lib/dnssec/ta kr_ta_covers_qry(): generalize and improve

The closer (N)TA will win now.  That wasn't the case
if we had a positive TA underneath a negative TA.
(Well, I can't recall ever seeing anything close to a use case.)

diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index b6a8cb0bc69be440f1a9def52f870abf88fbda51..7d0cea47ef0885632b10dd156663d2bc282e4b1c 100644 (file)
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -35,6 +35,27 @@ const knot_dname_t *kr_ta_get_longest_name(map_t *trust_anchors, const knot_dnam
        return NULL;
 }
 
+const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dname_t *name,
+                                  const uint16_t type)
+{
+       assert(ctx && name);
+       if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
+               /* DS is parent-side record, so the parent name needs to be covered. */
+               name = knot_wire_next_label(name, NULL);
+       }
+       while (name) {
+               struct kr_context *ctx_nc = (struct kr_context *)/*const-cast*/ctx;
+               if (kr_ta_get(&ctx_nc->trust_anchors, name)) {
+                       return name;
+               }
+               if (kr_ta_get(&ctx_nc->negative_anchors, name)) {
+                       return NULL;
+               }
+               name = knot_wire_next_label(name, NULL);
+       }
+       return NULL;
+}
+
 /* @internal Create DS from DNSKEY, caller MUST free dst if successful. */
 static int dnskey2ds(dnssec_binary_t *dst, const knot_dname_t *owner, const uint8_t *rdata, uint16_t rdlen)
 {
@@ -130,22 +151,6 @@ int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name)
        return false;
 }
 
-bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
-                     const uint16_t type)
-{
-       assert(ctx && name);
-       if (type == KNOT_RRTYPE_DS && name[0] != '\0') {
-               /* DS is parent-side record, so the parent name needs to be covered. */
-               name = knot_wire_next_label(name, NULL);
-               if (!name) {
-                       assert(false);
-                       return false;
-               }
-       }
-       return kr_ta_covers(&ctx->trust_anchors, name)
-               && !kr_ta_covers(&ctx->negative_anchors, name);
-}
-
 /* Delete record data */
 static int del_record(const char *k, void *v, void *ext)
 {

diff --git a/lib/dnssec/ta.h b/lib/dnssec/ta.h
index 40094a8b36fc2f8fdefc231ab2a641cacc331639..8f3885a280afaf722a1a92d2bc17efbdf1da21ea 100644 (file)
--- a/lib/dnssec/ta.h
+++ b/lib/dnssec/ta.h
@@ -42,12 +42,28 @@ KR_EXPORT KR_PURE
 int kr_ta_covers(map_t *trust_anchors, const knot_dname_t *name);
 
 struct kr_context;
+
 /**
- * A wrapper around kr_ta_covers that is aware of negative TA and types.
+ * Return pointer to the name of the closest positive trust anchor or NULL.
+ *
+ * "Closest" means on path towards root.  Closer negative anchor results into NULL.
+ * @param type serves as a shorthand because DS needs to start one level higher.
  */
-KR_EXPORT KR_PURE
+KR_PURE
+const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dname_t *name,
+                                  const uint16_t type);
+
+/**
+ * A trivial wrapper around kr_ta_closest
+ *
+ * TODO: drop it?  The name doesn't feel very suitable either.
+ */
+static inline
 bool kr_ta_covers_qry(struct kr_context *ctx, const knot_dname_t *name,
-                     const uint16_t type);
+                     const uint16_t type)
+{
+       return kr_ta_closest(ctx, name, type) != NULL;
+}
 
 /**
  * Remove TA from trust store.