nsec3.h | searchcode

/contrib/bind9/lib/dns/include/dns/nsec3.h

https://bitbucket.org/freebsd/freebsd-head/
C Header | 253 lines | 77 code | 29 blank | 147 comment | 0 complexity | 943bff80598dd35f4274ae32089de4b2 MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
  1/*
  2 * Copyright (C) 2008-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
  3 *
  4 * Permission to use, copy, modify, and/or distribute this software for any
  5 * purpose with or without fee is hereby granted, provided that the above
  6 * copyright notice and this permission notice appear in all copies.
  7 *
  8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 10 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 14 * PERFORMANCE OF THIS SOFTWARE.
 15 */
 16
 17/* $Id$ */
 18
 19#ifndef DNS_NSEC3_H
 20#define DNS_NSEC3_H 1
 21
 22#include <isc/lang.h>
 23#include <isc/iterated_hash.h>
 24
 25#include <dns/db.h>
 26#include <dns/diff.h>
 27#include <dns/name.h>
 28#include <dns/rdatastruct.h>
 29#include <dns/types.h>
 30
 31#define DNS_NSEC3_SALTSIZE 255
 32
 33/*
 34 * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
 35 * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
 36 */
 37#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
 38/*
 39 * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
 40 */
 41#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
 42
 43/*
 44 * Test "unknown" algorithm.  Is mapped to dns_hash_sha1.
 45 */
 46#define DNS_NSEC3_UNKNOWNALG 245U
 47
 48ISC_LANG_BEGINDECLS
 49
 50isc_result_t
 51dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 52		     dns_dbnode_t *node, unsigned int hashalg,
 53		     unsigned int optin, unsigned int iterations,
 54		     const unsigned char *salt, size_t salt_length,
 55		     const unsigned char *nexthash, size_t hash_length,
 56		     unsigned char *buffer, dns_rdata_t *rdata);
 57/*%<
 58 * Build the rdata of a NSEC3 record for the data at 'node'.
 59 * Note: 'node' is not the node where the NSEC3 record will be stored.
 60 *
 61 * Requires:
 62 *	buffer	Points to a temporary buffer of at least
 63 * 		DNS_NSEC_BUFFERSIZE bytes.
 64 *	rdata	Points to an initialized dns_rdata_t.
 65 *
 66 * Ensures:
 67 *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
 68 *		to 'buffer'.
 69 */
 70
 71isc_boolean_t
 72dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
 73/*%<
 74 * Determine if a type is marked as present in an NSEC3 record.
 75 *
 76 * Requires:
 77 *	'nsec' points to a valid rdataset of type NSEC3
 78 */
 79
 80isc_result_t
 81dns_nsec3_hashname(dns_fixedname_t *result,
 82		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
 83		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
 84		   dns_hash_t hashalg, unsigned int iterations,
 85		   const unsigned char *salt, size_t saltlength);
 86/*%<
 87 * Make a hashed domain name from an unhashed one. If rethash is not NULL
 88 * the raw hash is stored there.
 89 */
 90
 91unsigned int
 92dns_nsec3_hashlength(dns_hash_t hash);
 93/*%<
 94 * Return the length of the hash produced by the specified algorithm
 95 * or zero when unknown.
 96 */
 97
 98isc_boolean_t
 99dns_nsec3_supportedhash(dns_hash_t hash);
100/*%<
101 * Return whether we support this hash algorithm or not.
102 */
103
104isc_result_t
105dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
106		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
107		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
108
109isc_result_t
110dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
111		    dns_name_t *name, dns_ttl_t nsecttl,
112		    isc_boolean_t unsecure, dns_diff_t *diff);
113
114isc_result_t
115dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
116		     dns_name_t *name, dns_ttl_t nsecttl,
117		     isc_boolean_t unsecure, dns_rdatatype_t private,
118		     dns_diff_t *diff);
119/*%<
120 * Add NSEC3 records for 'name', recording the change in 'diff'.
121 * Adjust previous NSEC3 records, if any, to reflect the addition.
122 * The existing NSEC3 records are removed.
123 *
124 * dns_nsec3_addnsec3() will only add records to the chain identified by
125 * 'nsec3param'.
126 *
127 * 'unsecure' should be set to reflect if this is a potentially
128 * unsecure delegation (no DS record).
129 *
130 * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
131 * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
132 * will be preferentially chosen over NSEC3PARAM records without
133 * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
134 * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
135 * is set then the new NSEC3 will have OPTOUT set to match the that in the
136 * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
137 * record in the chain.
138 *
139 * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
140 * specifies the type of the private rdataset to be checked in addition to
141 * the nsec3param rdataset at the zone apex.
142 *
143 * Requires:
144 *	'db' to be valid.
145 *	'version' to be valid or NULL.
146 *	'name' to be valid.
147 *	'nsec3param' to be valid.
148 *	'diff' to be valid.
149 */
150
151isc_result_t
152dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
153		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
154
155isc_result_t
156dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
157		    dns_diff_t *diff);
158
159isc_result_t
160dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
161		     dns_rdatatype_t private, dns_diff_t *diff);
162/*%<
163 * Remove NSEC3 records for 'name', recording the change in 'diff'.
164 * Adjust previous NSEC3 records, if any, to reflect the removal.
165 *
166 * dns_nsec3_delnsec3() performs the above for the chain identified by
167 * 'nsec3param'.
168 *
169 * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
170 * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
171 * records have the OPTOUT flag preserved.
172 *
173 * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
174 * specifies the type of the private rdataset to be checked in addition to
175 * the nsec3param rdataset at the zone apex.
176 *
177 * Requires:
178 *	'db' to be valid.
179 *	'version' to be valid or NULL.
180 *	'name' to be valid.
181 *	'nsec3param' to be valid.
182 *	'diff' to be valid.
183 */
184
185isc_result_t
186dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
187		 isc_boolean_t complete, isc_boolean_t *answer);
188
189isc_result_t
190dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
191		  isc_boolean_t complete, dns_rdatatype_t private,
192		  isc_boolean_t *answer);
193/*%<
194 * Check if there are any complete/to be built NSEC3 chains.
195 * If 'complete' is ISC_TRUE only complete chains will be recognized.
196 *
197 * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
198 * specifies the type of the private rdataset to be checked in addition to
199 * the nsec3param rdataset at the zone apex.
200 *
201 * Requires:
202 *	'db' to be valid.
203 *	'version' to be valid or NULL.
204 *	'answer' to be non NULL.
205 */
206
207isc_result_t
208dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
209			isc_mem_t *mctx, unsigned int *iterationsp);
210/*%<
211 * Find the maximum permissible number of iterations allowed based on
212 * the key strength.
213 *
214 * Requires:
215 *	'db' to be valid.
216 *	'version' to be valid or NULL.
217 *	'mctx' to be valid.
218 *	'iterationsp' to be non NULL.
219 */
220
221isc_boolean_t
222dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
223			   unsigned char *buf, size_t buflen);
224/*%<
225 * Convert a private rdata to a nsec3param rdata.
226 *
227 * Return ISC_TRUE if 'src' could be successfully converted.
228 *
229 * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
230 */
231
232void
233dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
234			 dns_rdatatype_t privatetype,
235			 unsigned char *buf, size_t buflen);
236/*%<
237 * Convert a nsec3param rdata to a private rdata.
238 *
239 * 'buf' should be at least src->length + 1 in size.
240 */
241
242isc_result_t
243dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
244			    dns_zone_t *zone, dns_diff_t *diff);
245
246/*%<
247 * Mark NSEC3PARAM for deletion.
248 */
249
250
251ISC_LANG_ENDDECLS
252
253#endif /* DNS_NSEC3_H */