Don't skip children of apex in RecordsIter if apex is not there #314
Conversation
|
Thank you for the PR! The intention of the current code was to only sign a complete zone. In particular, the code relies on that to create a correct NSEC chain. In this case, you always have to have the apex itself because this is where the DNSKEY records go. It looks like at least I think, however, it should be a separate check before the look rather than testing in every iteration. |
I chose to put it in every iteration because theoretically there could be records that would be before the apex, and then records that are children of the apex, but not the apex itself. However I'm not sure if that's actually something reasonable to consider. |
|
Ah yes, you are right – I forgot about that case. But then, shouldn’t just checking for |
achow101
force-pushed
the
rrset-sign-children-without-apex
branch
from
5c59696
to
07db82c
Compare
Yes. But I don't fully understand what the point of
I moved the class check to be done first at the top of the loop so it would just skip any records that don't have a class matching the apex. |
|
Apologies for the delay! This looks good now – I will merge it. |
If none of the records in the
RecordsIterhave the apex as their name, but they are in the apex's zone, don't skip those children. Otherwise rrsigs will not be created for any queries for just subdomains.