Allow unsupported algorithms in zone when not used for signing
If you have a DNSKEY with an unsupported algorithm in your zone,
dnssec-signzone refuses to sign the zone.
BIND version used
Steps to reproduce
Have a DSA public key stored in a file dsa.key. Have an unsigned zone file, for example root.db. Then create a key for signing and sign the zone with it.
    dnssec-keygen -a rsasha256 -qfk .
    dnssec-keygen -a rsasha256 -q .
    cat dsa.key >> root.db
    dnssec-signzone -S -o . root.db K.+008+57997 K.+008+46623
This will output:
dnssec-signzone: fatal: failed to load the zone keys: algorithm is unsupported
What is the current bug behavior?
dnssec-signzone encounters a fatal error and refuses to sign the zone.
What is the expected correct behavior?
dnssec-signzone should sign the zone regardless of the algorithms used in the DNSKEY RRset.
Relevant configuration files
Relevant logs and/or screenshots
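A pre-signing check for the situation reported above, added here as an example (it is not part of the original report and not BIND code): it lists the DNSKEY records in a zone file whose algorithm is outside the set the signer accepts, with the RFC 4034 key tag of each. The function names, the sample zone and the `signer_algs` set are assumptions; the report does not state which algorithms the affected build supports, so the caller supplies them, and only single-line records with an explicit owner name and numeric algorithm field are handled.

```python
import base64

# IANA DNSSEC algorithm numbers -> mnemonics (subset)
ALG_NAMES = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
             7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
             15: "ED25519", 16: "ED448"}

# Constructed sample zone; the key material is a 3-byte placeholder, not a real key.
SAMPLE_ZONE = """\
. 3600 IN SOA a.example. h.example. 1 7200 3600 1209600 3600
. 3600 IN NS a.example.
. IN DNSKEY 256 3 8 AQID ; constructed RSASHA256 key
. IN DNSKEY 256 3 3 AQID ; constructed DSA key
"""

def key_tag(flags, protocol, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskeys(zone_text):
    """Yield (owner, flags, algorithm, key tag) for each single-line DNSKEY."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comment
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if i == 0 or len(fields) < i + 5:        # no owner, or truncated RDATA
            continue
        flags, protocol, alg = (int(f) for f in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        yield fields[0], flags, alg, key_tag(flags, protocol, alg, pubkey)

def unsupported(zone_text, signer_algs):
    """DNSKEYs whose algorithm is not in signer_algs (assumed supported set)."""
    return [(owner, ALG_NAMES.get(alg, str(alg)), tag)
            for owner, _flags, alg, tag in dnskeys(zone_text)
            if alg not in signer_algs]

if __name__ == "__main__":
    for owner, name, tag in unsupported(SAMPLE_ZONE, {8}):
        print(f"{owner} DNSKEY algorithm {name}, key tag {tag}: not loadable by signer")
```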