chg: usr: Revert "Fix NSEC3 closest encloser lookup for names with empty non-terminals"

Revert the fix for #4950 for 9.20.

This reverts MR !9438.

History: A performance improvement for NSEC3 closest encloser lookups (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and 9.21.1).

There was a bug in the code (#4950), so we reverted the change in !9611, !9613 and !9614 (not released).

Then a new attempt was merged in main (MR !9610) and backported to 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been backported and was reverted in !9689. 

We now also revert the fix for 9.20

Related #5108

Merge branch 'revert-4950-bind-logs-expected-covering-nsec3-got-an-exact-match-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9947

bin/tests/system/dnssec/tests.sh

@@ -4487,36 +4487,6 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^6OVDUHTN094ML2PV8AN90U0DPU823GH2\.nsec3.example\..*NSEC3 1 0 0 - 7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4 A RRSIG\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 1 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH\.nsec3.example\..*NSEC3 1 0 0 - R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 2 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.a.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^H7RHPDCHSVVRAND332F878C8AB6IBJQV\.nsec3.example\..*NSEC3 1 0 0 - K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
 ret=0
 (

lib/ns/query.c

@@ -11324,33 +11324,24 @@ again:
 		 * No NSEC proof available, return NSEC3 proofs instead.
 		 */
 		cname = dns_fixedname_initname(&cfixed);
-
 		/*
-		 * Find the closest encloser using a binary search.
-		 * maxlabels: suffix length of NXDOMAIN result
-		 * minlabels: suffix length of non NXDOMAIN result
+		 * Find the closest encloser.
 		 */
-		unsigned int maxlabels = dns_name_countlabels(name);
-		unsigned int minlabels = dns_name_countlabels(fname);
-		bool search = result == DNS_R_NXDOMAIN;
 		dns_name_copy(name, cname);
-		while (search) {
-			labels = (maxlabels + minlabels) / 2;
-			dns_name_split(name, labels, NULL, cname);
-			if (labels == minlabels) {
-				break;
+		while (result == DNS_R_NXDOMAIN) {
+			labels = dns_name_countlabels(cname) - 1;
+			/*
+			 * Sanity check.
+			 */
+			if (labels == 0U) {
+				goto cleanup;
 			}
+			dns_name_split(cname, labels, NULL, cname);
 			result = dns_db_findext(qctx->db, cname, qctx->version,
 						dns_rdatatype_nsec, options, 0,
 						NULL, fname, &cm, &ci, NULL,
 						NULL);
-			if (result == DNS_R_NXDOMAIN) {
-				maxlabels = labels;
-			} else {
-				minlabels = labels;
-			}
 		}
-
 		/*
 		 * Add closest (provable) encloser NSEC3.
 		 */