1 /*  Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
2  *  SPDX-License-Identifier: GPL-3.0-or-later
3  */
4 
5 #pragma once
6 
7 #include <libknot/packet/pkt.h>
8 
9 /** High numbers in NSEC3 iterations don't really help security
10  *
11  * ...so we avoid doing all the work.  The value is a current compromise;
12  * zones shooting over get downgraded to insecure status.
13  *
14  * Original restriction wasn't that strict:
15    https://datatracker.ietf.org/doc/html/rfc5155#section-10.3
16  * but there is discussion about officially lowering the limits:
17    https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3
18  */
19 #define KR_NSEC3_MAX_ITERATIONS 150
20 
21 /**
22  * Name error response check (RFC5155 7.2.2).
23  * @note No RRSIGs are validated.
24  * @param pkt        Packet structure to be processed.
25  * @param section_id Packet section to be processed.
26  * @param sname      Name to be checked.
27  * @return           0 or error code.
28  */
29 int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
30                                        const knot_dname_t *sname);
31 
32 /**
33  * Wildcard answer response check (RFC5155 7.2.6).
34  * @param pkt          Packet structure to be processed.
35  * @param section_id   Packet section to be processed.
36  * @param sname        Name to be checked.
37  * @param trim_to_next Number of labels to remove to obtain next closer name.
38  * @return             0 or error code:
39  *                     KNOT_ERANGE - NSEC3 RR that covers a wildcard
40  *                     has been found, but has opt-out flag set;
41  *                     otherwise - error.
42  * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
43  */
44 int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
45                                             const knot_dname_t *sname, int trim_to_next);
46 
47 /**
48  * Authenticated denial of existence according to RFC5155 8.5 and 8.7.
49  * @note No RRSIGs are validated.
50  * @param pkt        Packet structure to be processed.
51  * @param section_id Packet section to be processed.
52  * @param sname      Queried domain name.
53  * @param stype      Queried type.
54  * @return           0 or error code:
55  *                   DNSSEC_NOT_FOUND - neither ds nor nsec records
56  *                   were not found.
57  *                   KNOT_ERANGE - denial of existence can't be proven
58  *                   due to opt-out, otherwise - bogus.
59  */
60 int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
61                      const knot_dname_t *sname, uint16_t stype);
62 
63 /**
64  * Referral to unsigned subzone check (RFC5155 8.9).
65  * @note 	     No RRSIGs are validated.
66  * @param pkt        Packet structure to be processed.
67  * @return           0 or error code:
68  *                   KNOT_ERANGE - denial of existence can't be proven
69  *                   due to opt-out.
70  *                   EEXIST - ds record was found.
71  *                   EINVAL - bogus.
72  */
73 int kr_nsec3_ref_to_unsigned(const knot_pkt_t *pkt);
74 
75 /**
76  * Checks whether supplied NSEC3 RR matches the supplied name and NS type.
77  * @param nsec3 NSEC3 RR.
78  * @param name  Name to be checked.
79  * @param type  Type to be checked.  Only use with NS!  TODO
80  * @return      0 or error code.
81  */
82 int kr_nsec3_matches_name_and_type(const knot_rrset_t *nsec3,
83 				   const knot_dname_t *name, uint16_t type);
84