Update keyfetch_done compute_tag check

If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.

lib/dns/include/dst/dst.h

@@ -70,8 +70,7 @@ typedef struct dst_context 	dst_context_t;
 #define DST_ALG_HMACSHA512	165	/* XXXMPA */
 #define DST_ALG_INDIRECT	252
 #define DST_ALG_PRIVATE		254
-#define DST_ALG_EXPAND		255
+#define DST_MAX_ALGS		256
-#define DST_MAX_ALGS		255
 
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE		1280

lib/dns/zone.c

@@ -9653,6 +9653,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 		dns_keydata_todnskey(&keydata, &dnskey, NULL);
 		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				"Cannot compute tag for key in zone %s: %s "
+				"(skipping)",
+				namebuf, dns_result_totext(result));
+			continue;
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		/*
@@ -9766,6 +9777,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 		}
 
 		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				"Cannot compute tag for key in zone %s: %s "
+				"(skipping)",
+				namebuf, dns_result_totext(result));
+			continue;
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);