#include <isc/lang.h>
#include <isc/event.h>
#include <isc/mutex.h>
#include <dns/fixedname.h>
#include <dns/types.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dst/dst.h>
Data Structures | |
struct | dns_validatorevent |
A dns_validatorevent_t is sent when a 'validation' completes. More... | |
struct | dns_validator |
A validator object represents a validation in progress. More... | |
Defines | |
#define | DNS_VALIDATOR_H 1 |
#define | DNS_VALIDATOR_NOQNAMEPROOF 0 |
#define | DNS_VALIDATOR_NODATAPROOF 1 |
#define | DNS_VALIDATOR_NOWILDCARDPROOF 2 |
#define | DNS_VALIDATOR_CLOSESTENCLOSER 3 |
#define | DNS_VALIDATOR_DLV 0x0001U |
dns_validator_create() options. | |
#define | DNS_VALIDATOR_DEFER 0x0002U |
#define | DNS_VALIDATOR_NOCDFLAG 0x0004U |
#define | DNS_VALIDATOR_NONTA 0x0008U |
Typedefs | |
typedef struct dns_validatorevent | dns_validatorevent_t |
Functions | |
ISC_LANG_BEGINDECLS isc_result_t | dns_validator_create (dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_validator_t **validatorp) |
Start a DNSSEC validation. | |
void | dns_validator_send (dns_validator_t *validator) |
Send a deferred validation request. | |
void | dns_validator_cancel (dns_validator_t *validator) |
Cancel a DNSSEC validation in progress. | |
void | dns_validator_destroy (dns_validator_t **validatorp) |
Destroy a DNSSEC validator. |
It can also optionally implement ISC's DNSSEC look-aside validation.
Correct operation is critical to preventing spoofed answers from secure zones being accepted.
MP:
Definition in file validator.h.
#define DNS_VALIDATOR_H 1 |
Definition at line 21 of file validator.h.
#define DNS_VALIDATOR_NOQNAMEPROOF 0 |
#define DNS_VALIDATOR_NODATAPROOF 1 |
Definition at line 114 of file validator.h.
Referenced by authvalidated(), checkwildcard(), and findnsec3proofs().
#define DNS_VALIDATOR_NOWILDCARDPROOF 2 |
#define DNS_VALIDATOR_CLOSESTENCLOSER 3 |
#define DNS_VALIDATOR_DLV 0x0001U |
dns_validator_create() options.
Definition at line 174 of file validator.h.
Referenced by cache_name(), dlv_validator_start(), ncache_message(), and validator_start().
#define DNS_VALIDATOR_DEFER 0x0002U |
Definition at line 175 of file validator.h.
Referenced by cache_name(), dns_validator_cancel(), dns_validator_create(), dns_validator_send(), and valcreate().
#define DNS_VALIDATOR_NOCDFLAG 0x0004U |
Definition at line 176 of file validator.h.
Referenced by cache_name(), create_fetch(), create_validator(), and ncache_message().
#define DNS_VALIDATOR_NONTA 0x0008U |
Definition at line 177 of file validator.h.
Referenced by cache_name(), create_fetch(), create_validator(), finddlvsep(), and ncache_message().
typedef struct dns_validatorevent dns_validatorevent_t |
ISC_LANG_BEGINDECLS isc_result_t dns_validator_create | ( | dns_view_t * | view, | |
dns_name_t * | name, | |||
dns_rdatatype_t | type, | |||
dns_rdataset_t * | rdataset, | |||
dns_rdataset_t * | sigrdataset, | |||
dns_message_t * | message, | |||
unsigned int | options, | |||
isc_task_t * | task, | |||
isc_taskaction_t | action, | |||
void * | arg, | |||
dns_validator_t ** | validatorp | |||
) |
Start a DNSSEC validation.
This validates a response to the question given by 'name' and 'type'.
To validate a positive response, the response data is given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' is NULL, the data is presumed insecure and an attempt is made to prove its insecurity by finding the appropriate null key.
The complete response message may be given in 'message', to make available any authority section NSECs that may be needed for validation of a response resulting from a wildcard expansion (though no such wildcard validation is implemented yet). If the complete response message is not available, 'message' is NULL.
To validate a negative response, the complete negative response message is given in 'message'. The 'rdataset' and 'sigrdataset' arguments must be NULL, but the 'name' and 'type' arguments must be provided.
The validation is performed in the context of 'view'.
When the validation finishes, a dns_validatorevent_t with the given 'action' and 'arg' is sent to 'task'. Its 'result' field will be ISC_R_SUCCESS if and only if the response was successfully proven to be either secure or part of a known insecure domain.
options: If DNS_VALIDATOR_DLV is set the caller knows there is not a trusted key and the validator should immediately attempt to validate the answer by looking for an appropriate DLV RRset.
Definition at line 3724 of file validator.c.
References dns_validator::action, dns_validator::arg, dns_validator::attributes, dns_validator::authcount, dns_validator::authfail, dns_validator::closest, dns_validator::currentset, dns_validator::depth, DESTROYLOCK, dns_validator::dlv, DNS_EVENT_VALIDATORSTART, dns_fixedname_init, dns_rdataset_init(), dns_resolver_getmustbesecure(), DNS_VALIDATOR_DEFER, dns_view_getsecroots(), dns_view_weakattach(), dns_view_weakdetach(), dns_validator::dsset, dns_validator::event, dns_validator::fetch, dns_validator::frdataset, dns_validator::fsigrdataset, dns_validator::havedlvsep, isc_event_allocate(), isc_event_free(), ISC_EVENT_PTR, ISC_FALSE, ISC_LINK_INIT, isc_mem_get, isc_mem_put, isc_mutex_init, ISC_R_FAILURE, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_stdtime_get(), isc_task_attach(), isc_task_detach(), isc_task_send(), dns_validator::key, dns_validator::keynode, dns_validator::keyset, dns_validator::keytable, dns_validator::labels, dns_validator::lock, dns_validator::magic, dns_view::mctx, dns_validator::mustbesecure, dns_validator::nearest, dns_validator::options, dns_validator::parent, dns_validatorevent::proofs, REQUIRE, dns_view::resolver, dns_validator::seensig, dns_validator::siginfo, dns_validator::start, dns_validator::subvalidator, dns_validator::task, VALIDATOR_MAGIC, validator_start(), dns_validator::view, and dns_validator::wild.
Referenced by create_validator(), and valcreate().
void dns_validator_send | ( | dns_validator_t * | validator | ) |
Send a deferred validation request.
Requires: 'validator' points to a valid DNSSEC validator.
Definition at line 3828 of file validator.c.
References DNS_VALIDATOR_DEFER, dns_validator::event, INSIST, ISC_EVENT_PTR, isc_task_send(), dns_validator::lock, LOCK, dns_validator::options, REQUIRE, dns_validator::task, UNLOCK, and VALID_VALIDATOR.
void dns_validator_cancel | ( | dns_validator_t * | validator | ) |
Cancel a DNSSEC validation in progress.
Requires:
Definition at line 3843 of file validator.c.
References dns_validator::attributes, dns_resolver_cancelfetch(), dns_resolver_destroyfetch(), dns_validator_cancel(), DNS_VALIDATOR_DEFER, dns_validator::event, dns_validator::fetch, ISC_LOG_DEBUG, ISC_R_CANCELED, dns_validator::lock, LOCK, dns_validator::options, REQUIRE, dns_validator::subvalidator, UNLOCK, VALATTR_CANCELED, VALID_VALIDATOR, validator_done(), and validator_log().
Referenced by dns_validator_cancel(), fctx_doshutdown(), and maybe_destroy().
void dns_validator_destroy | ( | dns_validator_t ** | validatorp | ) |
Destroy a DNSSEC validator.
Requires:
Definition at line 3907 of file validator.c.
References dns_validator::attributes, destroy(), exit_check(), ISC_FALSE, ISC_LOG_DEBUG, dns_validator::lock, LOCK, REQUIRE, UNLOCK, VALATTR_SHUTDOWN, VALID_VALIDATOR, and validator_log().
Referenced by authvalidated(), cnamevalidated(), destroy(), dlvvalidated(), dsvalidated(), and keyvalidated().