Add signatures-jitter option

Add an option to speficy signatures jitter.

(cherry picked from commit 2a4daaedca)

bin/named/config.c

@@ -309,6 +309,7 @@ dnssec-policy \"default\" {\n\
 	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
 	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
 	purge-keys " DNS_KASP_PURGE_KEYS "; \n\
+	signatures-jitter " DNS_KASP_SIG_JITTER "; \n\
 	signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
 	signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
 	signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\

bin/tests/system/checkconf/good-kasp.conf

@@ -29,6 +29,7 @@ dnssec-policy "test" {
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
 	retire-safety PT3600S;
+	signatures-jitter PT12H;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;

bin/tests/system/checkconf/good.conf

@@ -30,6 +30,7 @@ dnssec-policy "test" {
 	publish-safety PT3600S;
 	purge-keys P90D;
 	retire-safety PT3600S;
+	signatures-jitter PT12H;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;

doc/arm/reference.rst

@@ -6509,6 +6509,16 @@ The following options can be specified in a :any:`dnssec-policy` statement:
     unforeseen events.  This increases the time a key remains published
     after it is no longer active.  The default is ``PT1H`` (1 hour).
 
+.. namedconf:statement:: signatures-jitter
+   :tags: dnssec
+   :short: Specifies a range for signatures expirations.
+
+    To prevent all signatures from expiring at the same moment, BIND 9 may
+    vary the validity interval of individual signatures. The validity of a
+    newly generated signatures is in range between :any:`signatures-validity`
+    (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
+    (minimum). The default jitter is 12 hours.
+
 .. namedconf:statement:: signatures-refresh
    :tags: dnssec
    :short: Specifies how frequently an RRSIG record is refreshed.

doc/misc/dnssec-policy.default.conf

@@ -24,6 +24,7 @@ dnssec-policy "default" {
 	purge-keys P90D;
 
 	// Signature timings
+	signatures-jitter 12h;
 	signatures-refresh 5d;
 	signatures-validity 14d;
 	signatures-validity-dnskey 14d;

doc/misc/options

@@ -21,6 +21,7 @@ dnssec-policy <string> {
 	publish-safety <duration>;
 	purge-keys <duration>;
 	retire-safety <duration>;
+	signatures-jitter <duration>;
 	signatures-refresh <duration>;
 	signatures-validity <duration>;
 	signatures-validity-dnskey <duration>;

lib/dns/include/dns/kasp.h

@@ -75,6 +75,7 @@ struct dns_kasp {
 	ISC_LINK(struct dns_kasp) link;
 
 	/* Configuration: signatures */
+	uint32_t signatures_jitter;
 	uint32_t signatures_refresh;
 	uint32_t signatures_validity;
 	uint32_t signatures_validity_dnskey;
@@ -105,6 +106,7 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 
 /* Defaults */
+#define DNS_KASP_SIG_JITTER	     "PT12H"
 #define DNS_KASP_SIG_REFRESH	     "P5D"
 #define DNS_KASP_SIG_VALIDITY	     "P14D"
 #define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D"
@@ -233,6 +235,30 @@ dns_kasp_signdelay(dns_kasp_t *kasp);
  *\li   signature refresh interval.
  */
 
+uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp);
+/*%<
+ * Get signature jitter value.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature jitter value.
+ */
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set signature jitter value.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp);
 /*%<

lib/dns/kasp.c

@@ -127,6 +127,22 @@ dns_kasp_signdelay(dns_kasp_t *kasp) {
 	return (kasp->signatures_validity - kasp->signatures_refresh);
 }
 
+uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->signatures_jitter);
+}
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->signatures_jitter = value;
+}
+
 uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));

lib/isccfg/kaspconf.c

@@ -312,7 +312,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	const char *kaspname = NULL;
 	dns_kasp_t *kasp = NULL;
 	size_t i = 0;
-	uint32_t sigrefresh = 0, sigvalidity = 0;
+	uint32_t sigjitter = 0, sigrefresh = 0, sigvalidity = 0;
 	uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
 	uint32_t publishsafety = 0, retiresafety = 0;
 	uint32_t zonepropdelay = 0, parentpropdelay = 0;
@@ -360,6 +360,10 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	maps[i] = NULL;
 
 	/* Configuration: Signatures */
+	sigjitter = get_duration(maps, "signatures-jitter",
+				 DNS_KASP_SIG_JITTER);
+	dns_kasp_setsigjitter(kasp, sigjitter);
+
 	sigrefresh = get_duration(maps, "signatures-refresh",
 				  DNS_KASP_SIG_REFRESH);
 	dns_kasp_setsigrefresh(kasp, sigrefresh);

lib/isccfg/namedconf.c

@@ -2211,6 +2211,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "publish-safety", &cfg_type_duration, 0 },
 	{ "purge-keys", &cfg_type_duration, 0 },
 	{ "retire-safety", &cfg_type_duration, 0 },
+	{ "signatures-jitter", &cfg_type_duration, 0 },
 	{ "signatures-refresh", &cfg_type_duration, 0 },
 	{ "signatures-validity", &cfg_type_duration, 0 },
 	{ "signatures-validity-dnskey", &cfg_type_duration, 0 },