Add signatures-jitter option

Add an option to speficy signatures jitter.
2025-08-29 13:38:26 +00:00 · 2024-01-31 16:52:32 +01:00 · 2024-01-31 16:52:32 +01:00 · 2a4daaedca
commit 2a4daaedca
parent c9ff77c067
10 changed files with 63 additions and 1 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -298,6 +298,7 @@ dnssec-policy \"default\" {\n\
 	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
 	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
 	purge-keys " DNS_KASP_PURGE_KEYS "; \n\
 	signatures-jitter " DNS_KASP_SIG_JITTER "; \n\
 	signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
 	signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
 	signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@ -34,6 +34,7 @@ dnssec-policy "test" {
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
 	retire-safety PT3600S;
 	signatures-jitter PT12H;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@ -34,6 +34,7 @@ dnssec-policy "test" {
 	publish-safety PT3600S;
 	purge-keys P90D;
 	retire-safety PT3600S;
 	signatures-jitter PT12H;
 	signatures-refresh P3D;
 	signatures-validity P2W;
 	signatures-validity-dnskey P14D;
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@ -6479,6 +6479,16 @@ The following options can be specified in a :any:`dnssec-policy` statement:
    unforeseen events.  This increases the time a key remains published
    after it is no longer active.  The default is ``PT1H`` (1 hour).
 .. namedconf:statement:: signatures-jitter
   :tags: dnssec
   :short: Specifies a range for signatures expirations.
    To prevent all signatures from expiring at the same moment, BIND 9 may
    vary the validity interval of individual signatures. The validity of a
    newly generated signatures is in range between :any:`signatures-validity`
    (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
    (minimum). The default jitter is 12 hours.
 .. namedconf:statement:: signatures-refresh
   :tags: dnssec
   :short: Specifies how frequently an RRSIG record is refreshed.
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@ -26,6 +26,7 @@ dnssec-policy "default" {
 	purge-keys P90D;
 	// Signature timings
 	signatures-jitter 12h;
 	signatures-refresh 5d;
 	signatures-validity 14d;
 	signatures-validity-dnskey 14d;
--- a/doc/misc/options
+++ b/doc/misc/options
@ -23,6 +23,7 @@ dnssec-policy <string> {
 	publish-safety <duration>;
 	purge-keys <duration>;
 	retire-safety <duration>;
 	signatures-jitter <duration>;
 	signatures-refresh <duration>;
 	signatures-validity <duration>;
 	signatures-validity-dnskey <duration>;
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@ -83,6 +83,7 @@ struct dns_kasp {
 	ISC_LINK(struct dns_kasp) link;
 	/* Configuration: signatures */
 	uint32_t signatures_jitter;
 	uint32_t signatures_refresh;
 	uint32_t signatures_validity;
 	uint32_t signatures_validity_dnskey;
@ -116,6 +117,7 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 /* Defaults */
 #define DNS_KASP_SIG_JITTER	     "PT12H"
 #define DNS_KASP_SIG_REFRESH	     "P5D"
 #define DNS_KASP_SIG_VALIDITY	     "P14D"
 #define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D"
@ -244,6 +246,30 @@ dns_kasp_signdelay(dns_kasp_t *kasp);
 *\li   signature refresh interval.
 */
 uint32_t
 dns_kasp_sigjitter(dns_kasp_t *kasp);
 /*%<
 * Get signature jitter value.
 *
 * Requires:
 *
 *\li   'kasp' is a valid, frozen kasp.
 *
 * Returns:
 *
 *\li   signature jitter value.
 */
 void
 dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value);
 /*%<
 * Set signature jitter value.
 *
 * Requires:
 *
 *\li   'kasp' is a valid, thawed kasp.
 */
 uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp);
 /*%<
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@ -138,6 +138,22 @@ dns_kasp_signdelay(dns_kasp_t *kasp) {
 	return (kasp->signatures_validity - kasp->signatures_refresh);
 }
 uint32_t
 dns_kasp_sigjitter(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));
 	REQUIRE(kasp->frozen);
 	return (kasp->signatures_jitter);
 }
 void
 dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value) {
 	REQUIRE(DNS_KASP_VALID(kasp));
 	REQUIRE(!kasp->frozen);
 	kasp->signatures_jitter = value;
 }
 uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@ -412,7 +412,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	const char *kaspname = NULL;
 	dns_kasp_t *kasp = NULL;
 	size_t i = 0;
-	uint32_t sigrefresh = 0, sigvalidity = 0;
+	uint32_t sigjitter = 0, sigrefresh = 0, sigvalidity = 0;
 	uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
 	uint32_t publishsafety = 0, retiresafety = 0;
 	uint32_t zonepropdelay = 0, parentpropdelay = 0;
@ -460,6 +460,10 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 	maps[i] = NULL;
 	/* Configuration: Signatures */
 	sigjitter = get_duration(maps, "signatures-jitter",
 				 DNS_KASP_SIG_JITTER);
 	dns_kasp_setsigjitter(kasp, sigjitter);
 	sigrefresh = get_duration(maps, "signatures-refresh",
 				  DNS_KASP_SIG_REFRESH);
 	dns_kasp_setsigrefresh(kasp, sigrefresh);
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@ -2281,6 +2281,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "publish-safety", &cfg_type_duration, 0 },
 	{ "purge-keys", &cfg_type_duration, 0 },
 	{ "retire-safety", &cfg_type_duration, 0 },
 	{ "signatures-jitter", &cfg_type_duration, 0 },
 	{ "signatures-refresh", &cfg_type_duration, 0 },
 	{ "signatures-validity", &cfg_type_duration, 0 },
 	{ "signatures-validity-dnskey", &cfg_type_duration, 0 },