Do not sign non DNSKEY RRset with revoked keys

It does not make sense to sign RRsets other than DNSKEY with revoked keys.
2026-05-28 04:34:54 -04:00 · 2024-11-29 17:20:39 +11:00 · 2024-11-29 17:20:39 +11:00 · 23775c6006
commit 23775c6006
parent bd0cf07e88
1 changed files with 4 additions and 0 deletions
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@ -673,6 +673,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 	for (key = ISC_LIST_HEAD(keylist); key != NULL;
 	     key = ISC_LIST_NEXT(key, link))
 	{
+		if (REVOKE(key->key) && set->type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
 		if (nowsignedby[key->index]) {
 			continue;
 		}