/* $NetBSD: nsec3_50.h,v 1.1 2024/02/18 20:57:43 christos Exp $ */

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#ifndef GENERIC_NSEC3_50_H
#define GENERIC_NSEC3_50_H 1

/*!
 * \brief Per RFC 5155 */

#include <isc/iterated_hash.h>

/*%
 * In-memory form of an NSEC3 record (RFC 5155, type 50).
 *
 * The members mirror the wire-format fields of RFC 5155 section 3.1:
 * hash algorithm, flags, iterations, salt (with its length), next hashed
 * owner name (with its length) and the type bit maps.  The three pointer
 * members are raw byte buffers, not NUL-terminated strings; each one is
 * bounded only by its companion length member, so code that reads them
 * must use those lengths rather than any string function.
 *
 * NOTE(review): this header does not say which member bounds `typebits`;
 * by elimination it is presumably `len` (the salt and next buffers have
 * their own one-octet lengths) -- confirm against the matching
 * rdata/generic/nsec3_50.c before relying on it.
 *
 * The project types used here (dns_rdatacommon_t, isc_mem_t, dns_hash_t,
 * dns_iterations_t) are not declared by this header or its one include;
 * it is meant to be included from a context that already provides them.
 */
typedef struct dns_rdata_nsec3 {
	dns_rdatacommon_t common;
	isc_mem_t *mctx; /* memory context the owned buffers were allocated from (presumably; not shown here) */
	dns_hash_t hash; /* hash algorithm identifier (RFC 5155 Hash Algorithm field) */
	unsigned char flags; /* RFC 5155 Flags octet; bit 0x01 is OPTOUT, see the DNS_NSEC3FLAG_* values below */
	dns_iterations_t iterations; /* additional hash iterations; large values make the zone costly to sign, serve and validate -- any cap on this is applied by callers, not by this type (RFC 9276 recommends 0) */
	unsigned char salt_length; /* byte length of `salt`; one octet on the wire, so at most 255 */
	unsigned char next_length; /* byte length of `next`; one octet on the wire, so at most 255 */
	uint16_t len; /* presumably byte length of `typebits` -- see NOTE(review) above */
	unsigned char *salt; /* salt bytes, `salt_length` long; may be empty */
	unsigned char *next; /* next hashed owner name, `next_length` long */
	unsigned char *typebits; /* RFC 5155 Type Bit Maps in wire encoding */
} dns_rdata_nsec3_t;

/*
 * The corresponding NSEC3 interval is OPTOUT indicating possible
 * insecure delegations.
 *
 * This is the only flag bit defined by RFC 5155; it is the one bit that
 * may legitimately appear in a published NSEC3 record.
 */
#define DNS_NSEC3FLAG_OPTOUT 0x01U

/*%
 * The following flags are used in the private-type record (implemented in
 * lib/dns/private.c) which is used to store NSEC3PARAM data during the
 * time when it is not legal to have an actual NSEC3PARAM record in the
 * zone. They are defined here because the private-type record uses the
 * same flags field for the OPTOUT flag above and for the private flags
 * below. XXX: This should be considered for refactoring.
 *
 * Layout of the shared flags octet as defined in this file:
 *   0x80 CREATE, 0x40 REMOVE, 0x20 INITIAL, 0x10 NONSEC, 0x01 OPTOUT.
 * None of the private bits overlap OPTOUT, so the two uses can coexist
 * in one byte; the remaining bits (0x0E) are unused here.
 */

/*%
 * Non-standard, private type only.
 *
 * Create a corresponding NSEC3 chain.
 * Once the NSEC3 chain is complete this flag will be removed to signal
 * that there is a complete chain.
 *
 * This flag is automatically set when a NSEC3PARAM record is added to
 * the zone via UPDATE.
 *
 * NSEC3PARAM records containing this flag should never be published,
 * but if they are, they should be ignored by RFC 5155 compliant
 * nameservers.
 */
#define DNS_NSEC3FLAG_CREATE 0x80U

/*%
 * Non-standard, private type only.
 *
 * The corresponding NSEC3 set is to be removed once the NSEC chain
 * has been generated.
 *
 * This flag is automatically set when the last active NSEC3PARAM record
 * is removed from the zone via UPDATE.
 *
 * NSEC3PARAM records containing this flag should never be published,
 * but if they are, they should be ignored by RFC 5155 compliant
 * nameservers.
 */
#define DNS_NSEC3FLAG_REMOVE 0x40U

/*%
 * Non-standard, private type only.
 *
 * When set with the CREATE flag, a corresponding NSEC3 chain will be
 * created when the zone becomes capable of supporting one (i.e., when it
 * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
 * Without this flag, NSEC3 chain creation would be attempted immediately,
 * fail, and the private type record would be removed. With it, the NSEC3
 * parameters are stored until they can be used. When the zone has the
 * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
 * and the record will be cleaned up normally.
 *
 * NSEC3PARAM records containing this flag should never be published, but
 * if they are, they should be ignored by RFC 5155 compliant nameservers.
 */
#define DNS_NSEC3FLAG_INITIAL 0x20U

/*%
 * Non-standard, private type only.
 *
 * Prevent the creation of a NSEC chain before the last NSEC3 chain
 * is removed. This will normally only be set when the zone is
 * transitioning from secure with NSEC3 chains to insecure.
 *
 * NSEC3PARAM records containing this flag should never be published,
 * but if they are, they should be ignored by RFC 5155 compliant
 * nameservers.
 */
#define DNS_NSEC3FLAG_NONSEC 0x10U

#endif /* GENERIC_NSEC3_50_H */