Revert isdelegation() to return boolean value again

The isdelegation() was changed to return an isc_result_t because the
idea was to have a separate return value DNS_R_NSEC3ITERRANGE to signal
to the caller we could not verify the proof because of too many
iterations in the NSEC3 record, or perhaps ISC_R_UNEXPECTED for a more
generic cause that verification was not done.

But this would make error handling more fragile and all we care about
is whether we can reliably say the NS bit was not set.

If we can not reliably say so, we have to treat it as an insecure
referrral.

Since the answer is either yes or no, we can revert back to returning
a boolean value.

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index a0ec6dfe34611c0fc551ad8b2cd103c333bfc4f7..93838f174a85941ada54434e56cc8720ef391bc4 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -255,13 +255,13 @@ validator_done(dns_validator_t *val, isc_result_t result) {
  * the delegation.
  *
  * Returns:
- *\li  #ISC_R_SUCCESS  the NS bitmap was set in the NSEC or NSEC3 record, or
- *                     the NSEC3 covers the name (in case of opt-out), or
- *                     we cannot validate the insecurity proof and are going
- *                     to treat the message as isnecure.
- *\li  #ISC_R_NOTFOUND the NS bitmap was not set,
+ *\li  #true  the NS bitmap was set in the NSEC or NSEC3 record, or
+ *            the NSEC3 covers the name (in case of opt-out), or
+ *            we cannot validate the insecurity proof and are going
+ *            to treat the message as insecure.
+ *\li  #false the NS bitmap was not set.
  */
-static isc_result_t
+static bool
 isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
             isc_result_t dbresult, const char *caller) {
        dns_fixedname_t fixed;
@@ -290,7 +290,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
                        goto trynsec3;
                }
                if (result != ISC_R_SUCCESS) {
-                       return ISC_R_NOTFOUND;
+                       return false;
                }
        }
 
@@ -304,7 +304,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
                found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
        }
        dns_rdataset_disassociate(&set);
-       return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+       return found;
 
 trynsec3:
        /*
@@ -349,7 +349,7 @@ trynsec3:
                                              "%s: too many iterations",
                                              caller);
                                dns_rdataset_disassociate(&set);
-                               return ISC_R_SUCCESS;
+                               return true;
                        }
                        length = isc_iterated_hash(
                                hash, nsec3.hash, nsec3.iterations,
@@ -363,7 +363,7 @@ trynsec3:
                                found = dns_nsec3_typepresent(&rdata,
                                                              dns_rdatatype_ns);
                                dns_rdataset_disassociate(&set);
-                               return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+                               return found;
                        }
                        if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
                                continue;
@@ -380,12 +380,12 @@ trynsec3:
                              memcmp(hash, nsec3.next.base, length) < 0)))
                        {
                                dns_rdataset_disassociate(&set);
-                               return ISC_R_SUCCESS;
+                               return true;
                        }
                }
                dns_rdataset_disassociate(&set);
        }
-       return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+       return found;
 }
 
 static void
@@ -621,10 +621,9 @@ fetch_callback_ds(void *arg) {
                        break;
                case DNS_R_NXRRSET:
                case DNS_R_NCACHENXRRSET:
-                       result = isdelegation(val, resp->foundname,
-                                             &val->frdataset, eresult,
-                                             "fetch_callback_ds");
-                       if (result == ISC_R_SUCCESS) {
+                       if (isdelegation(val, resp->foundname, &val->frdataset,
+                                        eresult, "fetch_callback_ds"))
+                       {
                                /*
                                 * Failed to find a DS while trying to prove
                                 * insecurity. If this is a zone cut, that
@@ -742,8 +741,7 @@ validator_callback_ds(void *arg) {
                    val->frdataset.covers == dns_rdatatype_ds &&
                    NEGATIVE(&val->frdataset) &&
                    isdelegation(val, name, &val->frdataset,
-                                DNS_R_NCACHENXRRSET,
-                                "validator_callback_ds") == ISC_R_SUCCESS)
+                                DNS_R_NCACHENXRRSET, "validator_callback_ds"))
                {
                        result = markanswer(val, "validator_callback_ds");
                } else if ((val->attributes & VALATTR_INSECURITY) != 0) {
@@ -3314,9 +3312,9 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
                        return ISC_R_COMPLETE;
                }
 
-               result = isdelegation(val, tname, &val->frdataset, result,
-                                     "seek_ds");
-               if (result == ISC_R_SUCCESS) {
+               if (isdelegation(val, tname, &val->frdataset, result,
+                                "seek_ds"))
+               {
                        *resp = markanswer(val, "seek_ds (3)");
                        return ISC_R_COMPLETE;
                }