From 7dc95f99c6aaafb9d1856a9ef85896022de04f93 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Wed, 11 Feb 2015 22:54:08 +0100
Subject: [PATCH] evaluate KSK ZSK pairs per algorithm
---
 pdns/dnssecsigner.cc | 48 +++++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 23 deletions(-)
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index dcf0cc90c..c84073aab 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -51,34 +51,36 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
   // we sign the RRSET in toSign + the rrc w/o hash
   DNSSECKeeper::keyset_t keys = dk.getKeys(signer); // we don't want the . for the root!
-  vector KSKs, ZSKs;
-  vector* signingKeys;
-
-  // if ksk==1, only get KSKs
-  // if ksk==0, get ZSKs, unless there is no ZSK, then get KSK
+  set algoHasKSK, algoHasZSK;
+  vector signingKeys;
+
+  BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type& keymeta, keys) {
+    if(keymeta.second.active) {
+      if(keymeta.second.keyOrZone)
+        algoHasKSK.insert(keymeta.first.d_algorithm);
+      else
+        algoHasZSK.insert(keymeta.first.d_algorithm);
+    }
+  }
+
   BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type& keymeta, keys) {
-    rrc.d_algorithm = keymeta.first.d_algorithm;
-    if(!keymeta.second.active)
+    if(!keymeta.second.active)
       continue;
-    if(keymeta.second.keyOrZone)
-      KSKs.push_back(keymeta.first);
-    else
-      ZSKs.push_back(keymeta.first);
-  }
-  if(signQType == QType::DNSKEY) {
-    if(KSKs.empty())
-      signingKeys = &ZSKs;
-    else
-      signingKeys = &KSKs;
-  } else {
-    if(ZSKs.empty())
-      signingKeys = &KSKs;
-    else
-      signingKeys = &ZSKs;
+    if(signQType == QType::DNSKEY) {
+      // skip ZSK, if this algorithm has a KSK
+      if(!keymeta.second.keyOrZone && algoHasKSK.count(keymeta.first.d_algorithm))
+        continue;
+    } else {
+      // skip KSK, if this algorithm has a ZSK
+      if(keymeta.second.keyOrZone && algoHasZSK.count(keymeta.first.d_algorithm))
+        continue;
+    }
+
+    signingKeys.push_back(keymeta.first);
   }
-  BOOST_FOREACH(DNSSECPrivateKey& dpk, *signingKeys) {
+  BOOST_FOREACH(DNSSECPrivateKey& dpk, signingKeys) {
     fillOutRRSIG(dpk, signQName, rrc, toSign);
     rrcs.push_back(rrc);
   }
--
2.50.1
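Review bot: The removed `rrc.d_algorithm = keymeta.first.d_algorithm;` has no replacement in the new selection loop, so the algorithm field of every RRSIG pushed into rrcs now depends entirely on fillOutRRSIG() (outside the hunk) setting it from dpk; if that helper does not, each signature would carry whatever algorithm rrc held on entry and validators would reject it, so this is worth confirming before merge. The new per-algorithm filtering is the right direction, since a validator expects each RRset to be signed by at least one key of every algorithm present in the DNSKEY RRset, but the removed policy comment is not replaced and the two skip comments only describe half of the rule; I would add above the second BOOST_FOREACH `// every algorithm in the key set must sign: per algorithm, DNSKEY is signed by the KSK (ZSK only when there is no KSK), all other RRsets by the ZSK (KSK only when there is no ZSK)`. The extraction has dropped the template arguments of `set` and `vector`, so the element types cannot be checked here. The enclosing function continues past the end of the hunk.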