Evan Hunt authored
Note: this also needs further refactoring.

- When initializing RFC 5011 for a name, we populate the managed-keys zone with KEYDATA records derived from the initial-key trust anchors. However, with initial-ds trust anchors, there is no key, but the managed-keys zone still must have a KEYDATA record for the name, otherwise zone_refreshkeys() won't refresh that key. So, for initial-ds trust anchors, we now add an empty KEYDATA record and set the key refresh timer so that the real keys will be looked up as soon as possible.
- When a key refresh query is done, we verify it against the trust anchor; this is done in two ways, one with the DS RRset set up during configuration if present, or with the keys linked from each keynode in the list if not. Because there are two different verification methods, the loop structure is overly complex and should be simplified.
- The keyfetch_done() and sync_keyzone() functions are both too long and should be broken into smaller functions.
a8f89e9a