From: Kees Monshouwer
Date: Mon, 5 Jan 2015 10:26:08 +0000 (+0100)
Subject: support single-type ZSK signing
X-Git-Tag: rec-3.7.0-rc1~60^2~4^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8a95b04cc023f86f7f5f62d12ff573927d84d0aa;p=pdns

support single-type ZSK signing
---

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 4f0e49ba3..4f10bce12 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -54,8 +54,8 @@ bool DNSSECKeeper::isSecuredZone(const std::string& zone)
 if(isPresigned(zone))
 return true;
- keyset_t keys = getKeys(zone, true); // does the cache
-
+ keyset_t keys = getKeys(zone); // does the cache
+
 BOOST_FOREACH(keyset_t::value_type& val, keys) {
 if(val.second.active) {
 return true;
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index cbf474954..7bffd979a 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -121,8 +121,8 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
 uint32_t getStartOfWeek();
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, vector >& toSign, vector& outsigned, uint32_t origTTL);
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
- vector >& toSign, vector &rrc, bool ksk);
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+ vector >& toSign, vector &rrc);
 std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const std::string& qname);
 void decodeDERIntegerSequence(const std::string& input, vector& output);
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 3ecbf3548..dcf0cc90c 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
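Review bot: The new `getKeys(zone)` call makes isSecuredZone report a zone as secure as soon as any active key exists, including a zone whose only active key is a ZSK, which is the point of single-type ZSK signing, but nothing at the call site records that the key-type filter was dropped on purpose. I would replace the `// does the cache` comment with `// all key types, from the cache: with single-type ZSK signing a secure zone may have no KSK at all`. If the removed second argument of getKeys was the KSK-only selector, as the old line suggests, the set iterated here is now larger, so the loop should keep its early `return true` rather than collect anything. isSecuredZone continues past the end of the hunk.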
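Review bot: The new getRRSIGsForRRSET declaration drops `bool ksk` without saying what now decides which keys sign, so a caller reading only the header cannot tell that the choice is made from signQType. I would put above the declaration: `// Signs toSign with the zone's active ZSKs, or with its active KSKs when signQType is DNSKEY; when the preferred type has no active key the other type is used. Returns -1 if toSign is empty.` The `vector >&` parameter types are garbled in this copy of the patch (the template arguments are missing), so the declaration cannot be checked against the definition from here.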
@@ -32,8 +32,8 @@ extern StatBag S;
 /* this is where the RRSIGs begin, keys are retrieved, but the actual signing happens in fillOutRRSIG */
-int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
- vector >& toSign, vector& rrcs, bool ksk)
+int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL,
+ vector >& toSign, vector& rrcs)
 {
 if(toSign.empty())
 return -1;
@@ -60,21 +60,24 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
 rrc.d_algorithm = keymeta.first.d_algorithm;
 if(!keymeta.second.active)
 continue;
-
+
 if(keymeta.second.keyOrZone)
 KSKs.push_back(keymeta.first);
- else if(!ksk)
+ else
 ZSKs.push_back(keymeta.first);
 }
- if(ksk)
- signingKeys = &KSKs;
- else {
+ if(signQType == QType::DNSKEY) {
+ if(KSKs.empty())
+ signingKeys = &ZSKs;
+ else
+ signingKeys = &KSKs;
+ } else {
 if(ZSKs.empty())
 signingKeys = &KSKs;
 else
- signingKeys =&ZSKs;
+ signingKeys = &ZSKs;
 }
-
+
 BOOST_FOREACH(DNSSECPrivateKey& dpk, *signingKeys) {
 fillOutRRSIG(dpk, signQName, rrc, toSign);
 rrcs.push_back(rrc);
@@ -96,7 +99,7 @@ void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, c
 dk.getPreRRSIGs(db, signer, signQName, wildcardname, QType(signQType), signPlace, outsigned, origTTL); // does it all
 }
 else {
- if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0) {
+ if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs) < 0) {
 // cerr<<"Error signing a record!"<
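Review bot: After the new selection block signingKeys can still point at an empty vector — every key of the zone inactive, so both KSKs and ZSKs stay empty — and the BOOST_FOREACH that follows then emits no RRSIG at all while the function carries on as if it had signed. Unless the part of getRRSIGsForRRSET below the hunk already handles this, I would add `if(signingKeys->empty()) return -1;` before the loop, which is the same error value the function returns for an empty toSign and which the caller in addSignature already checks with `< 0`. The two fallbacks also deserve a comment, since the code alone reads like an accident: `// single-type signing: with no active KSK the DNSKEY set is signed by the ZSKs, with no active ZSK everything is signed by the KSKs`. Selection is by key type only, so with an active KSK and ZSK of different algorithms the DNSKEY set carries no signature in the ZSK's algorithm; that is pre-existing behaviour, not introduced here. getRRSIGsForRRSET starts before and ends after this hunk.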