mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-28 09:37:10 -04:00
c3bdc06278
When signing with a ZSK, check if it has a predecessor. If so, and if
the predecessor key is sane (same algorithm, key id matches predecessor
value, is zsk), check if the RRset is signed with this key. If so, skip
signing with this successor key. Otherwise, do sign with the successor
key.
This change means we also need to apply the interval to keys that are
not actively signing. In other words, 'expired' is always
'isc_serial_gt(now + cycle, rrsig.timeexpire)'.
Fix a print style issue ("removing signature by ..." was untabbed).
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| win32 | ||
| .gitignore | ||
| dnssec-cds.c | ||
| dnssec-cds.rst | ||
| dnssec-dsfromkey.c | ||
| dnssec-dsfromkey.rst | ||
| dnssec-importkey.c | ||
| dnssec-importkey.rst | ||
| dnssec-keyfromlabel.c | ||
| dnssec-keyfromlabel.rst | ||
| dnssec-keygen.c | ||
| dnssec-keygen.rst | ||
| dnssec-revoke.c | ||
| dnssec-revoke.rst | ||
| dnssec-settime.c | ||
| dnssec-settime.rst | ||
| dnssec-signzone.c | ||
| dnssec-signzone.rst | ||
| dnssec-verify.c | ||
| dnssec-verify.rst | ||
| dnssectool.c | ||
| dnssectool.h | ||
| Makefile.in | ||