Fix sig incept and expir
This commit is contained in:
parent
1751b8d753
commit
daab0d1d80
35
zone.go
35
zone.go
|
@ -4,6 +4,7 @@ package dns
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/miekg/radix"
|
"github.com/miekg/radix"
|
||||||
|
"math/rand"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
@ -17,8 +18,8 @@ type Zone struct {
|
||||||
Wildcard int // Whenever we see a wildcard name, this is incremented
|
Wildcard int // Whenever we see a wildcard name, this is incremented
|
||||||
*radix.Radix // Zone data
|
*radix.Radix // Zone data
|
||||||
mutex *sync.RWMutex
|
mutex *sync.RWMutex
|
||||||
// timemodified?
|
expired bool // Slave zone is expired
|
||||||
expired bool // Slave zone is expired
|
// Do we need a timemodified?
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignatureConfig holds the parameters for zone (re)signing. This
|
// SignatureConfig holds the parameters for zone (re)signing. This
|
||||||
|
@ -30,15 +31,16 @@ type SignatureConfig struct {
|
||||||
// When the end of the validity approaches, how much time should remain
|
// When the end of the validity approaches, how much time should remain
|
||||||
// before we start to resign. Typical value is 3 days.
|
// before we start to resign. Typical value is 3 days.
|
||||||
Refresh time.Duration
|
Refresh time.Duration
|
||||||
// Jitter is an amount of time added or subtracted from the
|
// Jitter is an random amount of time added or subtracted from the
|
||||||
// expiration time to ensure not all signatures expire a the same time.
|
// expiration time to ensure not all signatures expire a the same time.
|
||||||
// Typical value is 12 hours.
|
// Typical value is 12 hours, which means the actual jitter value is
|
||||||
|
// between -12..0..+12.
|
||||||
Jitter time.Duration
|
Jitter time.Duration
|
||||||
// InceptionOffset is subtracted from the inception time to ensure badly
|
// InceptionOffset is subtracted from the inception time to ensure badly
|
||||||
// calibrated clocks on the internet can still validate a signature.
|
// calibrated clocks on the internet can still validate a signature.
|
||||||
// Typical value is 300 seconds.
|
// Typical value is 300 seconds.
|
||||||
InceptionOffset time.Duration
|
InceptionOffset time.Duration
|
||||||
// SOA MINTTL value
|
// SOA MINTTL value used as the TTL on NSEC/NSEC3 -- no override
|
||||||
minttl uint32
|
minttl uint32
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -71,11 +73,11 @@ type ZoneData struct {
|
||||||
RR map[uint16][]RR // Map of the RR type to the RR
|
RR map[uint16][]RR // Map of the RR type to the RR
|
||||||
Signatures map[uint16][]*RR_RRSIG // DNSSEC signatures for the RRs, stored under type covered
|
Signatures map[uint16][]*RR_RRSIG // DNSSEC signatures for the RRs, stored under type covered
|
||||||
NonAuth bool // Always false, except for NSsets that differ from z.Origin
|
NonAuth bool // Always false, except for NSsets that differ from z.Origin
|
||||||
mutex *sync.RWMutex // For locking
|
mutex *sync.RWMutex
|
||||||
}
|
}
|
||||||
|
|
||||||
// newZoneData creates a new zone data element
|
// NewZoneData creates a new zone data element.
|
||||||
func newZoneData(s string) *ZoneData {
|
func NewZoneData(s string) *ZoneData {
|
||||||
zd := new(ZoneData)
|
zd := new(ZoneData)
|
||||||
zd.Name = s
|
zd.Name = s
|
||||||
zd.RR = make(map[uint16][]RR)
|
zd.RR = make(map[uint16][]RR)
|
||||||
|
@ -86,7 +88,7 @@ func newZoneData(s string) *ZoneData {
|
||||||
|
|
||||||
// toRadixName reverses a domain name so that when we store it in the radix tree
|
// toRadixName reverses a domain name so that when we store it in the radix tree
|
||||||
// we preserve the nsec ordering of the zone (this idea was stolen from NSD).
|
// we preserve the nsec ordering of the zone (this idea was stolen from NSD).
|
||||||
// each label is also lowercased.
|
// Each label is also lowercased.
|
||||||
func toRadixName(d string) string {
|
func toRadixName(d string) string {
|
||||||
if d == "." {
|
if d == "." {
|
||||||
return "."
|
return "."
|
||||||
|
@ -162,7 +164,7 @@ func (z *Zone) Insert(r RR) error {
|
||||||
if len(r.Header().Name) > 1 && r.Header().Name[0] == '*' && r.Header().Name[1] == '.' {
|
if len(r.Header().Name) > 1 && r.Header().Name[0] == '*' && r.Header().Name[1] == '.' {
|
||||||
z.Wildcard++
|
z.Wildcard++
|
||||||
}
|
}
|
||||||
zd := newZoneData(r.Header().Name)
|
zd := NewZoneData(r.Header().Name)
|
||||||
switch t := r.Header().Rrtype; t {
|
switch t := r.Header().Rrtype; t {
|
||||||
case TypeRRSIG:
|
case TypeRRSIG:
|
||||||
sigtype := r.(*RR_RRSIG).TypeCovered
|
sigtype := r.(*RR_RRSIG).TypeCovered
|
||||||
|
@ -357,8 +359,8 @@ func signZoneData(node, next *ZoneData, keys map[*RR_DNSKEY]PrivateKey, keytags
|
||||||
s.Hdr.Ttl = k.Hdr.Ttl
|
s.Hdr.Ttl = k.Hdr.Ttl
|
||||||
s.Algorithm = k.Algorithm
|
s.Algorithm = k.Algorithm
|
||||||
s.KeyTag = keytags[k]
|
s.KeyTag = keytags[k]
|
||||||
s.Inception = 0 // TODO(mg)
|
s.Inception = TimeToUint32(time.Now().UTC().Add(-config.InceptionOffset))
|
||||||
s.Expiration = 0
|
s.Expiration = TimeToUint32(time.Now().UTC().Add(jitterDuration(config.Jitter)).Add(config.Validity))
|
||||||
s.Sign(p, []RR{nsec}) // discard error, TODO(mg)
|
s.Sign(p, []RR{nsec}) // discard error, TODO(mg)
|
||||||
node.Signatures[TypeNSEC] = append(node.Signatures[TypeNSEC], s)
|
node.Signatures[TypeNSEC] = append(node.Signatures[TypeNSEC], s)
|
||||||
}
|
}
|
||||||
|
@ -379,3 +381,12 @@ func TimeToUint32(t time.Time) uint32 {
|
||||||
}
|
}
|
||||||
return uint32(t.Unix() - (mod * year68))
|
return uint32(t.Unix() - (mod * year68))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// jitterTime returns a random +/- jitter
|
||||||
|
func jitterDuration(d time.Duration) time.Duration {
|
||||||
|
jitter := rand.Intn(int(d))
|
||||||
|
if rand.Intn(1) == 1 {
|
||||||
|
return time.Duration(jitter)
|
||||||
|
}
|
||||||
|
return -time.Duration(jitter)
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue