Use signer name when disabling DNSSEC algorithms

When disabling algorithms, use the signer name to determine if the
algorithm is disabled or not.  This allows for algorithms to be
cleanly disabled on a zone level basis.  Previously, just using the
records owner name, "disable-algorithms" could impact resolution of
names that where not disabled.  This does now mean that
"disable-algorithms" can not be used to disable part of a zone anymore.

bin/tests/system/dnssec/ns3/badalg.secure.example.db.in

@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+			A	10.53.0.4
+ns3			A	10.53.0.3

bin/tests/system/dnssec/ns3/named.conf.j2

@@ -93,6 +93,12 @@ zone "secure.example" {
 	allow-update { any; };
 };
 
+zone "badalg.secure.example" {
+	type primary;
+	file "badalg.secure.example.db.signed";
+	allow-update { any; };
+};
+
 zone "bogus.example" {
 	type primary;
 	file "bogus.example.db.signed";

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -30,7 +30,9 @@ g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a
-badalg			A	10.53.0.4
+
+badalg			NS	ns3.badalg
+ns3.badalg		A	10.53.0.3
 
 private			NS	ns.private
 ns.private		A	10.53.0.2

bin/tests/system/dnssec/ns3/sign.sh

@@ -85,6 +85,20 @@ cp template.db.in insecure.optout.example.db
 cp extrakey.example.db.in extrakey.example.db
 
 # now the signed zones:
+
+# A zone that will be treated as insecure as the DEFAULT_ALGORITHM is
+# disabled for it.
+zone=badalg.secure.example.
+infile=badalg.secure.example.db.in
+zonefile=badalg.secure.example.db
+
+keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$keyname.key" >"$zonefile"
+
+"$SIGNER" -z -o "$zone" "$zonefile" >/dev/null
+
+#
 zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
@@ -93,7 +107,7 @@ cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "cn
 dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "dnameandkey.$zone")
 keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
 
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
+cat "$infile" dsset-badalg.secure.example. "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
 
 "$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
 cat "$zonefile" "$zonefile".signed >"$zonefile".tmp

bin/tests/system/dnssec/tests_validation.py

@@ -1326,6 +1326,14 @@ def test_unknown_algorithms():
             res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
         )
 
+    # check that DS records are still treated as secure at the
+    # disable-algorithm name
+    msg = isctest.query.create("badalg.secure.example", "DS")
+    res = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.rr_count_eq(res.answer, 2)
+    isctest.check.noerror(res)
+    isctest.check.adflag(res)
+
     # check both EDE code 1 and 2 for unsupported digest on one DNSKEY
     # and unsupported algorithm on the other
     msg = isctest.query.create("a.digest-alg-unsupported.example", "A")

lib/dns/validator.c

@@ -1675,8 +1675,9 @@ validate_answer_process(void *arg) {
 	 * was known and "sufficiently good".
 	 */
 	if (!dns_resolver_algorithm_supported(
-		    val->view->resolver, val->name, val->siginfo->algorithm,
-		    val->siginfo->signature, val->siginfo->siglen))
+		    val->view->resolver, &val->siginfo->signer,
+		    val->siginfo->algorithm, val->siginfo->signature,
+		    val->siginfo->siglen))
 	{
 		if (val->unsupported_algorithm == 0) {
 			val->unsupported_algorithm = val->siginfo->algorithm;

lib/ns/query.c

@@ -2541,8 +2541,8 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (!dns_resolver_algorithm_supported(
-			    client->inner.view->resolver, name, rrsig.algorithm,
-			    rrsig.signature, rrsig.siglen))
+			    client->inner.view->resolver, &rrsig.signer,
+			    rrsig.algorithm, rrsig.signature, rrsig.siglen))
 		{
 			char txt[DNS_NAME_FORMATSIZE + 32];
 			isc_buffer_t buffer;