/* $NetBSD: nsec3_50.h,v 1.5 2014/12/10 04:37:59 christos Exp $ */

/*
 * Copyright (C) 2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */


#ifndef GENERIC_NSEC3_50_H
#define GENERIC_NSEC3_50_H 1

/* Id */

/*!
 * \brief Per RFC 5155
 *
 * In-memory (parsed) form of an NSEC3 (type 50) RDATA, the hashed
 * authenticated denial-of-existence record.  The fields appear in the
 * same order as the RFC 5155 wire format.  The flag bits that may
 * legitimately appear on the wire are listed first; the remaining
 * DNS_NSEC3FLAG_* values are private-type-only and are documented below.
 */

#include <isc/iterated_hash.h>

typedef struct dns_rdata_nsec3 {
	dns_rdatacommon_t	common;		/* common RDATA header shared by all rdata structs */
	isc_mem_t		*mctx;		/* memory context; presumably owns salt/next/typebits — verify against the tostruct/freestruct code */
	dns_hash_t		hash;		/* hash algorithm identifier (RFC 5155 section 3.1.1) */
	unsigned char		flags;		/* DNS_NSEC3FLAG_* bits; only OPTOUT (0x01) is wire-legal */
	dns_iterations_t	iterations;	/* additional hash iterations; NOTE(review): large values make hashing costly for servers and validators, current guidance (RFC 9276) recommends 0 — confirm callers bound this */
	unsigned char		salt_length;	/* one-octet length field, so a salt is at most 255 bytes */
	unsigned char		next_length;	/* one-octet length field, so next is at most 255 bytes */
	isc_uint16_t		len;		/* presumably the byte length of typebits — verify against caller */
	unsigned char		*salt;		/* salt_length bytes, or NULL when salt_length == 0 — TODO confirm NULL convention */
	unsigned char		*next;		/* next hashed owner name, next_length bytes */
	unsigned char		*typebits;	/* type bit map (RFC 5155 section 3.2.1), len bytes */
} dns_rdata_nsec3_t;

/*
 * The corresponding NSEC3 interval is OPTOUT indicating possible
 * insecure delegations.
 *
 * This is the only flag defined by RFC 5155 and therefore the only one
 * that may appear on the wire; all other bits of the flags field are
 * reserved there and must be ignored by compliant nameservers.
 */
#define DNS_NSEC3FLAG_OPTOUT 0x01U

/*%
 * The following flags are used in the private-type record (implemented in
 * lib/dns/private.c) which is used to store NSEC3PARAM data during the
 * time when it is not legal to have an actual NSEC3PARAM record in the
 * zone.  They are defined here because the private-type record uses the
 * same flags field for the OPTOUT flag above and for the private flags
 * below.  XXX: This should be considered for refactoring.
 *
 * Note that the private flags all live in the high nibble (0x80, 0x40,
 * 0x20, 0x10) so they cannot collide with DNS_NSEC3FLAG_OPTOUT (0x01).
 */

/*%
 * Non-standard, private type only.
 *
 * Create a corresponding NSEC3 chain.
 * Once the NSEC3 chain is complete this flag will be removed to signal
 * that there is a complete chain.
 *
 * This flag is automatically set when a NSEC3PARAM record is added to
 * the zone via UPDATE.
 *
 * NSEC3PARAM records containing this flag should never be published,
 * but if they are, they should be ignored by RFC 5155 compliant
 * nameservers.
 */
#define DNS_NSEC3FLAG_CREATE 0x80U

/*%
 * Non-standard, private type only.
 *
 * The corresponding NSEC3 set is to be removed once the NSEC chain
 * has been generated.
 *
 * This flag is automatically set when the last active NSEC3PARAM record
 * is removed from the zone via UPDATE.
 *
 * NSEC3PARAM records containing this flag should never be published,
 * but if they are, they should be ignored by RFC 5155 compliant
 * nameservers.
 */
#define DNS_NSEC3FLAG_REMOVE 0x40U

/*%
 * Non-standard, private type only.
 *
 * When set with the CREATE flag, a corresponding NSEC3 chain will be
 * created when the zone becomes capable of supporting one (i.e., when it
 * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
 * Without this flag, NSEC3 chain creation would be attempted immediately,
 * fail, and the private type record would be removed.  With it, the NSEC3
 * parameters are stored until they can be used.  When the zone has the
 * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
 * and the record will be cleaned up normally.
 *
 * NSEC3PARAM records containing this flag should never be published, but
 * if they are, they should be ignored by RFC 5155 compliant nameservers.
 */
#define DNS_NSEC3FLAG_INITIAL 0x20U

/*%
 * Non-standard, private type only.
 *
 * Prevent the creation of a NSEC chain before the last NSEC3 chain
 * is removed.  This will normally only be set when the zone is
 * transitioning from secure with NSEC3 chains to insecure.
 *
 * NSEC3PARAM records containing this flag should never be published,
 * but if they are, they should be ignored by RFC 5155 compliant
 * nameservers.
 */
#define DNS_NSEC3FLAG_NONSEC 0x10U

#endif /* GENERIC_NSEC3_50_H */