Diffstat (limited to 'src/libknot/dnssec')
-rw-r--r--src/libknot/dnssec/zone-sign.c40
1 files changed, 27 insertions, 13 deletions
diff --git a/src/libknot/dnssec/zone-sign.c b/src/libknot/dnssec/zone-sign.c
index 8e4179f..4f1247c 100644
--- a/src/libknot/dnssec/zone-sign.c
+++ b/src/libknot/dnssec/zone-sign.c
@@ -92,23 +92,31 @@ static bool valid_signature_exists(const knot_rrset_t *covered,
}
/*!
- * \brief Check if key can be used to sign the RR type.
+ * \brief Check if key can be used to sign given RR.
*
- * \param key Zone key.
- * \param covered_type Type of signed RR.
+ * \param key Zone key.
+ * \param covered RR to be checked.
*
* \return The RR should be signed.
*/
-static bool use_key(const knot_zone_key_t *key, uint16_t covered_type)
+static bool use_key(const knot_zone_key_t *key, const knot_rrset_t *covered)
{
assert(key);
+ assert(covered);
if (!key->is_active) {
return false;
}
- if (covered_type != KNOT_RRTYPE_DNSKEY && key->is_ksk) {
- return false;
+ if (key->is_ksk) {
+ if (covered->type != KNOT_RRTYPE_DNSKEY) {
+ return false;
+ }
+
+ // use KSK only in the zone apex
+ if (!knot_dname_is_equal(key->dnssec_key.name, covered->owner)) {
+ return false;
+ }
}
return true;
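Review bot: The new KSK restriction is described as "use KSK only in the zone apex", but the check actually compares the RRset owner with `key->dnssec_key.name`, so it is only an apex check if every loaded key is guaranteed to carry the apex name; if a key could ever be loaded under another owner name, a KSK would sign a DNSKEY RRset at that name. Either compare against the zone apex name where it is available, or make the comment state the assumption: `// KSK signs only the DNSKEY RRset owned by the key's own (apex) name`. The Doxygen `\return` text is also stale for the new contract; `\return True if this key is active and applicable to the RR (KSKs only for the apex DNSKEY RRset).` would document what the function now decides. The callers in the two following hunks are just the signature follow-through and need no change.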
@@ -134,7 +142,7 @@ static bool all_signatures_exist(const knot_rrset_t *covered,
for (int i = 0; i < zone_keys->count; i++) {
const knot_zone_key_t *key = &zone_keys->keys[i];
- if (!use_key(key, covered->type)) {
+ if (!use_key(key, covered)) {
continue;
}
@@ -291,7 +299,7 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
for (int i = 0; i < zone_keys->count; i++) {
const knot_zone_key_t *key = &zone_keys->keys[i];
- if (!use_key(key, covered->type)) {
+ if (!use_key(key, covered)) {
continue;
}
@@ -1241,14 +1249,20 @@ bool knot_zone_sign_rr_should_be_signed(const knot_node_t *node,
return false;
}
- // SOA entry is maintained separately
- if (rrset->type == KNOT_RRTYPE_SOA) {
+ // We do not want to sign RRSIGs
+ if (rrset->type == KNOT_RRTYPE_RRSIG) {
return false;
}
- // DNSKEYs are maintained separately
- if (rrset->type == KNOT_RRTYPE_DNSKEY) {
- return false;
+ // SOA and DNSKEYs are handled separately in the zone apex
+ if (knot_node_is_apex(node)) {
+ if (rrset->type == KNOT_RRTYPE_SOA) {
+ return false;
+ }
+
+ if (rrset->type == KNOT_RRTYPE_DNSKEY) {
+ return false;
+ }
}
// At delegation points we only want to sign NSECs and DSs
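Review bot: Limiting the SOA and DNSKEY exclusion to the apex means an SOA or DNSKEY RRset with a non-apex owner now falls through to the regular signing path; that is correct only if occluded or otherwise non-authoritative data is already rejected earlier in the function, whose start lies outside this hunk, so please confirm that and record it: `// Below the apex these types are ordinary data and are signed like any other (occluded names were rejected above)`. The two apex checks can also be a single condition, `if (knot_node_is_apex(node) && (rrset->type == KNOT_RRTYPE_SOA || rrset->type == KNOT_RRTYPE_DNSKEY)) { return false; }`, which keeps the comment next to the test it explains.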