#include <config.h>
#include <isc/base32.h>
#include <isc/buffer.h>
#include <isc/hex.h>
#include <isc/iterated_hash.h>
#include <isc/log.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dst/dst.h>
#include <dns/db.h>
#include <dns/zone.h>
#include <dns/compress.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/fixedname.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/result.h>
Defines | |
#define | CHECK(x) |
#define | OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0) |
#define | CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0) |
#define | INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0) |
#define | REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0) |
Functions | |
isc_result_t | dns_nsec3_buildrdata (dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node, unsigned int hashalg, unsigned int flags, unsigned int iterations, const unsigned char *salt, size_t salt_length, const unsigned char *nexthash, size_t hash_length, unsigned char *buffer, dns_rdata_t *rdata) |
Build the rdata of an NSEC3 record for the data at 'node'. Note: 'node' is not the node where the NSEC3 record will be stored. | |
isc_boolean_t | dns_nsec3_typepresent (dns_rdata_t *rdata, dns_rdatatype_t type) |
Determine if a type is marked as present in an NSEC3 record. | |
isc_result_t | dns_nsec3_hashname (dns_fixedname_t *result, unsigned char rethash[NSEC3_MAX_HASH_LENGTH], size_t *hash_length, dns_name_t *name, dns_name_t *origin, dns_hash_t hashalg, unsigned int iterations, const unsigned char *salt, size_t saltlength) |
Make a hashed domain name from an unhashed one. If 'rethash' is not NULL, the raw hash is stored there. | |
unsigned int | dns_nsec3_hashlength (dns_hash_t hash) |
Return the length of the hash produced by the specified algorithm or zero when unknown. | |
isc_boolean_t | dns_nsec3_supportedhash (dns_hash_t hash) |
Return whether we support this hash algorithm or not. | |
static isc_result_t | do_one_tuple (dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff) |
Update a single RR in version 'ver' of 'db' and log the update in 'diff'. | |
static isc_result_t | name_exists (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, isc_boolean_t *exists) |
Set '*exists' to true iff the given name exists, to false otherwise. | |
static isc_boolean_t | match_nsec3param (const dns_rdata_nsec3_t *nsec3, const dns_rdata_nsec3param_t *nsec3param) |
static isc_result_t | delete (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) |
Delete NSEC3 records at "name" which match "param", recording the change in "diff". | |
static isc_boolean_t | better_param (dns_rdataset_t *nsec3paramset, dns_rdata_t *param) |
static isc_result_t | find_nsec3 (dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset, const dns_rdata_nsec3param_t *nsec3param) |
isc_result_t | dns_nsec3_addnsec3 (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff) |
isc_result_t | dns_nsec3_addnsec3s (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff) |
Add NSEC3 records for "name", recording the change in "diff". The existing NSEC3 records are removed. | |
isc_boolean_t | dns_nsec3param_fromprivate (dns_rdata_t *src, dns_rdata_t *target, unsigned char *buf, size_t buflen) |
Convert a private rdata to a nsec3param rdata. | |
void | dns_nsec3param_toprivate (dns_rdata_t *src, dns_rdata_t *target, dns_rdatatype_t privatetype, unsigned char *buf, size_t buflen) |
Convert a nsec3param rdata to a private rdata. | |
static isc_result_t | rr_exists (dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, const dns_rdata_t *rdata, isc_boolean_t *flag) |
isc_result_t | dns_nsec3param_deletechains (dns_db_t *db, dns_dbversion_t *ver, dns_zone_t *zone, isc_boolean_t nonsec, dns_diff_t *diff) |
Mark NSEC3PARAM for deletion. | |
isc_result_t | dns_nsec3_addnsec3sx (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_rdatatype_t type, dns_diff_t *diff) |
Add NSEC3 records for 'name', recording the change in 'diff'. Adjust previous NSEC3 records, if any, to reflect the addition. The existing NSEC3 records are removed. | |
static isc_result_t | deleteit (dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t *yesno) |
Determine whether any NSEC3 records that were associated with 'name' should be deleted or if they should continue to exist. ISC_TRUE indicates they should be deleted. ISC_FALSE indicates they should be retained. | |
isc_result_t | dns_nsec3_delnsec3 (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff) |
isc_result_t | dns_nsec3_delnsec3s (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, dns_diff_t *diff) |
isc_result_t | dns_nsec3_delnsec3sx (dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, dns_rdatatype_t privatetype, dns_diff_t *diff) |
Remove NSEC3 records for 'name', recording the change in 'diff'. Adjust previous NSEC3 records, if any, to reflect the removal. | |
isc_result_t | dns_nsec3_active (dns_db_t *db, dns_dbversion_t *version, isc_boolean_t complete, isc_boolean_t *answer) |
isc_result_t | dns_nsec3_activex (dns_db_t *db, dns_dbversion_t *version, isc_boolean_t complete, dns_rdatatype_t privatetype, isc_boolean_t *answer) |
Check whether there are any complete or to-be-built NSEC3 chains. If 'complete' is ISC_TRUE, only complete chains will be recognized. | |
isc_result_t | dns_nsec3_maxiterations (dns_db_t *db, dns_dbversion_t *version, isc_mem_t *mctx, unsigned int *iterationsp) |
Find the maximum permissible number of iterations based on the key strength. | |
isc_result_t | dns_nsec3_noexistnodata (dns_rdatatype_t type, dns_name_t *name, dns_name_t *nsec3name, dns_rdataset_t *nsec3set, dns_name_t *zonename, isc_boolean_t *exists, isc_boolean_t *data, isc_boolean_t *optout, isc_boolean_t *unknown, isc_boolean_t *setclosest, isc_boolean_t *setnearest, dns_name_t *closest, dns_name_t *nearest, dns_nseclog_t logit, void *arg) |
#define CHECK | ( | x | ) |
Value:
do { \
    result = (x); \
    if (result != ISC_R_SUCCESS) \
        goto failure; \
} while (0)
#define CREATE | ( | x | ) | (((x) & DNS_NSEC3FLAG_CREATE) != 0) |
Definition at line 53 of file nsec3.c.
Referenced by better_param(), dns_nsec3_activex(), dns_nsec3_addnsec3(), dns_nsec3_delnsec3(), dns_private_chains(), and ignore().
#define REMOVE | ( | x | ) | (((x) & DNS_NSEC3FLAG_REMOVE) != 0) |
isc_result_t dns_nsec3_buildrdata | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_dbnode_t * | node, | |||
unsigned int | hashalg, | |||
unsigned int | optin, | |||
unsigned int | iterations, | |||
const unsigned char * | salt, | |||
size_t | salt_length, | |||
const unsigned char * | nexthash, | |||
size_t | hash_length, | |||
unsigned char * | buffer, | |||
dns_rdata_t * | rdata | |||
) |
Build the rdata of an NSEC3 record for the data at 'node'. Note: 'node' is not the node where the NSEC3 record will be stored.
Requires: 'buffer' points to a temporary buffer of at least DNS_NSEC_BUFFERSIZE bytes; 'rdata' points to an initialized dns_rdata_t.
Ensures: '*rdata' contains a valid NSEC3 rdata; its 'data' member refers to 'buffer'.
Definition at line 58 of file nsec3.c.
References isc_region::base, dns_db_allrdatasets(), dns_db_class(), dns_hash_sha1, DNS_NSEC3_BUFFERSIZE, dns_nsec_compressbitmap(), dns_nsec_isset(), dns_nsec_setbit(), dns_rdata_fromregion(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdatasetiter_current(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), dns_rdatasetiter_next(), dns_rdatatype_iszonecutauth(), INSIST, ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, ISC_SHA1_DIGESTLENGTH, ISC_TRUE, isc_region::length, r, REQUIRE, and dns_rdataset::type.
Referenced by addnsec3(), and dns_nsec3_addnsec3().
isc_boolean_t dns_nsec3_typepresent | ( | dns_rdata_t * | nsec, | |
dns_rdatatype_t | type | |||
) |
Determine if a type is marked as present in an NSEC3 record.
Requires: 'nsec' points to a valid rdata of type NSEC3.
Definition at line 188 of file nsec3.c.
References dns_nsec_isset(), dns_rdata_freestruct(), dns_rdata_tostruct(), INSIST, ISC_FALSE, ISC_R_SUCCESS, ISC_TF, REQUIRE, and dns_rdata::type.
Referenced by dns_nsec3_noexistnodata(), and isdelegation().
isc_result_t dns_nsec3_hashname | ( | dns_fixedname_t * | result, | |
unsigned char | rethash[NSEC3_MAX_HASH_LENGTH], | |||
size_t * | hash_length, | |||
dns_name_t * | name, | |||
dns_name_t * | origin, | |||
dns_hash_t | hashalg, | |||
unsigned int | iterations, | |||
const unsigned char * | salt, | |||
size_t | saltlength | |||
) |
Make a hashed domain name from an unhashed one. If 'rethash' is not NULL, the raw hash is stored there.
Definition at line 223 of file nsec3.c.
References isc_region::base, dns_fixedname_init, dns_fixedname_name, dns_name_downcase(), DNS_NAME_FORMATSIZE, dns_name_fromtext(), DNS_R_BADALG, fixed, hash, isc_base32hexnp_totext(), isc_buffer_init, isc_iterated_hash(), isc_region::length, dns_name::length, and dns_name::ndata.
Referenced by addnsec3(), dns_nsec3_addnsec3(), dns_nsec3_delnsec3(), isoptout(), query_findclosestnsec3(), set_nsec3params(), and verifynsec3().
unsigned int dns_nsec3_hashlength | ( | dns_hash_t | hash | ) |
Return the length of the hash produced by the specified algorithm or zero when unknown.
Definition at line 269 of file nsec3.c.
References dns_hash_sha1, and ISC_SHA1_DIGESTLENGTH.
Referenced by main().
isc_boolean_t dns_nsec3_supportedhash | ( | dns_hash_t | hash | ) |
Return whether we support this hash algorithm or not.
Definition at line 279 of file nsec3.c.
References dns_hash_sha1, ISC_FALSE, and ISC_TRUE.
Referenced by check_nsec3param(), dns_nsec3_noexistnodata(), setnsec3parameters(), and verifynsec3().
static isc_result_t do_one_tuple | ( | dns_difftuple_t ** | tuple, | |
dns_db_t * | db, | |||
dns_dbversion_t * | ver, | |||
dns_diff_t * | diff | |||
) | [static] |
Update a single RR in version 'ver' of 'db' and log the update in 'diff'.
Ensures:
Definition at line 296 of file nsec3.c.
References dns_diff_appendminimal(), dns_diff_apply(), dns_diff_init(), dns_difftuple_free(), ISC_LIST_APPEND, ISC_LIST_UNLINK, ISC_R_SUCCESS, and dns_diff::mctx.
Referenced by add_nsec(), add_nsec3param_records(), add_placeholder_nsec(), add_signing_records(), delete(), dns_nsec3_addnsec3(), dns_nsec3_delnsec3(), dns_nsec3param_deletechains(), do_diff(), receive_secure_serial(), rollback_private(), update_one_rr(), and update_soa_serial().
static isc_result_t name_exists | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
isc_boolean_t * | exists | |||
) | [static] |
Set '*exists' to true iff the given name exists, to false otherwise.
Definition at line 333 of file nsec3.c.
References dns_db_allrdatasets(), dns_db_detachnode(), dns_db_findnode(), dns_rdatasetiter_destroy(), dns_rdatasetiter_first(), ISC_FALSE, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, and ISC_TRUE.
Referenced by dns_nsec3_addnsec3(), dns_update_signaturesinc(), and update_action().
static isc_boolean_t match_nsec3param | ( | const dns_rdata_nsec3_t * | nsec3, | |
const dns_rdata_nsec3param_t * | nsec3param | |||
) | [static] |
static isc_result_t delete | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
const dns_rdata_nsec3param_t * | nsec3param, | |||
dns_diff_t * | diff | |||
) | [static] |
Delete NSEC3 records at "name" which match "param", recording the change in "diff".
Definition at line 385 of file nsec3.c.
References CHECK, dns_db_detachnode(), dns_db_findnsec3node(), dns_db_findrdataset(), DNS_DIFFOP_DEL, dns_difftuple_create(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), do_one_tuple(), ISC_FALSE, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, match_nsec3param(), name, dns_rdataset::ttl, and version.
static isc_boolean_t better_param | ( | dns_rdataset_t * | nsec3paramset, | |
dns_rdata_t * | param | |||
) | [static] |
Definition at line 443 of file nsec3.c.
References CREATE, dns_rdata::data, DNS_NSEC3PARAM_BUFFERSIZE, dns_nsec3param_fromprivate(), DNS_RDATA_INIT, dns_rdataset_clone(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, dns_rdata::length, REMOVE, and dns_rdataset::type.
Referenced by dns_nsec3_addnsec3sx(), and dns_nsec3_delnsec3sx().
static isc_result_t find_nsec3 | ( | dns_rdata_nsec3_t * | nsec3, | |
dns_rdataset_t * | rdataset, | |||
const dns_rdata_nsec3param_t * | nsec3param | |||
) | [static] |
Definition at line 486 of file nsec3.c.
References CHECK, DNS_RDATA_INIT, dns_rdata_reset(), dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdataset_next(), ISC_R_SUCCESS, and match_nsec3param().
Referenced by dns_nsec3_addnsec3(), and dns_nsec3_delnsec3().
isc_result_t dns_nsec3_addnsec3 | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
const dns_rdata_nsec3param_t * | nsec3param, | |||
dns_ttl_t | nsecttl, | |||
isc_boolean_t | unsecure, | |||
dns_diff_t * | diff | |||
) |
Definition at line 506 of file nsec3.c.
References addnsec3(), buffer, CHECK, CREATE, dns_db_createiterator(), dns_db_detachnode(), dns_db_findnode(), dns_db_findnsec3node(), dns_db_findrdataset(), DNS_DB_NSEC3ONLY, dns_db_origin(), dns_dbiterator_current(), dns_dbiterator_destroy(), dns_dbiterator_last(), dns_dbiterator_pause(), dns_dbiterator_prev(), dns_dbiterator_seek(), DNS_DIFFOP_ADD, dns_difftuple_create(), dns_fixedname_init, dns_fixedname_name, dns_name_clone(), dns_name_countlabels(), dns_name_getlabelsequence(), dns_name_init(), DNS_NSEC3_BUFFERSIZE, dns_nsec3_buildrdata(), dns_nsec3_delnsec3(), dns_nsec3_hashname(), dns_rdata_fromstruct(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), do_one_tuple(), find_nsec3(), fixed, hash, INSIST, isc_buffer_init, ISC_FALSE, ISC_R_NOMORE, ISC_R_SUCCESS, ISC_TRUE, dns_diff::mctx, name_exists(), NSEC3_MAX_HASH_LENGTH, OPTOUT, origin, dns_rdataset::rdclass, salt_length, and dns_rdataset::ttl.
Referenced by dns_nsec3_addnsec3s(), dns_nsec3_addnsec3sx(), and zone_nsec3chain().
isc_result_t dns_nsec3_addnsec3s | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
dns_ttl_t | nsecttl, | |||
isc_boolean_t | unsecure, | |||
dns_diff_t * | diff | |||
) |
Add NSEC3 records for "name", recording the change in "diff". The existing NSEC3 records are removed.
Definition at line 868 of file nsec3.c.
References CHECK, dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), dns_nsec3_addnsec3(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), ISC_R_NOMORE, ISC_R_NOTFOUND, and ISC_R_SUCCESS.
Referenced by sign_a_node(), updatesignwithkey(), and zone_nsec3chain().
isc_boolean_t dns_nsec3param_fromprivate | ( | dns_rdata_t * | src, | |
dns_rdata_t * | target, | |||
unsigned char * | buf, | |||
size_t | buflen | |||
) |
Convert a private rdata to a nsec3param rdata.
Return ISC_TRUE if 'src' could be successfully converted.
'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
Definition at line 927 of file nsec3.c.
References dns_rdata::data, dns_decompress_init(), dns_decompress_invalidate(), DNS_DECOMPRESS_NONE, dns_rdata_fromwire(), isc_buffer_add, isc_buffer_init, isc_buffer_setactive, ISC_FALSE, ISC_R_SUCCESS, ISC_TF, dns_rdata::length, and dns_rdata::rdclass.
Referenced by better_param(), dns_nsec3_activex(), dns_nsec3_addnsec3sx(), dns_nsec3_delnsec3sx(), dns_private_chains(), dns_private_totext(), fixup_nsec3param(), get_iterations(), ignore(), resume_addnsec3chain(), save_nsec3param(), and update_action().
void dns_nsec3param_toprivate | ( | dns_rdata_t * | src, | |
dns_rdata_t * | target, | |||
dns_rdatatype_t | privatetype, | |||
unsigned char * | buf, | |||
size_t | buflen | |||
) |
Convert a nsec3param rdata to a private rdata.
'buf' should be at least src->length + 1 in size.
Definition at line 956 of file nsec3.c.
References dns_rdata::data, DNS_RDATA_INITIALIZED, dns_rdata::flags, ISC_LINK_INIT, dns_rdata::length, dns_rdata::rdclass, REQUIRE, and dns_rdata::type.
Referenced by add_nsec3param_records(), dns_nsec3param_deletechains(), make_nsec3(), and save_nsec3param().
static isc_result_t rr_exists | ( | dns_db_t * | db, | |
dns_dbversion_t * | ver, | |||
dns_name_t * | name, | |||
const dns_rdata_t * | rdata, | |||
isc_boolean_t * | flag | |||
) | [static] |
Definition at line 975 of file nsec3.c.
References CHECK, dns_db_detachnode(), dns_db_findnode(), dns_db_findnsec3node(), dns_db_findrdataset(), dns_rdata_casecompare(), DNS_RDATA_INIT, dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), ISC_FALSE, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_TRUE, and dns_rdata::type.
Referenced by add_nsec3param_records(), add_signing_records(), and dns_nsec3param_deletechains().
isc_result_t dns_nsec3param_deletechains | ( | dns_db_t * | db, | |
dns_dbversion_t * | ver, | |||
dns_zone_t * | zone, | |||
isc_boolean_t | nonsec, | |||
dns_diff_t * | diff | |||
) |
Mark NSEC3PARAM for deletion.
Definition at line 1018 of file nsec3.c.
References CHECK, dns_rdata::data, dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), DNS_DIFFOP_ADD, DNS_DIFFOP_DEL, dns_difftuple_create(), dns_name_init(), DNS_NSEC3PARAM_BUFFERSIZE, dns_nsec3param_toprivate(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dns_zone_getorigin(), dns_zone_getprivatetype(), do_one_tuple(), INSIST, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, dns_rdata::length, dns_diff::mctx, origin, privatetype, rr_exists(), and dns_rdataset::ttl.
Referenced by update_action().
isc_result_t dns_nsec3_addnsec3sx | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
dns_ttl_t | nsecttl, | |||
isc_boolean_t | unsecure, | |||
dns_rdatatype_t | private, | |||
dns_diff_t * | diff | |||
) |
Add NSEC3 records for 'name', recording the change in 'diff'. Adjust previous NSEC3 records, if any, to reflect the addition. The existing NSEC3 records are removed.
dns_nsec3_addnsec3() will only add records to the chain identified by 'nsec3param'.
'unsecure' should be set to reflect if this is a potentially unsecure delegation (no DS record).
dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which chains are to be updated. NSEC3PARAM records with DNS_NSEC3FLAG_CREATE set will be preferentially chosen over NSEC3PARAM records without DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE is set, then the new NSEC3 will have OPTOUT set to match that in the NSEC3PARAM record; otherwise OPTOUT will be inherited from the previous record in the chain.
dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private' specifies the type of the private rdataset to be checked in addition to the nsec3param rdataset at the zone apex.
Requires: 'db' to be valid. 'version' to be valid or NULL. 'name' to be valid. 'nsec3param' to be valid. 'diff' to be valid.
Definition at line 1143 of file nsec3.c.
References better_param(), CHECK, dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), dns_nsec3_addnsec3(), DNS_NSEC3PARAM_BUFFERSIZE, dns_nsec3param_fromprivate(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), ISC_R_NOMORE, ISC_R_NOTFOUND, and ISC_R_SUCCESS.
Referenced by dns_update_signaturesinc().
static isc_result_t deleteit | ( | dns_db_t * | db, | |
dns_dbversion_t * | ver, | |||
dns_name_t * | name, | |||
isc_boolean_t * | yesno | |||
) | [static] |
Determine whether any NSEC3 records that were associated with 'name' should be deleted or if they should continue to exist. ISC_TRUE indicates they should be deleted. ISC_FALSE indicates they should be retained.
Definition at line 1253 of file nsec3.c.
References dns_db_find(), DNS_DBFIND_GLUEOK, DNS_DBFIND_NOWILD, dns_fixedname_init, dns_fixedname_name, DNS_R_DELEGATION, DNS_R_DNAME, DNS_R_EMPTYNAME, DNS_R_GLUE, DNS_R_NXDOMAIN, DNS_R_ZONECUT, ISC_FALSE, ISC_R_SUCCESS, and ISC_TRUE.
Referenced by dns_nsec3_delnsec3().
isc_result_t dns_nsec3_delnsec3 | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
const dns_rdata_nsec3param_t * | nsec3param, | |||
dns_diff_t * | diff | |||
) |
Definition at line 1283 of file nsec3.c.
References buffer, CHECK, CREATE, deleteit(), dns_db_createiterator(), dns_db_detachnode(), dns_db_findrdataset(), DNS_DB_NSEC3ONLY, dns_db_origin(), dns_dbiterator_current(), dns_dbiterator_destroy(), dns_dbiterator_last(), dns_dbiterator_pause(), dns_dbiterator_prev(), dns_dbiterator_seek(), DNS_DIFFOP_ADD, dns_difftuple_create(), dns_fixedname_init, dns_fixedname_name, dns_name_clone(), dns_name_countlabels(), dns_name_getlabelsequence(), dns_name_init(), DNS_NSEC3_BUFFERSIZE, dns_nsec3_hashname(), dns_rdata_fromstruct(), DNS_RDATA_INIT, dns_rdata_reset(), dns_rdataset_disassociate(), dns_rdataset_init(), dns_rdataset_isassociated(), do_one_tuple(), find_nsec3(), fixed, hash, INSIST, isc_buffer_init, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, dns_diff::mctx, NSEC3_MAX_HASH_LENGTH, origin, dns_rdataset::rdclass, salt_length, and dns_rdataset::ttl.
Referenced by dns_nsec3_addnsec3(), and dns_nsec3_delnsec3sx().
isc_result_t dns_nsec3_delnsec3s | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
dns_diff_t * | diff | |||
) |
isc_result_t dns_nsec3_delnsec3sx | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
dns_name_t * | name, | |||
dns_rdatatype_t | private, | |||
dns_diff_t * | diff | |||
) |
Remove NSEC3 records for 'name', recording the change in 'diff'. Adjust previous NSEC3 records, if any, to reflect the removal.
dns_nsec3_delnsec3() performs the above for the chain identified by 'nsec3param'.
dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s(), updated NSEC3 records have the OPTOUT flag preserved.
dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private' specifies the type of the private rdataset to be checked in addition to the nsec3param rdataset at the zone apex.
Requires: 'db' to be valid. 'version' to be valid or NULL. 'name' to be valid. 'nsec3param' to be valid. 'diff' to be valid.
Definition at line 1551 of file nsec3.c.
References better_param(), CHECK, dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), dns_nsec3_delnsec3(), DNS_NSEC3PARAM_BUFFERSIZE, dns_nsec3param_fromprivate(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), ISC_R_NOMORE, ISC_R_NOTFOUND, and ISC_R_SUCCESS.
Referenced by dns_nsec3_delnsec3s(), and dns_update_signaturesinc().
isc_result_t dns_nsec3_active | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
isc_boolean_t | complete, | |||
isc_boolean_t * | answer | |||
) |
isc_result_t dns_nsec3_activex | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
isc_boolean_t | complete, | |||
dns_rdatatype_t | private, | |||
isc_boolean_t * | answer | |||
) |
Check whether there are any complete or to-be-built NSEC3 chains. If 'complete' is ISC_TRUE, only complete chains will be recognized.
dns_nsec3_activex() is similar to dns_nsec3_active() but 'private' specifies the type of the private rdataset to be checked in addition to the nsec3param rdataset at the zone apex.
Requires: 'db' to be valid. 'version' to be valid or NULL. 'answer' to be non-NULL.
Definition at line 1653 of file nsec3.c.
References CREATE, dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), DNS_NSEC3PARAM_BUFFERSIZE, dns_nsec3param_fromprivate(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_next(), ISC_FALSE, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, ISC_TRUE, REQUIRE, and RUNTIME_CHECK.
Referenced by check_dnssec(), dns_nsec3_active(), and dnskey_sane().
isc_result_t dns_nsec3_maxiterations | ( | dns_db_t * | db, | |
dns_dbversion_t * | version, | |||
isc_mem_t * | mctx, | |||
unsigned int * | iterationsp | |||
) |
Find the maximum permissible number of iterations based on the key strength.
Requires: 'db' to be valid. 'version' to be valid or NULL. 'mctx' to be valid. 'iterationsp' to be non-NULL.
Definition at line 1749 of file nsec3.c.
References buffer, CHECK, dns_rdata::data, dns_db_detachnode(), dns_db_findrdataset(), dns_db_getoriginnode(), dns_db_origin(), DNS_RDATA_INIT, dns_rdataset_current(), dns_rdataset_disassociate(), dns_rdataset_first(), dns_rdataset_init(), dns_rdataset_isassociated(), dns_rdataset_next(), dst_key_free(), dst_key_fromdns(), dst_key_size(), isc_buffer_add, isc_buffer_init, ISC_R_NOMORE, ISC_R_NOTFOUND, ISC_R_SUCCESS, key, dns_rdata::length, and dns_rdataset::rdclass.
Referenced by check_dnssec(), and main().
isc_result_t dns_nsec3_noexistnodata | ( | dns_rdatatype_t | type, | |
dns_name_t * | name, | |||
dns_name_t * | nsec3name, | |||
dns_rdataset_t * | nsec3set, | |||
dns_name_t * | zonename, | |||
isc_boolean_t * | exists, | |||
isc_boolean_t * | data, | |||
isc_boolean_t * | optout, | |||
isc_boolean_t * | unknown, | |||
isc_boolean_t * | setclosest, | |||
isc_boolean_t * | setnearest, | |||
dns_name_t * | closest, | |||
dns_name_t * | nearest, | |||
dns_nseclog_t | logit, | |||
void * | arg | |||
) |
Definition at line 1807 of file nsec3.c.
References answer, buffer, dns_fixedname_init, dns_fixedname_name, dns_name_copy(), dns_name_countlabels(), dns_name_downcase(), dns_name_equal(), dns_name_format(), DNS_NAME_FORMATSIZE, dns_name_getlabel(), dns_name_issubdomain(), dns_name_split(), dns_nsec3_supportedhash(), dns_nsec3_typepresent(), DNS_RDATA_INIT, dns_rdata_tostruct(), dns_rdataset_current(), dns_rdataset_first(), dns_rdatatype_atparent(), hash, isc_base32hex_decoderegion(), isc_buffer_init, isc_buffer_usedlength, ISC_FALSE, isc_iterated_hash(), ISC_LOG_DEBUG, ISC_R_IGNORE, ISC_R_SUCCESS, isc_region_consume, ISC_TF, ISC_TRUE, dns_name::length, namebuf, dns_name::ndata, NSEC3_MAX_HASH_LENGTH, REQUIRE, dns_rdataset::type, and zone.
Referenced by checkwildcard(), findnoqname(), and findnsec3proofs().