From 65105e6555db1f8131ec5fc33d4a4c44ca1c94d2 Mon Sep 17 00:00:00 2001
From: Miod Vallat <miod.vallat@powerdns.com>
Date: Fri, 25 Jul 2025 09:05:25 +0200
Subject: [PATCH] Simplify some DNSName label processing.

Instead of checking countLabels() against zero, introduce a faster
hasLabels() which does not need to actually count them.

Also replace getRawLabels()[n] with getRawLabel(n), the only difference
being that getRawLabel() will raise an exception if n is out of bounds,
instead of returning garbage.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>
---
 pdns/dnsname.hh       |  1 +
 pdns/dnssecsigner.cc  |  2 +-
 pdns/packethandler.cc |  8 ++++----
 pdns/pdnsutil.cc      |  4 ++--
 pdns/validate.cc      | 10 +++++-----
 5 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index 4949d04650..a20c0f1d0c 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -152,6 +152,7 @@ public:
   size_t wirelength() const; //!< Number of total bytes in the name
   bool empty() const { return d_storage.empty(); }
   bool isRoot() const { return d_storage.size()==1 && d_storage[0]==0; }
+  bool hasLabels() const { return !empty() && !isRoot(); }
   void clear() { d_storage.clear(); }
   void trimToLabels(unsigned int);
   size_t hash(size_t init=0) const
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 9b93a41357..880c1b0b22 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -161,7 +161,7 @@ static void addSignature(DNSSECKeeper& dsk, UeberBackend& ueber, const ZoneName&
     dsk.getPreRRSIGs(ueber, outsigned, origTTL, packet); // does it all
   }
   else {
-    if(getRRSIGsForRRSET(dsk, signer, wildcardname.countLabels() != 0 ? wildcardname : signQName, signQType, signTTL, toSign, rrcs) < 0)  {
+    if(getRRSIGsForRRSET(dsk, signer, wildcardname.hasLabels() ? wildcardname : signQName, signQType, signTTL, toSign, rrcs) < 0)  {
       // cerr<<"Error signing a record!"<<endl;
       return;
     }
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index b76b45b86b..51b9f645b3 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -382,8 +382,8 @@ void PacketHandler::getBestDNAMESynth(DNSPacket& p, DNSName &target, vector<DNSZ
     if(!ret.empty()) {
       return;
     }
-    if(subdomain.countLabels() != 0) {
-      prefix.appendRawLabel(subdomain.getRawLabels()[0]); // XXX DNSName pain this feels wrong
+    if(subdomain.hasLabels()) {
+      prefix.appendRawLabel(subdomain.getRawLabel(0)); // XXX DNSName pain this feels wrong
     }
     if(subdomain == d_sd.qname()) { // stop at SOA
       break;
@@ -1337,7 +1337,7 @@ void PacketHandler::completeANYRecords(DNSPacket& p, std::unique_ptr<DNSPacket>&
 bool PacketHandler::tryAuthSignal(DNSPacket& p, std::unique_ptr<DNSPacket>& r, DNSName &target) // NOLINT(readability-identifier-length)
 {
   DLOG(g_log<<Logger::Warning<<"Let's try authenticated DNSSEC bootstrapping (RFC 9615) ..."<<endl);
-  if(d_sd.zonename.operator const DNSName&().countLabels() == 0 || !pdns_iequals(d_sd.zonename.operator const DNSName&().getRawLabel(0), "_signal") || !d_dk.isSignalingZone(d_sd.zonename)) {
+  if(!d_sd.zonename.operator const DNSName&().hasLabels() || !pdns_iequals(d_sd.zonename.operator const DNSName&().getRawLabel(0), "_signal") || !d_dk.isSignalingZone(d_sd.zonename)) {
     return false;
   }
 
@@ -1353,7 +1353,7 @@ bool PacketHandler::tryAuthSignal(DNSPacket& p, std::unique_ptr<DNSPacket>& r, D
   }
 
   // Check for prefix mismatch
-  if(target.countLabels() == 0 || !pdns_iequals(target.getRawLabel(0), "_dsboot")) {
+  if(!target.hasLabels() || !pdns_iequals(target.getRawLabel(0), "_dsboot")) {
     makeNOError(p, r, target, DNSName(), 0); // could be ENT
     return true;
   }
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 1f4517c9c7..3f4f9c552d 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -1107,7 +1107,7 @@ static int checkZone(DNSSECKeeper &dk, UeberBackend &B, const ZoneName& zone, co
       continue;
     }
 
-    if (isSecure && isOptOut && (rr.qname.countLabels() != 0 && rr.qname.getRawLabels()[0] == "*")) {
+    if (isSecure && isOptOut && (rr.qname.hasLabels() && rr.qname.getRawLabel(0) == "*")) {
       cout<<"[Warning] wildcard record '"<<rr.qname<<" IN " <<rr.qtype.toString()<<" "<<rr.content<<"' is insecure"<<endl;
       cout<<"[Info] Wildcard records in opt-out zones are insecure. Disable the opt-out flag for this zone to avoid this warning. Command: pdnsutil set-nsec3 "<<zone<<endl;
       numwarnings++;
@@ -4221,7 +4221,7 @@ static int setSignalingZone(vector<string>& cmds, const std::string_view synopsi
 
   ZoneName zone(cmds.at(0));
 
-  if(zone.operator const DNSName&().countLabels() == 0 || !pdns_iequals(zone.operator const DNSName&().getRawLabel(0), "_signal")) {
+  if(!zone.operator const DNSName&().hasLabels() || !pdns_iequals(zone.operator const DNSName&().getRawLabel(0), "_signal")) {
     cerr << "Signaling zone's first label must be '_signal': " << zone << endl;
     return 1;
   }
diff --git a/pdns/validate.cc b/pdns/validate.cc
index b36f7e6f03..6f7aa17b20 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -224,7 +224,7 @@ bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>&
         return false;
       }
 
-      const string beginHash = fromBase32Hex(record.d_name.getRawLabels()[0]);
+      const string beginHash = fromBase32Hex(record.d_name.getRawLabel(0));
       if (beginHash == hash) {
         return !nsec3->isSet(QType::NS);
       }
@@ -436,7 +436,7 @@ static bool provesNSEC3NoWildCard(const DNSName& closestEncloser, uint16_t const
           return false;
         }
         VLOG(log, closestEncloser << ":\tWildcard hash: "<<toBase32Hex(hash)<<endl);
-        string beginHash=fromBase32Hex(validset.first.first.getRawLabels()[0]);
+        string beginHash=fromBase32Hex(validset.first.first.getRawLabel(0));
         VLOG(log, closestEncloser << ":\tNSEC3 hash: "<<toBase32Hex(beginHash)<<" -> "<<toBase32Hex(nsec3->d_nexthash)<<endl);
 
         if (beginHash == hash) {
@@ -761,7 +761,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
         nsec3Seen = true;
 
         VLOG(log, qname << ":\tquery hash: "<<toBase32Hex(hash)<<endl);
-        string beginHash = fromBase32Hex(hashedOwner.getRawLabels()[0]);
+        string beginHash = fromBase32Hex(hashedOwner.getRawLabel(0));
 
         // If the name exists, check if the qtype is denied
         if (beginHash == hash) {
@@ -864,7 +864,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
               return dState::INSECURE;
             }
 
-            string beginHash=fromBase32Hex(validset.first.first.getRawLabels()[0]);
+            string beginHash=fromBase32Hex(validset.first.first.getRawLabel(0));
 
             VLOG(log, qname << ": Comparing "<<toBase32Hex(hash)<<" ("<<closestEncloser<<") against "<<toBase32Hex(beginHash)<<endl);
             if (beginHash == hash) {
@@ -961,7 +961,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
               continue;
             }
 
-            string beginHash=fromBase32Hex(validset.first.first.getRawLabels()[0]);
+            string beginHash=fromBase32Hex(validset.first.first.getRawLabel(0));
 
             VLOG(log, qname << ": Comparing "<<toBase32Hex(hash)<<" against "<<toBase32Hex(beginHash)<<" -> "<<toBase32Hex(nsec3->d_nexthash)<<endl);
             if (isCoveredByNSEC3Hash(hash, beginHash, nsec3->d_nexthash)) {
-- 
2.47.2