1/* 2 * Copyright (C) 2008-2010, 2012 Internet Systems Consortium, Inc. ("ISC") 3 * 4 * Permission to use, copy, modify, and/or distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 14 * PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17/* $Id$ */ 18 19#ifndef DNS_NSEC3_H 20#define DNS_NSEC3_H 1 21 22#include <isc/lang.h> 23#include <isc/iterated_hash.h> 24 25#include <dns/db.h> 26#include <dns/diff.h> 27#include <dns/name.h> 28#include <dns/rdatastruct.h> 29#include <dns/types.h> 30 31#define DNS_NSEC3_SALTSIZE 255 32 33/* 34 * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max) 35 * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max) 36 */ 37#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512) 38/* 39 * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max) 40 */ 41#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255) 42 43/* 44 * Test "unknown" algorithm. Is mapped to dns_hash_sha1. 45 */ 46#define DNS_NSEC3_UNKNOWNALG 245U 47 48ISC_LANG_BEGINDECLS 49 50isc_result_t 51dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version, 52 dns_dbnode_t *node, unsigned int hashalg, 53 unsigned int optin, unsigned int iterations, 54 const unsigned char *salt, size_t salt_length, 55 const unsigned char *nexthash, size_t hash_length, 56 unsigned char *buffer, dns_rdata_t *rdata); 57/*%< 58 * Build the rdata of a NSEC3 record for the data at 'node'. 59 * Note: 'node' is not the node where the NSEC3 record will be stored. 60 * 61 * Requires: 62 * buffer Points to a temporary buffer of at least 63 * DNS_NSEC_BUFFERSIZE bytes. 64 * rdata Points to an initialized dns_rdata_t. 65 * 66 * Ensures: 67 * *rdata Contains a valid NSEC3 rdata. The 'data' member refers 68 * to 'buffer'. 69 */ 70 71isc_boolean_t 72dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type); 73/*%< 74 * Determine if a type is marked as present in an NSEC3 record. 75 * 76 * Requires: 77 * 'nsec' points to a valid rdataset of type NSEC3 78 */ 79 80isc_result_t 81dns_nsec3_hashname(dns_fixedname_t *result, 82 unsigned char rethash[NSEC3_MAX_HASH_LENGTH], 83 size_t *hash_length, dns_name_t *name, dns_name_t *origin, 84 dns_hash_t hashalg, unsigned int iterations, 85 const unsigned char *salt, size_t saltlength); 86/*%< 87 * Make a hashed domain name from an unhashed one. If rethash is not NULL 88 * the raw hash is stored there. 89 */ 90 91unsigned int 92dns_nsec3_hashlength(dns_hash_t hash); 93/*%< 94 * Return the length of the hash produced by the specified algorithm 95 * or zero when unknown. 96 */ 97 98isc_boolean_t 99dns_nsec3_supportedhash(dns_hash_t hash); 100/*%< 101 * Return whether we support this hash algorithm or not. 102 */ 103 104isc_result_t 105dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, 106 dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, 107 dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff); 108 109isc_result_t 110dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version, 111 dns_name_t *name, dns_ttl_t nsecttl, 112 isc_boolean_t unsecure, dns_diff_t *diff); 113 114isc_result_t 115dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version, 116 dns_name_t *name, dns_ttl_t nsecttl, 117 isc_boolean_t unsecure, dns_rdatatype_t private, 118 dns_diff_t *diff); 119/*%< 120 * Add NSEC3 records for 'name', recording the change in 'diff'. 121 * Adjust previous NSEC3 records, if any, to reflect the addition. 122 * The existing NSEC3 records are removed. 123 * 124 * dns_nsec3_addnsec3() will only add records to the chain identified by 125 * 'nsec3param'. 126 * 127 * 'unsecure' should be set to reflect if this is a potentially 128 * unsecure delegation (no DS record). 129 * 130 * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which 131 * chains to be updated. NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE 132 * will be preferentially chosen over NSEC3PARAM records without 133 * DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE 134 * set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE 135 * is set then the new NSEC3 will have OPTOUT set to match the that in the 136 * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous 137 * record in the chain. 138 * 139 * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private' 140 * specifies the type of the private rdataset to be checked in addition to 141 * the nsec3param rdataset at the zone apex. 142 * 143 * Requires: 144 * 'db' to be valid. 145 * 'version' to be valid or NULL. 146 * 'name' to be valid. 147 * 'nsec3param' to be valid. 148 * 'diff' to be valid. 149 */ 150 151isc_result_t 152dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 153 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff); 154 155isc_result_t 156dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 157 dns_diff_t *diff); 158 159isc_result_t 160dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, 161 dns_rdatatype_t private, dns_diff_t *diff); 162/*%< 163 * Remove NSEC3 records for 'name', recording the change in 'diff'. 164 * Adjust previous NSEC3 records, if any, to reflect the removal. 165 * 166 * dns_nsec3_delnsec3() performs the above for the chain identified by 167 * 'nsec3param'. 168 * 169 * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner 170 * to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3 171 * records have the OPTOUT flag preserved. 172 * 173 * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private' 174 * specifies the type of the private rdataset to be checked in addition to 175 * the nsec3param rdataset at the zone apex. 176 * 177 * Requires: 178 * 'db' to be valid. 179 * 'version' to be valid or NULL. 180 * 'name' to be valid. 181 * 'nsec3param' to be valid. 182 * 'diff' to be valid. 183 */ 184 185isc_result_t 186dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version, 187 isc_boolean_t complete, isc_boolean_t *answer); 188 189isc_result_t 190dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, 191 isc_boolean_t complete, dns_rdatatype_t private, 192 isc_boolean_t *answer); 193/*%< 194 * Check if there are any complete/to be built NSEC3 chains. 195 * If 'complete' is ISC_TRUE only complete chains will be recognized. 196 * 197 * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private' 198 * specifies the type of the private rdataset to be checked in addition to 199 * the nsec3param rdataset at the zone apex. 200 * 201 * Requires: 202 * 'db' to be valid. 203 * 'version' to be valid or NULL. 204 * 'answer' to be non NULL. 205 */ 206 207isc_result_t 208dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version, 209 isc_mem_t *mctx, unsigned int *iterationsp); 210/*%< 211 * Find the maximum permissible number of iterations allowed based on 212 * the key strength. 213 * 214 * Requires: 215 * 'db' to be valid. 216 * 'version' to be valid or NULL. 217 * 'mctx' to be valid. 218 * 'iterationsp' to be non NULL. 219 */ 220 221isc_boolean_t 222dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target, 223 unsigned char *buf, size_t buflen); 224/*%< 225 * Convert a private rdata to a nsec3param rdata. 226 * 227 * Return ISC_TRUE if 'src' could be successfully converted. 228 * 229 * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size. 230 */ 231 232void 233dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target, 234 dns_rdatatype_t privatetype, 235 unsigned char *buf, size_t buflen); 236/*%< 237 * Convert a nsec3param rdata to a private rdata. 238 * 239 * 'buf' should be at least src->length + 1 in size. 240 */ 241 242isc_result_t 243dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver, 244 dns_zone_t *zone, dns_diff_t *diff); 245 246/*%< 247 * Mark NSEC3PARAM for deletion. 248 */ 249 250 251ISC_LANG_ENDDECLS 252 253#endif /* DNS_NSEC3_H */ 254