1 /*
2  * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
3  *
4  * Permission to use, copy, modify, and/or distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14  * PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 /* $Id: nsec3.h,v 1.14 2011/10/28 12:20:31 tbox Exp $ */
18 
19 #ifndef DNS_NSEC3_H
20 #define DNS_NSEC3_H 1
21 
22 #include <isc/lang.h>
23 #include <isc/iterated_hash.h>
24 
25 #include <dns/db.h>
26 #include <dns/diff.h>
27 #include <dns/name.h>
28 #include <dns/rdatastruct.h>
29 #include <dns/types.h>
30 
31 #define DNS_NSEC3_SALTSIZE 255
32 
33 /*
34  * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
35  * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
36  */
37 #define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
38 /*
39  * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
40  */
41 #define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
42 
43 /*
44  * Test "unknown" algorithm.  Is mapped to dns_hash_sha1.
45  */
46 #define DNS_NSEC3_UNKNOWNALG ((dns_hash_t)245U)
47 
48 ISC_LANG_BEGINDECLS
49 
50 isc_result_t
51 dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
52 		     dns_dbnode_t *node, unsigned int hashalg,
53 		     unsigned int optin, unsigned int iterations,
54 		     const unsigned char *salt, size_t salt_length,
55 		     const unsigned char *nexthash, size_t hash_length,
56 		     unsigned char *buffer, dns_rdata_t *rdata);
57 /*%<
58  * Build the rdata of a NSEC3 record for the data at 'node'.
59  * Note: 'node' is not the node where the NSEC3 record will be stored.
60  *
61  * Requires:
62  *	buffer	Points to a temporary buffer of at least
63  * 		DNS_NSEC_BUFFERSIZE bytes.
64  *	rdata	Points to an initialized dns_rdata_t.
65  *
66  * Ensures:
67  *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
68  *		to 'buffer'.
69  */
70 
71 isc_boolean_t
72 dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
73 /*%<
74  * Determine if a type is marked as present in an NSEC3 record.
75  *
76  * Requires:
77  *	'nsec' points to a valid rdataset of type NSEC3
78  */
79 
80 isc_result_t
81 dns_nsec3_hashname(dns_fixedname_t *result,
82 		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
83 		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
84 		   dns_hash_t hashalg, unsigned int iterations,
85 		   const unsigned char *salt, size_t saltlength);
86 /*%<
87  * Make a hashed domain name from an unhashed one. If rethash is not NULL
88  * the raw hash is stored there.
89  */
90 
91 unsigned int
92 dns_nsec3_hashlength(dns_hash_t hash);
93 /*%<
94  * Return the length of the hash produced by the specified algorithm
95  * or zero when unknown.
96  */
97 
98 isc_boolean_t
99 dns_nsec3_supportedhash(dns_hash_t hash);
100 /*%<
101  * Return whether we support this hash algorithm or not.
102  */
103 
104 isc_result_t
105 dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
106 		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
107 		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
108 
109 isc_result_t
110 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
111 		    dns_name_t *name, dns_ttl_t nsecttl,
112 		    isc_boolean_t unsecure, dns_diff_t *diff);
113 
114 isc_result_t
115 dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
116 		     dns_name_t *name, dns_ttl_t nsecttl,
117 		     isc_boolean_t unsecure, dns_rdatatype_t private,
118 		     dns_diff_t *diff);
119 /*%<
120  * Add NSEC3 records for 'name', recording the change in 'diff'.
121  * Adjust previous NSEC3 records, if any, to reflect the addition.
122  * The existing NSEC3 records are removed.
123  *
124  * dns_nsec3_addnsec3() will only add records to the chain identified by
125  * 'nsec3param'.
126  *
127  * 'unsecure' should be set to reflect if this is a potentially
128  * unsecure delegation (no DS record).
129  *
130  * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
131  * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
132  * will be preferentially chosen over NSEC3PARAM records without
133  * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
134  * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
135  * is set then the new NSEC3 will have OPTOUT set to match the that in the
136  * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
137  * record in the chain.
138  *
139  * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
140  * specifies the type of the private rdataset to be checked in addition to
141  * the nsec3param rdataset at the zone apex.
142  *
143  * Requires:
144  *	'db' to be valid.
145  *	'version' to be valid or NULL.
146  *	'name' to be valid.
147  *	'nsec3param' to be valid.
148  *	'diff' to be valid.
149  */
150 
151 isc_result_t
152 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
153 		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
154 
155 isc_result_t
156 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
157 		    dns_diff_t *diff);
158 
159 isc_result_t
160 dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
161 		     dns_rdatatype_t private, dns_diff_t *diff);
162 /*%<
163  * Remove NSEC3 records for 'name', recording the change in 'diff'.
164  * Adjust previous NSEC3 records, if any, to reflect the removal.
165  *
166  * dns_nsec3_delnsec3() performs the above for the chain identified by
167  * 'nsec3param'.
168  *
169  * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
170  * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
171  * records have the OPTOUT flag preserved.
172  *
173  * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
174  * specifies the type of the private rdataset to be checked in addition to
175  * the nsec3param rdataset at the zone apex.
176  *
177  * Requires:
178  *	'db' to be valid.
179  *	'version' to be valid or NULL.
180  *	'name' to be valid.
181  *	'nsec3param' to be valid.
182  *	'diff' to be valid.
183  */
184 
185 isc_result_t
186 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
187 		 isc_boolean_t complete, isc_boolean_t *answer);
188 
189 isc_result_t
190 dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
191 		  isc_boolean_t complete, dns_rdatatype_t private,
192 		  isc_boolean_t *answer);
193 /*%<
194  * Check if there are any complete/to be built NSEC3 chains.
195  * If 'complete' is ISC_TRUE only complete chains will be recognized.
196  *
197  * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
198  * specifies the type of the private rdataset to be checked in addition to
199  * the nsec3param rdataset at the zone apex.
200  *
201  * Requires:
202  *	'db' to be valid.
203  *	'version' to be valid or NULL.
204  *	'answer' to be non NULL.
205  */
206 
207 isc_result_t
208 dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
209 			isc_mem_t *mctx, unsigned int *iterationsp);
210 /*%<
211  * Find the maximum permissible number of iterations allowed based on
212  * the key strength.
213  *
214  * Requires:
215  *	'db' to be valid.
216  *	'version' to be valid or NULL.
217  *	'mctx' to be valid.
218  *	'iterationsp' to be non NULL.
219  */
220 
221 isc_boolean_t
222 dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
223 			   unsigned char *buf, size_t buflen);
224 /*%<
225  * Convert a private rdata to a nsec3param rdata.
226  *
227  * Return ISC_TRUE if 'src' could be successfully converted.
228  *
229  * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
230  */
231 
232 void
233 dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
234 			 dns_rdatatype_t privatetype,
235 			 unsigned char *buf, size_t buflen);
236 /*%<
237  * Convert a nsec3param rdata to a private rdata.
238  *
239  * 'buf' should be at least src->length + 1 in size.
240  */
241 
242 isc_result_t
243 dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
244 			    dns_zone_t *zone, isc_boolean_t nonsec,
245 			    dns_diff_t *diff);
246 
247 /*%<
248  * Mark NSEC3PARAM for deletion.
249  */
250 
251 isc_result_t
252 dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
253 			dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
254 			dns_name_t *zonename, isc_boolean_t *exists,
255 			isc_boolean_t *data, isc_boolean_t *optout,
256 			isc_boolean_t *unknown, isc_boolean_t *setclosest,
257 			isc_boolean_t *setnearest, dns_name_t *closest,
258 			dns_name_t *nearest, dns_nseclog_t logit, void *arg);
259 
260 ISC_LANG_ENDDECLS
261 
262 #endif /* DNS_NSEC3_H */
263