With update-check-ksk also consider offline keys

The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records.  It will make sure the keys are
active and available.  However, for operational practices keys may
be offline.  This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.

(cherry picked from commit 3cb8c49c73)

CHANGES

@@ -4,6 +4,10 @@
 			recursion was requested by the client, not on
 			whether recursion was available. [GL #963]
 
+5209.	[bug]		When update-check-ksk is true, add_sigs was not
+			considering offline keys, leaving record sets signed
+			with the incorrect type key. [GL #763]
+
 5208.	[test]		Run valid rdata wire encodings through totext+fromtext
 			and tofmttext+fromtext methods to check these methods.
 			[GL #899]

lib/dns/zone.c

@@ -8869,9 +8869,6 @@ zone_sign(dns_zone_t *zone) {
 			if (!dst_key_isprivate(zone_keys[i])) {
 				continue;
 			}
-			/*
-			 * Should be redundant.
-			 */
 			if (dst_key_inactive(zone_keys[i])) {
 				continue;
 			}
@@ -8915,11 +8912,10 @@ zone_sign(dns_zone_t *zone) {
 					{
 						continue;
 					}
-					if (!dst_key_isprivate(zone_keys[j])) {
-						continue;
-					}
-					/*
-					 * Should be redundant.
+					/* Don't consider inactive keys, however
+					 * the key may be temporary offline, so do
+					 * consider keys which private key files are
+					 * unavailable.
 					 */
 					if (dst_key_inactive(zone_keys[j])) {
 						continue;