1 /*	$NetBSD: nsec3.h,v 1.6 2014/12/10 04:37:58 christos Exp $	*/
2 
3 /*
4  * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
5  *
6  * Permission to use, copy, modify, and/or distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16  * PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 /* Id: nsec3.h,v 1.14 2011/10/28 12:20:31 tbox Exp  */
20 
21 #ifndef DNS_NSEC3_H
22 #define DNS_NSEC3_H 1
23 
24 #include <isc/lang.h>
25 #include <isc/iterated_hash.h>
26 
27 #include <dns/db.h>
28 #include <dns/diff.h>
29 #include <dns/name.h>
30 #include <dns/rdatastruct.h>
31 #include <dns/types.h>
32 
33 #define DNS_NSEC3_SALTSIZE 255
34 
35 /*
36  * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
37  * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
38  */
39 #define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
40 /*
41  * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
42  */
43 #define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
44 
45 /*
46  * Test-only "unknown" algorithm value; it is mapped to dns_hash_sha1.
47  */
48 #define DNS_NSEC3_UNKNOWNALG ((dns_hash_t)245U)
49 
50 ISC_LANG_BEGINDECLS
51 
52 isc_result_t
53 dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
54 		     dns_dbnode_t *node, unsigned int hashalg,
55 		     unsigned int optin, unsigned int iterations,
56 		     const unsigned char *salt, size_t salt_length,
57 		     const unsigned char *nexthash, size_t hash_length,
58 		     unsigned char *buffer, dns_rdata_t *rdata);
59 /*%<
60  * Build the rdata of a NSEC3 record for the data at 'node'.
61  * Note: 'node' is not the node where the NSEC3 record will be stored.
62  *
63  * Requires:
64  *	buffer	Points to a temporary buffer of at least
65  * 		DNS_NSEC3_BUFFERSIZE bytes.
66  *	rdata	Points to an initialized dns_rdata_t.
67  *
68  * Ensures:
69  *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
70  *		to 'buffer'.
71  */
72 
73 isc_boolean_t
74 dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
75 /*%<
76  * Determine if a type is marked as present in an NSEC3 record.
77  *
78  * Requires:
79  *	'nsec' points to a valid rdata of type NSEC3
80  */
81 
82 isc_result_t
83 dns_nsec3_hashname(dns_fixedname_t *result,
84 		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
85 		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
86 		   dns_hash_t hashalg, unsigned int iterations,
87 		   const unsigned char *salt, size_t saltlength);
88 /*%<
89  * Make a hashed domain name from an unhashed one.  If 'rethash' is not
90  * NULL the raw hash is stored there.
91  */
92 
93 unsigned int
94 dns_nsec3_hashlength(dns_hash_t hash);
95 /*%<
96  * Return the length of the hash produced by the specified algorithm
97  * or zero when unknown.
98  */
99 
100 isc_boolean_t
101 dns_nsec3_supportedhash(dns_hash_t hash);
102 /*%<
103  * Return whether we support this hash algorithm or not.
104  */
105 
106 isc_result_t
107 dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
108 		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
109 		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
110 
111 isc_result_t
112 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
113 		    dns_name_t *name, dns_ttl_t nsecttl,
114 		    isc_boolean_t unsecure, dns_diff_t *diff);
115 
116 isc_result_t
117 dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
118 		     dns_name_t *name, dns_ttl_t nsecttl,
119 		     isc_boolean_t unsecure, dns_rdatatype_t private,
120 		     dns_diff_t *diff);
121 /*%<
122  * Add NSEC3 records for 'name', recording the change in 'diff'.
123  * Adjust previous NSEC3 records, if any, to reflect the addition.
124  * The existing NSEC3 records are removed.
125  *
126  * dns_nsec3_addnsec3() will only add records to the chain identified by
127  * 'nsec3param'.
128  *
129  * 'unsecure' should be set to reflect if this is a potentially
130  * unsecure delegation (no DS record).
131  *
132  * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
133  * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
134  * will be preferentially chosen over NSEC3PARAM records without
135  * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
136  * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
137  * is set then the new NSEC3 will have OPTOUT set to match that in the
138  * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
139  * record in the chain.
140  *
141  * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
142  * specifies the type of the private rdataset to be checked in addition to
143  * the nsec3param rdataset at the zone apex.
144  *
145  * Requires:
146  *	'db' to be valid.
147  *	'version' to be valid or NULL.
148  *	'name' to be valid.
149  *	'nsec3param' to be valid (dns_nsec3_addnsec3() only).
150  *	'diff' to be valid.
151  */
152 
153 isc_result_t
154 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
155 		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
156 
157 isc_result_t
158 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
159 		    dns_diff_t *diff);
160 
161 isc_result_t
162 dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
163 		     dns_rdatatype_t private, dns_diff_t *diff);
164 /*%<
165  * Remove NSEC3 records for 'name', recording the change in 'diff'.
166  * Adjust previous NSEC3 records, if any, to reflect the removal.
167  *
168  * dns_nsec3_delnsec3() performs the above for the chain identified by
169  * 'nsec3param'.
170  *
171  * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
172  * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
173  * records have the OPTOUT flag preserved.
174  *
175  * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
176  * specifies the type of the private rdataset to be checked in addition to
177  * the nsec3param rdataset at the zone apex.
178  *
179  * Requires:
180  *	'db' to be valid.
181  *	'version' to be valid or NULL.
182  *	'name' to be valid.
183  *	'nsec3param' to be valid (dns_nsec3_delnsec3() only).
184  *	'diff' to be valid.
185  */
186 
187 isc_result_t
188 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
189 		 isc_boolean_t complete, isc_boolean_t *answer);
190 
191 isc_result_t
192 dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
193 		  isc_boolean_t complete, dns_rdatatype_t private,
194 		  isc_boolean_t *answer);
195 /*%<
196  * Check if there are any complete/to be built NSEC3 chains.
197  * If 'complete' is ISC_TRUE, only complete chains are recognized.
198  *
199  * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
200  * specifies the type of the private rdataset to be checked in addition to
201  * the nsec3param rdataset at the zone apex.
202  *
203  * Requires:
204  *	'db' to be valid.
205  *	'version' to be valid or NULL.
206  *	'answer' to be non NULL.
207  */
208 
209 isc_result_t
210 dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
211 			isc_mem_t *mctx, unsigned int *iterationsp);
212 /*%<
213  * Find the maximum permissible number of NSEC3 iterations, based on
214  * the key strength.
215  *
216  * Requires:
217  *	'db' to be valid.
218  *	'version' to be valid or NULL.
219  *	'mctx' to be valid.
220  *	'iterationsp' to be non NULL.
221  */
222 
223 isc_boolean_t
224 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
225 			   unsigned char *buf, size_t buflen);
226 /*%<
227  * Convert a private rdata to a nsec3param rdata.
228  *
229  * Return ISC_TRUE if 'src' could be successfully converted.
230  *
231  * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
232  */
233 
234 void
235 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
236 			 dns_rdatatype_t privatetype,
237 			 unsigned char *buf, size_t buflen);
238 /*%<
239  * Convert a nsec3param rdata to a private rdata.
240  *
241  * 'buf' should be at least src->length + 1 in size.
242  */
243 
244 isc_result_t
245 dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
246 			    dns_zone_t *zone, isc_boolean_t nonsec,
247 			    dns_diff_t *diff);
248 
249 /*%<
250  * Mark the NSEC3PARAM records for deletion, recording the change in 'diff'.
251  */
252 
253 isc_result_t
254 dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
255 			dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
256 			dns_name_t *zonename, isc_boolean_t *exists,
257 			isc_boolean_t *data, isc_boolean_t *optout,
258 			isc_boolean_t *unknown, isc_boolean_t *setclosest,
259 			isc_boolean_t *setnearest, dns_name_t *closest,
260 			dns_name_t *nearest, dns_nseclog_t logit, void *arg);
261 
262 ISC_LANG_ENDDECLS
263 
264 #endif /* DNS_NSEC3_H */