remove unused DNS_DBFIND options

the DNS_DBFIND_VALIDATEGLUE and DNS_DBFIND_FORCENSEC options
were never set, so the code implementing them (which in the case
of _VALIDATEGLUE appears to have been quite outdated anyway) was
never reached. they have now been removed.

lib/dns/include/dns/db.h

@@ -221,8 +221,10 @@ struct dns_db {
 	ISC_LIST(dns_dbonupdatelistener_t) update_listeners;
 };
 
-#define DNS_DBATTR_CACHE 0x01
-#define DNS_DBATTR_STUB	 0x02
+enum {
+	DNS_DBATTR_CACHE = 1 << 0,
+	DNS_DBATTR_STUB = 1 << 1,
+};
 
 struct dns_dbonupdatelistener {
 	dns_dbupdate_callback_t onupdate;
@@ -234,16 +236,16 @@ struct dns_dbonupdatelistener {
 /*%
  * Options that can be specified for dns_db_find().
  */
-#define DNS_DBFIND_GLUEOK	0x0001
-#define DNS_DBFIND_VALIDATEGLUE 0x0002
-#define DNS_DBFIND_NOWILD	0x0004
-#define DNS_DBFIND_PENDINGOK	0x0008
-#define DNS_DBFIND_NOEXACT	0x0010
-#define DNS_DBFIND_FORCENSEC	0x0020
-#define DNS_DBFIND_COVERINGNSEC 0x0040
-#define DNS_DBFIND_FORCENSEC3	0x0080
-#define DNS_DBFIND_ADDITIONALOK 0x0100
-#define DNS_DBFIND_NOZONECUT	0x0200
+enum {
+	DNS_DBFIND_GLUEOK = 1 << 0,
+	DNS_DBFIND_NOWILD = 1 << 1,
+	DNS_DBFIND_PENDINGOK = 1 << 2,
+	DNS_DBFIND_NOEXACT = 1 << 3,
+	DNS_DBFIND_COVERINGNSEC = 1 << 4,
+	DNS_DBFIND_FORCENSEC3 = 1 << 5,
+	DNS_DBFIND_ADDITIONALOK = 1 << 6,
+	DNS_DBFIND_NOZONECUT = 1 << 7,
+};
 
 /*
  * DNS_DBFIND_STALEOK: This flag is set when BIND fails to refresh a RRset due
@@ -785,11 +787,6 @@ dns__db_findext(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
  *	and working up to the zone origin.  This option is only meaningful
  *	when querying redirect zones.
  *
- * \li	If the #DNS_DBFIND_FORCENSEC option is set, the database is assumed to
- *	have NSEC records, and these will be returned when appropriate.  This
- *	is only necessary when querying a database that was not secure
- *	when created.
- *
  * \li	If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
  *	NSEC record that potentially covers 'name' if a answer cannot
  *	be found.  Note the returned NSEC needs to be checked to ensure

lib/dns/rbtdb.c

@@ -3231,60 +3231,6 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	return (DNS_R_DELEGATION);
 }
 
-static bool
-valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
-	   dns_rbtnode_t *node) {
-	unsigned char *raw; /* RDATASLAB */
-	unsigned int count, size;
-	dns_name_t ns_name;
-	bool valid = false;
-	dns_offsets_t offsets;
-	isc_region_t region;
-
-	/*
-	 * No additional locking is required.
-	 */
-
-	/*
-	 * Valid glue types are A, AAAA, A6.  NS is also a valid glue type
-	 * if it occurs at a zone cut, but is not valid below it.
-	 */
-	if (type == dns_rdatatype_ns) {
-		if (node != search->zonecut) {
-			return (false);
-		}
-	} else if (type != dns_rdatatype_a && type != dns_rdatatype_aaaa &&
-		   type != dns_rdatatype_a6)
-	{
-		return (false);
-	}
-
-	raw = raw_from_header(search->zonecut_rdataset);
-	count = raw[0] * 256 + raw[1];
-	raw += DNS_RDATASET_COUNT + DNS_RDATASET_LENGTH;
-
-	while (count > 0) {
-		count--;
-		size = raw[0] * 256 + raw[1];
-		raw += DNS_RDATASET_ORDER + DNS_RDATASET_LENGTH;
-		region.base = raw;
-		region.length = size;
-		raw += size;
-		/*
-		 * XXX Until we have rdata structures, we have no choice but
-		 * to directly access the rdata format.
-		 */
-		dns_name_init(&ns_name, offsets);
-		dns_name_fromregion(&ns_name, &region);
-		if (dns_name_compare(&ns_name, name) == 0) {
-			valid = true;
-			break;
-		}
-	}
-
-	return (valid);
-}
-
 static bool
 activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
 	    const dns_name_t *name) {
@@ -4093,7 +4039,6 @@ zone_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 		 */
 		if ((search.rbtversion->secure == dns_db_secure &&
 		     !search.rbtversion->havensec3) ||
-		    (search.options & DNS_DBFIND_FORCENSEC) != 0 ||
 		    (search.options & DNS_DBFIND_FORCENSEC3) != 0)
 		{
 			result = find_closest_nsec(
@@ -4379,24 +4324,13 @@ found:
 			}
 			goto tree_exit;
 		}
-		if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
-		    nsecheader == NULL)
-		{
-			/*
-			 * There's no NSEC record, and we were told
-			 * to find one.
-			 */
-			result = DNS_R_BADDB;
-			goto node_exit;
-		}
 		if (nodep != NULL) {
 			new_reference(search.rbtdb, node,
 				      nlocktype DNS__DB_FLARG_PASS);
 			*nodep = node;
 		}
 		if ((search.rbtversion->secure == dns_db_secure &&
-		     !search.rbtversion->havensec3) ||
-		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
+		     !search.rbtversion->havensec3))
 		{
 			bind_rdataset(search.rbtdb, node, nsecheader, 0,
 				      nlocktype, rdataset DNS__DB_FLARG_PASS);
@@ -4451,23 +4385,6 @@ found:
 		} else {
 			result = DNS_R_GLUE;
 		}
-		/*
-		 * We might have found data that isn't glue, but was occluded
-		 * by a dynamic update.  If the caller cares about this, they
-		 * will have told us to validate glue.
-		 *
-		 * XXX We should cache the glue validity state!
-		 */
-		if (result == DNS_R_GLUE &&
-		    (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
-		    !valid_glue(&search, foundname, type, node))
-		{
-			NODE_UNLOCK(lock, &nlocktype);
-			result = setup_delegation(
-				&search, nodep, foundname, rdataset,
-				sigrdataset DNS__DB_FLARG_PASS);
-			goto tree_exit;
-		}
 	} else {
 		/*
 		 * An ordinary successful query!