Add check for NSEC3 and key algorithms

NSEC3 is not backwards compatible with key algorithms that existed
before the RFC 5155 specification was published.

(cherry picked from commit 00c5dabea3)

bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf

@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+	keys {
+		csk lifetime unlimited algorithm rsasha1;
+	};
+	nsec3param ;
+};
+
+zone "example.net" {
+	type master;
+	file "example.db";
+	dnssec-policy "bad-salt";
+};
+

bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf

@@ -11,14 +11,14 @@
 
 dnssec-policy "rsasha1" {
 	keys {
-		csk lifetime P10Y algorithm rsasha1 1024;
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
 	nsec3param iterations 150;
 };
 
 dnssec-policy "rsasha1-bad" {
 	keys {
-		csk lifetime P10Y algorithm rsasha1 1024;
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
 	nsec3param iterations 151;
 };

bin/tests/system/checkconf/tests.sh

@@ -529,6 +529,14 @@ if [ $lines != 3 ]; then ret=1; fi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking named-checkconf kasp key errors ($n)"
 ret=0