From 5bc1f789d73c71dc6814d82d171e5b0010aed40b Mon Sep 17 00:00:00 2001
From: Daniel Akulenok <dak@keepit.com>
Date: Thu, 29 Jan 2026 21:59:50 +0100
Subject: [PATCH] Add CDNSKEY, CDS, and TYPE65534 to ignored DNSSEC record
 types

- Extend ignore_dnssec_records to include CDNSKEY, CDS, and TYPE65534
- These are DNSSEC-related record types that are often managed by DNS servers
- Update documentation to reflect all ignored DNSSEC types
---
 plugins/modules/nsupdate_zone.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/modules/nsupdate_zone.py b/plugins/modules/nsupdate_zone.py
index f43f0a0..d983ff4 100644
--- a/plugins/modules/nsupdate_zone.py
+++ b/plugins/modules/nsupdate_zone.py
@@ -132,7 +132,7 @@ options:
   ignore_dnssec_records:
     description:
       - Automatically ignore DNSSEC-managed record types.
-      - When enabled, DNSKEY, RRSIG, NSEC, NSEC3, and NSEC3PARAM records are added to the ignore list.
+      - When enabled, DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, CDNSKEY, CDS, and TYPE65534 records are added to the ignore list.
       - Useful when DNS servers manage DNSSEC records automatically and they should not be modified.
     type: bool
     default: true
@@ -365,7 +365,7 @@ class DNSZoneManager:
         
         # Add DNSSEC record types to ignore list if enabled
         if module.params.get('ignore_dnssec_records', True):
-            dnssec_types = {'DNSKEY', 'RRSIG', 'NSEC', 'NSEC3', 'NSEC3PARAM'}
+            dnssec_types = {'DNSKEY', 'RRSIG', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'CDNSKEY', 'CDS', 'TYPE65534'}
             self.ignore_types.update(dnssec_types)
         
         # Add SOA record type to ignore list if enabled