change issecuredomain() functions to bool

dns_keytable_issecuredomain() and dns_view_issecuredomain()
previously returned a result code to inform the caller of
unexpected database failures when looking up names in the
keytable and/or NTA table. such failures are not actually
possible. both functions now return a simple bool.

also, dns_view_issecuredomain() now returns false if
view->enablevalidation is false, so the caller no longer
has to check for that.

lib/dns/include/dns/keytable.h

@@ -205,9 +205,9 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
  *\li	Any other result indicates an error.
  */
 
-isc_result_t
+bool
 dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
-			    dns_name_t *foundname, bool *wantdnssecp);
+			    dns_name_t *foundname);
 /*%<
  * Is 'name' at or beneath a trusted key?
  *
@@ -219,20 +219,11 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
  *
  *\li	'foundanme' is NULL or is a pointer to an initialized dns_name_t
  *
- *\li	'*wantsdnssecp' is a valid bool.
- *
  * Ensures:
  *
- *\li	On success, *wantsdnssecp will be true if and only if 'name'
- *	is at or beneath a trusted key.  If 'foundname' is not NULL, then
- *	it will be updated to contain the name of the closest enclosing
- *	trust anchor.
- *
- * Returns:
- *
- *\li	ISC_R_SUCCESS
- *
- *\li	Any other result is an error.
+ *\li	Returns true if and only if 'name' is at or beneath a trusted key.
+ *	If 'foundname' is not NULL, then it will be updated to contain
+ *	the name of the closest enclosing trust anchor.
  */
 
 isc_result_t

lib/dns/include/dns/view.h

@@ -985,13 +985,12 @@ dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
  *\li	ISC_R_NOTFOUND
  */
 
-isc_result_t
+bool
 dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
-			isc_stdtime_t now, bool checknta, bool *ntap,
-			bool *secure_domain);
+			isc_stdtime_t now, bool checknta, bool *ntap);
 /*%<
  * Is 'name' at or beneath a trusted key, and not covered by a valid
- * negative trust anchor?  Put answer in '*secure_domain'.
+ * negative trust anchor, and DNSSEC validation is enabled?
  *
  * If 'checknta' is false, ignore the NTA table in determining
  * whether this is a secure domain. If 'checknta' is not false, and if
@@ -1000,10 +999,6 @@ dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
  *
  * Requires:
  * \li	'view' is valid.
- *
- * Returns:
- *\li	ISC_R_SUCCESS
- *\li	Any other value indicates failure
  */
 
 bool

lib/dns/keytable.c

@@ -524,13 +524,14 @@ dns_keytable_finddeepestmatch(dns_keytable_t *keytable, const dns_name_t *name,
 	return result;
 }
 
-isc_result_t
+bool
 dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
-			    dns_name_t *foundname, bool *wantdnssecp) {
+			    dns_name_t *foundname) {
 	isc_result_t result;
 	dns_qpread_t qpr;
 	dns_keynode_t *keynode = NULL;
 	void *pval = NULL;
+	bool secure = false;
 
 	/*
 	 * Is 'name' at or beneath a trusted key?
@@ -538,7 +539,6 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
 
 	REQUIRE(VALID_KEYTABLE(keytable));
 	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(wantdnssecp != NULL);
 
 	dns_qpmulti_query(keytable->table, &qpr);
 	result = dns_qp_lookup(&qpr, name, DNS_DBNAMESPACE_NORMAL, NULL, NULL,
@@ -548,16 +548,12 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, const dns_name_t *name,
 		if (foundname != NULL) {
 			dns_name_copy(&keynode->name, foundname);
 		}
-		*wantdnssecp = true;
-		result = ISC_R_SUCCESS;
-	} else if (result == ISC_R_NOTFOUND) {
-		*wantdnssecp = false;
-		result = ISC_R_SUCCESS;
+		secure = true;
 	}
 
 	dns_qpread_destroy(keytable->table, &qpr);
 
-	return result;
+	return secure;
 }
 
 static isc_result_t

lib/dns/resolver.c

@@ -2236,9 +2236,9 @@ compute_cc(const resquery_t *query, uint8_t *cookie, const size_t len) {
 	memmove(cookie, digest, CLIENT_COOKIE_SIZE);
 }
 
-static isc_result_t
+static bool
 issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
-	       isc_stdtime_t now, bool checknta, bool *ntap, bool *issecure) {
+	       isc_stdtime_t now, bool checknta, bool *ntap) {
 	dns_name_t suffix;
 	unsigned int labels;
 
@@ -2255,8 +2255,7 @@ issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
 		name = &suffix;
 	}
 
-	return dns_view_issecuredomain(view, name, now, checknta, ntap,
-				       issecure);
+	return dns_view_issecuredomain(view, name, now, checknta, ntap);
 }
 
 static isc_result_t
@@ -5846,13 +5845,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message,
 		checknta = false;
 	}
 
-	if (res->view->enablevalidation) {
-		result = issecuredomain(res->view, name, fctx->type, now,
-					checknta, NULL, &secure_domain);
-		if (result != ISC_R_SUCCESS) {
-			return result;
-		}
-	}
+	secure_domain = issecuredomain(res->view, name, fctx->type, now,
+				       checknta, NULL);
 
 	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
 		valoptions |= DNS_VALIDATOR_NOCDFLAG;
@@ -6436,13 +6430,8 @@ ncache_message(fetchctx_t *fctx, dns_message_t *message,
 		checknta = false;
 	}
 
-	if (fctx->res->view->enablevalidation) {
-		result = issecuredomain(res->view, name, fctx->type, now,
-					checknta, NULL, &secure_domain);
-		if (result != ISC_R_SUCCESS) {
-			return result;
-		}
-	}
+	secure_domain = issecuredomain(res->view, name, fctx->type, now,
+				       checknta, NULL);
 
 	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
 		valoptions |= DNS_VALIDATOR_NOCDFLAG;
@@ -9029,7 +9018,6 @@ rctx_ncache(respctx_t *rctx) {
  */
 static isc_result_t
 rctx_authority_dnssec(respctx_t *rctx) {
-	isc_result_t result;
 	fetchctx_t *fctx = rctx->fctx;
 
 	dns_message_t *msg = rctx->query->rmessage;
@@ -9112,15 +9100,9 @@ rctx_authority_dnssec(respctx_t *rctx) {
 				if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
 					checknta = false;
 				}
-				if (fctx->res->view->enablevalidation) {
-					result = issecuredomain(
-						fctx->res->view, name,
-						dns_rdatatype_ds, fctx->now,
-						checknta, NULL, &secure_domain);
-					if (result != ISC_R_SUCCESS) {
-						return result;
-					}
-				}
+				secure_domain = issecuredomain(
+					fctx->res->view, name, dns_rdatatype_ds,
+					fctx->now, checknta, NULL);
 				if (secure_domain) {
 					rdataset->trust =
 						dns_trust_pending_answer;

lib/dns/view.c

@@ -1535,41 +1535,31 @@ dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now, const dns_name_t *name,
 	return dns_ntatable_covered(view->ntatable_priv, now, name, anchor);
 }
 
-isc_result_t
+bool
 dns_view_issecuredomain(dns_view_t *view, const dns_name_t *name,
-			isc_stdtime_t now, bool checknta, bool *ntap,
-			bool *secure_domain) {
-	isc_result_t result;
+			isc_stdtime_t now, bool checknta, bool *ntap) {
 	bool secure = false;
 	dns_fixedname_t fn;
 	dns_name_t *anchor;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
-	if (view->secroots_priv == NULL) {
-		return ISC_R_NOTFOUND;
+	if (!view->enablevalidation || view->secroots_priv == NULL) {
+		return false;
 	}
 
 	anchor = dns_fixedname_initname(&fn);
-
-	result = dns_keytable_issecuredomain(view->secroots_priv, name, anchor,
-					     &secure);
-	if (result != ISC_R_SUCCESS) {
-		return result;
-	}
+	secure = dns_keytable_issecuredomain(view->secroots_priv, name, anchor);
 
 	SET_IF_NOT_NULL(ntap, false);
 	if (checknta && secure && view->ntatable_priv != NULL &&
 	    dns_ntatable_covered(view->ntatable_priv, now, name, anchor))
 	{
-		if (ntap != NULL) {
-			*ntap = true;
-		}
+		SET_IF_NOT_NULL(ntap, true);
 		secure = false;
 	}
 
-	*secure_domain = secure;
-	return ISC_R_SUCCESS;
+	return secure;
 }
 
 void

tests/dns/keytable_test.c

@@ -544,7 +544,6 @@ ISC_LOOP_TEST_IMPL(find) {
 
 /* check issecuredomain() */
 ISC_LOOP_TEST_IMPL(issecuredomain) {
-	bool issecure;
 	const char **n;
 	const char *names[] = { "example.com", "sub.example.com",
 				"null.example", "sub.null.example", NULL };
@@ -559,22 +558,16 @@ ISC_LOOP_TEST_IMPL(issecuredomain) {
 	 * of installing a null key).
 	 */
 	for (n = names; *n != NULL; n++) {
-		assert_int_equal(dns_keytable_issecuredomain(keytable,
-							     str2name(*n), NULL,
-							     &issecure),
-				 ISC_R_SUCCESS);
-		assert_true(issecure);
+		assert_true(dns_keytable_issecuredomain(keytable, str2name(*n),
+							NULL));
 	}
 
 	/*
 	 * If the key table has no entry (not even a null one) for a domain or
 	 * any of its ancestors, that domain is considered insecure.
 	 */
-	assert_int_equal(dns_keytable_issecuredomain(keytable,
-						     str2name("example.org"),
-						     NULL, &issecure),
-			 ISC_R_SUCCESS);
-	assert_false(issecure);
+	assert_false(dns_keytable_issecuredomain(
+		keytable, str2name("example.org"), NULL));
 
 	destroy_tables();
 
@@ -604,7 +597,7 @@ ISC_LOOP_TEST_IMPL(dump) {
 /* check negative trust anchors */
 ISC_LOOP_TEST_IMPL(nta) {
 	isc_result_t result;
-	bool issecure, covered;
+	bool covered;
 	dns_fixedname_t fn;
 	dns_name_t *keyname = dns_fixedname_name(&fn);
 	unsigned char digest[DNS_DS_BUFFERSIZE];
@@ -636,20 +629,15 @@ ISC_LOOP_TEST_IMPL(nta) {
 	assert_int_equal(result, ISC_R_SUCCESS);
 
 	/* Should be secure */
-	result = dns_view_issecuredomain(myview,
-					 str2name("test.secure.example"), now,
-					 true, &covered, &issecure);
-	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(dns_view_issecuredomain(
+		myview, str2name("test.secure.example"), now, true, &covered));
 	assert_false(covered);
-	assert_true(issecure);
 
 	/* Should not be secure */
-	result = dns_view_issecuredomain(myview,
-					 str2name("test.insecure.example"), now,
-					 true, &covered, &issecure);
-	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_false(dns_view_issecuredomain(myview,
+					     str2name("test.insecure.example"),
+					     now, true, &covered));
 	assert_true(covered);
-	assert_false(issecure);
 
 	/* NTA covered */
 	covered = dns_view_ntacovers(myview, now, str2name("insecure.example"),
@@ -662,38 +650,30 @@ ISC_LOOP_TEST_IMPL(nta) {
 	assert_false(covered);
 
 	/* As of now + 2, the NTA should be clear */
-	result = dns_view_issecuredomain(myview,
+	assert_true(dns_view_issecuredomain(myview,
 					    str2name("test.insecure.example"),
-					 now + 2, true, &covered, &issecure);
-	assert_int_equal(result, ISC_R_SUCCESS);
+					    now + 2, true, &covered));
 	assert_false(covered);
-	assert_true(issecure);
 
 	/* Now check deletion */
-	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
-					 now, true, &covered, &issecure);
-	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(dns_view_issecuredomain(
+		myview, str2name("test.new.example"), now, true, &covered));
 	assert_false(covered);
-	assert_true(issecure);
 
 	result = dns_ntatable_add(ntatable, str2name("new.example"), false, now,
 				  3600);
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
-					 now, true, &covered, &issecure);
-	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_false(dns_view_issecuredomain(
+		myview, str2name("test.new.example"), now, true, &covered));
 	assert_true(covered);
-	assert_false(issecure);
 
 	result = dns_ntatable_delete(ntatable, str2name("new.example"));
 	assert_int_equal(result, ISC_R_SUCCESS);
 
-	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
-					 now, true, &covered, &issecure);
-	assert_int_equal(result, ISC_R_SUCCESS);
+	assert_true(dns_view_issecuredomain(
+		myview, str2name("test.new.example"), now, true, &covered));
 	assert_false(covered);
-	assert_true(issecure);
 
 	isc_loopmgr_shutdown();