Report when dnssec-policy has an unsupported algorithn

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index e51d2a142619a80342697d336fc4c01c044f5ec9..2b9eeb5c153e90c819fda492554bf28e30807eb4 100644 (file)
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -183,6 +183,14 @@ cfg_kaspkey_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
                        goto cleanup;
                }
 
+               if (!dst_algorithm_supported(key->algorithm)) {
+                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+                                   "dnssec-policy: algorithm %s not supported",
+                                   alg.base);
+                       result = DNS_R_BADALG;
+                       goto cleanup;
+               }
+
                obj = cfg_tuple_get(config, "length");
                if (cfg_obj_isuint32(obj)) {
                        uint32_t min, size;