DNSSEC: DNSKEYs are not ordered correctly if the changes are in the journal
Under some circumstances, the signatures for DNSKEY records in the zone are recognized as invalid, even if they are valid. This happens only if the signatures are in the journal and not flushed into the zone file. I guess this is a problem with RDATA ordering.
- start knotd -> zone gets signed (OK)
- knotc reload -> zone gets signed (wrong)
- knotc reload -> zone gets signed (wrong)
- knotc flush -> OK
- knotc reload -> zone is not signed (OK)
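
Why RDATA ordering can make a valid signature look invalid: an RRSIG covers the RRset in canonical RDATA order (RFC 4034, sections 3.1.8.1 and 6.3). The sketch below is an added example, not Knot DNS code and not a diagnosis of this bug; the key bytes, the zone name `example.com.` and the TTL are constructed, the RRSIG fields are left empty, and SHA-256 stands in for the hashing step of the signature algorithm.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def canonical_order(rdatas):
    """RFC 4034 section 6.3: order RDATA as left-justified unsigned octet
    strings; a shorter string that is a prefix of a longer one sorts first.
    Python's bytes comparison has exactly these semantics."""
    return sorted(rdatas)

def signed_data_digest(owner, rrtype, ttl, rdatas, rrsig_fields=b""):
    """Hash RRSIG_RDATA | RR(1) | RR(2) ... (RFC 4034 section 3.1.8.1),
    taking the RRs in the order given, without reordering them."""
    h = hashlib.sha256(rrsig_fields)
    name = owner_wire(owner)
    for rd in rdatas:
        h.update(name + struct.pack("!HHIH", rrtype, 1, ttl, len(rd)) + rd)
    return h.hexdigest()

# Constructed sample keys (not real key material): KSK flags 257, ZSK flags 256.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))
DNSKEY_TYPE, TTL, ZONE = 48, 3600, "example.com."  # constructed zone and TTL

def verify_view(stored, reorder):
    """Digest a verifier would compute over the RRset as held in memory."""
    rrs = canonical_order(stored) if reorder else list(stored)
    return signed_data_digest(ZONE, DNSKEY_TYPE, TTL, rrs)

if __name__ == "__main__":
    signer = verify_view([ZSK, KSK], reorder=True)   # what the RRSIG covers
    in_memory = [KSK, ZSK]                           # hypothetical unsorted order
    print("unsorted matches:", verify_view(in_memory, False) == signer)
    print("sorted matches:  ", verify_view(in_memory, True) == signer)
```

The same two records hash differently depending only on their order, so a check that walks an unsorted in-memory RRset rejects a signature that an external validator, which sorts first, accepts.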