From: Tony Finch
Date: Fri, 9 Mar 2018 17:55:58 +0000 (+0000)
Subject: Your CDS RR is not signed with your KSK as specified in RFC7344
X-Git-Tag: release-1.7.1-rc1~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3c465b939544d36ab88aa5c27d40a19f503758a;p=thirdparty%2Fldns.git

Your CDS RR is not signed with your KSK as specified in RFC7344

Willem Toorop wrote:
> Yes indeed! I've created a bug report for it:
>
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3437

I think the following patch fixes it.
(I don't have an account on your bugzilla)
---
diff --git a/dnssec_sign.c b/dnssec_sign.c index 4475b1b8..8403b651 100644 --- a/dnssec_sign.c +++ b/dnssec_sign.c @@ -1257,12 +1257,15 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone key_list, func, arg); - if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) && - cur_rrset->type == LDNS_RR_TYPE_DNSKEY) - ldns_key_list_filter_for_dnskey(key_list, flags); - - if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY) + if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY || + cur_rrset->type == LDNS_RR_TYPE_CDNSKEY || + cur_rrset->type == LDNS_RR_TYPE_CDS) { + if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) { + ldns_key_list_filter_for_dnskey(key_list, flags); + } + } else { ldns_key_list_filter_for_non_dnskey(key_list, flags); + } /* TODO: just set count to zero? */ rr_list = ldns_rr_list_new();
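
Review bot: The new test on cur_rrset->type in ldns_dnssec_zone_create_rrsigs_flg makes LDNS_SIGN_DNSKEY_WITH_ZSK govern CDS and CDNSKEY RRsets as well as DNSKEY, but nothing in the hunk says so and the flag name still mentions only DNSKEY. Please add a short comment above the outer if stating that CDS and CDNSKEY go through ldns_key_list_filter_for_dnskey because RFC 7344 wants them signed with the KSK, and update the flag's documentation to say that setting it skips that filter for all three types. The three-way type comparison would also be easier to keep consistent as a small helper predicate, so that any other code which special-cases LDNS_RR_TYPE_DNSKEY when selecting signing keys can share the same set of types.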