GitLab

There's are several possible scenarios (as discussed) how algorithm can end up in not supported set:

• The algorithm is not supported (f.e. DSA on lower side of the spectrum and ED448 on the other end)
• The algorithm has been disabled via configuration

and:

• The managed-keys has been configured with not supported algorithm
• The RFC5011 roll rolls to not supported algorithm

First, we need to have (system) tests about what happens in different combinations.

Second, we will have to decide what is the correct behaviour, as in the past, some people might have used this as NTA - configure TA with unknown algorithm to disable validation for the (broken) part of the DNS tree.