mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00
Code Issues Releases Wiki Activity

increase jitter to cover the entire potential steady state expire range when initially signing the zone

Browse Source
This commit is contained in:
Mark Andrews
2018-08-17 10:56:02 +10:00
parent c5b4948db3
commit 050fca2139
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/dns/zone.c
View File

@@ -8419,7 +8419,7 @@ zone_sign(dns_zone_t *zone) {
bool first; bool first;
isc_result_t result; isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire; isc_stdtime_t now, inception, soaexpire, expire;
uint32_t jitter, sigvalidityinterval; uint32_t jitter, sigvalidityinterval, expiryinterval;
unsigned int i, j; unsigned int i, j;
unsigned int nkeys = 0; unsigned int nkeys = 0;
uint32_t nodes; uint32_t nodes;
@@ -8473,6 +8473,12 @@ zone_sign(dns_zone_t *zone) {
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone); sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */ inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + sigvalidityinterval; soaexpire = now + sigvalidityinterval;
expiryinterval = dns_zone_getsigresigninginterval(zone);
if (expiryinterval > sigvalidityinterval) {
expiryinterval = sigvalidityinterval;
} else {
expiryinterval = sigvalidityinterval - expiryinterval;
}
/* /*
* Spread out signatures over time if they happen to be * Spread out signatures over time if they happen to be
@@ -8481,7 +8487,7 @@ zone_sign(dns_zone_t *zone) {
*/ */
if (sigvalidityinterval >= 3600U) { if (sigvalidityinterval >= 3600U) {
if (sigvalidityinterval > 7200U) { if (sigvalidityinterval > 7200U) {
jitter = isc_random_uniform(3600); jitter = isc_random_uniform(expiryinterval);
} else { } else {
jitter = isc_random_uniform(1200); jitter = isc_random_uniform(1200);
} }