lib/resolve: minor improvements around kr_ta_* calls

This orphaned kr_ta_get_longest_name() so it got removed as well,
even though it's a potentially useful abstraction.

lib/dnssec/ta.c

@@ -21,20 +21,6 @@ knot_rrset_t *kr_ta_get(map_t *trust_anchors, const knot_dname_t *name)
 	return map_get(trust_anchors, (const char *)name);
 }
 
-const knot_dname_t *kr_ta_get_longest_name(map_t *trust_anchors, const knot_dname_t *name)
-{
-	while(name) {
-		if (kr_ta_get(trust_anchors, name)) {
-			return name;
-		}
-		if (name[0] == '\0') {
-			break;
-		}
-		name = knot_wire_next_label(name, NULL);
-	}
-	return NULL;
-}
-
 const knot_dname_t * kr_ta_closest(const struct kr_context *ctx, const knot_dname_t *name,
 				   const uint16_t type)
 {

lib/dnssec/ta.h

@@ -71,13 +71,3 @@ int kr_ta_del(map_t *trust_anchors, const knot_dname_t *name);
 KR_EXPORT
 void kr_ta_clear(map_t *trust_anchors);
 
-/**
- * Return TA with the longest name that covers given name.
- * @param trust_anchors trust store
- * @param name name of the TA
- * @return pointer to name or NULL.
-	   if not NULL, points inside the name parameter.
- */
-KR_EXPORT
-const knot_dname_t *kr_ta_get_longest_name(map_t *trust_anchors, const knot_dname_t *name);
-

lib/resolve.c

@@ -931,7 +931,7 @@ static int forward_trust_chain_check(struct kr_request *request, struct kr_query
 	const knot_dname_t *start_name = qry->sname;
 	if ((qry->flags.AWAIT_CUT) && !resume) {
 		qry->flags.AWAIT_CUT = false;
-		const knot_dname_t *longest_ta = kr_ta_get_longest_name(trust_anchors, qry->sname);
+		const knot_dname_t *longest_ta = kr_ta_closest(request->ctx, qry->sname, qry->stype);
 		if (longest_ta) {
 			start_name = longest_ta;
 			qry->zone_cut.name = knot_dname_copy(start_name, qry->zone_cut.pool);
@@ -1105,13 +1105,10 @@ static int trust_chain_check(struct kr_request *request, struct kr_query *qry)
 	}
 	/* Enable DNSSEC if entering a new (or different) island of trust,
 	 * and update the TA RRset if required. */
-	bool want_secured = (qry->flags.DNSSEC_WANT) &&
-			    !knot_wire_get_cd(request->qsource.packet->wire);
+	const bool has_cd = knot_wire_get_cd(request->qsource.packet->wire);
 	knot_rrset_t *ta_rr = kr_ta_get(trust_anchors, qry->zone_cut.name);
-	if (!knot_wire_get_cd(request->qsource.packet->wire) && ta_rr) {
+	if (!has_cd && ta_rr) {
 		qry->flags.DNSSEC_WANT = true;
-		want_secured = true;
-
 		if (qry->zone_cut.trust_anchor == NULL
 		    || !knot_dname_is_equal(qry->zone_cut.trust_anchor->owner, qry->zone_cut.name)) {
 			mm_free(qry->zone_cut.pool, qry->zone_cut.trust_anchor);
@@ -1128,6 +1125,7 @@ static int trust_chain_check(struct kr_request *request, struct kr_query *qry)
 	const bool has_ta = (qry->zone_cut.trust_anchor != NULL);
 	const knot_dname_t *ta_name = (has_ta ? qry->zone_cut.trust_anchor->owner : NULL);
 	const bool refetch_ta = !has_ta || !knot_dname_is_equal(qry->zone_cut.name, ta_name);
+	const bool want_secured = qry->flags.DNSSEC_WANT && !has_cd;
 	if (want_secured && refetch_ta) {
 		/* @todo we could fetch the information from the parent cut, but we don't remember that now */
 		struct kr_query *next = kr_rplan_push(rplan, qry, qry->zone_cut.name, qry->sclass, KNOT_RRTYPE_DS);

lib/resolve.h

@@ -108,7 +108,8 @@ enum kr_rank {
 
 	/** Proven to be insecure, i.e. we have a chain of trust from TAs
 	 * that cryptographically denies the possibility of existence
-	 * of a positive chain of trust from the TAs to the record. */
+	 * of a positive chain of trust from the TAs to the record.
+	 * Or it may be covered by a closer negative TA. */
 	KR_RANK_INSECURE = 8,
 
 	/** Authoritative data flag; the chain of authority was "verified".