Fail DNSKEY validation when supported but invalid DS is found

A regression was introduced when adding the EDE code for unsupported
DNSKEY and DS algorithms.  When the parent has both supported and
unsupported algorithm in the DS record, the validator would treat the
supported DS algorithm as insecure when validating DNSKEY records
instead of BOGUS.  This has not security impact as the rest of the child
zone correctly ends with BOGUS status, but it is incorrect and thus the
regression has been fixed.

bin/tests/system/dnssec/tests_validation.py

@@ -408,7 +408,7 @@ def test_private_algorithms(ns4):
         isctest.check.noerror(res1)
         isctest.check.servfail(res2)
         watcher.wait_for_line(
-            "No DNSKEY for extradsunknownoid.example/DS with PRIVATEOID"
+            "no DNSKEY matching DS"
         )
 
 

lib/dns/include/dns/validator.h

@@ -150,6 +150,7 @@ struct dns_validator {
 	bool	       digest_sha1;
 	uint8_t	       unsupported_algorithm;
 	uint8_t	       unsupported_digest;
+	uint8_t	       validation_attempts;
 	dns_rdata_t    rdata;
 	bool	       resume;
 	isc_counter_t *nvalidations;

lib/dns/validator.c

@@ -2089,6 +2089,8 @@ validate_dnskey_dsset(dns_validator_t *val) {
 		}
 	}
 
+	val->validation_attempts++;
+
 	/*
 	 * Find the DNSKEY matching the DS...
 	 */
@@ -2113,6 +2115,12 @@ validate_dnskey_dsset(dns_validator_t *val) {
 						      val->name, key.algorithm,
 						      key.data, key.datalen))
 		{
+			/*
+			 * Don't count the unsupported algorithm into the
+			 * validation attempts.
+			 */
+			val->validation_attempts--;
+
 			if (val->unsupported_algorithm == 0) {
 				val->unsupported_algorithm = key.algorithm;
 				/*
@@ -2184,6 +2192,11 @@ validate_dnskey_dsset_next_done(void *arg) {
 		return;
 	}
 
+	if (val->validation_attempts != 0) {
+		val->unsupported_algorithm = 0;
+		val->unsupported_digest = 0;
+	}
+
 	validate_dnskey_dsset_done(val, result);
 	return;
 }