Your CDS RR is not signed with your KSK as specified in RFC7344
authorTony Finch <dot@dotat.at>
Fri, 9 Mar 2018 17:55:58 +0000 (17:55 +0000)
committerWillem Toorop <willem@nlnetlabs.nl>
Mon, 12 Mar 2018 09:38:38 +0000 (10:38 +0100)
Willem Toorop <willem@nlnetlabs.nl> wrote:

> Yes indeed!  I've created a bug report for it:
>
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3437

I think the following patch fixes it. (I don't have an account on your bugzilla)

dnssec_sign.c

index 4475b1b81a8a9f60041a0fd282defeca006f4da7..8403b6511dce83493d97afe4846dd33a2e57bb7d 100644 (file)
@@ -1257,12 +1257,15 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
                                                                                        key_list,
                                                                                        func,
                                                                                        arg);
-                               if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
-                                       cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
-                                       ldns_key_list_filter_for_dnskey(key_list, flags);
-
-                               if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
+                               if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY ||
+                                  cur_rrset->type == LDNS_RR_TYPE_CDNSKEY ||
+                                  cur_rrset->type == LDNS_RR_TYPE_CDS) {
+                                       if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) {
+                                               ldns_key_list_filter_for_dnskey(key_list, flags);
+                                       }
+                               } else {
                                        ldns_key_list_filter_for_non_dnskey(key_list, flags);
+                               }
 
                                /* TODO: just set count to zero? */
                                rr_list = ldns_rr_list_new();
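Review bot: The new three-way type test at the top of the hunk carries no comment explaining why CDS and CDNSKEY are routed through the DNSKEY signing path, and without one a later reader could plausibly fold them back into the `else` branch as a cleanup; I would put `/* RFC 7344 section 4.1: CDS/CDNSKEY RRsets must be signed by a key present in the parent's DS, i.e. the KSK, so they take the DNSKEY path. */` directly above the `if`. A consequence worth documenting is that LDNS_SIGN_DNSKEY_WITH_ZSK now also governs CDS and CDNSKEY — when the flag is set, key_list is left unfiltered for those types too — so the flag's description in the public header (outside this hunk) should say so, since that is the only thing telling a caller which keys end up signing the CDS. The enclosing ldns_dnssec_zone_create_rrsigs_flg begins before and continues after this hunk, so whether key_list has already been narrowed by an earlier iteration cannot be judged from here.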