When signing with a new algorithm preserve NSEC/NSEC3 chains
authorMark Andrews <marka@isc.org>
Tue, 14 Mar 2023 02:13:14 +0000 (13:13 +1100)
committerMark Andrews <marka@isc.org>
Tue, 14 Mar 2023 13:30:22 +0000 (00:30 +1100)
If the zone already has existing NSEC/NSEC3 chains then zone_sign
needs to continue to use them.  If there are no chains then use the
kasp setting; otherwise generate an NSEC chain.

(cherry picked from commit 4b5520145969222e6482e4552e49e96cc7d9bd97)

lib/dns/zone.c

index 702f712160bf8b87aa55e9bae49ea109ac1e5e06..cf64b78230ef5c0897652c5a4ff9f89966b1cf23 100644 (file)
@@ -9599,14 +9599,14 @@ zone_sign(dns_zone_t *zone) {
                   use_kasp ? "yes" : "no");
 
        /* Determine which type of chain to build */
-       if (use_kasp) {
-               build_nsec3 = dns_kasp_nsec3(kasp);
-               build_nsec = !build_nsec3;
-       } else {
-               CHECK(dns_private_chains(db, version, zone->privatetype,
-                                        &build_nsec, &build_nsec3));
-               /* If neither chain is found, default to NSEC */
-               if (!build_nsec && !build_nsec3) {
+       CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+                                &build_nsec3));
+       if (!build_nsec && !build_nsec3) {
+               if (use_kasp) {
+                       build_nsec3 = dns_kasp_nsec3(kasp);
+                       build_nsec = !build_nsec3;
+               } else {
+                       /* If neither chain is found, default to NSEC */
                        build_nsec = true;
                }
        }
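Review bot: The comment `/* If neither chain is found, default to NSEC */` now sits inside the else branch, where "neither chain is found" is already established by the enclosing `if (!build_nsec && !build_nsec3)`; it should name what the branch actually distinguishes, e.g. `/* No existing chain and no kasp policy: default to NSEC */`. The header comment above the call would also benefit from stating the new precedence, e.g. `/* Prefer the zone's existing NSEC/NSEC3 chains; fall back to the kasp setting, then to NSEC */`, since the code no longer reads as "kasp decides". A consequence worth noting is that when a chain already exists the kasp NSEC3 choice is never consulted, so a policy/zone mismatch is silent; if the log call whose tail is visible at the top of the hunk can be extended, reporting the chain type actually selected next to the existing use_kasp yes/no would let operators see why the policy was not applied. The body of zone_sign begins and ends outside this hunk.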