From e47f8104669ca9d3c608e2c6a76357326d482799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 4 Nov 2025 02:09:38 +0100
Subject: [PATCH] Skip unsupported algorithms when looking for signing key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When looking for a signing key in select_signing_key(), the result code indicating unsupported algorithm would abort the search. Instead, skip such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan
Co-Authored-By: Petr Menšík
(cherry picked from commit a94a7c1a1e6eecbead995a08bace33d23899a5da)
---
 lib/dns/validator.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 12b2aed57c..809b7be911 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1176,7 +1176,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
 goto done;
 }
 dst_key_free(&val->key);
- } else {
+ } else if (result != DST_R_UNSUPPORTEDALG) {
+ /*
+ * We can encounter unsupported algorithm when the zone
+ * is signed with both supported and unsupported
+ * algorithm at the same time. Stop looking in all
+ * other failure cases.
+ */
 break;
 }
 dns_rdata_reset(&rdata);
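Review bot: The new `else if (result != DST_R_UNSUPPORTEDALG)` branch lets the loop fall through to `dns_rdata_reset(&rdata)` and on to the next key, which is only safe if the key-parsing call leaves `val->key` NULL when it returns DST_R_UNSUPPORTEDALG; that call and the loop head are outside the hunk, so this cannot be confirmed from here. If the invariant is not already asserted at the top of the loop, state it in the skip path, for example by extending the comment with `val->key is still NULL here, so there is nothing to free`. The skip is also silent: because the DNSKEY RRset comes from the network, a debug-level log line naming the skipped algorithm would let an operator tell "no matching key" apart from "the matching key uses an algorithm this build cannot verify". What the function returns when every key in the RRset is skipped is decided after the loop, outside this hunk, and deserves a test with a DNSKEY RRset that contains only unsupported algorithms.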