1/* $NetBSD: validator.h,v 1.1 2024/02/18 20:57:39 christos Exp $ */ 2 3/* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16#ifndef DNS_VALIDATOR_H 17#define DNS_VALIDATOR_H 1 18 19/***** 20***** Module Info 21*****/ 22 23/*! \file dns/validator.h 24 * 25 * \brief 26 * DNS Validator 27 * This is the BIND 9 validator, the module responsible for validating the 28 * rdatasets and negative responses (messages). It makes use of zones in 29 * the view and may fetch RRset to complete trust chains. It implements 30 * DNSSEC as specified in RFC 4033, 4034 and 4035. 31 * 32 * Correct operation is critical to preventing spoofed answers from secure 33 * zones being accepted. 34 * 35 * MP: 36 *\li The module ensures appropriate synchronization of data structures it 37 * creates and manipulates. 38 * 39 * Reliability: 40 *\li No anticipated impact. 41 * 42 * Resources: 43 *\li TBS 44 * 45 * Security: 46 *\li No anticipated impact. 47 * 48 * Standards: 49 *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035. 50 */ 51 52#include <stdbool.h> 53 54#include <isc/event.h> 55#include <isc/lang.h> 56#include <isc/mutex.h> 57 58#include <dns/fixedname.h> 59#include <dns/rdataset.h> 60#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */ 61#include <dns/types.h> 62 63#include <dst/dst.h> 64 65/*% 66 * A dns_validatorevent_t is sent when a 'validation' completes. 67 * \brief 68 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were 69 * supplied when dns_validator_create() was called. They are returned to the 70 * caller so that they may be freed. 71 * 72 * If the RESULT is ISC_R_SUCCESS and the answer is secure then 73 * proofs[] will contain the names of the NSEC records that hold the 74 * various proofs. Note the same name may appear multiple times. 75 */ 76typedef struct dns_validatorevent { 77 ISC_EVENT_COMMON(struct dns_validatorevent); 78 dns_validator_t *validator; 79 isc_result_t result; 80 /* 81 * Name and type of the response to be validated. 82 */ 83 dns_name_t *name; 84 dns_rdatatype_t type; 85 /* 86 * Rdata and RRSIG (if any) for positive responses. 87 */ 88 dns_rdataset_t *rdataset; 89 dns_rdataset_t *sigrdataset; 90 /* 91 * The full response. Required for negative responses. 92 * Also required for positive wildcard responses. 93 */ 94 dns_message_t *message; 95 /* 96 * Proofs to be cached. 97 */ 98 dns_name_t *proofs[4]; 99 /* 100 * Optout proof seen. 101 */ 102 bool optout; 103 /* 104 * Answer is secure. 105 */ 106 bool secure; 107} dns_validatorevent_t; 108 109#define DNS_VALIDATOR_NOQNAMEPROOF 0 110#define DNS_VALIDATOR_NODATAPROOF 1 111#define DNS_VALIDATOR_NOWILDCARDPROOF 2 112#define DNS_VALIDATOR_CLOSESTENCLOSER 3 113 114/*% 115 * A validator object represents a validation in progress. 116 * \brief 117 * Clients are strongly discouraged from using this type directly, with 118 * the exception of the 'link' field, which may be used directly for 119 * whatever purpose the client desires. 120 */ 121struct dns_validator { 122 /* Unlocked. */ 123 unsigned int magic; 124 isc_mutex_t lock; 125 dns_view_t *view; 126 /* Locked by lock. */ 127 unsigned int options; 128 unsigned int attributes; 129 dns_validatorevent_t *event; 130 dns_fetch_t *fetch; 131 dns_validator_t *subvalidator; 132 dns_validator_t *parent; 133 dns_keytable_t *keytable; 134 dst_key_t *key; 135 dns_rdata_rrsig_t *siginfo; 136 isc_task_t *task; 137 isc_taskaction_t action; 138 void *arg; 139 unsigned int labels; 140 dns_rdataset_t *currentset; 141 dns_rdataset_t *keyset; 142 dns_rdataset_t *dsset; 143 dns_rdataset_t fdsset; 144 dns_rdataset_t frdataset; 145 dns_rdataset_t fsigrdataset; 146 dns_fixedname_t fname; 147 dns_fixedname_t wild; 148 dns_fixedname_t closest; 149 ISC_LINK(dns_validator_t) link; 150 bool mustbesecure; 151 unsigned int depth; 152 unsigned int authcount; 153 unsigned int authfail; 154 bool failed; 155 isc_stdtime_t start; 156}; 157 158/*% 159 * dns_validator_create() options. 160 */ 161/* obsolete: #define DNS_VALIDATOR_DLV 0x0001U */ 162#define DNS_VALIDATOR_DEFER 0x0002U 163#define DNS_VALIDATOR_NOCDFLAG 0x0004U 164#define DNS_VALIDATOR_NONTA 0x0008U /*% Ignore NTA table */ 165 166ISC_LANG_BEGINDECLS 167 168isc_result_t 169dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, 170 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 171 dns_message_t *message, unsigned int options, 172 isc_task_t *task, isc_taskaction_t action, void *arg, 173 dns_validator_t **validatorp); 174/*%< 175 * Start a DNSSEC validation. 176 * 177 * This validates a response to the question given by 178 * 'name' and 'type'. 179 * 180 * To validate a positive response, the response data is 181 * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' 182 * is NULL, the data is presumed insecure and an attempt 183 * is made to prove its insecurity by finding the appropriate 184 * null key. 185 * 186 * The complete response message may be given in 'message', 187 * to make available any authority section NSECs that may be 188 * needed for validation of a response resulting from a 189 * wildcard expansion (though no such wildcard validation 190 * is implemented yet). If the complete response message 191 * is not available, 'message' is NULL. 192 * 193 * To validate a negative response, the complete negative response 194 * message is given in 'message'. The 'rdataset', and 195 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type' 196 * arguments must be provided. 197 * 198 * The validation is performed in the context of 'view'. 199 * 200 * When the validation finishes, a dns_validatorevent_t with 201 * the given 'action' and 'arg' are sent to 'task'. 202 * Its 'result' field will be ISC_R_SUCCESS iff the 203 * response was successfully proven to be either secure or 204 * part of a known insecure domain. 205 */ 206 207void 208dns_validator_send(dns_validator_t *validator); 209/*%< 210 * Send a deferred validation request 211 * 212 * Requires: 213 * 'validator' to points to a valid DNSSEC validator. 214 */ 215 216void 217dns_validator_cancel(dns_validator_t *validator); 218/*%< 219 * Cancel a DNSSEC validation in progress. 220 * 221 * Requires: 222 *\li 'validator' points to a valid DNSSEC validator, which 223 * may or may not already have completed. 224 * 225 * Ensures: 226 *\li It the validator has not already sent its completion 227 * event, it will send it with result code ISC_R_CANCELED. 228 */ 229 230void 231dns_validator_destroy(dns_validator_t **validatorp); 232/*%< 233 * Destroy a DNSSEC validator. 234 * 235 * Requires: 236 *\li '*validatorp' points to a valid DNSSEC validator. 237 * \li The validator must have completed and sent its completion 238 * event. 239 * 240 * Ensures: 241 *\li All resources used by the validator are freed. 242 */ 243 244ISC_LANG_ENDDECLS 245 246#endif /* DNS_VALIDATOR_H */ 247