2 * Copyright (C) 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp $ */
20 #ifndef DNS_VALIDATOR_H
21 #define DNS_VALIDATOR_H 1
27 /*! \file dns/validator.h
31 * This is the BIND 9 validator, the module responsible for validating the
32 * rdatasets and negative responses (messages). It makes use of zones in
33 * the view and may fetch RRset to complete trust chains. It implements
34 * DNSSEC as specified in RFC 4033, 4034 and 4035.
36 * It can also optionally implement ISC's DNSSEC look-aside validation.
38 * Correct operation is critical to preventing spoofed answers from secure
39 * zones being accepted.
42 *\li The module ensures appropriate synchronization of data structures it
43 * creates and manipulates.
46 *\li No anticipated impact.
52 *\li No anticipated impact.
55 *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035.
59 #include <isc/event.h>
60 #include <isc/mutex.h>
62 #include <dns/fixedname.h>
63 #include <dns/types.h>
64 #include <dns/rdataset.h>
65 #include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
70 * A dns_validatorevent_t is sent when a 'validation' completes.
72 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
73 * supplied when dns_validator_create() was called. They are returned to the
74 * caller so that they may be freed.
76 * If the RESULT is ISC_R_SUCCESS and the answer is secure then
77 * proofs[] will contain the names of the NSEC records that hold the
78 * various proofs. Note the same name may appear multiple times.
80 typedef struct dns_validatorevent {
81 ISC_EVENT_COMMON(struct dns_validatorevent);
82 dns_validator_t * validator;
85 * Name and type of the response to be validated.
90 * Rdata and RRSIG (if any) for positive responses.
92 dns_rdataset_t * rdataset;
93 dns_rdataset_t * sigrdataset;
95 * The full response. Required for negative responses.
96 * Also required for positive wildcard responses.
98 dns_message_t * message;
100 * Proofs to be cached.
102 dns_name_t * proofs[4];
106 isc_boolean_t optout;
110 isc_boolean_t secure;
111 } dns_validatorevent_t;
113 #define DNS_VALIDATOR_NOQNAMEPROOF 0
114 #define DNS_VALIDATOR_NODATAPROOF 1
115 #define DNS_VALIDATOR_NOWILDCARDPROOF 2
116 #define DNS_VALIDATOR_CLOSESTENCLOSER 3
119 * A validator object represents a validation in progress.
121 * Clients are strongly discouraged from using this type directly, with
122 * the exception of the 'link' field, which may be used directly for
123 * whatever purpose the client desires.
125 struct dns_validator {
130 /* Locked by lock. */
131 unsigned int options;
132 unsigned int attributes;
133 dns_validatorevent_t * event;
135 dns_validator_t * subvalidator;
136 dns_validator_t * parent;
137 dns_keytable_t * keytable;
138 dns_keynode_t * keynode;
140 dns_rdata_rrsig_t * siginfo;
142 isc_taskaction_t action;
145 dns_rdataset_t * currentset;
146 isc_boolean_t seensig;
147 dns_rdataset_t * keyset;
148 dns_rdataset_t * dsset;
149 dns_rdataset_t * soaset;
150 dns_rdataset_t * nsecset;
151 dns_rdataset_t * nsec3set;
152 dns_name_t * soaname;
153 dns_rdataset_t frdataset;
154 dns_rdataset_t fsigrdataset;
155 dns_fixedname_t fname;
156 dns_fixedname_t wild;
157 dns_fixedname_t nearest;
158 dns_fixedname_t closest;
159 ISC_LINK(dns_validator_t) link;
161 dns_fixedname_t dlvsep;
162 isc_boolean_t havedlvsep;
163 isc_boolean_t mustbesecure;
164 unsigned int dlvlabels;
166 unsigned int authcount;
167 unsigned int authfail;
171 * dns_validator_create() options.
173 #define DNS_VALIDATOR_DLV 1U
174 #define DNS_VALIDATOR_DEFER 2U
179 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
180 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
181 dns_message_t *message, unsigned int options,
182 isc_task_t *task, isc_taskaction_t action, void *arg,
183 dns_validator_t **validatorp);
185 * Start a DNSSEC validation.
187 * This validates a response to the question given by
190 * To validate a positive response, the response data is
191 * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset'
192 * is NULL, the data is presumed insecure and an attempt
193 * is made to prove its insecurity by finding the appropriate
196 * The complete response message may be given in 'message',
197 * to make available any authority section NSECs that may be
198 * needed for validation of a response resulting from a
199 * wildcard expansion (though no such wildcard validation
200 * is implemented yet). If the complete response message
201 * is not available, 'message' is NULL.
203 * To validate a negative response, the complete negative response
204 * message is given in 'message'. The 'rdataset', and
205 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
206 * arguments must be provided.
208 * The validation is performed in the context of 'view'.
210 * When the validation finishes, a dns_validatorevent_t with
211 * the given 'action' and 'arg' are sent to 'task'.
212 * Its 'result' field will be ISC_R_SUCCESS iff the
213 * response was successfully proven to be either secure or
214 * part of a known insecure domain.
217 * If DNS_VALIDATOR_DLV is set the caller knows there is not a
218 * trusted key and the validator should immediately attempt to validate
219 * the answer by looking for an appropriate DLV RRset.
223 dns_validator_send(dns_validator_t *validator);
225 * Send a deferred validation request
228 * 'validator' to points to a valid DNSSEC validator.
232 dns_validator_cancel(dns_validator_t *validator);
234 * Cancel a DNSSEC validation in progress.
237 *\li 'validator' points to a valid DNSSEC validator, which
238 * may or may not already have completed.
241 *\li It the validator has not already sent its completion
242 * event, it will send it with result code ISC_R_CANCELED.
246 dns_validator_destroy(dns_validator_t **validatorp);
248 * Destroy a DNSSEC validator.
251 *\li '*validatorp' points to a valid DNSSEC validator.
252 * \li The validator must have completed and sent its completion
256 *\li All resources used by the validator are freed.
261 #endif /* DNS_VALIDATOR_H */