Fix -U flag with ldns-signzone.
authorWillem Toorop <willem@nlnetlabs.nl>
Thu, 24 Feb 2022 15:15:20 +0000 (16:15 +0100)
committerWillem Toorop <willem@nlnetlabs.nl>
Thu, 24 Feb 2022 15:15:20 +0000 (16:15 +0100)
Thanks Ulrich and Jonathan

Changelog
dnssec_sign.c

index dfee2106735652793020094ab67a605ddc9a62b4..538ba2b739cc226356b39bc794835302ad5f5aca 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -4,6 +4,7 @@
        * bugfix #149: Add some missing [out] annotations to doxygen
          parameters. Thanks aldot.
        * Fix build error on Solaris 10 with inet_ntop redeclaration error.
+       * Fix -U flag with ldns-signzone. Thanks Ulrich and Jonathan
 
 1.8.1  2021-12-03
        * bugfix #146: ldns-1.7.1 had soname 3.0, so ldns-1.8.x soname
index 61137807ebabddede23f009857c3d13a915ff55b..41d845f3fa8f7484b6601da08ea77b298904e8a8 100644 (file)
@@ -1133,17 +1133,22 @@ ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
        if (!ldns_key_list_key_count(key_list))
                return;
 
+       /* Mark all KSKs */
        for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
                key = ldns_key_list_key(key_list, i);
-               if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_ksk)
-                       saw_ksk = ldns_key_algorithm(key);
-               algos[ldns_key_algorithm(key)] = true;
+               if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+                       if (!saw_ksk)
+                               saw_ksk = ldns_key_algorithm(key);
+                       algos[ldns_key_algorithm(key)] = true;
+               }
        }
        if (!saw_ksk)
-               return;
-       else
-               algos[saw_ksk] = 0;
+               return; /* No KSKs means sign using all ZSKs */
 
+       /* Deselect the ZSKs so they do not sign DNSKEY RRs.
+        * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it,
+        * but only if it has an algorithm for which there is no KSK
+        */
        for (i =0; i < ldns_key_list_key_count(key_list); i++) {
                key = ldns_key_list_key(key_list, i);
                if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
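Review bot: After this change `saw_ksk` is only ever tested for truth, yet the first loop still stores the key's algorithm number in it (`saw_ksk = ldns_key_algorithm(key);` under the new `if (!saw_ksk)`), which silently depends on `ldns_key_algorithm()` never returning 0 for a KSK; a zero value would make the function return early as if the zone had no KSK and let every ZSK sign the DNSKEY RRset. Now that the old `algos[saw_ksk] = 0` is gone, a plain flag is clearer and removes that dependency: `saw_ksk = 1;` (or a bool) and the inner `if (!saw_ksk)` guard can be dropped. The same leftover is in the `saw_zsk` loop of the `ldns_key_list_filter_for_non_dnskey` hunk below. The declarations of `saw_ksk`, `algos` and `i` are above the hunk, so whether `algos` is sized for every value `ldns_key_algorithm()` can return cannot be checked from here.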
@@ -1151,15 +1156,15 @@ ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
                         * Still use it if it has a unique algorithm though!
                         */
                        if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
-                           algos[ldns_key_algorithm(key)])
-                               algos[ldns_key_algorithm(key)] = false;
+                           !algos[ldns_key_algorithm(key)])
+                               algos[ldns_key_algorithm(key)] = true;
                        else
                                ldns_key_set_use(key, 0);
                }
        }
 }
 
-/** If there are no ZSKs use KSK as ZSK */
+/** If there are no ZSKs use KSKs as ZSK too */
 static void
 ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
 {
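Review bot: With LDNS_SIGN_WITH_ALL_ALGORITHMS set, the new condition `!algos[ldns_key_algorithm(key)]` keeps only the first ZSK of an algorithm that has no KSK and then marks that algorithm as covered, so a later ZSK with the same algorithm falls into the `else` branch and is deselected. If that one-signer-per-algorithm outcome is intended (presumably one signature per algorithm is enough for the DNSKEY RRset), it should be stated, since the comment above only says the key is still used: `/* First ZSK of a KSK-less algorithm signs the DNSKEY RRset; later ZSKs of that algorithm are deselected. */`. The mirrored KSK loop in the last hunk of `ldns_key_list_filter_for_non_dnskey` has the same unstated behaviour. The `if` block that contains this branch opens before the hunk.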
@@ -1175,17 +1180,22 @@ ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
        if (!ldns_key_list_key_count(key_list))
                return;
 
+       /* Mark all ZSKs */
        for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
                key = ldns_key_list_key(key_list, i);
-               if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_zsk)
-                       saw_zsk = ldns_key_algorithm(key);
-               algos[ldns_key_algorithm(key)] = true;
+               if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+                       if (!saw_zsk)
+                               saw_zsk = ldns_key_algorithm(key);
+                       algos[ldns_key_algorithm(key)] = true;
+               }
        }
        if (!saw_zsk)
-               return;
-       else
-               algos[saw_zsk] = 0;
+               return; /* No ZSKs means sign using all KSKs */
 
+       /* Deselect the KSKs so they do not sign non DNSKEY RRs.
+        * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it,
+        * but only if it has an algorithm for which there is no ZSK
+        */
        for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
                key = ldns_key_list_key(key_list, i);
                if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
@@ -1193,8 +1203,8 @@ ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
                         * Still use it if it has a unique algorithm though!
                         */
                        if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
-                           algos[ldns_key_algorithm(key)])
-                               algos[ldns_key_algorithm(key)] = false;
+                           !algos[ldns_key_algorithm(key)])
+                               algos[ldns_key_algorithm(key)] = true;
                        else
                                ldns_key_set_use(key, 0);
                }