New option to dnssec-signzone to ignore sync rrs

By default, CDS and CDNSKEY records are generated from the given
key list. In some cases you don't want that.

bin/dnssec/dnssec-signzone.c

@@ -65,6 +65,7 @@
 #include <dns/dnssec.h>
 #include <dns/ds.h>
 #include <dns/fixedname.h>
+#include <dns/kasp.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/master.h>
@@ -172,6 +173,7 @@ static bool output_stdout = false;
 static bool set_maxttl = false;
 static dns_ttl_t maxttl = 0;
 static bool no_max_check = false;
+static bool ignore_sync = false;
 
 #define INCSTAT(counter)            \
 	if (printstats) {           \
@@ -2740,10 +2742,20 @@ build_final_keylist(void) {
 	dns_dnsseckeylist_t rmkeys, matchkeys;
 	char name[DNS_NAME_FORMATSIZE];
 	dns_rdataset_t cdsset, cdnskeyset, soaset;
+	dns_kasp_digestlist_t digests;
+	dns_kasp_digest_t digest = {
+		.digest = DNS_DSDIGEST_SHA256,
+		.link = ISC_LINK_INITIALIZER,
+	};
 
 	ISC_LIST_INIT(rmkeys);
 	ISC_LIST_INIT(matchkeys);
 
+	ISC_LIST_INIT(digests);
+	if (!ignore_sync) {
+		ISC_LIST_APPEND(digests, &digest, link);
+	}
+
 	dns_rdataset_init(&soaset);
 	dns_rdataset_init(&cdsset);
 	dns_rdataset_init(&cdnskeyset);
@@ -2789,8 +2801,9 @@ build_final_keylist(void) {
 	/*
 	 * Update keylist with sync records.
 	 */
+
 	dns_dnssec_syncupdate(&keylist, &rmkeys, &cdsset, &cdnskeyset, now,
-			      DNS_DSDIGEST_SHA256, keyttl, &diff, mctx);
+			      &digests, keyttl, &diff, mctx);
 
 	dns_name_format(gorigin, name, sizeof(name));
 
@@ -2814,6 +2827,11 @@ build_final_keylist(void) {
 
 	clear_keylist(&rmkeys);
 	clear_keylist(&matchkeys);
+
+	if (!ignore_sync) {
+		ISC_LIST_UNLINK(digests, &digest, link);
+	}
+	INSIST(ISC_LIST_EMPTY(digests));
 }
 
 static void
@@ -3285,8 +3303,8 @@ main(int argc, char *argv[]) {
 	atomic_init(&finished, false);
 
 	/* Unused letters: Bb G J q Yy (and F is reserved). */
-#define CMDLINE_FLAGS                                                        \
-	"3:AaCc:Dd:E:e:f:FghH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
+#define CMDLINE_FLAGS                                                         \
+	"3:AaCc:Dd:E:e:f:FgGhH:i:I:j:J:K:k:L:l:m:M:n:N:o:O:PpQqRr:s:ST:tuUv:" \
 	"VX:xzZ:"
 
 	/*
@@ -3392,6 +3410,10 @@ main(int argc, char *argv[]) {
 			generateds = true;
 			break;
 
+		case 'G':
+			ignore_sync = true;
+			break;
+
 		case 'H':
 			set_iter = true;
 			/* too-many is NOT DOCUMENTED */

bin/dnssec/dnssec-signzone.rst

@@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool
 Synopsis
 ~~~~~~~~
 
-:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
+:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-G**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
 
 Description
 ~~~~~~~~~~~
@@ -76,6 +76,10 @@ Options
    This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
    file. Existing DS records are removed.
 
+.. option:: -G
+
+   This option indicates that CDS and CDNSKEY records should not be generated from the given key set.
+
 .. option:: -K directory
 
    This option specifies the directory to search for DNSSEC keys. If not