1 /* $NetBSD: nsec3.h,v 1.6 2014/12/10 04:37:58 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2008-2013 Internet Systems Consortium, Inc. ("ISC") 5 * 6 * Permission to use, copy, modify, and/or distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 11 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 12 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 13 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 14 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 15 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 16 * PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 /* Id: nsec3.h,v 1.14 2011/10/28 12:20:31 tbox Exp */ 20 21 #ifndef DNS_NSEC3_H 22 #define DNS_NSEC3_H 1 23 24 #include <isc/lang.h> 25 #include <isc/iterated_hash.h> 26 27 #include <dns/db.h> 28 #include <dns/diff.h> 29 #include <dns/name.h> 30 #include <dns/rdatastruct.h> 31 #include <dns/types.h> 32 33 #define DNS_NSEC3_SALTSIZE 255 34 35 /* 36 * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max) 37 * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max) 38 */ 39 #define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512) 40 /* 41 * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max) 42 */ 43 #define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255) 44 45 /* 46 * Test "unknown" algorithm. Is mapped to dns_hash_sha1. 
47 */ 48 #define DNS_NSEC3_UNKNOWNALG ((dns_hash_t)245U) 49 50 ISC_LANG_BEGINDECLS 51 52 isc_result_t 53 dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, 54 dns_dbnode_t *node, unsigned int hashalg, 55 unsigned int optin, unsigned int iterations, 56 const unsigned char *salt, size_t salt_length, 57 const unsigned char *nexthash, size_t hash_length, 58 unsigned char *buffer, dns_rdata_t *rdata); 59 /*%< 60 * Build the rdata of a NSEC3 record for the data at 'node'. 61 * Note: 'node' is not the node where the NSEC3 record will be stored. 62 * 63 * Requires: 64 * buffer Points to a temporary buffer of at least 65 * DNS_NSEC3_BUFFERSIZE bytes. 66 * rdata Points to an initialized dns_rdata_t. 67 * 68 * Ensures: 69 * *rdata Contains a valid NSEC3 rdata. The 'data' member refers 70 * to 'buffer'. 71 */ 72 73 isc_boolean_t 74 dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type); 75 /*%< 76 * Determine if a type is marked as present in an NSEC3 record. 77 * 78 * Requires: 79 * 'nsec' points to a valid rdataset of type NSEC3 80 */ 81 82 isc_result_t 83 dns_nsec3_hashname(dns_fixedname_t *result, 84 unsigned char rethash[NSEC3_MAX_HASH_LENGTH], 85 size_t *hash_length, dns_name_t *name, dns_name_t *origin, 86 dns_hash_t hashalg, unsigned int iterations, 87 const unsigned char *salt, size_t saltlength); 88 /*%< 89 * Make a hashed domain name from an unhashed one. If rethash is not NULL, 90 * the raw hash is stored there. 91 */ 92 93 unsigned int 94 dns_nsec3_hashlength(dns_hash_t hash); 95 /*%< 96 * Return the length of the hash produced by the specified algorithm, 97 * or zero when the algorithm is unknown. 98 */ 99 100 isc_boolean_t 101 dns_nsec3_supportedhash(dns_hash_t hash); 102 /*%< 103 * Return whether we support this hash algorithm or not. 
104 */ 105 106 isc_result_t 107 dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, 108 dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, 109 dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff); 110 111 isc_result_t 112 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version, 113 dns_name_t *name, dns_ttl_t nsecttl, 114 isc_boolean_t unsecure, dns_diff_t *diff); 115 116 isc_result_t 117 dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version, 118 dns_name_t *name, dns_ttl_t nsecttl, 119 isc_boolean_t unsecure, dns_rdatatype_t private, 120 dns_diff_t *diff); 121 /*%< 122 * Add NSEC3 records for 'name', recording the change in 'diff'. 123 * Adjust previous NSEC3 records, if any, to reflect the addition. 124 * The existing NSEC3 records are removed. 125 * 126 * dns_nsec3_addnsec3() will only add records to the chain identified by 127 * 'nsec3param'. 128 * 129 * 'unsecure' should be set to reflect whether this is a potentially 130 * unsecure delegation (no DS record). 131 * 132 * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which 133 * chains are to be updated. NSEC3PARAM records with DNS_NSEC3FLAG_CREATE set 134 * will be preferentially chosen over NSEC3PARAM records without 135 * DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE 136 * set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE 137 * is set then the new NSEC3 will have OPTOUT set to match that in the 138 * NSEC3PARAM record; otherwise OPTOUT will be inherited from the previous 139 * record in the chain. 140 * 141 * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private' 142 * specifies the type of the private rdataset to be checked in addition to 143 * the nsec3param rdataset at the zone apex. 144 * 145 * Requires: 146 * 'db' to be valid. 147 * 'version' to be valid or NULL. 148 * 'name' to be valid. 149 * 'nsec3param' to be valid. 150 * 'diff' to be valid. 
151 */ 152 153 isc_result_t 154 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 155 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff); 156 157 isc_result_t 158 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 159 dns_diff_t *diff); 160 161 isc_result_t 162 dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 163 dns_rdatatype_t private, dns_diff_t *diff); 164 /*%< 165 * Remove NSEC3 records for 'name', recording the change in 'diff'. 166 * Adjust previous NSEC3 records, if any, to reflect the removal. 167 * 168 * dns_nsec3_delnsec3() performs the above for the chain identified by 169 * 'nsec3param'. 170 * 171 * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner 172 * to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s(), updated NSEC3 173 * records have the OPTOUT flag preserved. 174 * 175 * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private' 176 * specifies the type of the private rdataset to be checked in addition to 177 * the nsec3param rdataset at the zone apex. 178 * 179 * Requires: 180 * 'db' to be valid. 181 * 'version' to be valid or NULL. 182 * 'name' to be valid. 183 * 'nsec3param' to be valid. 184 * 'diff' to be valid. 185 */ 186 187 isc_result_t 188 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, 189 isc_boolean_t complete, isc_boolean_t *answer); 190 191 isc_result_t 192 dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, 193 isc_boolean_t complete, dns_rdatatype_t private, 194 isc_boolean_t *answer); 195 /*%< 196 * Check whether there are any complete or to-be-built NSEC3 chains. 197 * If 'complete' is ISC_TRUE, only complete chains will be recognized. 198 * 199 * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private' 200 * specifies the type of the private rdataset to be checked in addition to 201 * the nsec3param rdataset at the zone apex. 202 * 203 * Requires: 204 * 'db' to be valid. 
205 * 'version' to be valid or NULL. 206 * 'answer' to be non NULL. 207 */ 208 209 isc_result_t 210 dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, 211 isc_mem_t *mctx, unsigned int *iterationsp); 212 /*%< 213 * Find the maximum permissible number of iterations allowed based on 214 * the key strength. 215 * 216 * Requires: 217 * 'db' to be valid. 218 * 'version' to be valid or NULL. 219 * 'mctx' to be valid. 220 * 'iterationsp' to be non NULL. 221 */ 222 223 isc_boolean_t 224 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target, 225 unsigned char *buf, size_t buflen); 226 /*%< 227 * Convert a private rdata to a nsec3param rdata. 228 * 229 * Return ISC_TRUE if 'src' could be successfully converted. 230 * 231 * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size. 232 */ 233 234 void 235 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target, 236 dns_rdatatype_t privatetype, 237 unsigned char *buf, size_t buflen); 238 /*%< 239 * Convert a nsec3param rdata to a private rdata. 240 * 241 * 'buf' should be at least src->length + 1 in size. 242 */ 243 244 isc_result_t 245 dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver, 246 dns_zone_t *zone, isc_boolean_t nonsec, 247 dns_diff_t *diff); 248 249 /*%< 250 * Mark NSEC3PARAM for deletion. 251 */ 252 253 isc_result_t 254 dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, 255 dns_name_t *nsec3name, dns_rdataset_t *nsec3set, 256 dns_name_t *zonename, isc_boolean_t *exists, 257 isc_boolean_t *data, isc_boolean_t *optout, 258 isc_boolean_t *unknown, isc_boolean_t *setclosest, 259 isc_boolean_t *setnearest, dns_name_t *closest, 260 dns_name_t *nearest, dns_nseclog_t logit, void *arg); 261 262 ISC_LANG_ENDDECLS 263 264 #endif /* DNS_NSEC3_H */ 265