00001 /* 00002 * Copyright (C) 2008-2013 Internet Systems Consortium, Inc. ("ISC") 00003 * 00004 * Permission to use, copy, modify, and/or distribute this software for any 00005 * purpose with or without fee is hereby granted, provided that the above 00006 * copyright notice and this permission notice appear in all copies. 00007 * 00008 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 00009 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 00010 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 00011 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 00012 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 00013 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 00014 * PERFORMANCE OF THIS SOFTWARE. 00015 */ 00016 00017 /* $Id: nsec3.h,v 1.14 2011/10/28 12:20:31 tbox Exp $ */ 00018 00019 #ifndef DNS_NSEC3_H 00020 #define DNS_NSEC3_H 1 00021 00022 #include <isc/lang.h> 00023 #include <isc/iterated_hash.h> 00024 00025 #include <dns/db.h> 00026 #include <dns/diff.h> 00027 #include <dns/name.h> 00028 #include <dns/rdatastruct.h> 00029 #include <dns/types.h> 00030 00031 #define DNS_NSEC3_SALTSIZE 255 00032 00033 /* 00034 * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max) 00035 * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max) 00036 */ 00037 #define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512) 00038 /* 00039 * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max) 00040 */ 00041 #define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255) 00042 00043 /* 00044 * Test "unknown" algorithm. Is mapped to dns_hash_sha1. 00045 */ 00046 #define DNS_NSEC3_UNKNOWNALG ((dns_hash_t)245U) 00047 00048 ISC_LANG_BEGINDECLS 00049 00050 isc_result_t 00051 dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, 00052 dns_dbnode_t *node, unsigned int hashalg, 00053 unsigned int optin, unsigned int iterations, 00054 const unsigned char *salt, size_t salt_length, 00055 const unsigned char *nexthash, size_t hash_length, 00056 unsigned char *buffer, dns_rdata_t *rdata); 00057 /*%< 00058 * Build the rdata of a NSEC3 record for the data at 'node'. 00059 * Note: 'node' is not the node where the NSEC3 record will be stored. 00060 * 00061 * Requires: 00062 * buffer Points to a temporary buffer of at least 00063 * DNS_NSEC_BUFFERSIZE bytes. 00064 * rdata Points to an initialized dns_rdata_t. 00065 * 00066 * Ensures: 00067 * *rdata Contains a valid NSEC3 rdata. The 'data' member refers 00068 * to 'buffer'. 00069 */ 00070 00071 isc_boolean_t 00072 dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type); 00073 /*%< 00074 * Determine if a type is marked as present in an NSEC3 record. 00075 * 00076 * Requires: 00077 * 'nsec' points to a valid rdataset of type NSEC3 00078 */ 00079 00080 isc_result_t 00081 dns_nsec3_hashname(dns_fixedname_t *result, 00082 unsigned char rethash[NSEC3_MAX_HASH_LENGTH], 00083 size_t *hash_length, dns_name_t *name, dns_name_t *origin, 00084 dns_hash_t hashalg, unsigned int iterations, 00085 const unsigned char *salt, size_t saltlength); 00086 /*%< 00087 * Make a hashed domain name from an unhashed one. If rethash is not NULL 00088 * the raw hash is stored there. 00089 */ 00090 00091 unsigned int 00092 dns_nsec3_hashlength(dns_hash_t hash); 00093 /*%< 00094 * Return the length of the hash produced by the specified algorithm 00095 * or zero when unknown. 00096 */ 00097 00098 isc_boolean_t 00099 dns_nsec3_supportedhash(dns_hash_t hash); 00100 /*%< 00101 * Return whether we support this hash algorithm or not. 00102 */ 00103 00104 isc_result_t 00105 dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, 00106 dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, 00107 dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff); 00108 00109 isc_result_t 00110 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version, 00111 dns_name_t *name, dns_ttl_t nsecttl, 00112 isc_boolean_t unsecure, dns_diff_t *diff); 00113 00114 isc_result_t 00115 dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version, 00116 dns_name_t *name, dns_ttl_t nsecttl, 00117 isc_boolean_t unsecure, dns_rdatatype_t private, 00118 dns_diff_t *diff); 00119 /*%< 00120 * Add NSEC3 records for 'name', recording the change in 'diff'. 00121 * Adjust previous NSEC3 records, if any, to reflect the addition. 00122 * The existing NSEC3 records are removed. 00123 * 00124 * dns_nsec3_addnsec3() will only add records to the chain identified by 00125 * 'nsec3param'. 00126 * 00127 * 'unsecure' should be set to reflect if this is a potentially 00128 * unsecure delegation (no DS record). 00129 * 00130 * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which 00131 * chains to be updated. NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE 00132 * will be preferentially chosen over NSEC3PARAM records without 00133 * DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE 00134 * set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE 00135 * is set then the new NSEC3 will have OPTOUT set to match the that in the 00136 * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous 00137 * record in the chain. 00138 * 00139 * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private' 00140 * specifies the type of the private rdataset to be checked in addition to 00141 * the nsec3param rdataset at the zone apex. 00142 * 00143 * Requires: 00144 * 'db' to be valid. 00145 * 'version' to be valid or NULL. 00146 * 'name' to be valid. 00147 * 'nsec3param' to be valid. 00148 * 'diff' to be valid. 00149 */ 00150 00151 isc_result_t 00152 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 00153 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff); 00154 00155 isc_result_t 00156 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 00157 dns_diff_t *diff); 00158 00159 isc_result_t 00160 dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 00161 dns_rdatatype_t private, dns_diff_t *diff); 00162 /*%< 00163 * Remove NSEC3 records for 'name', recording the change in 'diff'. 00164 * Adjust previous NSEC3 records, if any, to reflect the removal. 00165 * 00166 * dns_nsec3_delnsec3() performs the above for the chain identified by 00167 * 'nsec3param'. 00168 * 00169 * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner 00170 * to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3 00171 * records have the OPTOUT flag preserved. 00172 * 00173 * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private' 00174 * specifies the type of the private rdataset to be checked in addition to 00175 * the nsec3param rdataset at the zone apex. 00176 * 00177 * Requires: 00178 * 'db' to be valid. 00179 * 'version' to be valid or NULL. 00180 * 'name' to be valid. 00181 * 'nsec3param' to be valid. 00182 * 'diff' to be valid. 00183 */ 00184 00185 isc_result_t 00186 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, 00187 isc_boolean_t complete, isc_boolean_t *answer); 00188 00189 isc_result_t 00190 dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, 00191 isc_boolean_t complete, dns_rdatatype_t private, 00192 isc_boolean_t *answer); 00193 /*%< 00194 * Check if there are any complete/to be built NSEC3 chains. 00195 * If 'complete' is ISC_TRUE only complete chains will be recognized. 00196 * 00197 * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private' 00198 * specifies the type of the private rdataset to be checked in addition to 00199 * the nsec3param rdataset at the zone apex. 00200 * 00201 * Requires: 00202 * 'db' to be valid. 00203 * 'version' to be valid or NULL. 00204 * 'answer' to be non NULL. 00205 */ 00206 00207 isc_result_t 00208 dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, 00209 isc_mem_t *mctx, unsigned int *iterationsp); 00210 /*%< 00211 * Find the maximum permissible number of iterations allowed based on 00212 * the key strength. 00213 * 00214 * Requires: 00215 * 'db' to be valid. 00216 * 'version' to be valid or NULL. 00217 * 'mctx' to be valid. 00218 * 'iterationsp' to be non NULL. 00219 */ 00220 00221 isc_boolean_t 00222 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target, 00223 unsigned char *buf, size_t buflen); 00224 /*%< 00225 * Convert a private rdata to a nsec3param rdata. 00226 * 00227 * Return ISC_TRUE if 'src' could be successfully converted. 00228 * 00229 * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size. 00230 */ 00231 00232 void 00233 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target, 00234 dns_rdatatype_t privatetype, 00235 unsigned char *buf, size_t buflen); 00236 /*%< 00237 * Convert a nsec3param rdata to a private rdata. 00238 * 00239 * 'buf' should be at least src->length + 1 in size. 00240 */ 00241 00242 isc_result_t 00243 dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver, 00244 dns_zone_t *zone, isc_boolean_t nonsec, 00245 dns_diff_t *diff); 00246 00247 /*%< 00248 * Mark NSEC3PARAM for deletion. 00249 */ 00250 00251 isc_result_t 00252 dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, 00253 dns_name_t *nsec3name, dns_rdataset_t *nsec3set, 00254 dns_name_t *zonename, isc_boolean_t *exists, 00255 isc_boolean_t *data, isc_boolean_t *optout, 00256 isc_boolean_t *unknown, isc_boolean_t *setclosest, 00257 isc_boolean_t *setnearest, dns_name_t *closest, 00258 dns_name_t *nearest, dns_nseclog_t logit, void *arg); 00259 00260 ISC_LANG_ENDDECLS 00261 00262 #endif /* DNS_NSEC3_H */