Do not sign non DNSKEY RRset with revoked keys

It does not make sense to sign RRsets other than DNSKEY with revoked keys. (cherry picked from commit 23775c6006)
2026-05-28 04:34:54 -04:00 · 2024-11-29 17:20:39 +11:00 · 2024-11-29 17:20:39 +11:00 · 5de305195b
commit 5de305195b
parent 55475d9357
1 changed files with 4 additions and 0 deletions
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@ -679,6 +679,10 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 	for (key = ISC_LIST_HEAD(keylist); key != NULL;
 	     key = ISC_LIST_NEXT(key, link))
 	{
+		if (REVOKE(key->key) && set->type != dns_rdatatype_dnskey) {
+			continue;
+		}
+
 		if (nowsignedby[key->index]) {
 			continue;
 		}