Commit ce50b6a1 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

dnssec: don't sign whole zone when empty update

parent 65c54f81
......@@ -1170,8 +1170,7 @@ int knot_zone_sign_update(zone_update_t *update,
/* Check if the UPDATE changed DNSKEYs or NSEC3PARAM.
* If so, we have to sign the whole zone. */
const bool full_sign = changeset_empty(&update->change) ||
const bool full_sign = apex_dnssec_changed(update);
if (full_sign) {
ret = knot_zone_sign(update, zone_keys, dnssec_ctx, expire_at);
} else {
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment