mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

increase jitter to cover the entire potential steady state expire range when initially signing the zone

Browse Source
This commit is contained in:
Mark Andrews
2018-08-17 10:56:02 +10:00
parent c5b4948db3
commit 050fca2139
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/dns/zone.c
View File

@@ -8419,7 +8419,7 @@ zone_sign(dns_zone_t *zone) {
bool first;
isc_result_t result;
isc_stdtime_t now, inception, soaexpire, expire;
uint32_t jitter, sigvalidityinterval;
uint32_t jitter, sigvalidityinterval, expiryinterval;
unsigned int i, j;
unsigned int nkeys = 0;
uint32_t nodes;
@@ -8473,6 +8473,12 @@ zone_sign(dns_zone_t *zone) {
sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
inception = now - 3600; /* Allow for clock skew. */
soaexpire = now + sigvalidityinterval;
expiryinterval = dns_zone_getsigresigninginterval(zone);
if (expiryinterval > sigvalidityinterval) {
expiryinterval = sigvalidityinterval;
} else {
expiryinterval = sigvalidityinterval - expiryinterval;
}
/*
* Spread out signatures over time if they happen to be
@@ -8481,7 +8487,7 @@ zone_sign(dns_zone_t *zone) {
*/
if (sigvalidityinterval >= 3600U) {
if (sigvalidityinterval > 7200U) {
jitter = isc_random_uniform(3600);
jitter = isc_random_uniform(expiryinterval);
} else {
jitter = isc_random_uniform(1200);
}