sign_apex() should also consider CDS/CDNSKEY
The 'sign_apex()' function has special processing for signing the DNSKEY RRset such that it will always be signed with the active KSK. Since CDS and CDNSKEY are also signed with the KSK, it should have the same special processing. The special processing is moved into a new function 'tickle_apex_rrset()' and is applied to all three RR types (DNSKEY, CDS, CDNSKEY). In addition, when kasp is involved, update the DNSKEY TTL according to what is in the policy.
Showing with 77 additions and 36 deletions