diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h index 689aab7e9d..9213e99b19 100644 --- a/lib/dns/include/dns/keytable.h +++ b/lib/dns/include/dns/keytable.h @@ -205,9 +205,9 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name, *\li Any other result indicates an error. */ -isc_result_t +bool dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name, - dns_name_t *foundname, bool *wantdnssecp); + dns_name_t *foundname); /*%< * Is 'name' at or beneath a trusted key? * @@ -219,20 +219,11 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name, * *\li 'foundanme' is NULL or is a pointer to an initialized dns_name_t * - *\li '*wantsdnssecp' is a valid bool. - * * Ensures: * - *\li On success, *wantsdnssecp will be true if and only if 'name' - * is at or beneath a trusted key. If 'foundname' is not NULL, then - * it will be updated to contain the name of the closest enclosing - * trust anchor. - * - * Returns: - * - *\li ISC_R_SUCCESS - * - *\li Any other result is an error. + *\li Returns true if and only if 'name' is at or beneath a trusted key. + * If 'foundname' is not NULL, then it will be updated to contain + * the name of the closest enclosing trust anchor. */ isc_result_t diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 9f7c0d43f9..d536cccbd3 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -985,13 +985,12 @@ dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp); *\li ISC_R_NOTFOUND */ -isc_result_t +bool dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name, - isc_stdtime_t now, bool checknta, bool *ntap, - bool *secure_domain); + isc_stdtime_t now, bool checknta, bool *ntap); /*%< * Is 'name' at or beneath a trusted key, and not covered by a valid - * negative trust anchor? Put answer in '*secure_domain'. + * negative trust anchor, and DNSSEC validation is enabled? * * If 'checknta' is false, ignore the NTA table in determining * whether this is a secure domain. If 'checknta' is not false, and if @@ -1000,10 +999,6 @@ dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name, * * Requires: * \li 'view' is valid. - * - * Returns: - *\li ISC_R_SUCCESS - *\li Any other value indicates failure */ bool diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c index 018b4f73e0..54b7a5633f 100644 --- a/lib/dns/keytable.c +++ b/lib/dns/keytable.c @@ -524,13 +524,14 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name, return result; } -isc_result_t +bool dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name, - dns_name_t *foundname, bool *wantdnssecp) { + dns_name_t *foundname) { isc_result_t result; dns_qpread_t qpr; dns_keynode_t *keynode = NULL; void *pval = NULL; + bool secure = false; /* * Is 'name' at or beneath a trusted key? @@ -538,7 +539,6 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name, REQUIRE(VALID_KEYTABLE(keytable)); REQUIRE(dns_name_isabsolute(name)); - REQUIRE(wantdnssecp != NULL); dns_qpmulti_query(keytable->table, &qpr); result = dns_qp_lookup(&qpr, name, DNS_DBNAMESPACE_NORMAL, NULL, NULL, @@ -548,16 +548,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name, if (foundname != NULL) { dns_name_copy(&keynode->name, foundname); } - *wantdnssecp = true; - result = ISC_R_SUCCESS; - } else if (result == ISC_R_NOTFOUND) { - *wantdnssecp = false; - result = ISC_R_SUCCESS; + secure = true; } dns_qpread_destroy(keytable->table, &qpr); - return result; + return secure; } static isc_result_t diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index dbd446e5d6..62760a52ea 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -2236,9 +2236,9 @@ compute_cc(const resquery_t *query, uint8_t *cookie, const size_t len) { memmove(cookie, digest, CLIENT_COOKIE_SIZE); } -static isc_result_t +static bool issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type, - isc_stdtime_t now, bool checknta, bool *ntap, bool *issecure) { + isc_stdtime_t now, bool checknta, bool *ntap) { dns_name_t suffix; unsigned int labels; @@ -2255,8 +2255,7 @@ issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type, name = &suffix; } - return dns_view_issecuredomain(view, name, now, checknta, ntap, - issecure); + return dns_view_issecuredomain(view, name, now, checknta, ntap); } static isc_result_t @@ -5846,13 +5845,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message, checknta = false; } - if (res->view->enablevalidation) { - result = issecuredomain(res->view, name, fctx->type, now, - checknta, NULL, &secure_domain); - if (result != ISC_R_SUCCESS) { - return result; - } - } + secure_domain = issecuredomain(res->view, name, fctx->type, now, + checknta, NULL); if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) { valoptions |= DNS_VALIDATOR_NOCDFLAG; @@ -6436,13 +6430,8 @@ ncache_message(fetchctx_t *fctx, dns_message_t *message, checknta = false; } - if (fctx->res->view->enablevalidation) { - result = issecuredomain(res->view, name, fctx->type, now, - checknta, NULL, &secure_domain); - if (result != ISC_R_SUCCESS) { - return result; - } - } + secure_domain = issecuredomain(res->view, name, fctx->type, now, + checknta, NULL); if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) { valoptions |= DNS_VALIDATOR_NOCDFLAG; @@ -9029,7 +9018,6 @@ rctx_ncache(respctx_t *rctx) { */ static isc_result_t rctx_authority_dnssec(respctx_t *rctx) { - isc_result_t result; fetchctx_t *fctx = rctx->fctx; dns_message_t *msg = rctx->query->rmessage; @@ -9112,15 +9100,9 @@ rctx_authority_dnssec(respctx_t *rctx) { if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) { checknta = false; } - if (fctx->res->view->enablevalidation) { - result = issecuredomain( - fctx->res->view, name, - dns_rdatatype_ds, fctx->now, - checknta, NULL, &secure_domain); - if (result != ISC_R_SUCCESS) { - return result; - } - } + secure_domain = issecuredomain( + fctx->res->view, name, dns_rdatatype_ds, + fctx->now, checknta, NULL); if (secure_domain) { rdataset->trust = dns_trust_pending_answer; diff --git a/lib/dns/view.c b/lib/dns/view.c index 4193a43b9e..662eecf3e1 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -1535,41 +1535,31 @@ dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now, const dns_name_t *name, return dns_ntatable_covered(view->ntatable_priv, now, name, anchor); } -isc_result_t +bool dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name, - isc_stdtime_t now, bool checknta, bool *ntap, - bool *secure_domain) { - isc_result_t result; + isc_stdtime_t now, bool checknta, bool *ntap) { bool secure = false; dns_fixedname_t fn; dns_name_t *anchor; REQUIRE(DNS_VIEW_VALID(view)); - if (view->secroots_priv == NULL) { - return ISC_R_NOTFOUND; + if (!view->enablevalidation || view->secroots_priv == NULL) { + return false; } anchor = dns_fixedname_initname(&fn); - - result = dns_keytable_issecuredomain(view->secroots_priv, name, anchor, - &secure); - if (result != ISC_R_SUCCESS) { - return result; - } + secure = dns_keytable_issecuredomain(view->secroots_priv, name, anchor); SET_IF_NOT_NULL(ntap, false); if (checknta && secure && view->ntatable_priv != NULL && dns_ntatable_covered(view->ntatable_priv, now, name, anchor)) { - if (ntap != NULL) { - *ntap = true; - } + SET_IF_NOT_NULL(ntap, true); secure = false; } - *secure_domain = secure; - return ISC_R_SUCCESS; + return secure; } void diff --git a/tests/dns/keytable_test.c b/tests/dns/keytable_test.c index f04c720241..0606334c40 100644 --- a/tests/dns/keytable_test.c +++ b/tests/dns/keytable_test.c @@ -544,7 +544,6 @@ ISC_LOOP_TEST_IMPL(find) { /* check issecuredomain() */ ISC_LOOP_TEST_IMPL(issecuredomain) { - bool issecure; const char **n; const char *names[] = { "example.com", "sub.example.com", "null.example", "sub.null.example", NULL }; @@ -559,22 +558,16 @@ ISC_LOOP_TEST_IMPL(issecuredomain) { * of installing a null key). */ for (n = names; *n != NULL; n++) { - assert_int_equal(dns_keytable_issecuredomain(keytable, - str2name(*n), NULL, - &issecure), - ISC_R_SUCCESS); - assert_true(issecure); + assert_true(dns_keytable_issecuredomain(keytable, str2name(*n), + NULL)); } /* * If the key table has no entry (not even a null one) for a domain or * any of its ancestors, that domain is considered insecure. */ - assert_int_equal(dns_keytable_issecuredomain(keytable, - str2name("example.org"), - NULL, &issecure), - ISC_R_SUCCESS); - assert_false(issecure); + assert_false(dns_keytable_issecuredomain( + keytable, str2name("example.org"), NULL)); destroy_tables(); @@ -604,7 +597,7 @@ ISC_LOOP_TEST_IMPL(dump) { /* check negative trust anchors */ ISC_LOOP_TEST_IMPL(nta) { isc_result_t result; - bool issecure, covered; + bool covered; dns_fixedname_t fn; dns_name_t *keyname = dns_fixedname_name(&fn); unsigned char digest[DNS_DS_BUFFERSIZE]; @@ -636,20 +629,15 @@ ISC_LOOP_TEST_IMPL(nta) { assert_int_equal(result, ISC_R_SUCCESS); /* Should be secure */ - result = dns_view_issecuredomain(myview, - str2name("test.secure.example"), now, - true, &covered, &issecure); - assert_int_equal(result, ISC_R_SUCCESS); + assert_true(dns_view_issecuredomain( + myview, str2name("test.secure.example"), now, true, &covered)); assert_false(covered); - assert_true(issecure); /* Should not be secure */ - result = dns_view_issecuredomain(myview, - str2name("test.insecure.example"), now, - true, &covered, &issecure); - assert_int_equal(result, ISC_R_SUCCESS); + assert_false(dns_view_issecuredomain(myview, + str2name("test.insecure.example"), + now, true, &covered)); assert_true(covered); - assert_false(issecure); /* NTA covered */ covered = dns_view_ntacovers(myview, now, str2name("insecure.example"), @@ -662,38 +650,30 @@ ISC_LOOP_TEST_IMPL(nta) { assert_false(covered); /* As of now + 2, the NTA should be clear */ - result = dns_view_issecuredomain(myview, - str2name("test.insecure.example"), - now + 2, true, &covered, &issecure); - assert_int_equal(result, ISC_R_SUCCESS); + assert_true(dns_view_issecuredomain(myview, + str2name("test.insecure.example"), + now + 2, true, &covered)); assert_false(covered); - assert_true(issecure); /* Now check deletion */ - result = dns_view_issecuredomain(myview, str2name("test.new.example"), - now, true, &covered, &issecure); - assert_int_equal(result, ISC_R_SUCCESS); + assert_true(dns_view_issecuredomain( + myview, str2name("test.new.example"), now, true, &covered)); assert_false(covered); - assert_true(issecure); result = dns_ntatable_add(ntatable, str2name("new.example"), false, now, 3600); assert_int_equal(result, ISC_R_SUCCESS); - result = dns_view_issecuredomain(myview, str2name("test.new.example"), - now, true, &covered, &issecure); - assert_int_equal(result, ISC_R_SUCCESS); + assert_false(dns_view_issecuredomain( + myview, str2name("test.new.example"), now, true, &covered)); assert_true(covered); - assert_false(issecure); result = dns_ntatable_delete(ntatable, str2name("new.example")); assert_int_equal(result, ISC_R_SUCCESS); - result = dns_view_issecuredomain(myview, str2name("test.new.example"), - now, true, &covered, &issecure); - assert_int_equal(result, ISC_R_SUCCESS); + assert_true(dns_view_issecuredomain( + myview, str2name("test.new.example"), now, true, &covered)); assert_false(covered); - assert_true(issecure); isc_loopmgr_shutdown();