From: Ondřej Surý <ondrej@isc.org>
Date: Mon, 23 Feb 2026 19:57:50 +0000 (+0100)
Subject: fix: usr: Fail DNSKEY validation when supported but invalid DS is found
X-Git-Tag: v9.21.19~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d4ec8ebee84b15702d4c3f01d80c91ba2c19e2a7;p=thirdparty%2Fbind9.git

fix: usr: Fail DNSKEY validation when supported but invalid DS is found

A regression was introduced when adding the EDE code for unsupported
DNSKEY and DS algorithms.  When the parent has both supported and
unsupported algorithm in the DS record, the validator would treat the
supported DS algorithm as insecure when validating DNSKEY records
instead of BOGUS.  This has not security impact as the rest of the child
zone correctly ends with BOGUS status, but it is incorrect and thus the
regression has been fixed.

Closes #5757

Merge branch '5757-fix-mixed-algorithm-DS-handling' into 'main'

See merge request isc-projects/bind9!11580
---

d4ec8ebee84b15702d4c3f01d80c91ba2c19e2a7