val_nsec.h revision 356345 
1/*
2 * validator/val_nsec.h - validator NSEC denial of existence functions.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains helper functions for the validator module.
40 * The functions help with NSEC checking, the different NSEC proofs
41 * for denial of existence, and proofs for presence of types.
42 */
43
44#ifndef VALIDATOR_VAL_NSEC_H
45#define VALIDATOR_VAL_NSEC_H
46#include "util/data/packed_rrset.h"
47struct val_env;
48struct module_env;
49struct module_qstate;
50struct ub_packed_rrset_key;
51struct reply_info;
52struct query_info;
53struct key_entry_key;
54
55/**
56 * Check DS absence.
57 * There is a NODATA reply to a DS that needs checking.
58 * NSECs can prove this is not a delegation point, or successfully prove
59 * that there is no DS. Or this fails.
60 *
61 * @param env: module env for rrsig verification routines.
62 * @param ve: validator env for rrsig verification routines.
63 * @param qinfo: the DS queried for.
64 * @param rep: reply received.
65 * @param kkey: key entry to use for verification of signatures.
66 * @param proof_ttl: if secure, the TTL of how long this proof lasts.
67 * @param reason: string explaining why bogus.
68 * @param qstate: qstate with region.
69 * @return security status.
70 *	SECURE: proved absence of DS.
71 *	INSECURE: proved that this was not a delegation point.
72 *	BOGUS: crypto bad, or no absence of DS proven.
73 *	UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).
74 */
75enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env,
76	struct val_env* ve, struct query_info* qinfo,
77	struct reply_info* rep, struct key_entry_key* kkey,
78	time_t* proof_ttl, char** reason, struct module_qstate* qstate);
79
80/**
81 * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
82 * @param bitmap: pointer to the bitmap part of wireformat rdata.
83 * @param len: length of the bitmap, in bytes.
84 * @param type: the type (in host order) to check for.
85 * @return true if the type bit was set in the bitmap. false if not, or
86 * 	if the bitmap was malformed in some way.
87 */
88int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type);
89
90/**
91 * Check if type is present in the NSEC typemap
92 * @param nsec: the nsec RRset.
93 *	If there are multiple RRs, then each must have the same typemap,
94 *	since the typemap represents the types at this domain node.
95 * @param type: type to check for, host order.
96 * @return true if present
97 */
98int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type);
99
100/**
101 * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also
102 * handle the empty non-terminal (ENT) case and partially handle the
103 * wildcard case. If the ownername of 'nsec' is a wildcard, the validator
104 * must still be provided proof that qname did not directly exist and that
105 * the wildcard is, in fact, *.closest_encloser.
106 *
107 * @param nsec: the nsec record to check against.
108 * @param qinfo: the query info.
109 * @param wc: if the nodata is proven for a wildcard match, the wildcard
110 * 	closest encloser is returned, else NULL (wc is unchanged).
111 * 	This closest encloser must then match the nameerror given for the
112 * 	nextcloser of qname.
113 * @return true if NSEC proves this.
114 */
115int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
116	struct query_info* qinfo, uint8_t** wc);
117
118/**
119 * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given
120 * qname.
121 *
122 * @param nsec: the nsec to check
123 * @param qname: what was queried.
124 * @return true if proven.
125 */
126int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec,
127	uint8_t* qname);
128
129/**
130 * Determine if the given NSEC proves a positive wildcard response.
131 * @param nsec: the nsec to check
132 * @param qinf: what was queried.
133 * @param wc: wildcard (without *. label)
134 * @return true if proven.
135 */
136int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec,
137	struct query_info* qinf, uint8_t* wc);
138
139/**
140 * Determine closest encloser of a query name and the NSEC that covers it
141 * (and thus disproved it).
142 * A name error must have been proven already, otherwise this will be invalid.
143 * @param qname: the name queried for.
144 * @param nsec: the nsec RRset.
145 * @return closest encloser dname or NULL on error (bad nsec RRset).
146 */
147uint8_t* nsec_closest_encloser(uint8_t* qname,
148	struct ub_packed_rrset_key* nsec);
149
150/**
151 * Determine if the given NSEC proves that a wildcard match does not exist.
152 *
153 * @param nsec: the nsec RRset.
154 * @param qname: the name queried for.
155 * @param qnamelen: length of qname.
156 * @return true if proven.
157 */
158int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
159	size_t qnamelen);
160
161/**
162 * Determine the DLV result, what to do with NSEC DLV reply.
163 * @param qinfo: what was queried for.
164 * @param rep: the nonpositive reply.
165 * @param nm: dlv lookup name, to adjust for new lookup name (if needed).
166 * @param nm_len: length of lookup name.
167 * @return 0 on error, 1 if a higher point is found.
168 * 	If the higher point is above the dlv repo anchor, the qname does
169 * 	not exist.
170 */
171int val_nsec_check_dlv(struct query_info* qinfo,
172	struct reply_info* rep, uint8_t** nm, size_t* nm_len);
173
174/**
175 * Determine if an nsec proves an insecure delegation towards the qname.
176 * @param nsec: nsec rrset.
177 * @param qinfo: what was queries for.
178 * @return 0 if not, 1 if an NSEC that signals an insecure delegation to
179 * 	the qname.
180 */
181int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec,
182        struct query_info* qinfo);
183
184#endif /* VALIDATOR_VAL_NSEC_H */
185