change issecuredomain() functions to bool

dns_keytable_issecuredomain() and dns_view_issecuredomain() previously returned a result code to inform the caller of unexpected database failures when looking up names in the keytable and/or NTA table. such failures are not actually possible. both functions now return a simple bool. also, dns_view_issecuredomain() now returns false if view->enablevalidation is false, so the caller no longer has to check for that.
2025-08-22 18:19:42 +00:00 · 2025-02-26 22:06:40 -08:00 · 2025-02-26 22:06:40 -08:00 · 7371c4882a
commit 7371c4882a
parent 5d56df23f2
6 changed files with 49 additions and 115 deletions
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@ -205,9 +205,9 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
 *\li	Any other result indicates an error.
 */
-isc_result_t
+bool
 dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
-			    dns_name_t *foundname, bool *wantdnssecp);
+			    dns_name_t *foundname);
 /*%<
 * Is 'name' at or beneath a trusted key?
 *
@ -219,20 +219,11 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
 *
 *\li	'foundanme' is NULL or is a pointer to an initialized dns_name_t
 *
 *\li	'*wantsdnssecp' is a valid bool.
 *
 * Ensures:
 *
- *\li	On success, *wantsdnssecp will be true if and only if 'name'
+ *\li	Returns true if and only if 'name' is at or beneath a trusted key.
- *	is at or beneath a trusted key.  If 'foundname' is not NULL, then
+ *	If 'foundname' is not NULL, then it will be updated to contain
- *	it will be updated to contain the name of the closest enclosing
+ *	the name of the closest enclosing trust anchor.
 *	trust anchor.
 *
 * Returns:
 *
 *\li	ISC_R_SUCCESS
 *
 *\li	Any other result is an error.
 */
 isc_result_t
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@ -985,13 +985,12 @@ dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
 *\li	ISC_R_NOTFOUND
 */
-isc_result_t
+bool
 dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
-			isc_stdtime_t now, bool checknta, bool *ntap,
+			isc_stdtime_t now, bool checknta, bool *ntap);
 			bool *secure_domain);
 /*%<
 * Is 'name' at or beneath a trusted key, and not covered by a valid
- * negative trust anchor?  Put answer in '*secure_domain'.
+ * negative trust anchor, and DNSSEC validation is enabled?
 *
 * If 'checknta' is false, ignore the NTA table in determining
 * whether this is a secure domain. If 'checknta' is not false, and if
@ -1000,10 +999,6 @@ dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
 *
 * Requires:
 * \li	'view' is valid.
 *
 * Returns:
 *\li	ISC_R_SUCCESS
 *\li	Any other value indicates failure
 */
 bool
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@ -524,13 +524,14 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
 	return result;
 }
-isc_result_t
+bool
 dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
-			    dns_name_t *foundname, bool *wantdnssecp) {
+			    dns_name_t *foundname) {
 	isc_result_t result;
 	dns_qpread_t qpr;
 	dns_keynode_t *keynode = NULL;
 	void *pval = NULL;
 	bool secure = false;
 	/*
 	 * Is 'name' at or beneath a trusted key?
@ -538,7 +539,6 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
 	REQUIRE(VALID_KEYTABLE(keytable));
 	REQUIRE(dns_name_isabsolute(name));
 	REQUIRE(wantdnssecp != NULL);
 	dns_qpmulti_query(keytable->table, &qpr);
 	result = dns_qp_lookup(&qpr, name, DNS_DBNAMESPACE_NORMAL, NULL, NULL,
@ -548,16 +548,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
 		if (foundname != NULL) {
 			dns_name_copy(&keynode->name, foundname);
 		}
-		*wantdnssecp = true;
+		secure = true;
 		result = ISC_R_SUCCESS;
 	} else if (result == ISC_R_NOTFOUND) {
 		*wantdnssecp = false;
 		result = ISC_R_SUCCESS;
 	}
 	dns_qpread_destroy(keytable->table, &qpr);
-	return result;
+	return secure;
 }
 static isc_result_t
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -2236,9 +2236,9 @@ compute_cc(const resquery_t *query, uint8_t *cookie, const size_t len) {
 	memmove(cookie, digest, CLIENT_COOKIE_SIZE);
 }
-static isc_result_t
+static bool
 issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
-	       isc_stdtime_t now, bool checknta, bool *ntap, bool *issecure) {
+	       isc_stdtime_t now, bool checknta, bool *ntap) {
 	dns_name_t suffix;
 	unsigned int labels;
@ -2255,8 +2255,7 @@ issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
 		name = &suffix;
 	}
-	return dns_view_issecuredomain(view, name, now, checknta, ntap,
+	return dns_view_issecuredomain(view, name, now, checknta, ntap);
 				       issecure);
 }
 static isc_result_t
@ -5846,13 +5845,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message,
 		checknta = false;
 	}
-	if (res->view->enablevalidation) {
+	secure_domain = issecuredomain(res->view, name, fctx->type, now,
-		result = issecuredomain(res->view, name, fctx->type, now,
+				       checknta, NULL);
 					checknta, NULL, &secure_domain);
 		if (result != ISC_R_SUCCESS) {
 			return result;
 		}
 	}
 	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
 		valoptions |= DNS_VALIDATOR_NOCDFLAG;
@ -6436,13 +6430,8 @@ ncache_message(fetchctx_t *fctx, dns_message_t *message,
 		checknta = false;
 	}
-	if (fctx->res->view->enablevalidation) {
+	secure_domain = issecuredomain(res->view, name, fctx->type, now,
-		result = issecuredomain(res->view, name, fctx->type, now,
+				       checknta, NULL);
 					checknta, NULL, &secure_domain);
 		if (result != ISC_R_SUCCESS) {
 			return result;
 		}
 	}
 	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
 		valoptions |= DNS_VALIDATOR_NOCDFLAG;
@ -9029,7 +9018,6 @@ rctx_ncache(respctx_t *rctx) {
 */
 static isc_result_t
 rctx_authority_dnssec(respctx_t *rctx) {
 	isc_result_t result;
 	fetchctx_t *fctx = rctx->fctx;
 	dns_message_t *msg = rctx->query->rmessage;
@ -9112,15 +9100,9 @@ rctx_authority_dnssec(respctx_t *rctx) {
 				if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
 					checknta = false;
 				}
-				if (fctx->res->view->enablevalidation) {
+				secure_domain = issecuredomain(
-					result = issecuredomain(
+					fctx->res->view, name, dns_rdatatype_ds,
-						fctx->res->view, name,
+					fctx->now, checknta, NULL);
 						dns_rdatatype_ds, fctx->now,
 						checknta, NULL, &secure_domain);
 					if (result != ISC_R_SUCCESS) {
 						return result;
 					}
 				}
 				if (secure_domain) {
 					rdataset->trust =
 						dns_trust_pending_answer;
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@ -1535,41 +1535,31 @@ dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now, const dns_name_t *name,
 	return dns_ntatable_covered(view->ntatable_priv, now, name, anchor);
 }
-isc_result_t
+bool
 dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
-			isc_stdtime_t now, bool checknta, bool *ntap,
+			isc_stdtime_t now, bool checknta, bool *ntap) {
 			bool *secure_domain) {
 	isc_result_t result;
 	bool secure = false;
 	dns_fixedname_t fn;
 	dns_name_t *anchor;
 	REQUIRE(DNS_VIEW_VALID(view));
-	if (view->secroots_priv == NULL) {
+	if (!view->enablevalidation || view->secroots_priv == NULL) {
-		return ISC_R_NOTFOUND;
+		return false;
 	}
 	anchor = dns_fixedname_initname(&fn);
-
+	secure = dns_keytable_issecuredomain(view->secroots_priv, name, anchor);
 	result = dns_keytable_issecuredomain(view->secroots_priv, name, anchor,
 					     &secure);
 	if (result != ISC_R_SUCCESS) {
 		return result;
 	}
 	SET_IF_NOT_NULL(ntap, false);
 	if (checknta && secure && view->ntatable_priv != NULL &&
 	    dns_ntatable_covered(view->ntatable_priv, now, name, anchor))
 	{
-		if (ntap != NULL) {
+		SET_IF_NOT_NULL(ntap, true);
 			*ntap = true;
 		}
 		secure = false;
 	}
-	*secure_domain = secure;
+	return secure;
 	return ISC_R_SUCCESS;
 }
 void
--- a/tests/dns/keytable_test.c
+++ b/tests/dns/keytable_test.c
@ -544,7 +544,6 @@ ISC_LOOP_TEST_IMPL(find) {
 /* check issecuredomain() */
 ISC_LOOP_TEST_IMPL(issecuredomain) {
 	bool issecure;
 	const char **n;
 	const char *names[] = { "example.com", "sub.example.com",
 				"null.example", "sub.null.example", NULL };
@ -559,22 +558,16 @@ ISC_LOOP_TEST_IMPL(issecuredomain) {
 	 * of installing a null key).
 	 */
 	for (n = names; *n != NULL; n++) {
-		assert_int_equal(dns_keytable_issecuredomain(keytable,
+		assert_true(dns_keytable_issecuredomain(keytable, str2name(*n),
-							     str2name(*n), NULL,
+							NULL));
 							     &issecure),
 				 ISC_R_SUCCESS);
 		assert_true(issecure);
 	}
 	/*
 	 * If the key table has no entry (not even a null one) for a domain or
 	 * any of its ancestors, that domain is considered insecure.
 	 */
-	assert_int_equal(dns_keytable_issecuredomain(keytable,
+	assert_false(dns_keytable_issecuredomain(
-						     str2name("example.org"),
+		keytable, str2name("example.org"), NULL));
 						     NULL, &issecure),
 			 ISC_R_SUCCESS);
 	assert_false(issecure);
 	destroy_tables();
@ -604,7 +597,7 @@ ISC_LOOP_TEST_IMPL(dump) {
 /* check negative trust anchors */
 ISC_LOOP_TEST_IMPL(nta) {
 	isc_result_t result;
-	bool issecure, covered;
+	bool covered;
 	dns_fixedname_t fn;
 	dns_name_t *keyname = dns_fixedname_name(&fn);
 	unsigned char digest[DNS_DS_BUFFERSIZE];
@ -636,20 +629,15 @@ ISC_LOOP_TEST_IMPL(nta) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 	/* Should be secure */
-	result = dns_view_issecuredomain(myview,
+	assert_true(dns_view_issecuredomain(
-					 str2name("test.secure.example"), now,
+		myview, str2name("test.secure.example"), now, true, &covered));
 					 true, &covered, &issecure);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_false(covered);
 	assert_true(issecure);
 	/* Should not be secure */
-	result = dns_view_issecuredomain(myview,
+	assert_false(dns_view_issecuredomain(myview,
-					 str2name("test.insecure.example"), now,
+					     str2name("test.insecure.example"),
-					 true, &covered, &issecure);
+					     now, true, &covered));
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(covered);
 	assert_false(issecure);
 	/* NTA covered */
 	covered = dns_view_ntacovers(myview, now, str2name("insecure.example"),
@ -662,38 +650,30 @@ ISC_LOOP_TEST_IMPL(nta) {
 	assert_false(covered);
 	/* As of now + 2, the NTA should be clear */
-	result = dns_view_issecuredomain(myview,
+	assert_true(dns_view_issecuredomain(myview,
-					 str2name("test.insecure.example"),
+					    str2name("test.insecure.example"),
-					 now + 2, true, &covered, &issecure);
+					    now + 2, true, &covered));
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_false(covered);
 	assert_true(issecure);
 	/* Now check deletion */
-	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+	assert_true(dns_view_issecuredomain(
-					 now, true, &covered, &issecure);
+		myview, str2name("test.new.example"), now, true, &covered));
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_false(covered);
 	assert_true(issecure);
 	result = dns_ntatable_add(ntatable, str2name("new.example"), false, now,
 				  3600);
 	assert_int_equal(result, ISC_R_SUCCESS);
-	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+	assert_false(dns_view_issecuredomain(
-					 now, true, &covered, &issecure);
+		myview, str2name("test.new.example"), now, true, &covered));
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_true(covered);
 	assert_false(issecure);
 	result = dns_ntatable_delete(ntatable, str2name("new.example"));
 	assert_int_equal(result, ISC_R_SUCCESS);
-	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+	assert_true(dns_view_issecuredomain(
-					 now, true, &covered, &issecure);
+		myview, str2name("test.new.example"), now, true, &covered));
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_false(covered);
 	assert_true(issecure);
 	isc_loopmgr_shutdown();