Commit dd05287a authored by Mark Andrews

add support -T sigvalinsecs

(cherry picked from commit 87a3dc8a)
(cherry picked from commit 69340b5a)
parent 298372d8
......@@ -182,6 +182,7 @@ EXTERN isc_boolean_t ns_g_disable6 INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_disable4 INIT(ISC_FALSE);
EXTERN unsigned int ns_g_tat_interval INIT(24*3600);
EXTERN isc_boolean_t ns_g_fixedlocal INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_sigvalinsecs INIT(ISC_FALSE);
#ifdef HAVE_GEOIP
EXTERN dns_geoip_databases_t *ns_g_geoip INIT(NULL);
......
......@@ -532,6 +532,8 @@ parse_T_opt(char *option) {
if (dns_zone_mkey_month < dns_zone_mkey_day) {
ns_main_earlyfatal("bad mkeytimer");
}
} else if (!strcmp(option, "sigvalinsecs")) {
ns_g_sigvalinsecs = ISC_TRUE;
} else if (!strncmp(option, "tat=", 4)) {
ns_g_tat_interval = atoi(option + 4);
} else {
......
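Review bot: The new `sigvalinsecs` branch sets a global that changes the units in which every zone's `sig-validity-interval` is read, but nothing at the parse site says so; a comment above the `else if`, e.g. `/* Testing aid: treat sig-validity-interval values as seconds rather than days/hours. */`, would save the next reader a trip to the zone configuration code. Since `-T` switches are test-only, the keyword presumably also belongs in whatever lists the accepted `-T` options (man page or usage text); no such update appears in the commit as shown. parse_T_opt starts and ends outside the hunk.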
......@@ -1349,31 +1349,33 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
}
if (ztype == dns_zone_master || raw != NULL) {
const cfg_obj_t *validity, *resign;
isc_boolean_t allow = ISC_FALSE, maint = ISC_FALSE;
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
{
const cfg_obj_t *validity, *resign;
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity) * 86400;
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!ns_g_sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!ns_g_sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
} else {
if (seconds > 7 * 86400)
seconds = cfg_obj_asuint32(resign) *
86400;
else
seconds = cfg_obj_asuint32(resign) *
3600;
seconds = cfg_obj_asuint32(resign) * 3600;
}
dns_zone_setsigresigninginterval(zone, seconds);
} else {
seconds = cfg_obj_asuint32(resign);
}
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
......
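Review bot: With `ns_g_sigvalinsecs` set, the default re-sign interval computed by `seconds /= 4` in the `cfg_obj_isvoid(resign)` branch is 0 for any validity interval under 4 seconds, and the hunk does not show whether `dns_zone_setsigresigninginterval` copes with 0; a floor such as `if (seconds == 0) { seconds = 1; }` just before the setter call would keep the test-mode path well-defined. The unit switch itself deserves a comment at the `if (!ns_g_sigvalinsecs)` line, e.g. `/* -T sigvalinsecs: validity and re-sign are already in seconds, not days/hours. */`, since the same flag silently changes the meaning of the re-sign value further down. ns_zone_configure starts and ends outside the hunk.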
......@@ -6435,7 +6435,7 @@ zone_resigninc(dns_zone_t *zone) {
isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire, stop;
isc_uint32_t jitter;
isc_uint32_t jitter, sigvalidityinterval;
unsigned int i;
unsigned int nkeys = 0;
unsigned int resign;
......@@ -6480,15 +6480,25 @@ zone_resigninc(dns_zone_t *zone) {
goto failure;
}
sigvalidityinterval = zone->sigvalidityinterval;
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
soaexpire = now + sigvalidityinterval;
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
isc_random_get(&jitter);
expire = soaexpire - jitter % 3600 - 1;
if (sigvalidityinterval >= 3600U) {
isc_random_get(&jitter);
if (sigvalidityinterval > 7200U) {
jitter %= 3600;
} else {
jitter %= 1200;
}
expire = soaexpire - jitter - 1;
} else {
expire = soaexpire - 1;
}
stop = now + 5;
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
......@@ -7382,7 +7392,7 @@ zone_nsec3chain(dns_zone_t *zone) {
isc_boolean_t first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
isc_uint32_t jitter;
isc_uint32_t jitter, sigvalidityinterval;
unsigned int i;
unsigned int nkeys = 0;
isc_uint32_t nodes;
......@@ -7451,16 +7461,26 @@ zone_nsec3chain(dns_zone_t *zone) {
goto failure;
}
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
soaexpire = now + sigvalidityinterval;
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
isc_random_get(&jitter);
expire = soaexpire - jitter % 3600;
if (sigvalidityinterval >= 3600U) {
isc_random_get(&jitter);
if (sigvalidityinterval > 7200U) {
jitter %= 3600;
} else {
jitter %= 1200;
}
expire = soaexpire - jitter - 1;
} else {
expire = soaexpire - 1;
}
check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
......@@ -8320,7 +8340,7 @@ zone_sign(dns_zone_t *zone) {
isc_boolean_t first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
isc_uint32_t jitter;
isc_uint32_t jitter, sigvalidityinterval;
unsigned int i, j;
unsigned int nkeys = 0;
isc_uint32_t nodes;
......@@ -8371,16 +8391,26 @@ zone_sign(dns_zone_t *zone) {
goto failure;
}
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + dns_zone_getsigvalidityinterval(zone);
soaexpire = now + sigvalidityinterval;
/*
* Spread out signatures over time if they happen to be
* clumped. We don't do this for each add_sigs() call as
* we still want some clustering to occur.
*/
isc_random_get(&jitter);
expire = soaexpire - jitter % 3600;
if (sigvalidityinterval >= 3600U) {
isc_random_get(&jitter);
if (sigvalidityinterval > 7200U) {
jitter %= 3600;
} else {
jitter %= 1200;
}
expire = soaexpire - jitter - 1;
} else {
expire = soaexpire - 1;
}
/*
* We keep pulling nodes off each iterator in turn until
......
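Review bot: zone_resigninc reads `sigvalidityinterval = zone->sigvalidityinterval;` directly while the equivalent new lines in zone_nsec3chain and zone_sign go through `dns_zone_getsigvalidityinterval(zone)`; if the accessor does any locking or clamping the direct read bypasses it, and either way one form should be used in all three places. The eleven-line jitter block that follows is now repeated verbatim in the three functions, so a small static helper taking `soaexpire` and `sigvalidityinterval` and returning `expire` would keep the 3600/7200/1200 thresholds in one spot and let the per-function `jitter` locals go; a sketch is below. Nothing in the hunks guards a zero validity interval, for which `expire = soaexpire - 1` lands before `now`; presumably that is rejected at configuration time, but it is worth confirming. All three enclosing functions start and end outside the hunks.
```c
/*
 * RRSIG expiry for one signing pass: just short of the SOA expiry,
 * backed off by a random jitter so clumped signatures are spread out.
 * Short validity intervals (e.g. under -T sigvalinsecs) get a smaller
 * jitter, or none, so signatures are not issued nearly expired.
 */
static isc_stdtime_t
jittered_expire(isc_stdtime_t soaexpire, isc_uint32_t sigvalidityinterval) {
	isc_uint32_t jitter;

	if (sigvalidityinterval < 3600U) {
		return (soaexpire - 1);
	}
	isc_random_get(&jitter);
	jitter %= (sigvalidityinterval > 7200U) ? 3600U : 1200U;
	return (soaexpire - jitter - 1);
}

/* … in zone_resigninc, zone_nsec3chain and zone_sign, replacing the if/else block … */
	expire = jittered_expire(soaexpire, sigvalidityinterval);
```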