"cds-cdnskey-publish: always" ignored for manually created keys
Problem description
I'm using knot 2.7.1 with automatic DNSSEC signing and key management.
When adding a new zone, e.g. example.ch with dnssec-signing: on, keys are created, the zone is signed and CDS/CDNSKEY is published for the current KSK.
If one manually adds another key using keymgr and uses it for signing, then this key is not published in the CDS/CDNSKEY record. The reason seems to be that the new key has the flag ready=0. If one were to change the value of ready, then the key is included in the CDS/CDNSKEY RRset.
Expected result
- Manually created keys that are used for signing are also included in the CDS/CDNSKEY RRset
Note also:
- Depending on your solution, it may make sense to document more clearly when cds-cdnskey-publish: always applies, in https://www.knot-dns.cz/docs/2.7/singlehtml/index.html#policy-cds-cdnskey-publish.
- It is not clear how one could publish a CDS/CDNSKEY record for a stand-by key which is not listed (active/published) in the zone. Not sure if this use case is supported.
Steps to reproduce
List initial keys:
keymgr example.ch list
fc16b55914c1f1dad05cfe00589a45e38aaf1f0c ksk=yes zsk=yes tag=22219 algorithm=13 public-only=no created=1533562014 pre-active=0 publish=1533562014 ready=1533562014 active=0 retire-active=0 retire=0 post-active=0 remove=0
Add another CSK:
keymgr example.ch generate algorithm=13 ksk=yes zsk=yes
2b281a509087ed2eb75d30b864dfa88c552eae3a
keymgr example.ch list
2b281a509087ed2eb75d30b864dfa88c552eae3a ksk=yes zsk=yes tag=26185 algorithm=13 public-only=no created=1534405064 pre-active=0 publish=1534405064 ready=0 active=1534405064 retire-active=0 retire=0 post-active=0 remove=0
fc16b55914c1f1dad05cfe00589a45e38aaf1f0c ksk=yes zsk=yes tag=22219 algorithm=13 public-only=no created=1533562014 pre-active=0 publish=1533562014 ready=1533562014 active=0 retire-active=0 retire=0 post-active=0 remove=0
Force resign of zone:
knotc zone-sign example.ch
Verify signed zone:
kdig @::1 example.ch soa +dnssec +short
ns.example.ch. hostmaster.example.ch. 1534405086 10800 1800 1209600 3600
SOA 13 2 3600 20180905073806 20180816060806 22219 example.ch. 5NADJSzfJDXL6I0F6iAzwDsfPkYRWkuTAoqVFJVDPpaz7AdTCdZnSL7AvJ2tRfnBGYnmRLtWfQVd0IdQKxsbCQ==
SOA 13 2 3600 20180905073806 20180816060806 26185 example.ch. gLtlQdl3+Poh74ukSQfRMjA4KtgmSROMZyW6nKSdA8muA1FclJextOqAxyzVHqPjmHqdbk9EnhuWCqOLYxdUCQ==
Verify CDS publication:
kdig @::1 example.ch CDS +short
22219 13 2 B0916BD21266423C46A16CDFB3BEA2520FD6EBD292BD0EE69C87A242B34C3372
Expected result:
- both CSKs are listed in the CDS record
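As an added check (not part of this report or of Knot itself), the following Python script parses the keymgr and kdig output quoted above and lists every KSK/CSK that is producing RRSIGs for the zone but is absent from the published CDS RRset, together with its ready value. Run on the output in this report it flags key tag 26185 with ready=0, which is the key the CDS RRset is missing.

```python
"""Cross-check the KSK/CSKs signing a zone against the CDS RRset Knot publishes."""

# Sample input constructed from the keymgr/kdig output quoted in this report.
KEYMGR_LIST = """\
2b281a509087ed2eb75d30b864dfa88c552eae3a ksk=yes zsk=yes tag=26185 algorithm=13 public-only=no created=1534405064 pre-active=0 publish=1534405064 ready=0 active=1534405064 retire-active=0 retire=0 post-active=0 remove=0
fc16b55914c1f1dad05cfe00589a45e38aaf1f0c ksk=yes zsk=yes tag=22219 algorithm=13 public-only=no created=1533562014 pre-active=0 publish=1533562014 ready=1533562014 active=0 retire-active=0 retire=0 post-active=0 remove=0
"""
RRSIG_SHORT = """\
ns.example.ch. hostmaster.example.ch. 1534405086 10800 1800 1209600 3600
SOA 13 2 3600 20180905073806 20180816060806 22219 example.ch. 5NADJSzfJDXL6I0F6iAzwDsfPkYRWkuTAoqVFJVDPpaz7AdTCdZnSL7AvJ2tRfnBGYnmRLtWfQVd0IdQKxsbCQ==
SOA 13 2 3600 20180905073806 20180816060806 26185 example.ch. gLtlQdl3+Poh74ukSQfRMjA4KtgmSROMZyW6nKSdA8muA1FclJextOqAxyzVHqPjmHqdbk9EnhuWCqOLYxdUCQ==
"""
CDS_SHORT = "22219 13 2 B0916BD21266423C46A16CDFB3BEA2520FD6EBD292BD0EE69C87A242B34C3372\n"


def parse_keymgr(text: str) -> dict[int, dict[str, str]]:
    """Map key tag -> key=value fields of one 'keymgr <zone> list' line."""
    keys: dict[int, dict[str, str]] = {}
    for line in text.splitlines():
        if line.strip():
            keyid, *pairs = line.split()
            fields = dict(p.split("=", 1) for p in pairs)
            fields["id"] = keyid
            keys[int(fields["tag"])] = fields
    return keys


def rrsig_key_tags(text: str, rrtype: str = "SOA") -> set[int]:
    """Key tags of the RRSIGs covering rrtype in 'kdig ... +dnssec +short' output."""
    # +short prints RRSIG RDATA as: type alg labels ttl expiration inception tag signer sig
    tags: set[int] = set()
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 9 and p[0] == rrtype and p[6].isdigit():
            tags.add(int(p[6]))
    return tags


def cds_key_tags(text: str) -> set[int]:
    """Key tags from 'kdig <zone> CDS +short' output ('tag alg digest-type digest')."""
    return {int(line.split()[0]) for line in text.splitlines() if line.strip()}


def signing_ksks_missing_from_cds(keymgr_text: str, rrsig_text: str, cds_text: str) -> list[tuple[int, int]]:
    """Return (tag, ready) for KSK/CSKs that sign the zone but are not in the CDS RRset."""
    keys, signing, published = parse_keymgr(keymgr_text), rrsig_key_tags(rrsig_text), cds_key_tags(cds_text)
    return sorted((tag, int(k["ready"])) for tag, k in keys.items()
                  if k.get("ksk") == "yes" and tag in signing and tag not in published)


if __name__ == "__main__":
    for tag, ready in signing_ksks_missing_from_cds(KEYMGR_LIST, RRSIG_SHORT, CDS_SHORT):
        print(f"key tag {tag} signs the zone but is absent from CDS (ready={ready})")
```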