From: Mark Andrews Date: Fri, 29 Nov 2024 06:20:39 +0000 (+1100) Subject: Do not sign non DNSKEY RRset with revoked keys X-Git-Tag: v9.21.4~54^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23775c6006ecf68d1da6b08488dd8242173bbd4d;p=thirdparty%2Fbind9.git Do not sign non DNSKEY RRset with revoked keys It does not make sense to sign RRsets other than DNSKEY with revoked keys. --- diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index eece8554f94..bb707b85d29 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -673,6 +673,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, for (key = ISC_LIST_HEAD(keylist); key != NULL; key = ISC_LIST_NEXT(key, link)) { + if (REVOKE(key->key) && set->type != dns_rdatatype_dnskey) { + continue; + } + if (nowsignedby[key->index]) { continue; }
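Review bot: the new `continue` in the signset() key loop silently drops a revoked key for every non-DNSKEY RRset without recording why, and it runs before the `nowsignedby[key->index]` check, so a zone that already carries RRSIGs over non-DNSKEY RRsets made by the key before it was revoked is not addressed by this hunk. Since signset() receives both a `del` and an `add` diff, please confirm that the path which populates `del` still removes those stale RRSIGs once the key is skipped here; otherwise the zone keeps signatures that the signer will no longer refresh. A verbose-level message naming the skipped key and the RRset type would also help operators understand why a revoked key stopped signing, and the commit title should read "non-DNSKEY RRsets" rather than "non DNSKEY RRset". Consider adding a regression test covering a zone signed with a revoked key so the behaviour is exercised.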