PageRenderTime 13ms CodeModel.GetById 1ms app.highlight 8ms RepoModel.GetById 1ms app.codeStats 0ms

/contrib/bind9/lib/dns/include/dns/validator.h

https://bitbucket.org/freebsd/freebsd-head/
C++ Header | 257 lines | 85 code | 18 blank | 154 comment | 0 complexity | e118158aaef82b36ddc7e84f1ed501df MD5 | raw file
  1/*
  2 * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  3 * Copyright (C) 2000-2003  Internet Software Consortium.
  4 *
  5 * Permission to use, copy, modify, and/or distribute this software for any
  6 * purpose with or without fee is hereby granted, provided that the above
  7 * copyright notice and this permission notice appear in all copies.
  8 *
  9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 11 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 15 * PERFORMANCE OF THIS SOFTWARE.
 16 */
 17
 18/* $Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp $ */
 19
 20#ifndef DNS_VALIDATOR_H
 21#define DNS_VALIDATOR_H 1
 22
 23/*****
 24 ***** Module Info
 25 *****/
 26
 27/*! \file dns/validator.h
 28 *
 29 * \brief
 30 * DNS Validator
 31 * This is the BIND 9 validator, the module responsible for validating the
 32 * rdatasets and negative responses (messages).  It makes use of zones in
 33 * the view and may fetch RRset to complete trust chains.  It implements
 34 * DNSSEC as specified in RFC 4033, 4034 and 4035.
 35 *
 36 * It can also optionally implement ISC's DNSSEC look-aside validation.
 37 *
 38 * Correct operation is critical to preventing spoofed answers from secure
 39 * zones being accepted.
 40 *
 41 * MP:
 42 *\li	The module ensures appropriate synchronization of data structures it
 43 *	creates and manipulates.
 44 *
 45 * Reliability:
 46 *\li	No anticipated impact.
 47 *
 48 * Resources:
 49 *\li	TBS
 50 *
 51 * Security:
 52 *\li	No anticipated impact.
 53 *
 54 * Standards:
 55 *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
 56 */
 57
 58#include <isc/lang.h>
 59#include <isc/event.h>
 60#include <isc/mutex.h>
 61
 62#include <dns/fixedname.h>
 63#include <dns/types.h>
 64#include <dns/rdataset.h>
 65#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
 66
 67#include <dst/dst.h>
 68
 69/*%
 70 * A dns_validatorevent_t is sent when a 'validation' completes.
 71 * \brief
 72 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
 73 * supplied when dns_validator_create() was called.  They are returned to the
 74 * caller so that they may be freed.
 75 *
 76 * If the RESULT is ISC_R_SUCCESS and the answer is secure then
 77 * proofs[] will contain the names of the NSEC records that hold the
 78 * various proofs.  Note the same name may appear multiple times.
 79 */
 80typedef struct dns_validatorevent {
 81	ISC_EVENT_COMMON(struct dns_validatorevent);
 82	dns_validator_t *		validator;
 83	isc_result_t			result;
 84	/*
 85	 * Name and type of the response to be validated.
 86	 */
 87	dns_name_t *			name;
 88	dns_rdatatype_t			type;
 89	/*
 90	 * Rdata and RRSIG (if any) for positive responses.
 91	 */
 92	dns_rdataset_t *		rdataset;
 93	dns_rdataset_t *		sigrdataset;
 94	/*
 95	 * The full response.  Required for negative responses.
 96	 * Also required for positive wildcard responses.
 97	 */
 98	dns_message_t *			message;
 99	/*
100	 * Proofs to be cached.
101	 */
102	dns_name_t *			proofs[4];
103	/*
104	 * Optout proof seen.
105	 */
106	isc_boolean_t			optout;
107} dns_validatorevent_t;
108
109#define DNS_VALIDATOR_NOQNAMEPROOF 0
110#define DNS_VALIDATOR_NODATAPROOF 1
111#define DNS_VALIDATOR_NOWILDCARDPROOF 2
112#define DNS_VALIDATOR_CLOSESTENCLOSER 3
113
114/*%
115 * A validator object represents a validation in progress.
116 * \brief
117 * Clients are strongly discouraged from using this type directly, with
118 * the exception of the 'link' field, which may be used directly for
119 * whatever purpose the client desires.
120 */
121struct dns_validator {
122	/* Unlocked. */
123	unsigned int			magic;
124	isc_mutex_t			lock;
125	dns_view_t *			view;
126	/* Locked by lock. */
127	unsigned int			options;
128	unsigned int			attributes;
129	dns_validatorevent_t *		event;
130	dns_fetch_t *			fetch;
131	dns_validator_t *		subvalidator;
132	dns_validator_t *		parent;
133	dns_keytable_t *		keytable;
134	dns_keynode_t *			keynode;
135	dst_key_t *			key;
136	dns_rdata_rrsig_t *		siginfo;
137	isc_task_t *			task;
138	isc_taskaction_t		action;
139	void *				arg;
140	unsigned int			labels;
141	dns_rdataset_t *		currentset;
142	isc_boolean_t			seensig;
143	dns_rdataset_t *		keyset;
144	dns_rdataset_t *		dsset;
145	dns_rdataset_t *		soaset;
146	dns_rdataset_t *		nsecset;
147	dns_rdataset_t *		nsec3set;
148	dns_name_t *			soaname;
149	dns_rdataset_t			frdataset;
150	dns_rdataset_t			fsigrdataset;
151	dns_fixedname_t			fname;
152	dns_fixedname_t			wild;
153	dns_fixedname_t			nearest;
154	dns_fixedname_t			closest;
155	ISC_LINK(dns_validator_t)	link;
156	dns_rdataset_t 			dlv;
157	dns_fixedname_t			dlvsep;
158	isc_boolean_t			havedlvsep;
159	isc_boolean_t			mustbesecure;
160	unsigned int			dlvlabels;
161	unsigned int			depth;
162	unsigned int			authcount;
163	unsigned int			authfail;
164};
165
166/*%
167 * dns_validator_create() options.
168 */
169#define DNS_VALIDATOR_DLV 1U
170#define DNS_VALIDATOR_DEFER 2U
171
172ISC_LANG_BEGINDECLS
173
174isc_result_t
175dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
176		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
177		     dns_message_t *message, unsigned int options,
178		     isc_task_t *task, isc_taskaction_t action, void *arg,
179		     dns_validator_t **validatorp);
180/*%<
181 * Start a DNSSEC validation.
182 *
183 * This validates a response to the question given by
184 * 'name' and 'type'.
185 *
186 * To validate a positive response, the response data is
187 * given by 'rdataset' and 'sigrdataset'.  If 'sigrdataset'
188 * is NULL, the data is presumed insecure and an attempt
189 * is made to prove its insecurity by finding the appropriate
190 * null key.
191 *
192 * The complete response message may be given in 'message',
193 * to make available any authority section NSECs that may be
194 * needed for validation of a response resulting from a
195 * wildcard expansion (though no such wildcard validation
196 * is implemented yet).  If the complete response message
197 * is not available, 'message' is NULL.
198 *
199 * To validate a negative response, the complete negative response
200 * message is given in 'message'.  The 'rdataset', and
201 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
202 * arguments must be provided.
203 *
204 * The validation is performed in the context of 'view'.
205 *
206 * When the validation finishes, a dns_validatorevent_t with
207 * the given 'action' and 'arg' are sent to 'task'.
208 * Its 'result' field will be ISC_R_SUCCESS iff the
209 * response was successfully proven to be either secure or
210 * part of a known insecure domain.
211 *
212 * options:
213 * If DNS_VALIDATOR_DLV is set the caller knows there is not a
214 * trusted key and the validator should immediately attempt to validate
215 * the answer by looking for an appropriate DLV RRset.
216 */
217
218void
219dns_validator_send(dns_validator_t *validator);
220/*%<
221 * Send a deferred validation request
222 *
223 * Requires:
224 *	'validator' to points to a valid DNSSEC validator.
225 */
226
227void
228dns_validator_cancel(dns_validator_t *validator);
229/*%<
230 * Cancel a DNSSEC validation in progress.
231 *
232 * Requires:
233 *\li	'validator' points to a valid DNSSEC validator, which
234 *	may or may not already have completed.
235 *
236 * Ensures:
237 *\li	It the validator has not already sent its completion
238 *	event, it will send it with result code ISC_R_CANCELED.
239 */
240
241void
242dns_validator_destroy(dns_validator_t **validatorp);
243/*%<
244 * Destroy a DNSSEC validator.
245 *
246 * Requires:
247 *\li	'*validatorp' points to a valid DNSSEC validator.
248 * \li	The validator must have completed and sent its completion
249 * 	event.
250 *
251 * Ensures:
252 *\li	All resources used by the validator are freed.
253 */
254
255ISC_LANG_ENDDECLS
256
257#endif /* DNS_VALIDATOR_H */