Skip unsupported algorithms when looking for signing key

When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search.  Instead, skip
such keys and continue searching for the right key.

Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit a94a7c1a1e6eecbead995a08bace33d23899a5da)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 12b2aed57cf0bc98a0fff68f4ce4133a2a826c72..809b7be91103b90ac18783788b7a26da28e85ecd 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1176,7 +1176,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
                                goto done;
                        }
                        dst_key_free(&val->key);
-               } else {
+               } else if (result != DST_R_UNSUPPORTEDALG) {
+                       /*
+                        * We can encounter unsupported algorithm when the zone
+                        * is signed with both supported and unsupported
+                        * algorithm at the same time.  Stop looking in all
+                        * other failure cases.
+                        */
                        break;
                }
                dns_rdata_reset(&rdata);