diff --git a/bin/named/config.c b/bin/named/config.c
index b1d6c04b3f..56e58d285a 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -298,6 +298,7 @@ dnssec-policy \"default\" {\n\
 publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
 retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
 purge-keys " DNS_KASP_PURGE_KEYS "; \n\
+ signatures-jitter " DNS_KASP_SIG_JITTER "; \n\
 signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
 signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
 signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 95ba817b3b..42e2478f96 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -34,6 +34,7 @@ dnssec-policy "test" {
 parent-propagation-delay PT1H;
 publish-safety PT3600S;
 retire-safety PT3600S;
+ signatures-jitter PT12H;
 signatures-refresh P3D;
 signatures-validity P2W;
 signatures-validity-dnskey P14D;
diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in
index 2fde415a40..076ecc432d 100644
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -34,6 +34,7 @@ dnssec-policy "test" {
 publish-safety PT3600S;
 purge-keys P90D;
 retire-safety PT3600S;
+ signatures-jitter PT12H;
 signatures-refresh P3D;
 signatures-validity P2W;
 signatures-validity-dnskey P14D;
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index df24019828..e9341671cd 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6479,6 +6479,16 @@ The following options can be specified in a :any:`dnssec-policy` statement:
 unforeseen events. This increases the time a key remains published after it is no longer active. The default is ``PT1H`` (1 hour).
+.. namedconf:statement:: signatures-jitter
+ :tags: dnssec
+ :short: Specifies a range for signatures expirations.
+
+ To prevent all signatures from expiring at the same moment, BIND 9 may
+ vary the validity interval of individual signatures. The validity of a
+ newly generated signatures is in range between :any:`signatures-validity`
+ (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
+ (minimum). The default jitter is 12 hours.
+
 .. namedconf:statement:: signatures-refresh
 :tags: dnssec
 :short: Specifies how frequently an RRSIG record is refreshed.
diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
index cd033c1760..a6f526c743 100644
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@@ -26,6 +26,7 @@ dnssec-policy "default" {
 purge-keys P90D;
 // Signature timings
+ signatures-jitter 12h;
 signatures-refresh 5d;
 signatures-validity 14d;
 signatures-validity-dnskey 14d;
diff --git a/doc/misc/options b/doc/misc/options
index 1142bb6f18..7c94dcd180 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -23,6 +23,7 @@ dnssec-policy {
 publish-safety ;
 purge-keys ;
 retire-safety ;
+ signatures-jitter ;
 signatures-refresh ;
 signatures-validity ;
 signatures-validity-dnskey ;
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index 42fe126396..3b8c68e0f2 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -83,6 +83,7 @@ struct dns_kasp {
 ISC_LINK(struct dns_kasp) link;
 /* Configuration: signatures */
+ uint32_t signatures_jitter;
 uint32_t signatures_refresh;
 uint32_t signatures_validity;
 uint32_t signatures_validity_dnskey;
@@ -116,6 +117,7 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 /* Defaults */
+#define DNS_KASP_SIG_JITTER "PT12H"
 #define DNS_KASP_SIG_REFRESH "P5D"
 #define DNS_KASP_SIG_VALIDITY "P14D"
 #define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D"
@@ -244,6 +246,30 @@ dns_kasp_signdelay(dns_kasp_t *kasp);
 *\li signature refresh interval.
 */
+uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp);
+/*%<
+ * Get signature jitter value.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li signature jitter value.
+ */
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set signature jitter value.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, thawed kasp.
+ */
+
 uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp);
 /*%<
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 8658fd629c..b6a54a1074 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -138,6 +138,22 @@ dns_kasp_signdelay(dns_kasp_t *kasp) {
 return (kasp->signatures_validity - kasp->signatures_refresh);
 }
+uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+
+ return (kasp->signatures_jitter);
+}
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(!kasp->frozen);
+
+ kasp->signatures_jitter = value;
+}
+
 uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp) {
 REQUIRE(DNS_KASP_VALID(kasp));
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index f756ed97da..9b65b63608 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -412,7 +412,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 const char *kaspname = NULL;
 dns_kasp_t *kasp = NULL;
 size_t i = 0;
- uint32_t sigrefresh = 0, sigvalidity = 0;
+ uint32_t sigjitter = 0, sigrefresh = 0, sigvalidity = 0;
 uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
 uint32_t publishsafety = 0, retiresafety = 0;
 uint32_t zonepropdelay = 0, parentpropdelay = 0;
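Review bot: The comment blocks on the new `dns_kasp_sigjitter()` and `dns_kasp_setsigjitter()` prototypes say only "Get/Set signature jitter value", which leaves the meaning of the number unstated even though the ARM text in this same change defines it as the maximum amount subtracted from `signatures-validity`. Suggest replacing the getter's summary line with `* Get the signature jitter: the maximum amount by which the validity of a` / `* newly generated signature may be shortened below signatures-validity.` and mirroring the same wording on the setter. The unit is presumably the same as the adjacent refresh/validity accessors, but that is not visible in this header excerpt, so confirm it before stating it in the comment.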
@@ -460,6 +460,10 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 maps[i] = NULL;
 /* Configuration: Signatures */
+ sigjitter = get_duration(maps, "signatures-jitter",
+ DNS_KASP_SIG_JITTER);
+ dns_kasp_setsigjitter(kasp, sigjitter);
+
 sigrefresh = get_duration(maps, "signatures-refresh",
 DNS_KASP_SIG_REFRESH);
 dns_kasp_setsigrefresh(kasp, sigrefresh);
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 5c50c586f1..70bf565f19 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2281,6 +2281,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 { "publish-safety", &cfg_type_duration, 0 },
 { "purge-keys", &cfg_type_duration, 0 },
 { "retire-safety", &cfg_type_duration, 0 },
+ { "signatures-jitter", &cfg_type_duration, 0 },
 { "signatures-refresh", &cfg_type_duration, 0 },
 { "signatures-validity", &cfg_type_duration, 0 },
 { "signatures-validity-dnskey", &cfg_type_duration, 0 },
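Review bot: The value stored by `dns_kasp_setsigjitter(kasp, sigjitter);` is never bounded against the other signature timings, yet the documentation added in this same change defines the shortest signature lifetime as `signatures-validity` minus `signatures-jitter`; a jitter equal to or greater than the validity makes that lower bound zero or wraps the `uint32_t` subtraction, and a jitter larger than validity minus refresh would presumably yield signatures that are already inside the refresh window the moment they are generated. The remainder of cfg_kasp_fromconfig is outside this hunk, so such a check may already sit alongside the refresh-versus-validity sanity checks further down; if it does not, add one after all three values have been read, e.g. `if (sigjitter > sigvalidity - sigrefresh)` rejecting the policy through the same error path the neighbouring timing checks use, and place it after the check that refresh is below validity so the subtraction itself cannot wrap. Catching this at configuration load is the cheapest way to keep a misconfigured policy from quietly producing RRSIGs that expire before they are re-signed.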