Do not sign non DNSKEY RRset with revoked keys

It does not make sense to sign RRsets other than DNSKEY with revoked
keys.

(cherry picked from commit 23775c6006ecf68d1da6b08488dd8242173bbd4d)

diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 18d0c1ac89617f8693b3d67ca2cf630902f8fa63..b2c77d497a44b396e83e716e1706f4c2b5b92a16 100644 (file)
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -679,6 +679,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
        for (key = ISC_LIST_HEAD(keylist); key != NULL;
             key = ISC_LIST_NEXT(key, link))
        {
+               if (REVOKE(key->key) && set->type != dns_rdatatype_dnskey) {
+                       continue;
+               }
+
                if (nowsignedby[key->index]) {
                        continue;
                }