From b7cdc3583e3643c2177a62bd94ca598360a83fc3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 8 Apr 2021 10:49:28 +1000
Subject: [PATCH] Be more precise with the stopping conditions in zone_resigninc

If there happens to be a RRSIG(SOA) that is not at the zone apex for any reason it should not be considered as a stopping condition for incremental zone signing.
---
 lib/dns/zone.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 261c6242a7..031fa4827c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -7089,8 +7089,10 @@ zone_resigninc(dns_zone_t *zone) {
 * recent signature.
 */
 /* XXXMPA increase number of RRsets signed pre call */
- if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
- resign > stop) {
+ if ((covers == dns_rdatatype_soa &&
+ dns_name_equal(name, &zone->origin)) ||
+ i++ > zone->signatures || resign > stop)
+ {
 break;
 }
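Review bot: The added `dns_name_equal(name, &zone->origin)` clause in the `if` has no comment explaining why the owner name now matters. The comment block above it begins outside the hunk, so it is not visible whether it still describes the stop conditions accurately. I would put `/* A RRSIG(SOA) that is not at the zone apex is not a stopping condition. */` directly above the condition, so the reason survives a later rewrite of this test. The diffstat lists only lib/dns/zone.c, so nothing in this patch exercises a zone that holds a non-apex RRSIG(SOA). A regression test for that case would guard against incremental re-signing ending early again. The enclosing loop in zone_resigninc starts and ends outside the hunk.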