/contrib/bind9/lib/dns/include/dns/nsec3.h

https://bitbucket.org/freebsd/freebsd-head/ · C Header · 253 lines · 77 code · 29 blank · 147 comment · 0 complexity · 943bff80598dd35f4274ae32089de4b2 MD5 · raw file

  1. /*
  2. * Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC")
  3. *
  4. * Permission to use, copy, modify, and/or distribute this software for any
  5. * purpose with or without fee is hereby granted, provided that the above
  6. * copyright notice and this permission notice appear in all copies.
  7. *
  8. * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  9. * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  10. * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  11. * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  12. * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  13. * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  14. * PERFORMANCE OF THIS SOFTWARE.
  15. */
  16. /* $Id$ */
  17. #ifndef DNS_NSEC3_H
  18. #define DNS_NSEC3_H 1
  19. #include <isc/lang.h>
  20. #include <isc/iterated_hash.h>
  21. #include <dns/db.h>
  22. #include <dns/diff.h>
  23. #include <dns/name.h>
  24. #include <dns/rdatastruct.h>
  25. #include <dns/types.h>
  26. #define DNS_NSEC3_SALTSIZE 255
  27. /*
  28. * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
  29. * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
  30. */
  31. #define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
  32. /*
  33. * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
  34. */
  35. #define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
  36. /*
  37. * Test "unknown" algorithm. Is mapped to dns_hash_sha1.
  38. */
  39. #define DNS_NSEC3_UNKNOWNALG 245U
  40. ISC_LANG_BEGINDECLS
  41. isc_result_t
  42. dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
  43. dns_dbnode_t *node, unsigned int hashalg,
  44. unsigned int optin, unsigned int iterations,
  45. const unsigned char *salt, size_t salt_length,
  46. const unsigned char *nexthash, size_t hash_length,
  47. unsigned char *buffer, dns_rdata_t *rdata);
  48. /*%<
  49. * Build the rdata of a NSEC3 record for the data at 'node'.
  50. * Note: 'node' is not the node where the NSEC3 record will be stored.
  51. *
  52. * Requires:
  53. * buffer Points to a temporary buffer of at least
  54. * DNS_NSEC_BUFFERSIZE bytes.
  55. * rdata Points to an initialized dns_rdata_t.
  56. *
  57. * Ensures:
  58. * *rdata Contains a valid NSEC3 rdata. The 'data' member refers
  59. * to 'buffer'.
  60. */
  61. isc_boolean_t
  62. dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
  63. /*%<
  64. * Determine if a type is marked as present in an NSEC3 record.
  65. *
  66. * Requires:
  67. * 'nsec' points to a valid rdataset of type NSEC3
  68. */
  69. isc_result_t
  70. dns_nsec3_hashname(dns_fixedname_t *result,
  71. unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
  72. size_t *hash_length, dns_name_t *name, dns_name_t *origin,
  73. dns_hash_t hashalg, unsigned int iterations,
  74. const unsigned char *salt, size_t saltlength);
  75. /*%<
  76. * Make a hashed domain name from an unhashed one. If rethash is not NULL
  77. * the raw hash is stored there.
  78. */
  79. unsigned int
  80. dns_nsec3_hashlength(dns_hash_t hash);
  81. /*%<
  82. * Return the length of the hash produced by the specified algorithm
  83. * or zero when unknown.
  84. */
  85. isc_boolean_t
  86. dns_nsec3_supportedhash(dns_hash_t hash);
  87. /*%<
  88. * Return whether we support this hash algorithm or not.
  89. */
  90. isc_result_t
  91. dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
  92. dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
  93. dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
  94. isc_result_t
  95. dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
  96. dns_name_t *name, dns_ttl_t nsecttl,
  97. isc_boolean_t unsecure, dns_diff_t *diff);
  98. isc_result_t
  99. dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
  100. dns_name_t *name, dns_ttl_t nsecttl,
  101. isc_boolean_t unsecure, dns_rdatatype_t private,
  102. dns_diff_t *diff);
  103. /*%<
  104. * Add NSEC3 records for 'name', recording the change in 'diff'.
  105. * Adjust previous NSEC3 records, if any, to reflect the addition.
  106. * The existing NSEC3 records are removed.
  107. *
  108. * dns_nsec3_addnsec3() will only add records to the chain identified by
  109. * 'nsec3param'.
  110. *
  111. * 'unsecure' should be set to reflect if this is a potentially
  112. * unsecure delegation (no DS record).
  113. *
  114. * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
  115. * chains to be updated. NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
  116. * will be preferentially chosen over NSEC3PARAM records without
  117. * DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
  118. * set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE
  119. * is set then the new NSEC3 will have OPTOUT set to match the that in the
  120. * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
  121. * record in the chain.
  122. *
  123. * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
  124. * specifies the type of the private rdataset to be checked in addition to
  125. * the nsec3param rdataset at the zone apex.
  126. *
  127. * Requires:
  128. * 'db' to be valid.
  129. * 'version' to be valid or NULL.
  130. * 'name' to be valid.
  131. * 'nsec3param' to be valid.
  132. * 'diff' to be valid.
  133. */
  134. isc_result_t
  135. dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
  136. const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
  137. isc_result_t
  138. dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
  139. dns_diff_t *diff);
  140. isc_result_t
  141. dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
  142. dns_rdatatype_t private, dns_diff_t *diff);
  143. /*%<
  144. * Remove NSEC3 records for 'name', recording the change in 'diff'.
  145. * Adjust previous NSEC3 records, if any, to reflect the removal.
  146. *
  147. * dns_nsec3_delnsec3() performs the above for the chain identified by
  148. * 'nsec3param'.
  149. *
  150. * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
  151. * to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3
  152. * records have the OPTOUT flag preserved.
  153. *
  154. * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
  155. * specifies the type of the private rdataset to be checked in addition to
  156. * the nsec3param rdataset at the zone apex.
  157. *
  158. * Requires:
  159. * 'db' to be valid.
  160. * 'version' to be valid or NULL.
  161. * 'name' to be valid.
  162. * 'nsec3param' to be valid.
  163. * 'diff' to be valid.
  164. */
  165. isc_result_t
  166. dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
  167. isc_boolean_t complete, isc_boolean_t *answer);
  168. isc_result_t
  169. dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
  170. isc_boolean_t complete, dns_rdatatype_t private,
  171. isc_boolean_t *answer);
  172. /*%<
  173. * Check if there are any complete/to be built NSEC3 chains.
  174. * If 'complete' is ISC_TRUE only complete chains will be recognized.
  175. *
  176. * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
  177. * specifies the type of the private rdataset to be checked in addition to
  178. * the nsec3param rdataset at the zone apex.
  179. *
  180. * Requires:
  181. * 'db' to be valid.
  182. * 'version' to be valid or NULL.
  183. * 'answer' to be non NULL.
  184. */
  185. isc_result_t
  186. dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
  187. isc_mem_t *mctx, unsigned int *iterationsp);
  188. /*%<
  189. * Find the maximum permissible number of iterations allowed based on
  190. * the key strength.
  191. *
  192. * Requires:
  193. * 'db' to be valid.
  194. * 'version' to be valid or NULL.
  195. * 'mctx' to be valid.
  196. * 'iterationsp' to be non NULL.
  197. */
  198. isc_boolean_t
  199. dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
  200. unsigned char *buf, size_t buflen);
  201. /*%<
  202. * Convert a private rdata to a nsec3param rdata.
  203. *
  204. * Return ISC_TRUE if 'src' could be successfully converted.
  205. *
  206. * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
  207. */
  208. void
  209. dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
  210. dns_rdatatype_t privatetype,
  211. unsigned char *buf, size_t buflen);
  212. /*%<
  213. * Convert a nsec3param rdata to a private rdata.
  214. *
  215. * 'buf' should be at least src->length + 1 in size.
  216. */
  217. isc_result_t
  218. dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
  219. dns_zone_t *zone, dns_diff_t *diff);
  220. /*%<
  221. * Mark NSEC3PARAM for deletion.
  222. */
  223. ISC_LANG_ENDDECLS
  224. #endif /* DNS_NSEC3_H */