Do not sign non DNSKEY RRset with revoked keys

author Mark Andrews <marka@isc.org>

Fri, 29 Nov 2024 06:20:39 +0000 (17:20 +1100)

committer Mark Andrews <marka@isc.org>

Fri, 6 Dec 2024 00:25:09 +0000 (11:25 +1100)
author Mark Andrews <marka@isc.org>
Fri, 29 Nov 2024 06:20:39 +0000 (17:20 +1100)
committer Mark Andrews <marka@isc.org>
Fri, 6 Dec 2024 00:25:09 +0000 (11:25 +1100)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c

index eece8554f94e4b9dd71ce2e3c21c373e8c0cc942..bb707b85d297e8e0dc1d80eda7eb5b62d46a9acc 100644 (file)
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -673,6 +673,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
         for (key = ISC_LIST_HEAD(keylist); key != NULL;
              key = ISC_LIST_NEXT(key, link))
         {
+               if (REVOKE(key->key) && set->type != dns_rdatatype_dnskey) {
+                       continue;
+               }
+
                 if (nowsignedby[key->index]) {
                         continue;
                 }
author	Mark Andrews <marka@isc.org>
	Fri, 29 Nov 2024 06:20:39 +0000 (17:20 +1100)
committer	Mark Andrews <marka@isc.org>
	Fri, 6 Dec 2024 00:25:09 +0000 (11:25 +1100)