configurable extension for RRSIG expiry

Habbie · Habbie · commit b1d5faa3226a · 2026-05-11T16:17:12.000+02:00
diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
@@ -274,6 +274,7 @@ static void declareArguments()
   ::arg().set("default-soa-edit", "Default SOA-EDIT value") = "";
   ::arg().set("default-soa-edit-signed", "Default SOA-EDIT value for signed zones") = "";
   ::arg().set("default-soa-edit-api", "Default SOA-EDIT-API value for new zones") = "DEFAULT";
+  ::arg().set("rrsig-expiry-extend", "Seconds to extend RRSIG expiry by") = "0";
   ::arg().set("dnssec-key-cache-ttl", "Seconds to cache DNSSEC keys from the database") = "30";
   ::arg().set("domain-metadata-cache-ttl", "Seconds to cache zone metadata from the database") = "";
   ::arg().set("zone-metadata-cache-ttl", "Seconds to cache zone metadata from the database") = "60";
@@ -773,6 +774,7 @@ static void mainthread()
 
   g_anyToTcp = ::arg().mustDo("any-to-tcp");
   g_8bitDNS = ::arg().mustDo("8bit-dns");
+  g_rrsig_expiry_extend = ::arg().asNum("rrsig-expiry-extend");
 #ifdef HAVE_LUA_RECORDS
   g_doLuaRecord = ::arg().mustDo("enable-lua-records");
   g_LuaRecordSharedState = (::arg()["enable-lua-records"] == "shared");
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
@@ -50,6 +50,8 @@
 
 using namespace boost::assign;
 
+int32_t g_rrsig_expiry_extend{0}; // not uint, so negative numbers are legal too
+
 std::unique_ptr<DNSCryptoKeyEngine> DNSCryptoKeyEngine::makeFromISCFile(Logr::log_t slog, DNSKEYRecordContent& drc, const char* fname)
 {
   string sline, isc;
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
@@ -299,3 +299,5 @@ void addTSIG(Logr::log_t slog, DNSPacketWriter& pw, TSIGRecordContent& trc, cons
 bool validateTSIG(Logr::log_t slog, const std::string& packet, size_t sigPos, const TSIGTriplet& tt, const TSIGRecordContent& trc, const std::string& previousMAC, const std::string& theirMAC, bool timersOnly, unsigned int dnsHeaderOffset=0);
 
 uint64_t signatureCacheSize(const std::string& str);
+
+extern int32_t g_rrsig_expiry_extend;
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
@@ -122,7 +122,7 @@ static int getRRSIGsForRRSET(DNSSECKeeper& dsk, const ZoneName& signer, const DN
   rrc.d_labels=signQName.countLabels()-signQName.isWildcard();
   rrc.d_originalttl=signTTL;
   rrc.d_siginception=startOfWeek - 7*86400; // XXX should come from zone metadata
-  rrc.d_sigexpire=startOfWeek + 14*86400;
+  rrc.d_sigexpire=startOfWeek + 14*86400 + g_rrsig_expiry_extend;
   rrc.d_signer = signer.operator const DNSName&();
   rrc.d_tag = 0;
 

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@`
`50`	`50`
`51`	`51`	`using namespace boost::assign;`
`52`	`52`
	`53`	`+int32_t g_rrsig_expiry_extend{0}; // not uint, so negative numbers are legal too`
	`54`	`+`
`53`	`55`	`std::unique_ptr<DNSCryptoKeyEngine> DNSCryptoKeyEngine::makeFromISCFile(Logr::log_t slog, DNSKEYRecordContent& drc, const char* fname)`
`54`	`56`	`{`
`55`	`57`	`string sline, isc;`