From b47d410f8409294863f214542a05c92cbe86cf04 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 14 Jan 2010 23:27:38 +0000
Subject: [PATCH] 2840. [bug] Change 2836 was not complete. [RT #20883]
---
 CHANGES | 2 ++
 lib/dns/zone.c | 32 +++++++++++++++++--------------
 2 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/CHANGES b/CHANGES
index 8ad5fc7162..675ba7b777 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2840. [bug] Change 2836 was not complete. [RT #20883]
+
 2839. [bug] Temporary fixed pkcs11-destroy usage check. [RT #20760]
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 924d17cd2e..f00c14799e 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: zone.c,v 1.553 2010/01/12 23:56:12 fdupont Exp $ */
+/* $Id: zone.c,v 1.554 2010/01/14 23:27:38 each Exp $ */
 /*! \file */
@@ -6559,6 +6559,10 @@ zone_sign(dns_zone_t *zone) {
 CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec, &build_nsec3));
+ /* If neither chain is found, default to NSEC */
+ if (!build_nsec && !build_nsec3)
+ build_nsec = ISC_TRUE;
+
 while (signing != NULL && nodes-- > 0 && signatures > 0) {
 nextsigning = ISC_LIST_NEXT(signing, link);
@@ -13695,7 +13699,7 @@ zone_rekey(dns_zone_t *zone) {
 dns_dnsseckeylist_t dnskeys, keys, rmkeys;
 dns_dnsseckey_t *key;
 dns_diff_t diff;
- isc_boolean_t commit = ISC_FALSE;
+ isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
 dns_ttl_t ttl = 3600;
 const char *dir;
 isc_mem_t *mctx;
@@ -13759,7 +13763,17 @@ zone_rekey(dns_zone_t *zone) {
 goto failure;
 }
- if (!ISC_LIST_EMPTY(diff.tuples) &&
+ /* See if any pre-existing keys have newly become active */
+ for (key = ISC_LIST_HEAD(dnskeys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link)) {
+ if (key->first_sign) {
+ newactive = ISC_TRUE;
+ break;
+ }
+ }
+
+ if ((newactive || !ISC_LIST_EMPTY(diff.tuples)) &&
 dnskey_sane(zone, db, ver, &diff)) {
 commit = ISC_TRUE;
 dns_diff_apply(&diff, db, ver);
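Review bot: The fallback added in the zone_sign hunk sets `build_nsec = ISC_TRUE` silently whenever dns_private_chains() leaves both flags false, and the one-line comment does not say when that state is expected. If a zone that is meant to be NSEC3-only can reach this branch (not determinable from the hunk), it would be given an NSEC chain, which makes its names enumerable by walking the chain. The comment should name the case it covers, for example `/* No NSEC or NSEC3 chain recorded for this zone yet: build NSEC by default */` (wording to be confirmed against the callers), and a debug-level log line at this point would make the choice visible to the operator. zone_sign's body starts and ends outside the hunk.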
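Review bot: In the second zone_rekey hunk, a key that has newly become active now has to pass `dnskey_sane(zone, db, ver, &diff)`, possibly with an empty `diff`, before `commit` is set; the removed code set `commit` from the first_sign scan after dns_db_closeversion() and never ran that check for this case. If dnskey_sane() returns false on this path the signature update is skipped, and nothing visible in the hunk reports it, so the zone could stay signed only by the older keys without the operator noticing (dnskey_sane may log on its own; that is outside the hunk). I would document the intent above the test, e.g. `/* newactive: commit and re-sign even when the DNSKEY RRset itself is unchanged */`, and confirm that a rejection here is logged. zone_rekey's body starts and ends outside the hunk.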
@@ -13773,18 +13787,6 @@ zone_rekey(dns_zone_t *zone) {
 dns_db_closeversion(db, &ver, commit);
- /* See if any pre-existing keys have newly become active */
- if (!commit) {
- for (key = ISC_LIST_HEAD(dnskeys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link)) {
- if (key->first_sign) {
- commit = ISC_TRUE;
- break;
- }
- }
- }
-
 /* Update signatures */
 if (commit) {
 LOCK_ZONE(zone);