RFC 4035 sec 5.2: downgrade to insecure when only unknown algorithms are used (provably)
Currently these lead to SERVFAIL, as detected by https://rootcanary.org/test.html
This will probably be about handling the
DNSSEC_INVALID_DS_ALGORITHM return code from libdnssec.
If the validator does not support any of the algorithms listed in an authenticated DS RRset, then the resolver has no supported authentication path leading from the parent to the child. The resolver should treat this case as it would the case of an authenticated NSEC RRset proving that no DS RRset exists, as described above.