Investigate and fix what happens when the managed-keys algorithm is not supported
There are several possible scenarios (as discussed) in which an algorithm can end up in the "not supported" set:
- The algorithm is not supported by the build (e.g. DSA on the lower end of the spectrum and ED448 on the other end)
- The algorithm has been disabled via configuration

and:
- The `managed-keys` statement has been configured with a not-supported algorithm
- The RFC 5011 roll rolls to a not-supported algorithm
First, we need (system) tests covering what happens in the different combinations.
Second, we will have to decide what the correct behaviour is, because in the past some people might have used this as an NTA (negative trust anchor): configuring a trust anchor with an unknown algorithm to disable validation for the (broken) part of the DNS tree.
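As an added illustration, not part of this issue or of BIND's own code, the script below audits a constructed `trust-anchors` / `disable-algorithms` fragment and sorts each configured anchor into the combinations listed above (unsupported by the build, disabled by configuration, or usable). The supported-algorithm set, the sample configuration and the placeholder key strings are assumptions; keys that arrive through an RFC 5011 roll are not covered, since they are not written in this syntax.

```python
import re

# IANA DNSSEC algorithm numbers (subset) and their mnemonics.
ALG_NAMES = {3: "DSA", 5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
             15: "ED25519", 16: "ED448"}
NAME_TO_NUM = {v: k for k, v in ALG_NAMES.items()}
# Assumed set of algorithms implemented by this resolver build; DSA and ED448
# are deliberately left out to match the two examples in the issue.
SUPPORTED = {5, 7, 8, 10, 13, 14, 15}

# Matches:  "zone" initial-key|static-key flags protocol algorithm "keydata";
ANCHOR_RE = re.compile(
    r'^\s*"?([^\s"]+)"?\s+(?:initial|static)-key\s+\d+\s+\d+\s+(\d+)\s+"', re.M)
DISABLE_RE = re.compile(r'disable-algorithms\s+"?([^\s"{]+)"?\s*\{([^}]*)\}')

def canon(name):
    """Lower-case and strip the trailing dot; the root "." becomes ""."""
    return name.rstrip(".").lower()

def is_under(name, suffix):
    """True if name equals suffix or lies below it (suffix "" is the root)."""
    return suffix == "" or name == suffix or name.endswith("." + suffix)

def parse_disabled(conf):
    """Map each disable-algorithms domain to the algorithm numbers it disables."""
    disabled = {}
    for dom, body in DISABLE_RE.findall(conf):
        toks = body.replace(";", " ").split()
        # Unknown mnemonics map to -1 and therefore disable nothing.
        disabled[canon(dom)] = {int(t) if t.isdigit() else NAME_TO_NUM.get(t.upper(), -1)
                                for t in toks}
    return disabled

def audit_anchors(conf, supported=SUPPORTED):
    """Return [(zone, algorithm, status)] with status ok/unsupported/disabled."""
    disabled, report = parse_disabled(conf), []
    for zone, alg in ANCHOR_RE.findall(conf):
        alg, z = int(alg), canon(zone)
        if alg not in supported:
            status = "unsupported"   # the build cannot validate with it at all
        elif any(alg in algs and is_under(z, d) for d, algs in disabled.items()):
            status = "disabled"      # usable in principle, switched off by config
        else:
            status = "ok"
        report.append((zone, alg, status))
    return report

def unusable_zones(conf, supported=SUPPORTED):
    """Zones with no usable anchor: the subtrees whose validation outcome depends on
    how named treats such anchors (the NTA-like case the issue describes)."""
    rows = audit_anchors(conf, supported)
    return sorted({z for z, _, s in rows if s != "ok"} - {z for z, _, s in rows if s == "ok"})

SAMPLE_CONF = """
trust-anchors {
    "." initial-key 257 3 8 "PLACEHOLDER-NOT-A-REAL-KEY";
    legacy.example. static-key 257 3 3 "PLACEHOLDER-NOT-A-REAL-KEY";
    corp.example. initial-key 257 3 13 "PLACEHOLDER-NOT-A-REAL-KEY";
    modern.example. static-key 257 3 16 "PLACEHOLDER-NOT-A-REAL-KEY";
};
disable-algorithms "corp.example." { ECDSAP256SHA256; };
"""
```

Running `audit_anchors(SAMPLE_CONF)` flags `legacy.example.` (DSA) and `modern.example.` (ED448) as unsupported and `corp.example.` as disabled, which is exactly the set of zones the test matrix in this issue needs to exercise.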
Edited by Ondřej Surý