1 /*------------------------------------------------------------------------------
2  *
3  * Copyright (c) 2011-2021, EURid vzw. All rights reserved.
4  * The YADIFA TM software product is provided under the BSD 3-clause license:
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  *        * Redistributions of source code must retain the above copyright
11  *          notice, this list of conditions and the following disclaimer.
12  *        * Redistributions in binary form must reproduce the above copyright
13  *          notice, this list of conditions and the following disclaimer in the
14  *          documentation and/or other materials provided with the distribution.
15  *        * Neither the name of EURid nor the names of its contributors may be
16  *          used to endorse or promote products derived from this software
17  *          without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
23  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  *------------------------------------------------------------------------------
32  *
33  */
34 
35 /** @defgroup zone Functions used to manipulate a zone
36  *  @ingroup dnsdb
37  *  @brief Functions used to manipulate a zone
38  *
39  *  Functions used to manipulate a zone
40  *
41  * @{
42  */
43 
44 #ifndef _ZDB_SANITIZE_H
45 #define	_ZDB_SANITIZE_H
46 
47 #include <dnsdb/zdb_zone.h>
48 
49 #ifdef	__cplusplus
50 extern "C"
51 {
52 #endif
53 
/*
 * Sanity-check findings.
 *
 * SANITY_ERROR_BASE is presumably the base of the ya_result error codes
 * returned by the zdb_sanitize_* functions declared below (confirm against
 * the implementation). Every SANITY_* value that follows is a distinct bit
 * (powers of two from 1 to 32768), so they can presumably be OR-ed together
 * to report several findings at once. Values whose meaning is not given
 * here are marked "presumably" and should be checked against the code that
 * sets them.
 */
#define SANITY_ERROR_BASE                          0x800b0000

#define SANITY_UNEXPECTEDSOA           1    // multiple SOA at the apex, or SOA(s) outside of the apex
#define SANITY_MUSTDROPZONE            2    // presumably: the zone cannot be kept as loaded (fatal finding) — confirm
#define SANITY_CNAMENOTALONE           4    // other records found next to a CNAME (only NSEC & RRSIG are accepted alongside it); a CNAME is in any case forbidden at the apex
#define SANITY_UNEXPECTEDCNAME         8    // CNAME at the apex
#define SANITY_EXPECTEDNS             16    // no NS at the apex, or DS found without NS
#define SANITY_UNEXPECTEDDS           32    // DS found at the apex
#define SANITY_TRASHATDELEGATION      64    // presumably: records that do not belong at a delegation point — confirm
#define SANITY_TRASHUNDERDELEGATION  128    // presumably: records that do not belong below a delegation point — confirm
#define SANITY_RRSIGTTLDOESNTMATCH   256    // RRSIG original TTL does not match the TTL of the covered RRSET
#define SANITY_RRSIGWITHOUTKEYS      512    // presumably: RRSIG present but no DNSKEY is available to validate it — confirm
#define SANITY_RRSIGWITHOUTSET      1024    // RRSIG covers a record set that's not present in the label
#define SANITY_RRSIGOVERRRSIG       2048    // RRSIG covers the RRSIG record set (nonsense)
#define SANITY_RRSIGUNDERDELETATION 4096    // RRSIG under a delegation (the misspelling of "delegation" is part of the public identifier and is kept)
#define SANITY_RRSIGBYKSKOVERNONKEY 8192    // RRSIG by a KSK over a type that's not a DNSKEY
#define SANITY_RRSIGBYKSKNOTINAPEX 16384    // RRSIG by a KSK should only appear at the apex (and over a DNSKEY)
#define SANITY_LABEL_DELETED       32768    // presumably: the label was removed during sanitization — confirm
72 
73 struct zdb_zone_load_parms;
74 
/**
 * State carried through a zone sanitization run.
 *
 * NOTE(review): field meanings below are inferred from names and types
 * only; confirm them against the implementation before relying on them.
 * Released with zdb_sanitize_parms_finalize() (declared below).
 */
struct zdb_sanitize_parms
{
    zdb_zone *zone;                          // zone under sanitization
#if ZDB_HAS_DNSSEC_SUPPORT
    u32_set dnskey_set;                      // presumably the set of DNSKEY key tags known for the zone — confirm
#endif
    struct zdb_zone_load_parms *load_parms;  // load parameters, see zdb_sanitize_zone_ex() and zdb_sanitize_is_good(); whether NULL is allowed is not visible here — confirm
    u64 types_mask;                          // presumably a bit mask of record types encountered — confirm
    u32 domains;                             // presumably a count of labels visited — confirm
#if ZDB_HAS_DNSSEC_SUPPORT
    // RRSIG bookkeeping kept per DNSSEC mode; "nsec3in"/"nsec3out" presumably
    // stand for NSEC3 opt-in / opt-out — confirm.
    u32 nsec_extraneous_rrsig;               // RRSIGs found where none is expected
    u32 nsec3in_extraneous_rrsig;
    u32 nsec3out_extraneous_rrsig;

    u32 nsec_missing_rrsig;                  // RRSIGs expected but not found
    u32 nsec3in_missing_rrsig;
    u32 nsec3out_missing_rrsig;

    bool has_bogus_rrsig;                    // presumably set when at least one RRSIG was found to be invalid — confirm
#endif
};
96 
97 typedef struct zdb_sanitize_parms zdb_sanitize_parms;
98 
/**
 * Sanity checks on the record sets of one label.
 * The exact checks are not described in this header; see the implementation.
 *
 * @param zone  the zone the label belongs to
 * @param label the label whose record sets are checked
 * @return ya_result status (error values are presumably built on SANITY_ERROR_BASE — confirm)
 */
ya_result zdb_sanitize_rr_set(zdb_zone *zone, zdb_rr_label *label);

/**
 * Sanity checks on one label of a zone.
 *
 * @param zone  the zone the label belongs to
 * @param label the label to check
 * @param name  the name of the label as a dnsname_stack
 * @return ya_result status
 */
ya_result zdb_sanitize_rr_label(zdb_zone *zone, zdb_rr_label *label, dnsname_stack *name);

/**
 * Same parameters as zdb_sanitize_rr_label(); judging by the name, the
 * parent label is also taken into account (e.g. for checks relative to a
 * delegation) — confirm against the implementation.
 *
 * @param zone  the zone the label belongs to
 * @param label the label to check
 * @param name  the name of the label as a dnsname_stack
 * @return ya_result status
 */
ya_result zdb_sanitize_rr_label_with_parent(zdb_zone *zone, zdb_rr_label *label, dnsname_stack *name);

/**
 * Sanity checks on a whole zone, with load parameters.
 *
 * @param zone       the zone to check
 * @param load_parms load parameters the run is presumably reported into; whether NULL is accepted is not visible here — confirm
 * @return ya_result status
 */
ya_result  zdb_sanitize_zone_ex(zdb_zone *zone, struct zdb_zone_load_parms *load_parms);

/**
 * Sanity checks on a whole zone (presumably zdb_sanitize_zone_ex() without
 * load parameters — confirm).
 *
 * @param zone the zone to check
 * @return ya_result status
 */
ya_result zdb_sanitize_zone(zdb_zone *zone);

/**
 * Releases what a zdb_sanitize_parms holds (presumably dnskey_set when
 * DNSSEC support is compiled in — confirm). Whether parms itself is freed
 * is not visible from this header — confirm.
 *
 * @param parms the sanitization state to finalize
 */
void  zdb_sanitize_parms_finalize(zdb_sanitize_parms *parms);

/**
 * Tells whether the sanity findings held by load_parms are acceptable for
 * the given DNSSEC mode (inferred from the name — confirm).
 *
 * @param load_parms  load parameters holding the sanity results
 * @param dnssec_mode one of ZDB_ZONE_NOSEC, ZDB_ZONE_NSEC, ZDB_ZONE_NSEC3, ZDB_ZONE_NSEC3_OPTOUT
 * @return true if the zone is considered good
 */
bool zdb_sanitize_is_good(struct zdb_zone_load_parms *load_parms, u8 dnssec_mode);

/**
 * Presumably (re)computes the record-set related flags of the zone's
 * labels — confirm against the implementation.
 *
 * @param zone the zone to process
 * @return ya_result status
 */
ya_result zdb_sanitize_zone_rrset_flags(zdb_zone *zone);
119 
120 #ifdef	__cplusplus
121 }
122 #endif
123 
#endif	/* _ZDB_SANITIZE_H */
125 
126 /** @} */
127