support single-type ZSK signing

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 4f0e49ba3fef4e6e1e3283852c200590ed82fe65..4f10bce1241c905c1ec57d124a314c6ae41b2d54 100644 (file)
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -54,8 +54,8 @@ bool DNSSECKeeper::isSecuredZone(const std::string& zone)
   if(isPresigned(zone))
     return true;
 
-  keyset_t keys = getKeys(zone, true); // does the cache
-  
+  keyset_t keys = getKeys(zone); // does the cache
+
   BOOST_FOREACH(keyset_t::value_type& val, keys) {
     if(val.second.active) {
       return true;

diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index cbf4749541f013b92d0a6b7e03f6b1136f93d63b..7bffd979ae5a77d1dab169cfbb04bae20af08d1a 100644 (file)
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -121,8 +121,8 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
 uint32_t getStartOfWeek();
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, 
   vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL, 
-                    vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc, bool ksk);
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+  vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc);
 
 std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const std::string& qname);
 void decodeDERIntegerSequence(const std::string& input, vector<string>& output);

diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 89e9b303d3396ea74f068ea4e54a28bfbe7b54a0..f21fb37bb99ff6a1822e89bb4d6495adf84c031c 100644 (file)
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -32,8 +32,8 @@ extern StatBag S;
 
 /* this is where the RRSIGs begin, keys are retrieved,
    but the actual signing happens in fillOutRRSIG */
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL, 
-                     vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs, bool ksk)
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+                     vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs)
 {
   if(toSign.empty())
     return -1;
@@ -60,21 +60,24 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
     rrc.d_algorithm = keymeta.first.d_algorithm;
     if(!keymeta.second.active) 
       continue;
-      
+
     if(keymeta.second.keyOrZone)
       KSKs.push_back(keymeta.first);
-    else if(!ksk)
+    else
       ZSKs.push_back(keymeta.first);
   }
-  if(ksk)
-    signingKeys = &KSKs;
-  else {
+  if(signQType == QType::DNSKEY) {
+    if(KSKs.empty())
+      signingKeys = &ZSKs;
+    else
+      signingKeys = &KSKs;
+  } else {
     if(ZSKs.empty())
       signingKeys = &KSKs;
     else
-      signingKeys =&ZSKs;
+      signingKeys = &ZSKs;
   }
-  
+
   BOOST_FOREACH(DNSSECPrivateKey& dpk, *signingKeys) {
     fillOutRRSIG(dpk, signQName, rrc, toSign);
     rrcs.push_back(rrc);
@@ -96,7 +99,7 @@ void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, c
     dk.getPreRRSIGs(db, signer, signQName, wildcardname, QType(signQType), signPlace, outsigned, origTTL); // does it all
   }
   else {
-    if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0)  {
+    if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs) < 0)  {
       // cerr<<"Error signing a record!"<<endl;
       return;
     }