-
Matthijs Mekking authored
Update the signing code in lib/dns/zone.c and lib/dns/update.c to use kasp logic if a dnssec-policy is enabled. This means zones with dnssec-policy should no longer follow 'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the KASP keys configured dictate which RRset gets signed with what key. Also use the next rekey event from the key manager rather than setting it to one hour. Mark the zone dynamic, as otherwise a zone with dnssec-policy is not eligble for automatic DNSSEC maintenance.
c125b721