From: Ondřej Surý <ondrej@isc.org>
Date: Tue, 4 Nov 2025 01:09:38 +0000 (+0100)
Subject: Skip unsupported algorithms when looking for signing key
X-Git-Tag: v9.21.15~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a94a7c1a1e6eecbead995a08bace33d23899a5da;p=thirdparty%2Fbind9.git

Skip unsupported algorithms when looking for signing key

When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search.  Instead, skip
such keys and continue searching for the right key.

Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
---

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c6781544b96..52677fbd80f 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1092,8 +1092,14 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 			continue;
 		}
 
-		return dns_dnssec_keyfromrdata(&siginfo->signer, &rdata,
-					       val->view->mctx, &val->key);
+		result = dns_dnssec_keyfromrdata(&siginfo->signer, &rdata,
+						 val->view->mctx, &val->key);
+		/* Don't count unsupported algorithm towards max fails */
+		if (result == DST_R_UNSUPPORTEDALG) {
+			/* Continue with the next key */
+			continue;
+		}
+		return result;
 	}
 
 	return ISC_R_NOTFOUND;