Only keys with key files should be used for signing
The find_zone_keys() function is not working properly for zones that use inline-signing. It only works if the DNSKEY records were also published in the unsigned version of the zone. But this is not the case when you use dnssec-policy: the DNSKEY records will only occur in the signed version of the zone. Therefore, when looking for keys to sign the zone, only the newly added keys in the dynamic update were found (which could be zero), ignoring existing keys.

Also, if a DNSKEY was added, it would try to sign the zone with just this new key, and this would only work if the key files for that key were imported into the key-directory.

Instead of looking for DNSKEY records to then search for the matching key files, call dns_dnssec_findmatchingkeys(), which just looks for the keys we have on disk for the given zone. It will also set the correct DNSSEC signing hints.
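The condition this change enforces, that a key is only usable for signing when its key files exist in the key-directory, can be checked from the outside as well. The script below is an added example, not code from BIND or from the commit above: it takes the DNSKEY RRset as served by the signed zone (for instance the output of dig +short <zone> DNSKEY), computes the RFC 4034 Appendix B key tag for each record, and reports any DNSKEY that has no matching K<zone>.+<alg>+<tag>.key / .private pair on disk. The file naming follows what dnssec-keygen writes; the zone name, directory and the DNSKEY line in the usage example are constructed placeholders.

```python
"""Check that every DNSKEY published in a signed zone has key files on disk.

Added example; not part of BIND. Assumes key files are named the way
dnssec-keygen names them: K<zone>.+<alg:03d>+<keytag:05d>.key and .private
(zone name with trailing dot), as found in the zone's key-directory.
"""
import base64
import os
import sys
from typing import Iterable, List, Tuple


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> Tuple[int, int, int, bytes]:
    """Parse '<flags> <protocol> <algorithm> <base64 key...>' into fields + RDATA.

    The base64 public key may be split across several whitespace-separated
    chunks, as dig prints it, so everything after the third field is joined.
    """
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = (int(fields[0]), int(fields[1]), int(fields[2]))
    pubkey = base64.b64decode("".join(fields[3:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return flags, alg, key_tag(rdata), rdata


def key_file_basename(zone: str, alg: int, tag: int) -> str:
    """Basename shared by the .key and .private files dnssec-keygen writes."""
    if not zone.endswith("."):
        zone += "."
    return f"K{zone}+{alg:03d}+{tag:05d}"


def missing_key_files(zone: str, dnskey_lines: Iterable[str],
                      filenames: Iterable[str]) -> List[str]:
    """Return basenames of published DNSKEYs that lack a .key/.private pair.

    `filenames` is the directory listing of the key-directory; it is passed in
    so the check is testable without touching the filesystem.
    """
    present = set(filenames)
    missing = []
    for line in dnskey_lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        _, alg, tag, _ = parse_dnskey(line)
        base = key_file_basename(zone, alg, tag)
        if f"{base}.key" not in present or f"{base}.private" not in present:
            missing.append(base)
    return missing


def check_key_directory(zone: str, dnskey_lines: Iterable[str], keydir: str) -> List[str]:
    """Same check against a real key-directory on disk."""
    return missing_key_files(zone, dnskey_lines, os.listdir(keydir))


if __name__ == "__main__":
    # Usage: dig +short example.com DNSKEY | python check_keys.py example.com. /var/cache/bind/keys
    zone_arg, keydir_arg = sys.argv[1], sys.argv[2]
    for base in check_key_directory(zone_arg, sys.stdin, keydir_arg):
        print(f"DNSKEY {base} is published but has no key files in {keydir_arg}")
```

A non-empty result means the signed zone advertises a key the server cannot actually sign with, which is exactly the state the old find_zone_keys() path could end up in; the published DNSKEY set should instead be derived from the keys dns_dnssec_findmatchingkeys() finds on disk.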