rec: do not count RRSIGs using unsupported algorithms toward RRSIGs limit 14095/head
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 8 Apr 2024 10:14:01 +0000 (12:14 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Tue, 23 Apr 2024 10:02:31 +0000 (12:02 +0200)
(cherry picked from commit 834660b5c62fe7a8bcf93b0182f26fbfa5464ecc)

pdns/validate.cc

index 120452e98c805014531ac1ba09ac85d015193448..8b151f91d6ca3ec92f1a27ba160ca4dc01aede38 100644 (file)
@@ -1022,6 +1022,9 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
     }
 
     vState ede = vState::Indeterminate;
+    if (!DNSCryptoKeyEngine::isAlgorithmSupported(signature->d_algorithm)) {
+        continue;
+    }
     if (!checkSignatureInceptionAndExpiry(name, now, signature, ede)) {
       if (isRRSIGIncepted(now, signature)) {
         noneIncepted = false;
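Review bot: The new skip at the top of the loop also bypasses the inception/expiry bookkeeping that follows it, so an RRset whose only signatures use algorithms this build lacks will no longer touch `noneIncepted` (or whatever expiry flag the rest of the loop maintains), and the EDE reported for such a set presumably changes from a time-based one to whatever the no-usable-signature path yields. That looks intended, since an RRSIG we cannot verify is evidence neither of validity nor of bogosity, but it is a behavioural change beyond the limit counting named in the title and deserves a comment, e.g. `// An RRSIG whose algorithm we cannot verify must not consume the per-RRset signature budget nor feed the inception/expiry bookkeeping below`. The skip is also silent; a trace-level log naming `signature->d_algorithm` would help operators diagnose zones signed only with unsupported algorithms. The enclosing loop and validateWithKeySet both start before the hunk.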
@@ -1151,7 +1154,7 @@ bool haveNegativeTrustAnchor(const map<DNSName,std::string>& negAnchors, const D
   return true;
 }
 
-vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<RRSIGRecordContent> >& sigs, skeyset_t& validkeys, pdns::validation::ValidationContext& context)
+vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector<shared_ptr<RRSIGRecordContent> >& sigs, skeyset_t& validkeys, pdns::validation::ValidationContext& context) // NOLINT(readability-function-cognitive-complexity): FIXME
 {
   /*
    * Check all DNSKEY records against all DS records and place all DNSKEY records
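Review bot: The `// NOLINT(readability-function-cognitive-complexity): FIXME` added to the signature silences the warning without saying what fixing it would involve, so the next reader cannot tell a planned refactor from a blanket suppression. Either name the intended split, e.g. `// NOLINT(readability-function-cognitive-complexity): FIXME split the DS/DNSKEY matching and the RRSIG checks into helpers`, or point at the tracking item. The function body continues past the hunk.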
@@ -1217,6 +1220,9 @@ vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t&
     // whole set
     uint16_t signaturesConsidered = 0;
     for (const auto& sig : sigs) {
+      if (!DNSCryptoKeyEngine::isAlgorithmSupported(sig->d_algorithm)) {
+        continue;
+      }
       if (!checkSignatureInceptionAndExpiry(zone, now, sig, ede)) {
         continue;
       }
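Review bot: The algorithm filter added here is the same two-line skip added in validateWithKeySet, and in both places it sits directly in front of the identical `checkSignatureInceptionAndExpiry` call; a small helper such as `static bool isUsableSignature(const DNSName& name, time_t now, const std::shared_ptr<RRSIGRecordContent>& sig, vState& ede)` wrapping both conditions would keep the two signature budgets from drifting apart the next time one site gains a check the other does not. The `signaturesConsidered` counter declared just above is a `uint16_t`; it is presumably bounded well below 65535 by the DNS message size, but a comment at its declaration stating that bound would preempt the wraparound question in a limit that exists to cap attacker-controlled work. The increment and comparison of `signaturesConsidered`, and the rest of validateDNSKeysAgainstDS, are outside the hunk.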