A regression was introduced when adding the EDE code for unsupported
DNSKEY and DS algorithms. When the parent has both supported and
unsupported algorithm in the DS record, the validator would treat the
supported DS algorithm as insecure when validating DNSKEY records
instead of BOGUS. This has not security impact as the rest of the child
zone correctly ends with BOGUS status, but it is incorrect and thus the
regression has been fixed.
Closes #5757
Backport of MR !11580
Merge branch 'backport-5757-fix-mixed-algorithm-DS-handling-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11590
projects / thirdparty / bind9.git / commitdiff
