From f3c465b939544d36ab88aa5c27d40a19f503758a Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Fri, 9 Mar 2018 17:55:58 +0000
Subject: [PATCH] Your CDS RR is not signed with your KSK as specified in RFC7344
Willem Toorop wrote:
> Yes indeed! I've created a bug report for it:
>
> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3437
I think the following patch fixes it. (I don't have an account on your bugzilla)
---
 dnssec_sign.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/dnssec_sign.c b/dnssec_sign.c
index 4475b1b8..8403b651 100644
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@@ -1257,12 +1257,15 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
 key_list, func, arg);
- if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
- cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
- ldns_key_list_filter_for_dnskey(key_list, flags);
-
- if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
+ if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY ||
+ cur_rrset->type == LDNS_RR_TYPE_CDNSKEY ||
+ cur_rrset->type == LDNS_RR_TYPE_CDS) {
+ if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) {
+ ldns_key_list_filter_for_dnskey(key_list, flags);
+ }
+ } else {
 ldns_key_list_filter_for_non_dnskey(key_list, flags);
+ }
 /* TODO: just set count to zero? */ rr_list = ldns_rr_list_new();
--
2.47.3
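Review bot: The new three-way type test (`cur_rrset->type == LDNS_RR_TYPE_DNSKEY || ... LDNS_RR_TYPE_CDNSKEY || ... LDNS_RR_TYPE_CDS`) carries no comment explaining why CDS and CDNSKEY now take the DNSKEY key-selection path, and the helper it calls is still named `ldns_key_list_filter_for_dnskey`, so the RFC 7344 requirement is recorded only in the commit subject. I would add above the `if`: `/* RFC 7344: CDS and CDNSKEY RRsets must be signed by the KSK, so select keys as for DNSKEY */`. `LDNS_SIGN_DNSKEY_WITH_ZSK` now also governs CDS and CDNSKEY: with the flag set, neither filter runs for these types, which presumably leaves every usable key signing them, and the flag's documentation should say so. A regression test that signs a zone holding CDS/CDNSKEY with separate KSK and ZSK and checks which key produced the RRSIGs would pin the behaviour, since a CDS signed only by the ZSK is the non-compliance this patch fixes. The enclosing function starts and ends outside the hunk, and both filter helpers are not visible here, so their exact selection rules are inferred from their names.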