From: Mark Andrews <marka@isc.org>
Date: Thu, 25 Sep 2025 14:13:38 +0000 (+1000)
Subject: fix: usr: Use signer name when disabling DNSSEC algorithms
X-Git-Tag: v9.21.14~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e0318df857319508338e5853d10d785abf196b1;p=thirdparty%2Fbind9.git

fix: usr: Use signer name when disabling DNSSEC algorithms

``disable-algorithms`` could cause DNSSEC validation failures when the parent zone was
signed with the algorithms that were being disabled for the child zone.
This has been fixed; `disable-algorithms` now works
on a whole-of-zone basis.

If the zone's name is at or below the ``disable-algorithms`` name the algorithm
is disabled for that zone, using deepest match when there are multiple
``disable-algorithms`` clauses.

Closes #5165

Merge branch '5165-use-signer-name-when-disabling-dnssec-algorithms' into 'main'

See merge request isc-projects/bind9!10837
---

7e0318df857319508338e5853d10d785abf196b1