dnssec: sign CDS/CDNSKEY with KSK instead of ZSK

...this is according to RFC 7344 section 4.1 however, this may do problems with offline-KSK setup

dnssec: sign CDS/CDNSKEY with KSK instead of ZSK
0751f87e · Libor Peltan · d2b4dc10 · 0751f87e
Commit 0751f87e authored 7 years ago by Libor Peltan
--- a/src/knot/dnssec/zone-sign.c
+++ b/src/knot/dnssec/zone-sign.c
@@ -146,12 +146,25 @@ static bool use_key(const zone_key_t *key, const knot_rrset_t *covered)
 		return false;
 	}

+	// this may be a problem with offline KSK
+	bool cds_sign_by_ksk = true;
+
+	assert(key->is_zsk || key->is_ksk);
 	bool is_apex = knot_dname_is_equal(covered->owner,
 	                                   dnssec_key_get_dname(key->key));
+	if (!is_apex) {
+		return key->is_zsk;
+	}

-	bool is_zone_key = is_apex && covered->type == KNOT_RRTYPE_DNSKEY;
-
-	return (key->is_ksk && is_zone_key) || (key->is_zsk && !is_zone_key);
+	switch (covered->type) {
+	case KNOT_RRTYPE_DNSKEY:
+		return key->is_ksk;
+	case KNOT_RRTYPE_CDS:
+	case KNOT_RRTYPE_CDNSKEY:
+		return (cds_sign_by_ksk ? key->is_ksk : key->is_zsk);
+	default:
+		return key->is_zsk;
+	}
 }

 /*!