Commit c0c80df2 authored by Mark Andrews

Merge branch...

Merge branch '418-bind-in-auto-dnssec-mode-should-support-signature-expiration-jitter' into 'master'

Resolve "BIND in auto-dnssec mode should support signature expiration jitter"

Closes #418

See merge request !662
parents c5b4948d d68499e1
5028. [bug] Spread the initial RRSIG expiration times over the
entire working sig-validity-interval when signing a
zone in named to even out re-signing and transfer
loads. [GL #418]
5027. [func] Set SO_SNDBUF size on sockets. [GL #74]
5026. [bug] rndc reconfig should not touch already loaded zones.
......@@ -78,7 +78,7 @@ do
done
for z in bar. example. inacksk2.example. inacksk3.example \
inaczsk2.example. inaczsk3.example
do
do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
done
......@@ -91,6 +91,23 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "done"; fi
status=`expr $status + $ret`
echo_i "Initial counts of RRSIG expiry fields values for auto signed zones"
for z in .
do
echo_i zone $z
$DIG $DIGOPTS $z @10.53.0.1 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done
for z in bar. example. private.secure.example.
do
echo_i zone $z
$DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done
for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example
do
echo_i zone $z
$DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i
done
#
# Check that DNSKEY is initially signed with a KSK and not a ZSK.
#
......@@ -1147,7 +1164,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# this confirms that key events are never scheduled more than
# 'dnssec-loadkeys-interval' minutes in the future, and that the
# 'dnssec-loadkeys-interval' minutes in the future, and that the
# event scheduled is within 10 seconds of expected interval.
check_interval () {
awk '/next key event/ {print $2 ":" $9}' $1/named.run |
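Review bot: The new "Initial counts" block in the second hunk only prints a `sort | uniq -c` histogram of the RRSIG expiry field and never touches `ret` or `status`, so if the jitter spread regressed to a single expiry value the run would still pass; the `$DIG` calls there also drop the `|| ret=1` that the loop just above this hunk uses. If the block is meant as diagnostic output only, a one-line comment such as `# Diagnostic only: show how RRSIG expiry times are spread; no assertion here.` would make that explicit. Otherwise, for the zones that are actually auto-signed, assert that more than one distinct expiry value exists, e.g. `[ "$($DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort -u | wc -l)" -gt 1 ] || ret=1`, which is the property the change set out to provide. The zone list also mixes trailing-dot and dotless names (`inacksk2.example.` next to `inacksk3.example`); dig accepts both, but the inconsistency invites a typo later. The `check_interval` function that begins at the end of the third hunk continues past the hunk.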
......@@ -8419,7 +8419,7 @@ zone_sign(dns_zone_t *zone) {
bool first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
uint32_t jitter, sigvalidityinterval;
uint32_t jitter, sigvalidityinterval, expiryinterval;
unsigned int i, j;
unsigned int nkeys = 0;
uint32_t nodes;
......@@ -8473,6 +8473,12 @@ zone_sign(dns_zone_t *zone) {
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + sigvalidityinterval;
expiryinterval = dns_zone_getsigresigninginterval(zone);
if (expiryinterval > sigvalidityinterval) {
expiryinterval = sigvalidityinterval;
} else {
expiryinterval = sigvalidityinterval - expiryinterval;
}
/*
* Spread out signatures over time if they happen to be
......@@ -8481,7 +8487,7 @@ zone_sign(dns_zone_t *zone) {
*/
if (sigvalidityinterval >= 3600U) {
if (sigvalidityinterval > 7200U) {
jitter = isc_random_uniform(3600);
jitter = isc_random_uniform(expiryinterval);
} else {
jitter = isc_random_uniform(1200);
}