077 authored by Mark Andrews

1840. [func] dnssec-signzone can now randomize signature endtimes

			(dnssec-signzone -j jitter). [RT #13609]
parent 1b66648a
1840. [func] dnssec-signzone can now randomize signature endtimes
(dnssec-signzone -j jitter). [RT #13609]
1839. [bug] <isc/hash.h> was not being installed.
1838. [placeholder] rt13707
......
......@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.186 2005/03/17 03:56:09 marka Exp $ */
/* $Id: dnssec-signzone.c,v 1.187 2005/03/22 02:20:03 marka Exp $ */
#include <config.h>
......@@ -33,6 +33,7 @@
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/serial.h>
#include <isc/stdio.h>
#include <isc/string.h>
......@@ -96,6 +97,7 @@ static ISC_LIST(signer_key_t) keylist;
static unsigned int keycount = 0;
static isc_stdtime_t starttime = 0, endtime = 0, now;
static int cycle = -1;
static int jitter = 0;
static isc_boolean_t tryverify = ISC_FALSE;
static isc_boolean_t printstats = ISC_FALSE;
static isc_mem_t *mctx = NULL;
......@@ -217,8 +219,10 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
dst_key_t *key, isc_buffer_t *b)
{
isc_result_t result;
isc_stdtime_t jendtime;
result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
mctx, b, rdata);
isc_entropy_stopcallbacksources(ectx);
if (result != ISC_R_SUCCESS) {
......@@ -1653,6 +1657,8 @@ usage(void) {
fprintf(stderr, "\t-i interval:\n");
fprintf(stderr, "\t\tcycle interval - resign "
"if < interval from end ( (end-start)/4 )\n");
fprintf(stderr, "\t-j jitter:\n");
fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n");
fprintf(stderr, "\t-v debuglevel (0)\n");
fprintf(stderr, "\t-o origin:\n");
fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
......@@ -1745,7 +1751,7 @@ main(int argc, char *argv[]) {
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv,
"ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
"ac:d:e:f:ghi:j:k:l:n:o:pr:s:Stv:z"))
!= -1) {
switch (ch) {
case 'a':
......@@ -1785,6 +1791,13 @@ main(int argc, char *argv[]) {
"positive");
break;
case 'j':
endp = NULL;
jitter = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0' || jitter < 0)
fatal("jitter must be numeric and positive");
break;
case 'l':
dns_fixedname_init(&dlv_fixed);
len = strlen(isc_commandline_argument);
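Review bot: The new `case 'j'` assigns strtol()'s `long` straight into the `int` `jitter` with no ERANGE or INT_MAX check, so on LP64 hosts an argument above INT_MAX is truncated before the `jitter < 0` test runs — a value such as 4294967296 silently becomes 0 and disables jitter, while other oversized values only happen to be rejected because they wrap negative. Nothing relates the window to the validity period either: if `isc_random_jitter()` pulls the end time backwards (the helper is not visible here), a jitter at or above `endtime - starttime` can yield RRSIGs whose expiration precedes their inception, so once start/end are resolved (outside this hunk) add `if (jitter > 0 && (isc_stdtime_t)jitter >= endtime - starttime) fatal("jitter must be smaller than the signature validity period");`. The message says "positive" while 0 is accepted; "non-negative" would match the check. The fence below parses into a new `long` local `jitterl` and needs `<errno.h>` if it is not already included; `main()` continues beyond the hunk.
```c
case 'j':
        endp = NULL;
        errno = 0;
        jitterl = strtol(isc_commandline_argument, &endp, 0);
        if (*endp != '\0' || errno == ERANGE ||
            jitterl < 0 || jitterl > INT_MAX)
                fatal("jitter must be a non-negative integer");
        jitter = (int)jitterl;
        break;
/* … unchanged: remaining option cases … */
```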
......
......@@ -16,7 +16,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.12 2004/06/11 01:12:40 marka Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.13 2005/03/22 02:20:03 marka Exp $ -->
<refentry>
<refentryinfo>
......@@ -47,6 +47,7 @@
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-p</option></arg>
......@@ -210,6 +211,30 @@
</listitem>
</varlistentry>
<varlistentry>
<term>
<listitem>
<para>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously signed zone is passed as input to the signer,
all expired signatures has to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</para>
<para>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">ncpus</replaceable></term>
<listitem>
......