sign: add expiration jitter (#3588)

* add expiration jitter

Signed-off-by: Miek Gieben <miek@miek.nl>

* sign: add expiration jitter

This PR adds an expiration jitter to spread out zone re-signing even
more. The max is 5 extra days added when creating the signer for a
specific zone.

Also make the duration* constants private to clean up the godoc for this
plugin.

Signed-off-by: Miek Gieben <miek@miek.nl>
Miek Gieben
2020-01-12 13:56:57 +01:00
committed by Yong Tang
parent d6669dee80
commit 2221b6160c
4 changed files with 32 additions and 29 deletions


@@ -32,7 +32,7 @@ it do key or algorithm rollovers - it just signs.
Both these dates are only checked on the SOA's signature(s).
* Create RRSIGs that have an inception of -3 hours (minus a jitter between 0 and 18 hours)
and a expiration of +32 days for every given DNSKEY.
and a expiration of +32 (plus a jitter between 0 and 5 days) days for every given DNSKEY.
* Add NSEC records for all names in the zone. The TTL for these is the negative cache TTL from the
SOA record.
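Review bot: the new README line "and a expiration of +32 (plus a jitter between 0 and 5 days) days for every given DNSKEY." has a grammar slip carried over from the removed line ("a expiration" should be "an expiration") and the parenthetical splits "+32 ... days" awkwardly; suggest "and an expiration of +32 days (plus a jitter between 0 and 5 days) for every given DNSKEY." so it mirrors the inception bullet just above it. It would also help readers if the text stated, as the commit message does, that the jitter is picked once when the signer for a zone is created rather than per RRSIG, since the inception jitter wording does not make that distinction.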