[9.20] chg: dev: Revert isdelegation() to return boolean value again

Closes #5838 Backport of MR !11792 Merge branch 'backport-5838-cid-645252-control-flow-issues-deadcode-in-validator-9.20' into 'bind-9.20' See merge request isc-projects/bind9!11802
2026-06-10 06:09:59 -04:00 · 2026-04-07 08:23:57 +00:00 · 2026-04-07 08:23:57 +00:00 · 6d89bfdf03
commit 6d89bfdf03
parent a48b287d9f f58554d05a
1 changed files with 28 additions and 27 deletions
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -258,9 +258,9 @@ validator_done(dns_validator_t *val, isc_result_t result) {
 }

 /*%
- * The isdelegation() function is called as part of seeking the DS record.
- * Look in the NSEC or NSEC3 record returned from a DS query to see if the
- * record has the NS bitmap set. If so, we are at a delegation point.
+ * The is_insecure_referral() function is called as part of seeking the DS
+ * record. Look in the NSEC or NSEC3 record returned from a DS query to see if
+ * the record has the NS bitmap set. If so, we are at a delegation point.
 *
 * If the response contains NSEC3 records with too high iterations, we cannot
 * (or rather we are not going to) validate the insecurity proof. Instead we
@ -268,15 +268,16 @@ validator_done(dns_validator_t *val, isc_result_t result) {
 * the delegation.
 *
 * Returns:
- *\li	#ISC_R_SUCCESS	the NS bitmap was set in the NSEC or NSEC3 record, or
- *			the NSEC3 covers the name (in case of opt-out), or
- *			we cannot validate the insecurity proof and are going
- *			to treat the message as isnecure.
- *\li	#ISC_R_NOTFOUND the NS bitmap was not set,
+ *\li	#true  the NS bitmap was set in the NSEC or NSEC3 record, or
+ *	       the NSEC3 covers the name (in case of opt-out), or
+ *	       we cannot validate the insecurity proof and are going
+ *	       to treat the message as insecure.
+ *\li	#false the NS bitmap was not set.
 */
-static isc_result_t
-isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
-	     isc_result_t dbresult, const char *caller) {
+static bool
+is_insecure_referral(dns_validator_t *val, dns_name_t *name,
+		     dns_rdataset_t *rdataset, isc_result_t dbresult,
+		     const char *caller) {
 	dns_fixedname_t fixed;
 	dns_label_t hashlabel;
 	dns_name_t nsec3name;
@ -304,7 +305,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
 			goto trynsec3;
 		}
 		if (result != ISC_R_SUCCESS) {
-			return ISC_R_NOTFOUND;
+			return false;
 		}
 	}

@ -318,7 +319,7 @@ isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
 		dns_rdata_reset(&rdata);
 	}
 	dns_rdataset_disassociate(&set);
-	return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+	return found;

 trynsec3:
 	/*
@ -367,7 +368,7 @@ trynsec3:
 					      "%s: too many iterations",
 					      caller);
 				dns_rdataset_disassociate(&set);
-				return ISC_R_SUCCESS;
+				return true;
 			}
 			length = isc_iterated_hash(
 				hash, nsec3.hash, nsec3.iterations, nsec3.salt,
@ -380,7 +381,7 @@ trynsec3:
 				found = dns_nsec3_typepresent(&rdata,
 							      dns_rdatatype_ns);
 				dns_rdataset_disassociate(&set);
-				return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+				return found;
 			}
 			if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
 				continue;
@ -396,12 +397,12 @@ trynsec3:
 			      memcmp(hash, nsec3.next, length) < 0)))
 			{
 				dns_rdataset_disassociate(&set);
-				return ISC_R_SUCCESS;
+				return true;
 			}
 		}
 		dns_rdataset_disassociate(&set);
 	}
-	return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
+	return found;
 }

 static void
@ -615,10 +616,10 @@ fetch_callback_ds(void *arg) {
 			break;
 		case DNS_R_NXRRSET:
 		case DNS_R_NCACHENXRRSET:
-			result = isdelegation(val, resp->foundname,
-					      &val->frdataset, eresult,
-					      "fetch_callback_ds");
-			if (result == ISC_R_SUCCESS) {
+			if (is_insecure_referral(val, resp->foundname,
+						 &val->frdataset, eresult,
+						 "fetch_callback_ds"))
+			{
 				/*
 				 * Failed to find a DS while trying to prove
 				 * insecurity. If this is a zone cut, that
@ -738,9 +739,9 @@ validator_callback_ds(void *arg) {
 		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
 		    val->frdataset.covers == dns_rdatatype_ds &&
 		    NEGATIVE(&val->frdataset) &&
-		    isdelegation(val, name, &val->frdataset,
-				 DNS_R_NCACHENXRRSET,
-				 "validator_callback_ds") == ISC_R_SUCCESS)
+		    is_insecure_referral(val, name, &val->frdataset,
+					 DNS_R_NCACHENXRRSET,
+					 "validator_callback_ds"))
 		{
 			result = markanswer(val, "validator_callback_ds",
 					    "no DS and this is a delegation");
@ -3223,9 +3224,9 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
 			return ISC_R_COMPLETE;
 		}

-		result = isdelegation(val, tname, &val->frdataset, result,
-				      "seek_ds");
-		if (result == ISC_R_SUCCESS) {
+		if (is_insecure_referral(val, tname, &val->frdataset, result,
+					 "seek_ds"))
+		{
 			*resp = markanswer(val, "seek_ds (3)",
 					   "this is a delegation");
 			return ISC_R_COMPLETE;