From 558ff848c5f17594a63089ce722e2e15c02e2a47 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Mon, 4 Apr 2016 10:39:17 +0200
Subject: [PATCH] allow common signing key

---
 pdns/pdnssec.cc | 67 +++++++++++++++++++++++++------------------------
 1 file changed, 34 insertions(+), 33 deletions(-)

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index aea4a2790e..2b97d20605 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -1023,18 +1023,14 @@ bool secureZone(DNSSECKeeper& dk, const std::string& zone)
      throw runtime_error("KSK key size must be equal to or greater than 0");
   }
 
-  if (k_algos.size() < 1) {
-     throw runtime_error("No algorithm(s) given for KSK");
+  if (k_algos.size() < 1 && z_algos.size() < 1) {
+    throw runtime_error("Zero algorithms given for KSK+ZSK in total");
   }
 
   if (z_size < 0) {
      throw runtime_error("ZSK key size must be equal to or greater than 0");
   }
 
-  if (z_algos.size() < 1) {
-     throw runtime_error("No algorithm(s) given for ZSK");
-  }
-
   if(dk.isSecuredZone(zone)) {
     cerr << "Zone '"<<zone<<"' already secure, remove keys with pdnssec remove-zone-key if needed"<<endl;
     return false;
@@ -1054,42 +1050,47 @@ bool secureZone(DNSSECKeeper& dk, const std::string& zone)
   }
 
   if (k_size)
-    cout << "Securing zone with " << k_algos[0] << " algorithm with key size " << k_size << endl;
+    cout << "Securing zone with key size " << k_size << endl;
   else
-    cout << "Securing zone with " << k_algos[0] << " algorithm with default key size" << endl;
-
-  // run secure-zone with first default algorith, then add keys
-  if(!dk.secureZone(zone, shorthand2algorithm(k_algos[0]), k_size)) {
-    cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
-    cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
-    cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
-    cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl;
-    return false;
-  }
+    cout << "Securing zone with default key size" << endl;
 
-  if(!dk.isSecuredZone(zone)) {
-    cerr<<"Failed to secure zone. Is your backend dnssec enabled? (set "<<endl;
-    cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl;
-    cerr<<"If you run with the BIND backend, make sure you have configured"<<endl;
-    cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl;
-    cerr<<"'pdnssec create-bind-db /path/fname'!"<<endl;
-    return false;
-  }
+  BOOST_FOREACH(string k_algo, k_algos)
+  {
+    cout << "Adding KSK with algorithm " << k_algo << endl;
 
-  DNSSECKeeper::keyset_t zskset=dk.getKeys(zone, false);
+    int algo = shorthand2algorithm(k_algo);
 
-  if(!zskset.empty())  {
-    cerr<<"There were ZSKs already for zone '"<<zone<<"', no need to add more"<<endl;
-    return false;
+    if(!dk.addKey(zone, true, algo, k_size, true)) {
+      cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
+      cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
+      cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
+      cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl;
+      return false;
+    }
   }
-  
-  for(vector<string>::iterator i = k_algos.begin()+1; i != k_algos.end(); i++)
-    dk.addKey(zone, true, shorthand2algorithm(*i), k_size, true); // obvious errors will have been caught above
 
   BOOST_FOREACH(string z_algo, z_algos)
   {
+    cout << "Adding ZSK with algorithm " << z_algo << endl;
+
     int algo = shorthand2algorithm(z_algo);
-    dk.addKey(zone, false, algo, z_size);
+
+    if(!dk.addKey(zone, false, algo, z_size, true)) {
+      cerr<<"No backend was able to secure '"<<zone<<"', most likely because no DNSSEC"<<endl;
+      cerr<<"capable backends are loaded, or because the backends have DNSSEC disabled."<<endl;
+      cerr<<"For the Generic SQL backends, set the 'gsqlite3-dnssec', 'gmysql-dnssec' or"<<endl;
+      cerr<<"'gpgsql-dnssec' flag. Also make sure the schema has been updated for DNSSEC!"<<endl;
+      return false;
+    }
+  }
+
+  if(!dk.isSecuredZone(zone)) {
+    cerr<<"Failed to secure zone. Is your backend dnssec enabled? (set "<<endl;
+    cerr<<"gsqlite3-dnssec, or gmysql-dnssec etc). Check this first."<<endl;
+    cerr<<"If you run with the BIND backend, make sure you have configured"<<endl;
+    cerr<<"it to use DNSSEC with 'bind-dnssec-db=/path/fname' and"<<endl;
+    cerr<<"'pdnsutil create-bind-db /path/fname'!"<<endl;
+    return false;
   }
 
   // rectifyZone(dk, zone);
-- 
2.47.2