Signature expiration calculation backwards compatibility bug
The `signatures-refresh` option determines when RRSIG records need to be refreshed: signatures that expire within this interval are refreshed.

However, the code also uses this value to determine the jitter. It uses a jitter range of 0 to (`signatures-validity` - `signatures-refresh`), which is wrong: it should be using a range of 0 to `signatures-refresh`.
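To make the consequence of the two jitter ranges concrete, here is an added model of the computation described above. It is example code written for this page, not code from BIND 9: it assumes the expiration is computed as `now + signatures-validity - jitter` with the jitter drawn uniformly from the range in question, and that a signature is refreshed once it expires within `signatures-refresh`. The policy values (14-day validity, 5-day refresh) are constructed for the illustration.

```python
"""Model of the RRSIG expiration jitter computation discussed above.

Constructed example for this page, not code from BIND 9. It assumes:
    expiration = now + signatures-validity - jitter
with jitter drawn uniformly from [0, jitter_max], and that a signature is
refreshed once it expires within signatures-refresh. Both are assumptions
made for the illustration, not a description of BIND's implementation.
"""
import random
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class Policy:
    validity: int  # signatures-validity, in seconds
    refresh: int   # signatures-refresh, in seconds


def jitter_range_current(p: Policy) -> int:
    """Upper bound of the jitter range the issue says is used now: validity - refresh."""
    return p.validity - p.refresh


def jitter_range_proposed(p: Policy) -> int:
    """Upper bound of the jitter range the issue says should be used: refresh."""
    return p.refresh


def expiration(now: int, p: Policy, jitter: int) -> int:
    """Assumed formula: the jitter shortens the validity period."""
    return now + p.validity - jitter


def refresh_due(now: int, p: Policy, jitter: int) -> int:
    """Time at which the signature falls inside its refresh window."""
    return expiration(now, p, jitter) - p.refresh


def worst_case_refresh_due(now: int, p: Policy, jitter_max: int) -> int:
    """Earliest possible refresh time, i.e. with the maximum jitter applied."""
    return refresh_due(now, p, jitter_max)


def fraction_due_within(p: Policy, jitter_max: int, window: int,
                        samples: int = 10000, seed: int = 1) -> float:
    """Fraction of freshly made signatures that need refreshing within 'window'.

    Samples a uniform jitter in [0, jitter_max]; seeded so results repeat.
    """
    rng = random.Random(seed)
    now = 0
    due = sum(
        1 for _ in range(samples)
        if refresh_due(now, p, rng.randint(0, jitter_max)) - now <= window
    )
    return due / samples


if __name__ == "__main__":
    # Constructed policy values for the illustration.
    policy = Policy(validity=14 * DAY, refresh=5 * DAY)
    for label, jmax in (("current", jitter_range_current(policy)),
                        ("proposed", jitter_range_proposed(policy))):
        due_at = worst_case_refresh_due(0, policy, jmax) // DAY
        print(f"{label}: jitter 0..{jmax // DAY}d, "
              f"worst-case refresh due at +{due_at}d, "
              f"{fraction_due_within(policy, jmax, DAY):.1%} due within a day")
```

With the current range (0 to 9 days for these values) the worst case is a signature whose refresh time is the moment it was created, and roughly one in nine new signatures is due again within a day; with the proposed range (0 to 5 days) no signature is due before day 4. The sampling is only there to show the spread; the worst case follows directly from the range bounds.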
The `sig-validity-interval` option that was used with `auto-dnssec` defined two parameters: the first is the signature validity (the same as `dnssec-policy`'s `signatures-validity`), and the optional second one is the minimum bound of the signature validity. It also serves as the signature refresh: basically, the refresh value is the difference between the first and second parameter.

So the second parameter actually has two meanings: it serves as both a jitter and a refresh value.
With `dnssec-policy` there is not yet a way to define jitter. The `signatures-refresh` is actually defined as the.
Two things need to be done:

- Add a configuration option to `dnssec-policy` to set the desired jitter.
- Ensure the resign interval is used correctly.