1/* $NetBSD: nsec3_50.h,v 1.7 2024/02/21 22:52:13 christos Exp $ */ 2 3/* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16#pragma once 17 18/*! 19 * \brief Per RFC 5155 */ 20 21#include <isc/iterated_hash.h> 22 23typedef struct dns_rdata_nsec3 { 24 dns_rdatacommon_t common; 25 isc_mem_t *mctx; 26 dns_hash_t hash; 27 unsigned char flags; 28 dns_iterations_t iterations; 29 unsigned char salt_length; 30 unsigned char next_length; 31 uint16_t len; 32 unsigned char *salt; 33 unsigned char *next; 34 unsigned char *typebits; 35} dns_rdata_nsec3_t; 36 37/* 38 * The corresponding NSEC3 interval is OPTOUT indicating possible 39 * insecure delegations. 40 */ 41#define DNS_NSEC3FLAG_OPTOUT 0x01U 42 43/*% 44 * The following flags are used in the private-type record (implemented in 45 * lib/dns/private.c) which is used to store NSEC3PARAM data during the 46 * time when it is not legal to have an actual NSEC3PARAM record in the 47 * zone. They are defined here because the private-type record uses the 48 * same flags field for the OPTOUT flag above and for the private flags 49 * below. XXX: This should be considered for refactoring. 50 */ 51 52/*% 53 * Non-standard, private type only. 54 * 55 * Create a corresponding NSEC3 chain. 56 * Once the NSEC3 chain is complete this flag will be removed to signal 57 * that there is a complete chain. 58 * 59 * This flag is automatically set when a NSEC3PARAM record is added to 60 * the zone via UPDATE. 61 * 62 * NSEC3PARAM records containing this flag should never be published, 63 * but if they are, they should be ignored by RFC 5155 compliant 64 * nameservers. 65 */ 66#define DNS_NSEC3FLAG_CREATE 0x80U 67 68/*% 69 * Non-standard, private type only. 70 * 71 * The corresponding NSEC3 set is to be removed once the NSEC chain 72 * has been generated. 73 * 74 * This flag is automatically set when the last active NSEC3PARAM record 75 * is removed from the zone via UPDATE. 76 * 77 * NSEC3PARAM records containing this flag should never be published, 78 * but if they are, they should be ignored by RFC 5155 compliant 79 * nameservers. 80 */ 81#define DNS_NSEC3FLAG_REMOVE 0x40U 82 83/*% 84 * Non-standard, private type only. 85 * 86 * When set with the CREATE flag, a corresponding NSEC3 chain will be 87 * created when the zone becomes capable of supporting one (i.e., when it 88 * has a DNSKEY RRset containing at least one NSEC3-capable algorithm). 89 * Without this flag, NSEC3 chain creation would be attempted immediately, 90 * fail, and the private type record would be removed. With it, the NSEC3 91 * parameters are stored until they can be used. When the zone has the 92 * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared, 93 * and the record will be cleaned up normally. 94 * 95 * NSEC3PARAM records containing this flag should never be published, but 96 * if they are, they should be ignored by RFC 5155 compliant nameservers. 97 */ 98#define DNS_NSEC3FLAG_INITIAL 0x20U 99 100/*% 101 * Non-standard, private type only. 102 * 103 * Prevent the creation of a NSEC chain before the last NSEC3 chain 104 * is removed. This will normally only be set when the zone is 105 * transitioning from secure with NSEC3 chains to insecure. 106 * 107 * NSEC3PARAM records containing this flag should never be published, 108 * but if they are, they should be ignored by RFC 5155 compliant 109 * nameservers. 110 */ 111#define DNS_NSEC3FLAG_NONSEC 0x10U 112