From a94a7c1a1e6eecbead995a08bace33d23899a5da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 4 Nov 2025 02:09:38 +0100
Subject: [PATCH] Skip unsupported algorithms when looking for signing key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When looking for a signing key in select_signing_key(), the result code indicating unsupported algorithm would abort the search. Instead, skip such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan
Co-Authored-By: Petr Menšík
---
 lib/dns/validator.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c6781544b9..52677fbd80 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1092,8 +1092,14 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 continue;
 }
- return dns_dnssec_keyfromrdata(&siginfo->signer, &rdata,
- val->view->mctx, &val->key);
+ result = dns_dnssec_keyfromrdata(&siginfo->signer, &rdata,
+ val->view->mctx, &val->key);
+ /* Don't count unsupported algorithm towards max fails */
+ if (result == DST_R_UNSUPPORTEDALG) {
+ /* Continue with the next key */
+ continue;
+ }
+ return result;
 }
 return ISC_R_NOTFOUND;
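Review bot: When every key that passes the earlier filters is skipped by the new `continue`, select_signing_key() now ends at `return ISC_R_NOTFOUND;` where it used to return DST_R_UNSUPPORTEDALG, so the caller can no longer tell "no matching key" from "matching key, algorithm not supported". The caller and the start of the function are outside this hunk, so please confirm that both outcomes lead to the same validation result and that the skipped keys cannot be iterated without any bound. Any other error from dns_dnssec_keyfromrdata() still ends the search through `return result;`, which looks deliberate but is not stated. I would merge the two comments into one that says so, e.g. `/* Unsupported algorithm: try the next key without reporting a failure; any other error ends the search. */`. The diffstat shows only lib/dns/validator.c, so a regression test with an unsupported-algorithm DNSKEY placed ahead of the usable one would pin this behaviour.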