# Issue #104 — DS/CDS/DLV unsupported-algorithm cascade

Codeberg issue: https://codeberg.org/DNS-OARC/validns/issues/104

Three signed-zone variants from one unsigned source:

- `example.sec.signed.nsec`   — NSEC chain; DS/CDS/DLV algorithm = 99 (UNKNOWN).
- `example.sec.signed.nsec3`  — NSEC3 opt-out chain; DS/CDS/DLV algorithm = 99 (UNKNOWN).
- `example.sec.signed.policy` — NSEC chain; DS/CDS/DLV algorithm = 5 (RSASHA1, POLICY_OFF on RHEL9).

The apex zone is signed with RSASHA256 throughout, so apex DNSKEY/NSEC/NSEC3
signatures validate on every platform. Only the algorithm field embedded in
the DS/CDS/DLV RDATA is "bad" (post-processed after BIND signing), which is
what the test exercises.

To regenerate:

    cd src/t/issues/104-unsupported-algorithm-cascade
    ./regenerate.sh

Test-time used by `src/t/test.pl`: **1800000000** (a UTC time inside the
signing window 2026-01-01 .. 2030-01-01). If `regenerate.sh` is changed to
use a different window, update the `-t` flag in `test.pl` accordingly.
