Story
Resolution: Won't Do
Description of problem:
RHEL 9.0 has obsoleted SHA-1 signatures. named is configured via the crypto-policies package to disable the RSASHA1 and NSEC3RSASHA1 algorithms (bug #2070230). The delv tool from bind-utils validates using the same algorithms, but does not read any configuration file. It has no way to disable algorithms, either from the command line or from a configuration file, even a custom one. The named code should be modified so that delv can test whether SHA-1 signatures are available.
Detection of the ED25519 and ED448 algorithms in FIPS mode might also be needed.
Version-Release number of selected component (if applicable):
bind-utils-9.16.23-1.el9.x86_64
crypto-policies-20220223-1.git5203b41.el9_0.1.noarch
How reproducible:
reliable
Steps to Reproduce:
1. delv int
Actual results:
- delv int
;; EVP_VerifyFinal failed (verify failure)
;; error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
;; EVP_VerifyFinal failed (verify failure)
;; error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
;; validating int/DNSKEY: no valid signature found
;; insecurity proof failed resolving 'int/DNSKEY/IN': 10.2.32.1#53
;; validating rtma1k8jfek31ikuajq7rie9dufhe33b.int/NSEC3: bad cache hit (int/DNSKEY)
;; broken trust chain resolving 'int/A/IN': 10.2.32.1#53
;; resolution failed: broken trust chain
Expected results:
- delv int
;; resolution failed: ncache nxrrset
; negative response, fully validated
; int. 3408 IN -A ;-$NXRRSET
; int. SOA sns.dns.icann.org. noc.dns.icann.org. 2022040623 3600 1800 604800 3600
; int. RRSIG SOA ...
; rtma1k8jfek31ikuajq7rie9dufhe33b.int. RRSIG NSEC3 ...
; rtma1k8jfek31ikuajq7rie9dufhe33b.int. NSEC3 1 0 5 398954BBB503FF9D S2BQ3UEQJHSGU7FE7M8QPQ563E9PTFH5 NS SOA RRSIG DNSKEY NSEC3PARAM
or insecure, but successful reply.
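As an added example (not code from this report, from BIND or from delv), this is the decision a validator should make when the delegation's only algorithms are disabled by the local crypto policy, following RFC 4035 section 5.2 and RFC 6840 section 5.2: with no usable DS record the zone is treated as insecure rather than bogus, which is the "insecure, but successful reply" expected above. The set of supported algorithms, the FIPS handling of ED25519/ED448 and the DS/DNSKEY sample data are assumptions constructed for the example.

```python
# Added example (not code from the bug report or from BIND/delv): the decision
# a DNSSEC validator should make when the delegation's only algorithms are
# disabled by the local crypto policy. Per RFC 4035 s5.2 / RFC 6840 s5.2, a
# delegation with no usable DS record is treated as insecure (unsigned), not
# bogus, which is the "insecure, but successful reply" the report expects.
# IANA DNSSEC algorithm numbers and DS digest types.
RSASHA1, NSEC3RSASHA1, RSASHA256 = 5, 7, 8
ECDSAP256SHA256, ED25519, ED448 = 13, 15, 16
DS_SHA1, DS_SHA256 = 1, 2
ALL_ALGS = {RSASHA1, NSEC3RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519, ED448}


def supported_algorithms(fips=False):
    """Signing algorithms the local policy leaves usable.

    Assumption: models the RHEL 9 policy described in the report, which
    disables RSASHA1 and NSEC3RSASHA1; the FIPS handling of ED25519/ED448
    is the report's own open question and is treated here as 'unavailable'.
    """
    disabled = {RSASHA1, NSEC3RSASHA1}
    if fips:
        disabled |= {ED25519, ED448}
    return ALL_ALGS - disabled


def classify_delegation(ds_rrset, dnskey_algs, fips=False):
    """Classify a child zone from its (already authenticated) DS RRset.

    ds_rrset: list of (key_tag, algorithm, digest_type) tuples.
    dnskey_algs: set of algorithm numbers in the child's DNSKEY RRset.
    Returns 'insecure' if no DS is usable, 'validate' if a usable DS has a
    matching DNSKEY algorithm, and 'bogus' otherwise.
    """
    supported = supported_algorithms(fips)
    usable = [ds for ds in ds_rrset
              if ds[1] in supported and ds[2] in (DS_SHA1, DS_SHA256)]
    if not usable:
        return "insecure"       # what delv should report instead of failing
    if any(ds[1] in dnskey_algs for ds in usable):
        return "validate"       # proceed to signature verification
    return "bogus"              # usable DS, but no DNSKEY can match it


# Constructed sample resembling the report's 'int' case: the delegation is
# signed only with NSEC3RSASHA1, which the policy disables (key tag is made up).
INT_LIKE_DS = [(12345, NSEC3RSASHA1, DS_SHA1)]
INT_LIKE_DNSKEY_ALGS = {NSEC3RSASHA1}

if __name__ == "__main__":
    print(classify_delegation(INT_LIKE_DS, INT_LIKE_DNSKEY_ALGS))  # insecure
```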