A DS, CDS, or DLV record whose algorithm field is unrecognized or disabled by the system crypto policy currently triggers a cascade of follow-on errors: each RRSIG covering the record is reported as orphaned, and the NSEC bitmap (or NSEC3 opt-out chain) is reported as referring to a non-existing record. The root-cause message itself omits the domain name and record type. Roy Arends reported this for a TLD-shaped zone where every signed delegation to a child with an unsupported algorithm produces three lines instead of one.
extract_algorithm now reports its status via a flags out-parameter and no longer rejects the record on the caller's behalf. DS, CDS, and DLV parsers keep the record (with rr->algorithm set to the raw integer) and emit one record-level message in the unrecognized-algorithm case; the policy-disabled case stays silent at the record level since the existing one-shot global warning is sufficient. Other callers (DNSKEY, RRSIG, CERT) preserve their current drop-and-bitch behavior via mechanical caller updates.
Tests cover NSEC and NSEC3-opt-out variants for the unrecognized-algorithm path, plus a SHA-1-disabled variant for the policy-disabled path (activates on RHEL9-style platforms via the existing $sha1_disabled gate).
Fixes: #104
A DS, CDS, or DLV record whose algorithm field is unrecognized or disabled by the system crypto policy currently triggers a cascade of follow-on errors: each RRSIG covering the record is reported as orphaned, and the NSEC bitmap (or NSEC3 opt-out chain) is reported as referring to a non-existing record. The root-cause message itself omits the domain name and record type. Roy Arends reported this for a TLD-shaped zone where every signed delegation to a child with an unsupported algorithm produces three lines instead of one.
`extract_algorithm` now reports its status via a flags out-parameter and no longer rejects the record on the caller's behalf. DS, CDS, and DLV parsers keep the record (with `rr->algorithm` set to the raw integer) and emit one record-level message in the unrecognized-algorithm case; the policy-disabled case stays silent at the record level since the existing one-shot global warning is sufficient. Other callers (DNSKEY, RRSIG, CERT) preserve their current drop-and-bitch behavior via mechanical caller updates.
Tests cover NSEC and NSEC3-opt-out variants for the unrecognized-algorithm path, plus a SHA-1-disabled variant for the policy-disabled path (activates on RHEL9-style platforms via the existing `$sha1_disabled` gate).
Fixes: https://codeberg.org/DNS-OARC/validns/issues/104