Tiny refactor revoked key check
authorMatthijs Mekking <matthijs@isc.org>
Tue, 11 Jul 2023 12:51:24 +0000 (14:51 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 20 Jul 2023 10:44:19 +0000 (12:44 +0200)
This makes the code flow a bit more readable.

lib/dns/update.c
lib/dns/zone.c

index 6063a50199da1b6b29344b30137a37aa96a7d6cc..6d7e563c0f52ceac740b639b60a27d35c72b9cb5 100644 (file)
@@ -1160,17 +1160,6 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                        continue;
                }
 
-               if (!REVOKE(keys[i])) {
-                       /*
-                        * Don't consider inactive keys, however the KSK may be
-                        * temporary offline, so do consider KSKs which private
-                        * key files are unavailable.
-                        */
-                       both = dst_key_have_ksk_and_zsk(
-                               keys, nkeys, i, false, KSK(keys[i]),
-                               !KSK(keys[i]), NULL, NULL);
-               }
-
                if (use_kasp) {
                        /*
                         * A dnssec-policy is found. Check what RRsets this
@@ -1216,26 +1205,34 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
                                 */
                                continue;
                        }
-
-                       /*
-                        * If this key is revoked, it may only sign the
-                        * DNSKEY RRset.
-                        */
-                       if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
-                               continue;
-                       }
-               } else if (both) {
+               } else if (!REVOKE(keys[i])) {
                        /*
-                        * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+                        * Don't consider inactive keys, however the KSK may be
+                        * temporary offline, so do consider KSKs which private
+                        * key files are unavailable.
                         */
-                       if (dns_rdatatype_iskeymaterial(type)) {
-                               if (!KSK(keys[i])) {
+                       both = dst_key_have_ksk_and_zsk(
+                               keys, nkeys, i, false, KSK(keys[i]),
+                               !KSK(keys[i]), NULL, NULL);
+                       if (both) {
+                               /*
+                                * CDS and CDNSKEY are signed with KSK (RFC
+                                * 7344, 4.1).
+                                */
+                               if (dns_rdatatype_iskeymaterial(type)) {
+                                       if (!KSK(keys[i])) {
+                                               continue;
+                                       }
+                               } else if (KSK(keys[i])) {
                                        continue;
                                }
-                       } else if (KSK(keys[i])) {
-                               continue;
                        }
-               } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+               }
+
+               /*
+                * If this key is revoked, it may only sign the DNSKEY RRset.
+                */
+               if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
                        continue;
                }
 
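Review bot: The new `} else if (!REVOKE(keys[i]))` branch still assigns to a function-scoped `both` whose declaration is outside this hunk, while the identical refactor in lib/dns/zone.c declares it locally as `bool both = dst_key_have_ksk_and_zsk(`. After this hunk `both` appears to be read only inside that branch, so the outer declaration is presumably dead (verify no other reader remains in add_sigs) and the line should be narrowed to the local form for consistency with zone.c. A local declaration also makes it explicit that the value is only computed for non-revoked keys; with the old function-scoped variable a revoked key reached `else if (both)` carrying whatever the previous iteration left there. add_sigs begins and ends outside this hunk.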
index 4b07ae669924868b62dd08b44110fd6e15a5981f..5f284829d038abac15644d04e5f93b18a2fc98d2 100644 (file)
@@ -6596,16 +6596,6 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
                        continue;
                }
 
-               if (!REVOKE(keys[i])) {
-                       /*
-                        * Don't consider inactive keys, however the KSK may be
-                        * temporary offline, so do consider keys which private
-                        * key files are unavailable.
-                        */
-                       both = dst_key_have_ksk_and_zsk(
-                               keys, nkeys, i, false, KSK(keys[i]),
-                               !KSK(keys[i]), NULL, NULL);
-               }
                if (use_kasp) {
                        /*
                         * A dnssec-policy is found. Check what RRsets this
@@ -6665,26 +6655,34 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
                                 */
                                continue;
                        }
-
-                       /*
-                        * If this key is revoked, it may only sign the
-                        * DNSKEY RRset.
-                        */
-                       if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
-                               continue;
-                       }
-               } else if (both) {
+               } else if (!REVOKE(keys[i])) {
                        /*
-                        * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+                        * Don't consider inactive keys, however the KSK may be
+                        * temporary offline, so do consider keys which private
+                        * key files are unavailable.
                         */
-                       if (dns_rdatatype_iskeymaterial(type)) {
-                               if (!KSK(keys[i])) {
+                       bool both = dst_key_have_ksk_and_zsk(
+                               keys, nkeys, i, false, KSK(keys[i]),
+                               !KSK(keys[i]), NULL, NULL);
+                       if (both) {
+                               /*
+                                * CDS and CDNSKEY are signed with KSK (RFC
+                                * 7344, 4.1).
+                                */
+                               if (dns_rdatatype_iskeymaterial(type)) {
+                                       if (!KSK(keys[i])) {
+                                               continue;
+                                       }
+                               } else if (KSK(keys[i])) {
                                        continue;
                                }
-                       } else if (KSK(keys[i])) {
-                               continue;
                        }
-               } else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
+               }
+
+               /*
+                * If this key is revoked, it may only sign the DNSKEY RRset.
+                */
+               if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
                        continue;
                }
 
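Review bot: The KSK/key-material test under `if (both) {` is now nested four levels deep inside the `else if (!REVOKE(keys[i]))` branch, which makes the two `continue` paths harder to read than the flat chain they replace; the same shape is added in the lib/dns/update.c hunk. The two nested conditions reduce to a single guard with the same truthiness, `if (both && (dns_rdatatype_iskeymaterial(type) ? !KSK(keys[i]) : KSK(keys[i]))) { continue; }`, keeping the "CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1)" comment above it. This is a readability suggestion only; the semantics of the new code are unchanged. add_sigs begins and ends outside this hunk.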
@@ -9279,17 +9277,6 @@ zone_sign(dns_zone_t *zone) {
                        /*
                         * We do KSK processing.
                         */
-                       if (!REVOKE(zone_keys[i])) {
-                               /*
-                                * Don't consider inactive keys, however the key
-                                * may be temporary offline, so do consider KSKs
-                                * which private key files are unavailable.
-                                */
-                               both = dst_key_have_ksk_and_zsk(
-                                       zone_keys, nkeys, i, false,
-                                       KSK(zone_keys[i]), !KSK(zone_keys[i]),
-                                       NULL, NULL);
-                       }
                        if (use_kasp) {
                                /*
                                 * A dnssec-policy is found. Check what