chg: usr: Revert "Fix NSEC3 closest encloser lookup for names with em…

…pty non-terminals"

The fix for #4950 should have never been backported to 9.18. Revert the change.

This reverts MR !9632

History:
A performance improvement for NSEC3 closest encloser lookups (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and 9.21.1).

There was a bug in the code (#4950), so we reverted the change in !9611, !9613 and !9614 (not released).

Then a new attempt was merged in main (MR !9610) and backported to 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been backported.

Furthermore, the initial MR used the wrong MR title so the change was never added to the release note. This is done in main with MR !9598 and backports to 9.20 (MR !9615) and 9.18 (MR !9616).

The new release notes for 9.21 and 9.20 should probably say that the bug is fixed. The new release notes for 9.18 should probably say that the change is reverted.

Merge branch 'revert-4950-bind-logs-expected-covering-nsec3-got-an-exact-match-9.18' into 'bind-9.18'

See merge request isc-projects/bind9!9689

bin/tests/system/dnssec/tests.sh

@@ -4468,35 +4468,5 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^6OVDUHTN094ML2PV8AN90U0DPU823GH2\.nsec3.example\..*NSEC3 1 0 0 - 7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4 A RRSIG\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 1 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH\.nsec3.example\..*NSEC3 1 0 0 - R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 2 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.a.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^H7RHPDCHSVVRAND332F878C8AB6IBJQV\.nsec3.example\..*NSEC3 1 0 0 - K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

lib/ns/query.c

@@ -11565,33 +11565,24 @@ query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata) {
 		 * No NSEC proof available, return NSEC3 proofs instead.
 		 */
 		cname = dns_fixedname_initname(&cfixed);
-
 		/*
-		 * Find the closest encloser using a binary search.
-		 * maxlabels: suffix length of NXDOMAIN result
-		 * minlabels: suffix length of non NXDOMAIN result
+		 * Find the closest encloser.
 		 */
-		unsigned int maxlabels = dns_name_countlabels(name);
-		unsigned int minlabels = dns_name_countlabels(fname);
-		bool search = result == DNS_R_NXDOMAIN;
 		dns_name_copy(name, cname);
-		while (search) {
-			labels = (maxlabels + minlabels) / 2;
-			dns_name_split(name, labels, NULL, cname);
-			if (labels == minlabels) {
-				break;
+		while (result == DNS_R_NXDOMAIN) {
+			labels = dns_name_countlabels(cname) - 1;
+			/*
+			 * Sanity check.
+			 */
+			if (labels == 0U) {
+				goto cleanup;
 			}
+			dns_name_split(cname, labels, NULL, cname);
 			result = dns_db_findext(qctx->db, cname, qctx->version,
 						dns_rdatatype_nsec, options, 0,
 						NULL, fname, &cm, &ci, NULL,
 						NULL);
-			if (result == DNS_R_NXDOMAIN) {
-				maxlabels = labels;
-			} else {
-				minlabels = labels;
-			}
 		}
-
 		/*
 		 * Add closest (provable) encloser NSEC3.
 		 */