From: Ondřej Surý Date: Mon, 11 Aug 2025 08:06:33 +0000 (+0200) Subject: Add dns_rdatatype_isnsec() helper function X-Git-Tag: v9.21.12~44^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=344536291892b8ccce7db98212385ae37d335cca;p=thirdparty%2Fbind9.git Add dns_rdatatype_isnsec() helper function Replace the checks for both NSEC and NSEC3 with a single helper function. --- diff --git a/bin/dig/host.c b/bin/dig/host.c index 2afcf7638df..c85ba70258e 100644 --- a/bin/dig/host.c +++ b/bin/dig/host.c @@ -240,8 +240,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid, } if (list_almost_all && (rdataset->type == dns_rdatatype_rrsig || - rdataset->type == dns_rdatatype_nsec || - rdataset->type == dns_rdatatype_nsec3)) + dns_rdatatype_isnsec(rdataset->type))) { continue; } diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 6128b33a25e..44b1d39fe3e 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -214,8 +214,7 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) { dns_rdatasetiter_current(iter, &rds); if (rds.type != dns_rdatatype_rrsig && - rds.type != dns_rdatatype_nsec && - rds.type != dns_rdatatype_nsec3 && + !dns_rdatatype_isnsec(rds.type) && rds.type != dns_rdatatype_nsec3param && (!smartsign || rds.type != dns_rdatatype_dnskey)) { @@ -1264,9 +1263,7 @@ active_node(dns_dbnode_t *node) { dns_rdatatype_t t = rdataset.type; dns_rdataset_disassociate(&rdataset); - if (t != dns_rdatatype_nsec && t != dns_rdatatype_nsec3 && - t != dns_rdatatype_rrsig) - { + if (!dns_rdatatype_isnsec(t) && t != dns_rdatatype_rrsig) { active = true; break; } diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h index 6e0a89cdf6a..f31dce0fe2f 100644 --- a/lib/dns/include/dns/rdata.h +++ b/lib/dns/include/dns/rdata.h 
@@ -736,6 +736,14 @@ dns_rdatatype_issig(dns_rdatatype_t type) { return type == dns_rdatatype_rrsig || type == dns_rdatatype_sig; } +/*% + * Return true iff the rdata type is a insecurity proof: either NSEC or NSEC3. + */ +static inline bool +dns_rdatatype_isnsec(dns_rdatatype_t type) { + return type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3; +} + /*% * Return true iff the rdata type is an address: either A or AAAA. */ diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c index 0461bde7a44..5051185862b 100644 --- a/lib/dns/ncache.c +++ b/lib/dns/ncache.c @@ -154,8 +154,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, type = rdataset->covers; } if (type == dns_rdatatype_soa || - type == dns_rdatatype_nsec || - type == dns_rdatatype_nsec3) + dns_rdatatype_isnsec(type)) { if (ttl > rdataset->ttl) { ttl = rdataset->ttl; diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c index 6b8f6fffd0e..03f12404922 100644 --- a/lib/dns/nsec.c +++ b/lib/dns/nsec.c @@ -125,8 +125,7 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, DNS_RDATASETITER_FOREACH (rdsiter) { dns_rdataset_t rdataset = DNS_RDATASET_INIT; dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type != dns_rdatatype_nsec && - rdataset.type != dns_rdatatype_nsec3 && + if (!dns_rdatatype_isnsec(rdataset.type) && rdataset.type != dns_rdatatype_rrsig) { if (rdataset.type > max_type) { diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 7a7db5aafdf..a0c5f070dfb 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -123,8 +123,7 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, DNS_RDATASETITER_FOREACH (rdsiter) { dns_rdataset_t rdataset = DNS_RDATASET_INIT; dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type != dns_rdatatype_nsec && - rdataset.type != dns_rdatatype_nsec3 && + if (!dns_rdatatype_isnsec(rdataset.type) && rdataset.type != dns_rdatatype_rrsig) { if (rdataset.type > max_type) { 
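Review bot: The doc comment added above dns_rdatatype_isnsec() in lib/dns/include/dns/rdata.h calls NSEC/NSEC3 "a insecurity proof", which is ungrammatical and narrower than how callers in this commit use the helper (negative caching, the noqname/closest lookups in rdatalist.c, and the RPZ and redirect decisions in query.c). NSEC and NSEC3 are the DNSSEC authenticated denial-of-existence records, so I would word it as `Return true iff the rdata type is a DNSSEC denial-of-existence record: either NSEC or NSEC3.` The comment should also state that NSEC3PARAM is not matched, since the dumpnode() hunk in bin/dnssec/dnssec-signzone.c still has to test `dns_rdatatype_nsec3param` separately.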
diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c index eabaec5e735..bb3fb9f5629 100644 --- a/lib/dns/qpzone.c +++ b/lib/dns/qpzone.c @@ -3867,8 +3867,7 @@ found: * cut or not. It is needed for RFC3007 * validated updates. */ - if (type == dns_rdatatype_nsec || - type == dns_rdatatype_nsec3 || + if (dns_rdatatype_isnsec(type) || type == dns_rdatatype_key) { result = ISC_R_SUCCESS; diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c index ac286c64b36..fbcf15c1214 100644 --- a/lib/dns/rdatalist.c +++ b/lib/dns/rdatalist.c @@ -182,9 +182,7 @@ dns_rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) { if (rdset->rdclass != rdataset->rdclass) { continue; } - if (rdset->type == dns_rdatatype_nsec || - rdset->type == dns_rdatatype_nsec3) - { + if (dns_rdatatype_isnsec(rdset->type)) { neg = rdset; } } @@ -241,9 +239,7 @@ dns_rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name, if (rdset->rdclass != rdclass) { continue; } - if (rdset->type == dns_rdatatype_nsec || - rdset->type == dns_rdatatype_nsec3) - { + if (dns_rdatatype_isnsec(rdset->type)) { tneg = rdset; } } @@ -280,9 +276,7 @@ dns_rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) { if (rdset->rdclass != rdataset->rdclass) { continue; } - if (rdset->type == dns_rdatatype_nsec || - rdset->type == dns_rdatatype_nsec3) - { + if (dns_rdatatype_isnsec(rdset->type)) { neg = rdset; } } @@ -338,9 +332,7 @@ dns_rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, if (rdset->rdclass != rdclass) { continue; } - if (rdset->type == dns_rdatatype_nsec || - rdset->type == dns_rdatatype_nsec3) - { + if (dns_rdatatype_isnsec(rdset->type)) { tneg = rdset; } } diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 139f87d7071..970e6f1708f 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
@@ -5683,9 +5683,7 @@ findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name, bool setclosest = false; bool setnearest = false; - if (nrdataset->type != dns_rdatatype_nsec && - nrdataset->type != dns_rdatatype_nsec3) - { + if (!dns_rdatatype_isnsec(nrdataset->type)) { continue; } diff --git a/lib/dns/update.c b/lib/dns/update.c index b0781de4417..16b287c3c0c 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -750,11 +750,9 @@ failure: static isc_result_t is_non_nsec_action(void *data, dns_rdataset_t *rrset) { UNUSED(data); - if (!(rrset->type == dns_rdatatype_nsec || - rrset->type == dns_rdatatype_nsec3 || + if (!(dns_rdatatype_isnsec(rrset->type) || (rrset->type == dns_rdatatype_rrsig && - (rrset->covers == dns_rdatatype_nsec || - rrset->covers == dns_rdatatype_nsec3)))) + dns_rdatatype_isnsec(rrset->covers)))) { return ISC_R_EXISTS; } diff --git a/lib/ns/query.c b/lib/ns/query.c index 8f649ac1f49..19c83ee5c3b 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -4376,8 +4376,7 @@ rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, /* * Do not rewrite if there is any sign of signatures. */ - if (rdataset->type == dns_rdatatype_nsec || - rdataset->type == dns_rdatatype_nsec3 || + if (dns_rdatatype_isnsec(rdataset->type) || rdataset->type == dns_rdatatype_rrsig) { return false; @@ -4395,9 +4394,7 @@ rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_ncache_current(rdataset, found, &trdataset); type = trdataset.type; dns_rdataset_disassociate(&trdataset); - if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || - type == dns_rdatatype_rrsig) - { + if (dns_rdatatype_isnsec(type) || type == dns_rdatatype_rrsig) { return false; } } 
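Review bot: In is_non_nsec_action() in lib/dns/update.c the condition remains a negated OR with a nested AND on `rrset->covers`, and nothing in the hunk says what ISC_R_EXISTS means to the caller. A one-line comment above the `if` would make the intent reviewable, for example `/* Report ISC_R_EXISTS for any rrset that is neither NSEC/NSEC3 nor an RRSIG covering NSEC/NSEC3. */`. The function body continues past the end of the hunk, so its other return value is not visible here.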
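Review bot: The test `dns_rdatatype_isnsec(type) || type == dns_rdatatype_rrsig` is now written out twice in rpz_ck_dnssec() and again in the dns_ncache_current() blocks of redirect() and redirect2() in lib/ns/query.c. Each copy decides whether the presence of DNSSEC data suppresses a rewrite or redirect, so a later edit that touches only one site would make them disagree without any warning. A file-local helper would keep them aligned, for example `static inline bool is_nsec_or_rrsig(dns_rdatatype_t t) { return dns_rdatatype_isnsec(t) || t == dns_rdatatype_rrsig; }` (the name is only a suggestion). Do not substitute dns_rdatatype_issig() for the RRSIG comparison, because the context line in the rdata.h hunk shows it also matches SIG, which would change behaviour. All three functions extend beyond their hunks.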
@@ -4732,8 +4729,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, return ISC_R_NOTFOUND; } if (rdataset->trust == dns_trust_ultimate && - (rdataset->type == dns_rdatatype_nsec || - rdataset->type == dns_rdatatype_nsec3)) + dns_rdatatype_isnsec(rdataset->type)) { return ISC_R_NOTFOUND; } @@ -4742,8 +4738,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_ncache_current(rdataset, found, &trdataset); type = trdataset.type; dns_rdataset_disassociate(&trdataset); - if (type == dns_rdatatype_nsec || - type == dns_rdatatype_nsec3 || + if (dns_rdatatype_isnsec(type) || type == dns_rdatatype_rrsig) { return ISC_R_NOTFOUND; @@ -4866,8 +4861,7 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, return ISC_R_NOTFOUND; } if (rdataset->trust == dns_trust_ultimate && - (rdataset->type == dns_rdatatype_nsec || - rdataset->type == dns_rdatatype_nsec3)) + dns_rdatatype_isnsec(rdataset->type)) { return ISC_R_NOTFOUND; } @@ -4876,8 +4870,7 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, dns_ncache_current(rdataset, found, &trdataset); type = trdataset.type; dns_rdataset_disassociate(&trdataset); - if (type == dns_rdatatype_nsec || - type == dns_rdatatype_nsec3 || + if (dns_rdatatype_isnsec(type) || type == dns_rdatatype_rrsig) { return ISC_R_NOTFOUND;