Commit 460ef628 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: separated dnssec_sign_ctx_t from inside zone_key_t

this fixes some race conditions in onlinesign touching zone_keyset in parallel
parent fdfcc172
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -16,6 +16,8 @@
#include "knot/dnssec/key_records.h"
#include "libdnssec/error.h"
#include "libdnssec/sign.h"
#include "knot/dnssec/rrset-sign.h"
#include "knot/dnssec/zone-sign.h"
#include "knot/journal/serialization.h"
......@@ -134,16 +136,23 @@ int key_records_sign(const zone_key_t *key, key_records_t *r, const kdnssec_ctx_
return KNOT_EOK;
}
int ret = KNOT_EOK;
dnssec_sign_ctx_t *sign_ctx;
int ret = dnssec_sign_new(&sign_ctx, key->key);
if (ret != DNSSEC_EOK) {
knot_error_from_libdnssec(ret);
}
if (!knot_rrset_empty(&r->dnskey) && knot_zone_sign_use_key(key, &r->dnskey)) {
ret = knot_sign_rrset(&r->rrsig, &r->dnskey, key->key, key->ctx, kctx, NULL, NULL);
ret = knot_sign_rrset(&r->rrsig, &r->dnskey, key->key, sign_ctx, kctx, NULL, NULL);
}
if (ret == KNOT_EOK && !knot_rrset_empty(&r->cdnskey) && knot_zone_sign_use_key(key, &r->cdnskey)) {
ret = knot_sign_rrset(&r->rrsig, &r->cdnskey, key->key, key->ctx, kctx, NULL, NULL);
ret = knot_sign_rrset(&r->rrsig, &r->cdnskey, key->key, sign_ctx, kctx, NULL, NULL);
}
if (ret == KNOT_EOK && !knot_rrset_empty(&r->cds) && knot_zone_sign_use_key(key, &r->cds)) {
ret = knot_sign_rrset(&r->rrsig, &r->cds, key->key, key->ctx, kctx, NULL, NULL);
ret = knot_sign_rrset(&r->rrsig, &r->cds, key->key, sign_ctx, kctx, NULL, NULL);
}
dnssec_sign_free(sign_ctx);
return ret;
}
......
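Review bot: The new error branch after `dnssec_sign_new(&sign_ctx, key->key)` calls `knot_error_from_libdnssec(ret)` and discards the result, so key_records_sign keeps running when the signing context could not be created. `sign_ctx` is declared without an initialiser, and the first `knot_sign_rrset(...)` call is not guarded by `ret == KNOT_EOK`. That call and the final `dnssec_sign_free(sign_ctx)` would then use whatever dnssec_sign_new left in the variable, presumably an indeterminate pointer. The branch should read `return knot_error_from_libdnssec(ret);`, and declaring `dnssec_sign_ctx_t *sign_ctx = NULL;` keeps the cleanup safe if further exits are added. The start of the function lies outside the hunk.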
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -19,6 +19,7 @@
#include "contrib/wire_ctx.h"
#include "libdnssec/error.h"
#include "knot/dnssec/rrset-sign.h"
#include "knot/dnssec/zone-sign.h"
#include "libknot/libknot.h"
#define RRSIG_RDATA_SIGNER_OFFSET 18
......@@ -278,6 +279,30 @@ int knot_sign_rrset(knot_rrset_t *rrsigs, const knot_rrset_t *covered,
return ret;
}
int knot_sign_rrset2(knot_rrset_t *rrsigs, const knot_rrset_t *rrset,
zone_sign_ctx_t *sign_ctx, knot_mm_t *mm)
{
if (rrsigs == NULL || rrset == NULL || sign_ctx == NULL) {
return KNOT_EINVAL;
}
for (size_t i = 0; i < sign_ctx->count; i++) {
zone_key_t *key = &sign_ctx->keys[i];
if (!knot_zone_sign_use_key(key, rrset)) {
continue;
}
int ret = knot_sign_rrset(rrsigs, rrset, key->key, sign_ctx->sign_ctxs[i],
sign_ctx->dnssec_ctx, mm, NULL);
if (ret != KNOT_EOK) {
return ret;
}
}
return KNOT_EOK;
}
int knot_synth_rrsig(uint16_t type, const knot_rdataset_t *rrsig_rrs,
knot_rdataset_t *out_sig, knot_mm_t *mm)
{
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -19,6 +19,7 @@
#include "libdnssec/key.h"
#include "libdnssec/sign.h"
#include "knot/dnssec/context.h"
#include "knot/dnssec/zone-keys.h"
#include "libknot/rrset.h"
/*!
......@@ -42,6 +43,21 @@ int knot_sign_rrset(knot_rrset_t *rrsigs,
knot_mm_t *mm,
knot_time_t *expires);
/*!
* \brief Create RRSIG RR for given RR set, choose which key to use.
*
* \param rrsigs RR set with RRSIGs into which the result will be added.
* \param rrset RR set to create a new signature for.
* \param sign_ctx Zone signing context.
* \param mm Memory context.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_sign_rrset2(knot_rrset_t *rrsigs,
const knot_rrset_t *rrset,
zone_sign_ctx_t *sign_ctx,
knot_mm_t *mm);
/*!
* \brief Add all data covered by signature into signing context.
*
......
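Review bot: The new doc block for knot_sign_rrset2 omits what a caller most needs to know: which keys are used and what state `rrsigs` is in when the call fails. In the implementation shown on this page a key is skipped when `knot_zone_sign_use_key()` rejects it, so `KNOT_EOK` can be returned with no RRSIG added. The loop also returns on the first failing key, presumably leaving signatures from earlier keys in `rrsigs`. I would add `\note Keys not applicable to the RR set are skipped; on error, RRSIGs already added to \a rrsigs are kept.` and, since zone_sign_ctx_t is described as a per-thread context, `\note \a sign_ctx must not be shared between threads.`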
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -177,24 +177,15 @@ int kdnssec_delete_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *key_ptr)
/*!
* \brief Get key feature flags from key parameters.
*/
static int set_key(knot_kasp_key_t *kasp_key, knot_time_t now, zone_key_t *zone_key)
static void set_key(knot_kasp_key_t *kasp_key, knot_time_t now, zone_key_t *zone_key)
{
assert(kasp_key);
assert(zone_key);
knot_kasp_key_timing_t *timing = &kasp_key->timing;
// cryptographic context
dnssec_sign_ctx_t *ctx = NULL;
int r = dnssec_sign_new(&ctx, kasp_key->key);
if (r != DNSSEC_EOK) {
return r;
}
zone_key->id = kasp_key->id;
zone_key->key = kasp_key->key;
zone_key->ctx = ctx;
// next event computation
......@@ -238,8 +229,6 @@ static int set_key(knot_kasp_key_t *kasp_key, knot_time_t now, zone_key_t *zone_
(knot_time_cmp(timing->active, now) <= 0) ? (
(knot_time_cmp(timing->retire_active, now) <= 0 ||
knot_time_cmp(timing->retire, now) <= 0) ? 0 : 1) : 2) : 0);
return KNOT_EOK;
}
/*!
......@@ -440,7 +429,6 @@ void free_zone_keys(zone_keyset_t *keyset)
}
for (size_t i = 0; i < keyset->count; i++) {
dnssec_sign_free(keyset->keys[i].ctx);
dnssec_binary_free(&keyset->keys[i].precomputed_ds);
}
......@@ -449,23 +437,6 @@ void free_zone_keys(zone_keyset_t *keyset)
memset(keyset, '\0', sizeof(*keyset));
}
/*!
* \brief Get zone keys by keytag.
*/
struct keyptr_dynarray get_zone_keys(const zone_keyset_t *keyset, uint16_t search)
{
struct keyptr_dynarray res = { 0 };
for (size_t i = 0; keyset && i < keyset->count; i++) {
zone_key_t *key = &keyset->keys[i];
if (key != NULL && dnssec_key_get_keytag(key->key) == search) {
keyptr_dynarray_add(&res, &key);
}
}
return res;
}
/*!
* \brief Get timestamp of next key event.
*/
......@@ -504,3 +475,35 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_binary_t *out_donotfree)
*out_donotfree = for_key->precomputed_ds;
return ret;
}
zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
{
zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
if (ctx == NULL) {
return NULL;
}
ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
ctx->count = keyset->count;
ctx->keys = keyset->keys;
ctx->dnssec_ctx = dnssec_ctx;
for (size_t i = 0; i < ctx->count; i++) {
int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
if (ret != DNSSEC_EOK) {
zone_sign_ctx_free(ctx);
return NULL;
}
}
return ctx;
}
void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
{
if (ctx != NULL) {
for (size_t i = 0; i < ctx->count; i++) {
dnssec_sign_free(ctx->sign_ctxs[i]);
}
free(ctx);
}
}
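Review bot: zone_sign_ctx() reports every failure as a bare NULL, and the zone_tree_sign hunk further down this page stores that result in `.sign_ctx` without checking it. sign_node_rrsets only has `assert(sign_ctx)`, so with assertions compiled out a failed allocation or a failed `dnssec_sign_new()` would be dereferenced as `sign_ctx->dnssec_ctx`. The caller should bail out first, e.g. `if (args.sign_ctx == NULL) { return KNOT_ENOMEM; }`. Inside zone_sign_ctx itself, `keyset` is dereferenced with no NULL check (the removed get_zone_keys tolerated NULL), and `keyset->count * sizeof(*ctx->sign_ctxs)` is not checked for overflow before the `calloc`. An `assert(keyset)` or an early `return NULL` would make the contract explicit, and a one-line comment should record that the error path relies on calloc zero-filling the unused slots and on dnssec_sign_free() accepting NULL.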
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -29,7 +29,6 @@
typedef struct {
const char *id;
dnssec_key_t *key;
dnssec_sign_ctx_t *ctx;
dnssec_binary_t precomputed_ds;
......@@ -49,6 +48,16 @@ typedef struct {
zone_key_t *keys;
} zone_keyset_t;
/*!
* \brief Signing context used for single signing thread.
*/
typedef struct {
size_t count; // number of keys in keyset
zone_key_t *keys; // keys in keyset
dnssec_sign_ctx_t **sign_ctxs; // signing buffers for keys in keyset
const kdnssec_ctx_t *dnssec_ctx; // dnssec context
} zone_sign_ctx_t;
/*!
* \brief Flags determining key type
*/
......@@ -119,16 +128,6 @@ int kdnssec_delete_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *key_ptr);
*/
int load_zone_keys(kdnssec_ctx_t *ctx, zone_keyset_t *keyset_ptr, bool verbose);
/*!
* \brief Get zone keys by a keytag.
*
* \param keyset Zone keyset.
* \param search Keytag to lookup a key for.
*
* \return Dynarray of pointers to keys.
*/
struct keyptr_dynarray get_zone_keys(const zone_keyset_t *keyset, uint16_t search);
/*!
* \brief Free structure with zone keys and associated DNSSEC contexts.
*
......@@ -156,3 +155,22 @@ knot_time_t knot_get_next_zone_key_event(const zone_keyset_t *keyset);
* \return Error code, KNOT_EOK if successful.
*/
int zone_key_calculate_ds(zone_key_t *for_key, dnssec_binary_t *out_donotfree);
/*!
* \brief Initialize local signing context.
*
* \param keyset Key set.
* \param dnssec_ctx DNSSEC context.
*
* \return New local signing context or NULL.
*/
zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx);
/*!
* \brief Free local signing context.
*
* \note This doesn't free the underlying keyset.
*
* \param ctx Local context to be freed.
*/
void zone_sign_ctx_free(zone_sign_ctx_t *ctx);
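Review bot: The context line `\brief Free structure with zone keys and associated DNSSEC contexts.` above free_zone_keys is stale after this change, because the free_zone_keys hunk earlier on this page removes the `dnssec_sign_free(keyset->keys[i].ctx)` call. It should read `\brief Free structure with zone keys.`. The zone_sign_ctx_t comment should also state ownership. In zone_sign_ctx() as shown on this page, `keys` is assigned the keyset's own array and `dnssec_ctx` the caller's pointer, so the context must not outlive the keyset or survive a key reload. I would add `\note keys and dnssec_ctx are borrowed, not copied; free this context before free_zone_keys().` to the typedef's comment.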
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -140,31 +140,29 @@ static bool valid_signature_exists(const knot_rrset_t *covered,
}
/*!
* \brief Check if valid signature exist for all keys for a given RR set.
* \brief Check if valid signature exists for all keys for a given RR set.
*
* \param covered RR set with covered records.
* \param rrsigs RR set with RRSIGs.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param sign_ctx Local zone signing context.
*
* \return Valid signature exists for every key.
*/
static bool all_signatures_exist(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx)
zone_sign_ctx_t *sign_ctx)
{
assert(!knot_rrset_empty(covered));
assert(zone_keys);
assert(sign_ctx);
for (int i = 0; i < zone_keys->count; i++) {
zone_key_t *key = &zone_keys->keys[i];
for (int i = 0; i < sign_ctx->count; i++) {
zone_key_t *key = &sign_ctx->keys[i];
if (!knot_zone_sign_use_key(key, covered)) {
continue;
}
if (!valid_signature_exists(covered, rrsigs, key->key,
key->ctx, dnssec_ctx, NULL)) {
sign_ctx->sign_ctxs[i],
sign_ctx->dnssec_ctx, NULL)) {
return false;
}
}
......@@ -193,8 +191,7 @@ static void note_earliest_expiration(const knot_rdata_t *rrsig, knot_time_t *exp
*
* \param covered RR set with covered records.
* \param rrsigs RR set with RRSIGs.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param sign_ctx Local zone signing context.
* \param changeset Changeset to be updated.
* \param expires_at Earliest RRSIG expiration.
*
......@@ -202,8 +199,7 @@ static void note_earliest_expiration(const knot_rdata_t *rrsig, knot_time_t *exp
*/
static int remove_expired_rrsigs(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
zone_sign_ctx_t *sign_ctx,
changeset_t *changeset,
knot_time_t *expires_at)
{
......@@ -232,16 +228,17 @@ static int remove_expired_rrsigs(const knot_rrset_t *covered,
for (uint16_t i = 0; i < rrsig_rdata_count; i++) {
knot_rdata_t *rr = knot_rdataset_at(&synth_rrsig.rrs, i);
uint16_t keytag = knot_rrsig_key_tag(rr);
struct keyptr_dynarray keys = get_zone_keys(zone_keys, keytag);
int endloop = 0; // 1 - continue; 2 - break
dynarray_foreach(keyptr, zone_key_t *, key, keys) {
if (!(*key)->is_active) {
for (size_t j = 0; j < sign_ctx->count; j++) {
zone_key_t *key = &sign_ctx->keys[j];
if (!key->is_active || dnssec_key_get_keytag(key->key) != keytag) {
continue;
}
result = knot_check_signature(covered, &synth_rrsig, i,
(*key)->key, (*key)->ctx, dnssec_ctx);
result = knot_check_signature(covered, &synth_rrsig, i, key->key,
sign_ctx->sign_ctxs[j], sign_ctx->dnssec_ctx);
if (result == KNOT_EOK) {
// valid signature
note_earliest_expiration(rr, expires_at);
......@@ -252,7 +249,6 @@ static int remove_expired_rrsigs(const knot_rrset_t *covered,
break;
}
}
keyptr_dynarray_free(&keys);
if (endloop == 2) {
break;
......@@ -285,8 +281,7 @@ static int remove_expired_rrsigs(const knot_rrset_t *covered,
*
* \param covered RR set with covered records.
* \param rrsigs RR set with RRSIGs.
* \param zone_keys Zone keys.
* \param dnssec_ctx DNSSEC signing context
* \param sign_ctx Local zone signing context.
* \param changeset Changeset to be updated.
* \param expires_at Earliest RRSIG expiration.
*
......@@ -294,13 +289,12 @@ static int remove_expired_rrsigs(const knot_rrset_t *covered,
*/
static int add_missing_rrsigs(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
zone_sign_ctx_t *sign_ctx,
changeset_t *changeset,
knot_time_t *expires_at)
{
assert(!knot_rrset_empty(covered));
assert(zone_keys);
assert(sign_ctx);
assert(changeset);
int result = KNOT_EOK;
......@@ -308,18 +302,19 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
knot_rrset_init_empty(&to_add);
if (covered->type == KNOT_RRTYPE_DNSKEY &&
knot_dname_cmp(covered->owner, dnssec_ctx->zone->dname) == 0 &&
dnssec_ctx->offline_rrsig != NULL) {
return changeset_add_addition(changeset, dnssec_ctx->offline_rrsig, CHANGESET_CHECK);
knot_dname_cmp(covered->owner, sign_ctx->dnssec_ctx->zone->dname) == 0 &&
sign_ctx->dnssec_ctx->offline_rrsig != NULL) {
return changeset_add_addition(changeset, sign_ctx->dnssec_ctx->offline_rrsig, CHANGESET_CHECK);
}
for (int i = 0; i < zone_keys->count; i++) {
const zone_key_t *key = &zone_keys->keys[i];
for (size_t i = 0; i < sign_ctx->count; i++) {
const zone_key_t *key = &sign_ctx->keys[i];
if (!knot_zone_sign_use_key(key, covered)) {
continue;
}
if (valid_signature_exists(covered, rrsigs, key->key, key->ctx, dnssec_ctx, NULL)) {
if (valid_signature_exists(covered, rrsigs, key->key, sign_ctx->sign_ctxs[i],
sign_ctx->dnssec_ctx, NULL)) {
continue;
}
......@@ -327,8 +322,8 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
to_add = create_empty_rrsigs_for(covered);
}
result = knot_sign_rrset(&to_add, covered, key->key, key->ctx,
dnssec_ctx, NULL, expires_at);
result = knot_sign_rrset(&to_add, covered, key->key, sign_ctx->sign_ctxs[i],
sign_ctx->dnssec_ctx, NULL, expires_at);
if (result != KNOT_EOK) {
break;
}
......@@ -378,16 +373,15 @@ static int remove_rrset_rrsigs(const knot_dname_t *owner, uint16_t type,
* \brief Drop all existing and create new RRSIGs for covered records.
*
* \param covered RR set with covered records.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param rrsigs Existing RRSIGs for covered RR set.
* \param sign_ctx Local zone signing context.
* \param changeset Changeset to be updated.
*
* \return Error code, KNOT_EOK if successful.
*/
static int force_resign_rrset(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
zone_sign_ctx_t *sign_ctx,
changeset_t *changeset)
{
assert(!knot_rrset_empty(covered));
......@@ -400,15 +394,15 @@ static int force_resign_rrset(const knot_rrset_t *covered,
}
}
return add_missing_rrsigs(covered, NULL, zone_keys, dnssec_ctx, changeset, NULL);
return add_missing_rrsigs(covered, NULL, sign_ctx, changeset, NULL);
}
/*!
* \brief Drop all expired and create new RRSIGs for covered records.
*
* \param covered RR set with covered records.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param rrsigs Existing RRSIGs for covered RR set.
* \param sign_ctx Local zone signing context.
* \param changeset Changeset to be updated.
* \param expires_at Current earliest expiration, will be updated.
*
......@@ -416,22 +410,20 @@ static int force_resign_rrset(const knot_rrset_t *covered,
*/
static int resign_rrset(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
zone_sign_ctx_t *sign_ctx,
changeset_t *changeset,
knot_time_t *expires_at)
{
assert(!knot_rrset_empty(covered));
// TODO this function creates some signatures twice (for checking)
int result = remove_expired_rrsigs(covered, rrsigs, zone_keys,
dnssec_ctx, changeset, expires_at);
int result = remove_expired_rrsigs(covered, rrsigs, sign_ctx,
changeset, expires_at);
if (result != KNOT_EOK) {
return result;
}
return add_missing_rrsigs(covered, rrsigs, zone_keys, dnssec_ctx,
changeset, expires_at);
return add_missing_rrsigs(covered, rrsigs, sign_ctx, changeset, expires_at);
}
static int remove_standalone_rrsigs(const zone_node_t *node,
......@@ -470,21 +462,19 @@ static int remove_standalone_rrsigs(const zone_node_t *node,
* \brief Update RRSIGs in a given node by updating changeset.
*
* \param node Node to be signed.
* \param zone_keys Zone keys.
* \param policy DNSSEC policy.
* \param sign_ctx Local zone signing context.
* \param changeset Changeset to be updated.
* \param expires_at Current earliest expiration, will be updated.
*
* \return Error code, KNOT_EOK if successful.
*/
static int sign_node_rrsets(const zone_node_t *node,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
zone_sign_ctx_t *sign_ctx,
changeset_t *changeset,
knot_time_t *expires_at)
{
assert(node);
assert(dnssec_ctx);
assert(sign_ctx);
int result = KNOT_EOK;
knot_rrset_t rrsigs = node_rrset(node, KNOT_RRTYPE_RRSIG);
......@@ -499,12 +489,12 @@ static int sign_node_rrsets(const zone_node_t *node,
continue;
}
if (dnssec_ctx->rrsig_drop_existing) {
result = force_resign_rrset(&rrset, &rrsigs, zone_keys,
dnssec_ctx, changeset);
if (sign_ctx->dnssec_ctx->rrsig_drop_existing) {
result = force_resign_rrset(&rrset, &rrsigs,
sign_ctx, changeset);
} else {
result = resign_rrset(&rrset, &rrsigs, zone_keys,
dnssec_ctx, changeset, expires_at);
result = resign_rrset(&rrset, &rrsigs, sign_ctx,
changeset, expires_at);
}
if (result != KNOT_EOK) {
......@@ -519,8 +509,7 @@ static int sign_node_rrsets(const zone_node_t *node,
* \brief Struct to carry data for 'sign_data' callback function.
*/
typedef struct node_sign_args {
const zone_keyset_t *zone_keys;
const kdnssec_ctx_t *dnssec_ctx;
zone_sign_ctx_t *sign_ctx;
changeset_t *changeset;
knot_time_t expires_at;
} node_sign_args_t;
......@@ -546,7 +535,7 @@ static int sign_node(zone_node_t **node, void *data)
return KNOT_EOK;
}
int result = sign_node_rrsets(*node, args->zone_keys, args->dnssec_ctx,
int result = sign_node_rrsets(*node, args->sign_ctx,
args->changeset, &args->expires_at);
return result;
......@@ -564,7 +553,7 @@ static int sign_node(zone_node_t **node, void *data)
* \return Error code, KNOT_EOK if successful.
*/
static int zone_tree_sign(zone_tree_t *tree,
const zone_keyset_t *zone_keys,
zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
changeset_t *changeset,
knot_time_t *expires_at)
......@@ -574,8 +563,7 @@ static int zone_tree_sign(zone_tree_t *tree,
assert(changeset);
node_sign_args_t args = {
.zone_keys = zone_keys,
.dnssec_ctx = dnssec_ctx,
.sign_ctx = zone_sign_ctx(zone_keys, dnssec_ctx),
.changeset = changeset,
.expires_at = knot_time_add(dnssec_ctx->now, dnssec_ctx->policy->rrsig_lifetime),
};
......@@ -583,6 +571,7 @@ static int zone_tree_sign(zone_tree_t *tree,
int result = zone_tree_apply(tree, sign_node, &args);
*expires_at = args.expires_at;
zone_sign_ctx_free(args.sign_ctx);
return result;
}
......@@ -593,8 +582,7 @@ static int zone_tree_sign(zone_tree_t *tree,
*/
typedef struct {
const zone_contents_t *zone;
const zone_keyset_t *zone_keys;
const kdnssec_ctx_t *dnssec_ctx;
zone_sign_ctx_t *sign_ctx;
changeset_t *changeset;
trie_t *signed_tree;
} changeset_signing_data_t;
......@@ -775,8 +763,8 @@ static int sign_changeset_wrap(knot_rrset_t *chg_rrset,
}
if (should_sign) {
return resign_rrset(&zone_rrset, &rrsigs, args->zone_keys,
args->dnssec_ctx, args->changeset, expire_at);
return resign_rrset(&zone_rrset, &rrsigs, args->sign_ctx,
args->changeset, expire_at);
} else {