dnssec: respect DNSKEY SEP flag only in the zone apex

src/knot/dnssec/zone-sign.c

@@ -93,23 +93,31 @@ static bool valid_signature_exists(const knot_rrset_t *covered,
 }
 
 /*!
- * \brief Check if key can be used to sign the RR type.
+ * \brief Check if key can be used to sign given RR.
  *
- * \param key           Zone key.
- * \param covered_type  Type of signed RR.
+ * \param key      Zone key.
+ * \param covered  RR to be checked.
  *
  * \return The RR should be signed.
  */
-static bool use_key(const knot_zone_key_t *key, uint16_t covered_type)
+static bool use_key(const knot_zone_key_t *key, const knot_rrset_t *covered)
 {
 	assert(key);
+	assert(covered);
 
 	if (!key->is_active) {
 		return false;
 	}
 
-	if (covered_type != KNOT_RRTYPE_DNSKEY && key->is_ksk) {
-		return false;
+	if (key->is_ksk) {
+		if (covered->type != KNOT_RRTYPE_DNSKEY) {
+			return false;
+		}
+
+		// use KSK only in the zone apex
+		if (knot_dname_cmp(key->dnssec_key.name, covered->owner) != 0) {
+			return false;
+		}
 	}
 
 	return true;
@@ -135,7 +143,7 @@ static bool all_signatures_exist(const knot_rrset_t *covered,
 
 	for (int i = 0; i < zone_keys->count; i++) {
 		const knot_zone_key_t *key = &zone_keys->keys[i];
-		if (!use_key(key, covered->type)) {
+		if (!use_key(key, covered)) {
 			continue;
 		}
 
@@ -304,7 +312,7 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
 
 	for (int i = 0; i < zone_keys->count; i++) {
 		const knot_zone_key_t *key = &zone_keys->keys[i];
-		if (!use_key(key, covered->type)) {
+		if (!use_key(key, covered)) {
 			continue;
 		}