When inline signing is enabled for a zone without creating signing keys
for it, changes subsequently applied to the raw zone will not be
reflected in the secure zone due to the dns_update_signaturesinc() call
inside receive_secure_serial() failing. Given that an inline zone will
be served (without any signatures) even with no associated signing keys
being present, keep applying raw zone deltas to the secure zone until
keys become available in an attempt to follow the principle of least
astonishment.
(cherry picked from commit 6acf326969)
(cherry picked from commit 8a58a60772)
(cherry picked from commit fcbdeed802)
properly determining if there were active KSK and
ZSK keys for a algorithm when update-check-ksk is
true (default) leaving records unsigned. [RT #46743]
(cherry picked from commit 196e01da5f)
(cherry picked from commit bf459d24a1)
(cherry picked from commit 5623f65cc4)
4727. [bug] Retransferring an inline-signed slave using NSEC3
around the time its NSEC3 salt was changed could result
in an infinite signing loop. [RT #45080]
(cherry picked from commit 4ceebc8874)
3839. [test] Use only posix-compatible shell in system tests.
[RT #35625]
(cherry picked from commit 60988462e5)
(cherry picked from commit 812cf443bb)
inline-signing zone could stall when the server
was restarted. [RT #27344]
3263. [bug] "rndc sync" did not affect the unsigned side of an
inline-signing zone. [RT #27337]