Be more precise with the stopping conditions in zone_resigninc
authorMark Andrews <marka@isc.org>
Thu, 8 Apr 2021 00:49:28 +0000 (10:49 +1000)
committerMichał Kępień <michal@isc.org>
Mon, 26 Apr 2021 10:45:28 +0000 (12:45 +0200)
If, for any reason, there is an RRSIG(SOA) that is not at the zone
apex, it should not be treated as a stopping condition for
incremental zone signing.

(cherry picked from commit b7cdc3583e3643c2177a62bd94ca598360a83fc3)

lib/dns/zone.c

index a742bcb9cf23cb1a8e23a96c33b5b9a02b28dd32..7bd57067a4c51f8686db4aaa089e76bdff8b3555 100644 (file)
@@ -7024,8 +7024,10 @@ zone_resigninc(dns_zone_t *zone) {
                 * recent signature.
                 */
                /* XXXMPA increase number of RRsets signed pre call */
-               if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
-                   resign > stop) {
+               if ((covers == dns_rdatatype_soa &&
+                    dns_name_equal(name, &zone->origin)) ||
+                   i++ > zone->signatures || resign > stop)
+               {
                        break;
                }
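Review bot: The reason for the added `dns_name_equal(name, &zone->origin)` test is recorded only in the commit message, so the `if` should carry a comment such as `/* An RRSIG(SOA) stops the loop only at the zone apex; elsewhere it is not a stopping condition. */`. With this change a non-apex RRSIG(SOA) falls through to the rest of the loop body, and zone_resigninc starts and continues outside the hunk. It is worth confirming that the re-sign path below copes with a name that holds an RRSIG(SOA) but presumably no SOA rdataset, and a regression test with such a zone would pin that. As a smaller style point, `i++` sits in the middle of a short-circuit `||` chain, so whether the counter advances depends on the operand before it; incrementing it on its own line would make the `zone->signatures` limit easier to audit.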