Diffstat (limited to 'src/libknot')
-rw-r--r-- | src/libknot/dnssec/zone-sign.c | 40 | ||||
-rw-r--r-- | src/libknot/zone/node.c | 23 | ||||
-rw-r--r-- | src/libknot/zone/node.h | 14 | ||||
-rw-r--r-- | src/libknot/zone/zone-contents.c | 1 | ||||
-rw-r--r-- | src/libknot/zone/zone.h | 8 |
5 files changed, 66 insertions, 20 deletions
diff --git a/src/libknot/dnssec/zone-sign.c b/src/libknot/dnssec/zone-sign.c
index 8e4179f..4f1247c 100644
--- a/src/libknot/dnssec/zone-sign.c
+++ b/src/libknot/dnssec/zone-sign.c
@@ -92,23 +92,31 @@ static bool valid_signature_exists(const knot_rrset_t *covered,
 }
 /*!
- * \brief Check if key can be used to sign the RR type.
+ * \brief Check if key can be used to sign given RR.
 *
- * \param key Zone key.
- * \param covered_type Type of signed RR.
+ * \param key Zone key.
+ * \param covered RR to be checked.
 *
 * \return The RR should be signed.
 */
-static bool use_key(const knot_zone_key_t *key, uint16_t covered_type)
+static bool use_key(const knot_zone_key_t *key, const knot_rrset_t *covered)
 {
 assert(key);
+ assert(covered);
 if (!key->is_active) {
 return false;
 }
- if (covered_type != KNOT_RRTYPE_DNSKEY && key->is_ksk) {
- return false;
+ if (key->is_ksk) {
+ if (covered->type != KNOT_RRTYPE_DNSKEY) {
+ return false;
+ }
+
+ // use KSK only in the zone apex
+ if (!knot_dname_is_equal(key->dnssec_key.name, covered->owner)) {
+ return false;
+ }
 }
 return true;
@@ -134,7 +142,7 @@ static bool all_signatures_exist(const knot_rrset_t *covered,
 for (int i = 0; i < zone_keys->count; i++) {
 const knot_zone_key_t *key = &zone_keys->keys[i];
- if (!use_key(key, covered->type)) {
+ if (!use_key(key, covered)) {
 continue;
 }
@@ -291,7 +299,7 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
 for (int i = 0; i < zone_keys->count; i++) {
 const knot_zone_key_t *key = &zone_keys->keys[i];
- if (!use_key(key, covered->type)) {
+ if (!use_key(key, covered)) {
 continue;
 }
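Review bot: The `\return` line in the rewritten header comment is stale: it still says `The RR should be signed`, but the function now answers whether this key should be used for the given RR, so `\return True if the key should be used to sign the covered RR.` describes it accurately. The new KSK branch also encodes an assumption worth stating: it treats `key->dnssec_key.name` as the zone apex name and refuses the KSK for a DNSKEY RRset owned by any other name, so a comment such as `// key name is the zone apex; KSK signs only the apex DNSKEY RRset` would make that precondition visible. This is a different notion of "apex" than the `KNOT_NODE_FLAGS_APEX` node flag introduced elsewhere in the commit; if the two ever disagree (a key whose name is not the apex), the DNSKEY RRset would be signed by ZSKs only, which seems worth a sentence in the comment or a test. use_key's closing brace lies outside the hunk; the two later hunks in this file only pass `covered` through.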
@@ -1241,14 +1249,20 @@ bool knot_zone_sign_rr_should_be_signed(const knot_node_t *node,
 return false;
 }
- // SOA entry is maintained separately
- if (rrset->type == KNOT_RRTYPE_SOA) {
+ // We do not want to sign RRSIGs
+ if (rrset->type == KNOT_RRTYPE_RRSIG) {
 return false;
 }
- // DNSKEYs are maintained separately
- if (rrset->type == KNOT_RRTYPE_DNSKEY) {
- return false;
+ // SOA and DNSKEYs are handled separately in the zone apex
+ if (knot_node_is_apex(node)) {
+ if (rrset->type == KNOT_RRTYPE_SOA) {
+ return false;
+ }
+
+ if (rrset->type == KNOT_RRTYPE_DNSKEY) {
+ return false;
+ }
 }
 // At delegation points we only want to sign NSECs and DSs
diff --git a/src/libknot/zone/node.c b/src/libknot/zone/node.c
index 318f1ed..92e0fb4 100644
--- a/src/libknot/zone/node.c
+++ b/src/libknot/zone/node.c
@@ -605,6 +605,29 @@ void knot_node_clear_replaced_nsec(knot_node_t *node)
 /*----------------------------------------------------------------------------*/
+void knot_node_set_apex(knot_node_t *node)
+{
+ if (node == NULL) {
+ return;
+ }
+
+ knot_node_flags_set(node, KNOT_NODE_FLAGS_APEX);
+}
+
+/*----------------------------------------------------------------------------*/
+
+int knot_node_is_apex(const knot_node_t *node)
+{
+ if (node == NULL) {
+ return KNOT_EINVAL;
+ }
+
+ return knot_node_flags_get(node, KNOT_NODE_FLAGS_APEX);
+}
+
+
+/*----------------------------------------------------------------------------*/
+
 void knot_node_free_rrsets(knot_node_t *node)
 {
 if (node == NULL) {
diff --git a/src/libknot/zone/node.h b/src/libknot/zone/node.h
index 2e1dd25..6ea06a2 100644
--- a/src/libknot/zone/node.h
+++ b/src/libknot/zone/node.h
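Review bot: `if (knot_node_is_apex(node))` treats an error as true: the new `knot_node_is_apex` in node.c (same commit) returns `KNOT_EINVAL` for a NULL node, and a negative error code is non-zero, so a NULL node would be handled as the apex here and its SOA/DNSKEY skipped. Whether node can be NULL at this point depends on the start of knot_zone_sign_rr_should_be_signed, which lies outside the hunk; the `return false; }` the hunk opens with may well be such a guard. Making the intent explicit costs one token, `if (knot_node_is_apex(node) > 0) {`, or the predicate in node.c could return 0 for NULL like a plain boolean, which would also protect any other caller. It also seems worth a comment here that the apex flag is only set by knot_zone_contents_adjust, so signing contents that have not been adjusted would treat the apex SOA and DNSKEY as ordinary RRsets.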
@@ -93,14 +93,16 @@ typedef struct knot_node knot_node_t;
 /*! \brief Flags used to mark nodes with some property. */
 typedef enum {
 /*! \brief Node is a delegation point (i.e. marking a zone cut). */
- KNOT_NODE_FLAGS_DELEG = (uint8_t)0x01,
+ KNOT_NODE_FLAGS_DELEG = 1 << 0,
 /*! \brief Node is not authoritative (i.e. below a zone cut). */
- KNOT_NODE_FLAGS_NONAUTH = (uint8_t)0x02,
+ KNOT_NODE_FLAGS_NONAUTH = 1 << 1,
+ /*! \brief Node is an apex node. */
+ KNOT_NODE_FLAGS_APEX = 1 << 2,
 /*! \brief Node is empty and will be deleted after update.
 * \todo Remove after dname refactoring, update description in node. */
- KNOT_NODE_FLAGS_EMPTY = (uint8_t)0x10,
+ KNOT_NODE_FLAGS_EMPTY = 1 << 3,
 /*! \brief NSEC in this node needs new RRSIGs. Used for signing. */
- KNOT_NODE_FLAGS_REPLACED_NSEC = (uint8_t)0x20
+ KNOT_NODE_FLAGS_REPLACED_NSEC = 1 << 4,
 } knot_node_flags_t;
 /*----------------------------------------------------------------------------*/
@@ -377,6 +379,10 @@ void knot_node_set_replaced_nsec(knot_node_t *node);
 void knot_node_clear_replaced_nsec(knot_node_t *node);
+void knot_node_set_apex(knot_node_t *node);
+
+int knot_node_is_apex(const knot_node_t *node);
+
 //! \todo remove after dname refactoring
 int knot_node_is_empty(const knot_node_t *node);
diff --git a/src/libknot/zone/zone-contents.c b/src/libknot/zone/zone-contents.c
index d6ca533..0e1c80c 100644
--- a/src/libknot/zone/zone-contents.c
+++ b/src/libknot/zone/zone-contents.c
@@ -1319,6 +1319,7 @@ int knot_zone_contents_adjust(knot_zone_contents_t *zone,
 }
 assert(zone->apex == adjust_arg.first_node);
+ knot_node_set_apex(zone->apex);
 return KNOT_EOK;
 }
diff --git a/src/libknot/zone/zone.h b/src/libknot/zone/zone.h
index 90cdf87..7bd5f83 100644
--- a/src/libknot/zone/zone.h
+++ b/src/libknot/zone/zone.h
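Review bot: The hunk silently renumbers two existing flags: `KNOT_NODE_FLAGS_EMPTY` moves from `0x10` to `1 << 3` (0x08) and `KNOT_NODE_FLAGS_REPLACED_NSEC` from `0x20` to `1 << 4` (0x10). That is harmless only if every user goes through `knot_node_flags_set`/`knot_node_flags_get` and the flag byte is never compared against a literal, logged or serialized in raw form; nothing in the diff shows that, and adding `KNOT_NODE_FLAGS_APEX` does not require it. Keeping the old bits, `KNOT_NODE_FLAGS_EMPTY = 1 << 4,` and `KNOT_NODE_FLAGS_REPLACED_NSEC = 1 << 5,`, would make the change purely additive. Dropping the `(uint8_t)` casts is fine as long as the field the flags are stored in stays at least 8 bits wide, which this hunk cannot confirm.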
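Review bot: The two new prototypes carry no Doxygen comment, unlike the `/*! \brief ... */` style used for the flag enum earlier in this header. Because `knot_node_is_apex` mixes a boolean result with an error code, its contract especially needs stating: `/*! \brief Check whether node is the zone apex. \return Non-zero if the apex flag is set, 0 if not, KNOT_EINVAL if node is NULL. */`, and `/*! \brief Mark node as the zone apex (no-op for NULL). */` for the setter. Mentioning that the flag is set by knot_zone_contents_adjust would tell callers when it is valid to query.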
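Review bot: `knot_node_set_apex(zone->apex)` relies on the preceding `assert` for the non-NULL guarantee; under NDEBUG the assert vanishes and the setter silently does nothing for a NULL apex, leaving a zone whose apex is never flagged and whose SOA/DNSKEY would then be signed like ordinary RRsets by the zone-sign.c code in this commit. If a NULL apex is reachable on this path, an explicit `if (zone->apex == NULL) { return KNOT_EINVAL; }` before the call fails loudly instead; if it is not, a one-line comment saying so is enough. The flag is also never cleared anywhere in the diff, which is fine as long as an apex node object is never reused for a non-apex name, a point worth a sentence in the function's header comment. knot_zone_contents_adjust begins outside the hunk.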
@@ -55,9 +55,11 @@ typedef enum knot_zone_retvals knot_zone_retvals_t;
 * \brief Zone flags.
 */
 typedef enum knot_zone_flag_t {
- KNOT_ZONE_SLAVE = 0 << 0, /*! Slave zone */
- KNOT_ZONE_MASTER = 1 << 0, /*! Master zone. */
- KNOT_ZONE_DISCARDED = 1 << 1 /*! Zone waiting to be discarded. */
+ KNOT_ZONE_SLAVE = 0 << 0, /*! Slave zone */
+ KNOT_ZONE_MASTER = 1 << 0, /*! Master zone. */
+ KNOT_ZONE_DISCARDED = 1 << 1, /*! Zone waiting to be discarded. */
+ KNOT_ZONE_UPDATED = 1 << 2, /*! Zone is updated in this cycle. */
+ KNOT_ZONE_OBSOLETE = 1 << 3 /*! Zone is obsolete (forces retransfer). */
 } knot_zone_flag_t;
 /*----------------------------------------------------------------------------*/ |
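Review bot: The comments on the two new flags do not say who sets and clears them: `Zone is updated in this cycle` leaves "cycle" undefined, and `Zone is obsolete (forces retransfer)` does not say which code path consumes it; the diffstat is limited to src/libknot, so their users presumably live elsewhere, but this header is where a reader will look. Suggest expanding each to name the setter and the consumer, e.g. `/*! Set when the zone changed during the current <pass>; cleared by <consumer>. */`, filled in from the actual call sites. A style nit on the same lines: the trailing-member Doxygen form is `/*!< ... */`; the pre-existing members use `/*!`, so the new lines match the file, but since the hunk already realigns every member it is a cheap moment to switch all of them.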