4847. [bug] dnssec-dnskey-kskonly was not being honoured for

CDS and CDNSKEY. [RT #46755]
2025-08-31 06:25:31 +00:00 · 2017-12-13 12:40:36 +11:00
parent e5ac12b76d
commit 4d1bbe308d
9 changed files with 119 additions and 17 deletions
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1137,20 +1137,21 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		}

 		if (both) {
-			if (type == dns_rdatatype_dnskey) {
+			/*
+			 * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+			 */
+			if (type == dns_rdatatype_dnskey ||
+			    type == dns_rdatatype_cdnskey ||
+			    type == dns_rdatatype_cds)
+			{
 				if (!KSK(keys[i]) && keyset_kskonly)
 					continue;
 			} else if (KSK(keys[i])) {
-				/*
-				 * CDS and CDNSKEY are signed with KSK
-				 * (RFC 7344, 4.1).
-				*/
-				if (type != dns_rdatatype_cds &&
-				    type != dns_rdatatype_cdnskey)
-					continue;
+				continue;
 			}
-		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey) {
 			continue;
+		}

 		/* Calculate the signature, creating a RRSIG RDATA. */
 		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],