/*  Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

/*!
 * Zone signing interface: DNSKEY/CDNSKEY/CDS maintenance, RRSIG generation
 * and validation, and NSEC/NSEC3 signing driven by a zone update.
 */

#pragma once

#include "knot/updates/changesets.h"
#include "knot/updates/zone-update.h"
#include "knot/zone/contents.h"
#include "knot/dnssec/context.h"
#include "knot/dnssec/zone-keys.h"

/*!
 * \brief Add the record of a zone key to the given RRSet.
 *
 * NOTE(review): the exact RDATA produced (presumably the key's DNSKEY record)
 * is defined by the implementation, not this header — confirm there.
 *
 * \param rrset     RRSet to be extended.
 * \param zone_key  Zone key whose record is added.
 *
 * \return KNOT_E*
 */
int rrset_add_zone_key(knot_rrset_t *rrset, zone_key_t *zone_key);

/*!
 * \brief Check whether an RRSIG RRSet covers the given RR type.
 *
 * \param rrsig  RRSIG RRSet to be inspected.
 * \param type   RR type to look for in the "type covered" field.
 *
 * \return True if the RRSIG covers the type, false otherwise.
 */
bool rrsig_covers_type(const knot_rrset_t *rrsig, uint16_t type);

/*!
 * \brief Prepare the DNSKEY, CDNSKEY and CDS RRSets to be added to the zone.
 *
 * \param zone_keys   Zone keyset.
 * \param dnssec_ctx  KASP context.
 * \param add_r       RRSets to be added.
 *
 * \return KNOT_E*
 */
int knot_zone_sign_add_dnskeys(zone_keyset_t *zone_keys, const kdnssec_ctx_t *dnssec_ctx,
                               key_records_t *add_r);

/*!
 * \brief Add/remove DNSKEY (and CDNSKEY, CDS) records in the zone according to the zone keyset.
 *
 * \param update       Structure holding zone contents, to be updated with the changes.
 * \param zone_keys    Keyset with private keys.
 * \param dnssec_ctx   KASP context.
 * \param next_resign  Output; presumably set to the time of the next scheduled
 *                     re-sign of the key records — TODO confirm against the implementation.
 *
 * \return KNOT_E*
 */
int knot_zone_sign_update_dnskeys(zone_update_t *update,
                                  zone_keyset_t *zone_keys,
                                  kdnssec_ctx_t *dnssec_ctx,
                                  knot_time_t *next_resign);

/*!
 * \brief Check if a key can be used to sign the given RR.
 *
 * \param key      Zone key.
 * \param covered  RR to be checked.
 *
 * \return True if the RR should be signed with this key.
 */
bool knot_zone_sign_use_key(const zone_key_t *key, const knot_rrset_t *covered);

/*!
 * \brief Return the keys for which CDNSKEY/CDS records shall be created.
 *
 * \param ctx        DNSSEC context.
 * \param zone_keys  Zone keyset, including ZSKs.
 *
 * \return Dynarray containing pointers to some KSKs in the keyset.
 */
keyptr_dynarray_t knot_zone_sign_get_cdnskeys(const kdnssec_ctx_t *ctx,
                                              zone_keyset_t *zone_keys);

/*!
 * \brief Check that at least one valid signature by at least one DNSKEY exists
 *        and that no invalid signature exists.
 *
 * \param covered      RRSet being validated.
 * \param rrsigs       RRSIG RRSet with the signatures.
 * \param sign_ctx     Signing context (with keys == NULL).
 * \param skip_crypto  If true, the cryptographic verification may be skipped
 *                     because it succeeded earlier. NOTE(review): the caller is
 *                     responsible for ensuring that the earlier verification
 *                     covered exactly this RRSet/RRSIG content; passing true
 *                     otherwise bypasses signature validation.
 *
 * \return KNOT_E*
 */
int knot_validate_rrsigs(const knot_rrset_t *covered,
                         const knot_rrset_t *rrsigs,
                         zone_sign_ctx_t *sign_ctx,
                         bool skip_crypto);

/*!
 * \brief Update zone signatures and store the performed changes in the update.
 *
 * Updates RRSIGs, NSEC(3)s, and DNSKEYs.
 *
 * \param update      Zone update containing the zone, to be updated with new DNSKEYs and RRSIGs.
 * \param zone_keys   Zone keys.
 * \param dnssec_ctx  DNSSEC context.
 * \param expire_at   Output; time when the oldest signature in the zone expires.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign(zone_update_t *update,
                   zone_keyset_t *zone_keys,
                   const kdnssec_ctx_t *dnssec_ctx,
                   knot_time_t *expire_at);

/*!
 * \brief Check if the zone SOA signatures are expired.
 *
 * \param zone        Zone to be checked.
 * \param zone_keys   Zone keys.
 * \param dnssec_ctx  DNSSEC context.
 *
 * \return True if the zone SOA signatures need an update, false otherwise.
 */
bool knot_zone_sign_soa_expired(const zone_contents_t *zone,
                                const zone_keyset_t *zone_keys,
                                const kdnssec_ctx_t *dnssec_ctx);

/*!
 * \brief Sign the NSEC/NSEC3 nodes in the update and store the RRSIGs in the update.
 *
 * \param zone_keys   Zone keys.
 * \param dnssec_ctx  DNSSEC context.
 * \param update      Zone update to be signed and extended.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
                                      const kdnssec_ctx_t *dnssec_ctx,
                                      zone_update_t *update);

/*!
 * \brief Check whether an RRSet in a node has to be signed.
 *
 * Will not return true for all types that should be signed; do not use this
 * as a universal predicate, it is implementation specific.
 *
 * \param node   Node containing the RRSet.
 * \param rrset  RRSet being checked.
 *
 * \retval true if the RRSet should be signed.
 */
bool knot_zone_sign_rr_should_be_signed(const zone_node_t *node,
                                        const knot_rrset_t *rrset);

/*!
 * \brief Sign the changes of the zone update, storing the new RRSIGs in the same update.
 *
 * \param update      Zone update structure.
 * \param zone_keys   Zone keys.
 * \param dnssec_ctx  DNSSEC context.
 * \param expire_at   Output; time when the oldest signature in the update expires.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign_update(zone_update_t *update,
                          zone_keyset_t *zone_keys,
                          const kdnssec_ctx_t *dnssec_ctx,
                          knot_time_t *expire_at);

/*!
 * \brief Force a re-sign of an RRSet in the zone apex.
 *
 * \param update      Zone update to be updated.
 * \param rrtype      Type of the apex RR.
 * \param zone_keys   Zone keyset.
 * \param dnssec_ctx  DNSSEC context.
 *
 * \return KNOT_E*
 */
int knot_zone_sign_apex_rr(zone_update_t *update, uint16_t rrtype,
                           const zone_keyset_t *zone_keys,
                           const kdnssec_ctx_t *dnssec_ctx);