Revert isdelegation() to return boolean value again
authorMatthijs Mekking <matthijs@isc.org>
Thu, 2 Apr 2026 09:16:29 +0000 (11:16 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 7 Apr 2026 07:52:27 +0000 (09:52 +0200)
The isdelegation() was changed to return an isc_result_t because the
idea was to have a separate return value DNS_R_NSEC3ITERRANGE to signal
to the caller we could not verify the proof because of too many
iterations in the NSEC3 record, or perhaps ISC_R_UNEXPECTED for a more
generic cause that verification was not done.

But this would make error handling more fragile and all we care about
is whether we can reliably say the NS bit was not set.

If we cannot reliably say so, we have to treat it as an insecure
referral.

Since the answer is either yes or no, we can revert back to returning
a boolean value.

(cherry picked from commit 3ac1bb1c391394d23a40facd424e49acfa5513bf)

lib/dns/validator.c

index 7db102062bfb877cbc953c9ba621d7b7929024c4..d7d38df39a304b61213ae1ea0888120cb4b7c812 100644 (file)
@@ -266,13 +266,13 @@ exit_check(dns_validator_t *val) {
  * the delegation.
  *
  * Returns:
- *\li  #ISC_R_SUCCESS  the NS bitmap was set in the NSEC or NSEC3 record, or
- *                     the NSEC3 covers the name (in case of opt-out), or
- *                     we cannot validate the insecurity proof and are going
- *                     to treat the message as isnecure.
- *\li  #ISC_R_NOTFOUND the NS bitmap was not set,
+ *\li  #true  the NS bitmap was set in the NSEC or NSEC3 record, or
+ *            the NSEC3 covers the name (in case of opt-out), or
+ *            we cannot validate the insecurity proof and are going
+ *            to treat the message as insecure.
+ *\li  #false the NS bitmap was not set.
  */
-static isc_result_t
+static bool
 isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
             isc_result_t dbresult, const char *caller) {
        dns_fixedname_t fixed;
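Review bot: The `#false` entry in the Returns list says only "the NS bitmap was not set", but the function also returns `false` from the `if (result != ISC_R_SUCCESS)` early exit in the next hunk, where no bitmap was examined (what produced `result` is outside the visible lines). The trailing `return found;` looks like it does the same when no matching record was seen. `false` is the answer that stops callers from marking the response as an insecure delegation, so the contract should cover those paths too, for example ` *\li  #false the NS bitmap was not set, or no usable NSEC/NSEC3 record was found.` As a smaller point, `#true`/`#false` put Doxygen's symbol-link prefix on plain keywords and would probably render better as `true`/`false`. The body of isdelegation() continues outside this hunk.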
@@ -302,7 +302,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
                        goto trynsec3;
                }
                if (result != ISC_R_SUCCESS) {
-                       return ISC_R_NOTFOUND;
+                       return false;
                }
        }
 
@@ -316,7 +316,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
                dns_rdata_reset(&rdata);
        }
        dns_rdataset_disassociate(&set);
-       return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+       return found;
 
 trynsec3:
        /*
@@ -365,7 +365,7 @@ trynsec3:
                                              "%s: too many iterations",
                                              caller);
                                dns_rdataset_disassociate(&set);
-                               return ISC_R_SUCCESS;
+                               return true;
                        }
                        length = isc_iterated_hash(
                                hash, nsec3.hash, nsec3.iterations, nsec3.salt,
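Review bot: The `return true;` after the "too many iterations" log is the one exit where `true` does not mean an NS bit or an opt-out cover was actually seen, and with a plain bool the callers can no longer tell the two cases apart. In seek_ds and validator_callback_ds the answer is then marked with the reason "this is a delegation", so the validator_log line above is the only trace that the proof was skipped. Unless the lines before this hunk already say so, I would add a comment at the return, such as `/* Proof not verified (iteration limit): report a delegation so the response is treated as insecure. */`, so a later cleanup does not flip it to `false` or drop the log call. The iteration check itself starts above the hunk and is not visible here.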
@@ -378,7 +378,7 @@ trynsec3:
                                found = dns_nsec3_typepresent(&rdata,
                                                              dns_rdatatype_ns);
                                dns_rdataset_disassociate(&set);
-                               return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+                               return found;
                        }
                        if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
                                continue;
@@ -394,12 +394,12 @@ trynsec3:
                              memcmp(hash, nsec3.next, length) < 0)))
                        {
                                dns_rdataset_disassociate(&set);
-                               return ISC_R_SUCCESS;
+                               return true;
                        }
                }
                dns_rdataset_disassociate(&set);
        }
-       return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+       return found;
 }
 
 /*%
@@ -616,8 +616,7 @@ fetch_callback_ds(isc_task_t *task, isc_event_t *event) {
                        goto unexpected;
                } else if (eresult != DNS_R_CNAME &&
                           isdelegation(val, devent->foundname, &val->frdataset,
-                                       eresult,
-                                       "fetch_callback_ds") == ISC_R_SUCCESS)
+                                       eresult, "fetch_callback_ds"))
                {
                        /*
                         * Failed to find a DS while trying to prove
@@ -786,8 +785,7 @@ validator_callback_ds(isc_task_t *task, isc_event_t *event) {
                    val->frdataset.covers == dns_rdatatype_ds &&
                    NEGATIVE(&val->frdataset) &&
                    isdelegation(val, name, &val->frdataset,
-                                DNS_R_NCACHENXRRSET,
-                                "validator_callback_ds") == ISC_R_SUCCESS)
+                                DNS_R_NCACHENXRRSET, "validator_callback_ds"))
                {
                        result = markanswer(val, "validator_callback_ds",
                                            "no DS and this is a delegation");
@@ -2879,9 +2877,9 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                        return ISC_R_COMPLETE;
                }
 
-               result = isdelegation(val, tname, &val->frdataset, result,
-                                     "seek_ds");
-               if (result == ISC_R_SUCCESS) {
+               if (isdelegation(val, tname, &val->frdataset, result,
+                                "seek_ds"))
+               {
                        *resp = markanswer(val, "seek_ds (3)",
                                           "this is a delegation");
                        return ISC_R_COMPLETE;