1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
|
/*
* Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3.h,v 1.5 2008/09/24 03:16:58 tbox Exp $ */
#ifndef DNS_NSEC3_H
#define DNS_NSEC3_H 1
#include <isc/lang.h>
#include <isc/iterated_hash.h>
#include <dns/db.h>
#include <dns/diff.h>
#include <dns/name.h>
#include <dns/rdatastruct.h>
#include <dns/types.h>
/*
* hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
* hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
*/
#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
/*
* hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
*/
#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
/*
* Test "unknown" algorithm. Is mapped to dns_hash_sha1.
*/
#define DNS_NSEC3_UNKNOWNALG 245U
ISC_LANG_BEGINDECLS
isc_result_t
dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
dns_dbnode_t *node, unsigned int hashalg,
unsigned int optin, unsigned int iterations,
const unsigned char *salt, size_t salt_length,
const unsigned char *nexthash, size_t hash_length,
unsigned char *buffer, dns_rdata_t *rdata);
/*%<
* Build the rdata of a NSEC3 record for the data at 'node'.
* Note: 'node' is not the node where the NSEC3 record will be stored.
*
* Requires:
* buffer Points to a temporary buffer of at least
* DNS_NSEC_BUFFERSIZE bytes.
* rdata Points to an initialized dns_rdata_t.
*
* Ensures:
* *rdata Contains a valid NSEC3 rdata. The 'data' member refers
* to 'buffer'.
*/
isc_boolean_t
dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
/*%<
* Determine if a type is marked as present in an NSEC3 record.
*
* Requires:
* 'nsec' points to a valid rdataset of type NSEC3
*/
isc_result_t
dns_nsec3_hashname(dns_fixedname_t *result,
unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
size_t *hash_length, dns_name_t *name, dns_name_t *origin,
dns_hash_t hashalg, unsigned int iterations,
const unsigned char *salt, size_t saltlength);
/*%<
* Make a hashed domain name from an unhashed one. If rethash is not NULL
* the raw hash is stored there.
*/
unsigned int
dns_nsec3_hashlength(dns_hash_t hash);
/*%<
* Return the length of the hash produced by the specified algorithm
* or zero when unknown.
*/
isc_boolean_t
dns_nsec3_supportedhash(dns_hash_t hash);
/*%<
* Return whether we support this hash algorithm or not.
*/
isc_result_t
dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
isc_result_t
dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
dns_name_t *name, dns_ttl_t nsecttl,
isc_boolean_t unsecure, dns_diff_t *diff);
/*%<
* Add NSEC3 records for 'name', recording the change in 'diff'.
* Adjust previous NSEC3 records, if any, to reflect the addition.
* The existing NSEC3 records are removed.
*
* dns_nsec3_addnsec3() will only add records to the chain identified by
* 'nsec3param'.
*
* 'unsecure' should be set to reflect if this is a potentially
* unsecure delegation (no DS record).
*
* dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
* chains to be updated. NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
* will be preferentially choosen over NSEC3PARAM records without
* DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
* set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE
* is set then the new NSEC3 will have OPTOUT set to match the that in the
* NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
* record in the chain.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
* 'name' to be valid.
* 'nsec3param' to be valid.
* 'diff' to be valid.
*/
isc_result_t
dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
isc_result_t
dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
dns_diff_t *diff);
/*%<
* Remove NSEC3 records for 'name', recording the change in 'diff'.
* Adjust previous NSEC3 records, if any, to reflect the removal.
*
* dns_nsec3_delnsec3() performs the above for the chain identified by
* 'nsec3param'.
*
* dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
* to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3
* records have the OPTOUT flag preserved.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
* 'name' to be valid.
* 'nsec3param' to be valid.
* 'diff' to be valid.
*/
isc_result_t
dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
isc_boolean_t complete, isc_boolean_t *answer);
/*%<
* Check if there are any complete/to be built NSEC3 chains.
* If 'complete' is ISC_TRUE only complete chains will be recognised.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
* 'answer' to be non NULL.
*/
isc_result_t
dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
isc_mem_t *mctx, unsigned int *iterationsp);
/*%<
* Find the maximum permissible number of iterations allowed based on
* the key strength.
*
* Requires:
* 'db' to be valid.
* 'version' to be valid or NULL.
* 'mctx' to be valid.
* 'iterationsp' to be non NULL.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_NSEC3_H */
|
