From b1f7a20df54fe1f2f3c33cc9c926adc033dd30a9 Mon Sep 17 00:00:00 2001
From: Ximon Eighteen <3304436+ximon18@users.noreply.github.com>
Date: Thu, 9 Jan 2025 13:34:48 +0100
Subject: [PATCH] As zone signing assumes, but does not check, that the zone is
 ordered, add a check in debug builds (not in release builds as it is too
 costly) if the zone is correctly sorted before signing.

---
 src/sign/mod.rs | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/sign/mod.rs b/src/sign/mod.rs
index 4a4e3a0a9..5173d4a84 100644
--- a/src/sign/mod.rs
+++ b/src/sign/mod.rs
@@ -392,6 +392,15 @@ where
 
 //------------ sign_zone() ---------------------------------------------------
 
+/// DNSSEC sign the given zone records.
+///
+/// Assumes that the given zone records are sorted according to
+/// [`CanonicalOrd`]. The behaviour is undefined otherwise.
+///
+/// # Panics
+///
+/// This function will panic in debug builds if the given zone is not sorted
+/// according to [`CanonicalOrd`].
 pub fn sign_zone<N, Octs, S, DSK, Inner, KeyStrat, Sort, HP, T>(
     mut in_out: SignableZoneInOut<N, Octs, S, T, Sort>,
     apex: &N,
@@ -435,6 +444,8 @@ where
         return Err(SigningError::NoSoaFound);
     };
 
+    debug_assert!(in_out.as_slice().is_sorted_by(CanonicalOrd::canonical_le));
+
     // RFC 9077 updated RFC 4034 (NSEC) and RFC 5155 (NSEC3) to say that
     // the "TTL of the NSEC(3) RR that is returned MUST be the lesser of
     // the MINIMUM field of the SOA record and the TTL of the SOA itself".