Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-19 02:12:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

sign: add expiration jitter (#3588)

Browse Source 
* add expiration jitter

Signed-off-by: Miek Gieben <miek@miek.nl>

* sign: add expiration jitter

This PR adds a expiration jitter to spread out zone re-signing even
more. The max is 5 extra days added when creating the signer for a
specific zone.

Also make the duration* constants private to clean up the godoc for this
plugin.

Signed-off-by: Miek Gieben <miek@miek.nl>
This commit is contained in:
Miek Gieben
2020-01-12 13:56:57 +01:00
committed by Yong Tang
parent d6669dee80
commit 2221b6160c
4 changed files with 32 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
plugin/sign/signer.go
View File

@@ -18,11 +18,12 @@ var log = clog.NewWithPlugin("sign")
// Signer holds the data needed to sign a zone file.
type Signer struct {
keys []Pair
origin string
dbfile string
directory string
jitter time.Duration
keys []Pair
origin string
dbfile string
directory string
jitterIncep time.Duration
jitterExpir time.Duration
signedfile string
stop chan struct{}
@@ -42,7 +43,7 @@ func (s *Signer) Sign(now time.Time) (*file.Zone, error) {
mttl := z.Apex.SOA.Minttl
ttl := z.Apex.SOA.Header().Ttl
inception, expiration := lifetime(now, s.jitter)
inception, expiration := lifetime(now, s.jitterIncep, s.jitterExpir)
z.Apex.SOA.Serial = uint32(now.Unix())
for _, pair := range s.keys {
@@ -143,8 +144,8 @@ func resign(rd io.Reader, now time.Time) (why error) {
}
incep, _ := time.Parse("20060102150405", dns.TimeToString(x.Inception))
// If too long ago, resign.
if now.Sub(incep) >= 0 && now.Sub(incep) > DurationResignDays {
return fmt.Errorf("inception %q was more than: %s ago from %s: %s", incep.Format(timeFmt), DurationResignDays, now.Format(timeFmt), now.Sub(incep))
if now.Sub(incep) >= 0 && now.Sub(incep) > durationResignDays {
return fmt.Errorf("inception %q was more than: %s ago from %s: %s", incep.Format(timeFmt), durationResignDays, now.Format(timeFmt), now.Sub(incep))
}
// Inception hasn't even start yet.
if now.Sub(incep) < 0 {
@@ -152,8 +153,8 @@ func resign(rd io.Reader, now time.Time) (why error) {
}
expire, _ := time.Parse("20060102150405", dns.TimeToString(x.Expiration))
if expire.Sub(now) < DurationExpireDays {
return fmt.Errorf("expiration %q is less than: %s away from %s: %s", expire.Format(timeFmt), DurationExpireDays, now.Format(timeFmt), expire.Sub(now))
if expire.Sub(now) < durationExpireDays {
return fmt.Errorf("expiration %q is less than: %s away from %s: %s", expire.Format(timeFmt), durationExpireDays, now.Format(timeFmt), expire.Sub(now))
}
}
i++
@@ -173,7 +174,7 @@ func signAndLog(s *Signer, why error) {
z, err := s.Sign(now)
log.Infof("Signing %q because %s", s.origin, why)
if err != nil {
log.Warningf("Error signing %q with key tags %q in %s: %s, next: %s", s.origin, keyTag(s.keys), time.Since(now), err, now.Add(DurationRefreshHours).Format(timeFmt))
log.Warningf("Error signing %q with key tags %q in %s: %s, next: %s", s.origin, keyTag(s.keys), time.Since(now), err, now.Add(durationRefreshHours).Format(timeFmt))
return
}
@@ -181,7 +182,7 @@ func signAndLog(s *Signer, why error) {
log.Warningf("Error signing %q: failed to move zone file into place: %s", s.origin, err)
return
}
log.Infof("Successfully signed zone %q in %q with key tags %q and %d SOA serial, elapsed %f, next: %s", s.origin, filepath.Join(s.directory, s.signedfile), keyTag(s.keys), z.Apex.SOA.Serial, time.Since(now).Seconds(), now.Add(DurationRefreshHours).Format(timeFmt))
log.Infof("Successfully signed zone %q in %q with key tags %q and %d SOA serial, elapsed %f, next: %s", s.origin, filepath.Join(s.directory, s.signedfile), keyTag(s.keys), z.Apex.SOA.Serial, time.Since(now).Seconds(), now.Add(durationRefreshHours).Format(timeFmt))
}
// refresh checks every val if some zones need to be resigned.
@@ -202,8 +203,8 @@ func (s *Signer) refresh(val time.Duration) {
}
}
func lifetime(now time.Time, jitter time.Duration) (uint32, uint32) {
incep := uint32(now.Add(DurationSignatureInceptionHours).Add(jitter).Unix())
expir := uint32(now.Add(DurationSignatureExpireDays).Unix())
func lifetime(now time.Time, jitterInception, jitterExpiration time.Duration) (uint32, uint32) {
incep := uint32(now.Add(durationSignatureInceptionHours).Add(jitterInception).Unix())
expir := uint32(now.Add(durationSignatureExpireDays).Add(jitterExpiration).Unix())
return incep, expir
}