2 * Copyright (C) 2004, 2005, 2007-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: nsec.c,v 1.13.428.2 2011-03-12 04:59:17 tbox Exp $ */
24 #include <isc/string.h>
29 #include <dns/rdata.h>
30 #include <dns/rdatalist.h>
31 #include <dns/rdataset.h>
32 #include <dns/rdatasetiter.h>
33 #include <dns/rdatastruct.h>
34 #include <dns/result.h>
/*
 * Evaluate 'x' and, if it did not yield ISC_R_SUCCESS, return from the
 * enclosing function; the enclosing function must declare 'result'.
 * Only two lines of the expansion appear in this listing: the line that
 * presumably assigns (x) to 'result' and the return/cleanup path are
 * not shown, so confirm against the full source.
 */
38 #define RETERR(x) do { \
40 if (result != ISC_R_SUCCESS) \
/*
 * Set ('bit' != 0) or clear ('bit' == 0) bit number 'index' of the
 * big-endian bit map 'array': bit 0 is the most significant bit of
 * array[0], bit 8 the most significant bit of array[1], and so on.
 * No bounds check is performed; the caller must guarantee that
 * index / 8 lies inside 'array'.
 */
static void
set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
	unsigned char *octet = &array[index / 8];
	/* 1 << (7 - index % 8), expressed as a right shift of the top bit. */
	unsigned char mask = (unsigned char)(0x80U >> (index % 8));

	if (bit != 0)
		*octet |= mask;
	else
		*octet &= (unsigned char)~mask;
}
/*
 * Test bit number 'index' of the big-endian bit map 'array' (same
 * layout and bounds contract as set_bit()).  Returns non-zero when the
 * bit is set, zero otherwise.
 */
static int
bit_isset(unsigned char *array, unsigned int index) {
	/* Top bit of the octet shifted down to the requested position. */
	unsigned int mask = 0x80U >> (index % 8);

	return ((array[index / 8] & mask) != 0);
}
/*
 * Build the NSEC RDATA for 'node' (in 'version' of 'db') into 'buffer'
 * and point 'rdata' at it.
 *
 * The RDATA is the wire form of the name 'target' (copied to the start
 * of 'buffer') followed by the type bit map, encoded as windows of
 * <window number, length, 1..32 bitmap octets>.  'buffer' must hold
 * DNS_NSEC_BUFFERSIZE octets and is zeroed first.  Returns
 * ISC_R_SUCCESS, or the error from dns_db_allrdatasets() / the rdataset
 * iterator (the early returns are not shown in this listing).
 *
 * Bit-map bounds: set_bit()/bit_isset() do not range-check their index;
 * the raw map is 256 windows * 32 octets = 8192 octets, i.e. one bit per
 * 16-bit type value -- TODO confirm dns_rdatatype_t is 16 bits wide.
 *
 * Lines not shown in this listing: the return type, the declarations of
 * 'result', 'r' (an isc_region_t, from its use with dns_name_toregion())
 * and 'octet' (signed, since the loop below tests octet >= 0), the
 * NULL-initialisation of 'rdsiter', the breaks/continues of the window
 * loop, the set_bit(bm, i, 0) that clears glue bits, and the trailing
 * dns_rdata_fromregion() arguments.
 *
 * NOTE(review): as listed, 'r' is the region of 'target' returned by
 * dns_name_toregion() and is never re-pointed at 'buffer' after the
 * memcpy(), so 'bm' and 'nsec_bits' would address the name's own storage
 * rather than the copy in 'buffer'.  Most likely an 'r.base = buffer;'
 * line was dropped from this listing -- confirm against the full source.
 */
69 dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
70 dns_dbnode_t *node, dns_name_t *target,
71 unsigned char *buffer, dns_rdata_t *rdata)
74 dns_rdataset_t rdataset;
76 unsigned int i, window;
79 unsigned char *nsec_bits, *bm;
80 unsigned int max_type;
81 dns_rdatasetiter_t *rdsiter;
/* Zero everything so untouched bit-map octets read as 0 below. */
83 memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
84 dns_name_toregion(target, &r);
85 memcpy(buffer, r.base, r.length);
88 * Use the end of the space for a raw bitmap leaving enough
89 * space for the window identifiers and length octets.
/*
 * The raw map starts 512 octets after the name; the compacted windows
 * are written from the end of the name.  512 = 256 windows * 2 header
 * octets, so the write position can never overtake the raw octets still
 * to be read (see the memmove() below).
 */
91 bm = r.base + r.length + 512;
92 nsec_bits = r.base + r.length;
/* RRSIG and NSEC are always marked present; max_type starts at NSEC. */
93 set_bit(bm, dns_rdatatype_rrsig, 1);
94 set_bit(bm, dns_rdatatype_nsec, 1);
95 max_type = dns_rdatatype_nsec;
96 dns_rdataset_init(&rdataset);
98 result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
99 if (result != ISC_R_SUCCESS)
/*
 * Mark every type present at the node except NSEC, NSEC3 and RRSIG
 * (NSEC and RRSIG were set unconditionally above), tracking the
 * highest type seen so later loops can stop early.
 */
101 for (result = dns_rdatasetiter_first(rdsiter);
102 result == ISC_R_SUCCESS;
103 result = dns_rdatasetiter_next(rdsiter))
105 dns_rdatasetiter_current(rdsiter, &rdataset);
106 if (rdataset.type != dns_rdatatype_nsec &&
107 rdataset.type != dns_rdatatype_nsec3 &&
108 rdataset.type != dns_rdatatype_rrsig) {
109 if (rdataset.type > max_type)
110 max_type = rdataset.type;
111 set_bit(bm, rdataset.type, 1);
113 dns_rdataset_disassociate(&rdataset);
117 * At zone cuts, deny the existence of glue in the parent zone.
/*
 * NS without SOA identifies a delegation point.  Only types that are
 * authoritative at a zone cut keep their bits; the set_bit(bm, i, 0)
 * that clears the others is not shown in this listing.
 */
119 if (bit_isset(bm, dns_rdatatype_ns) &&
120 ! bit_isset(bm, dns_rdatatype_soa)) {
121 for (i = 0; i <= max_type; i++) {
122 if (bit_isset(bm, i) &&
123 ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
/* The iteration must have ended with ISC_R_NOMORE; anything else is an error. */
128 dns_rdatasetiter_destroy(&rdsiter);
129 if (result != ISC_R_NOMORE)
/*
 * Compact the raw map into windows.  Windows beyond max_type are
 * skipped; a window is emitted only if one of its 32 octets is
 * non-zero, and 'octet' ends as the index of its last non-zero octet,
 * so the window carries octet + 1 bitmap octets after the 2-octet
 * header.  Destination and source overlap, hence memmove().
 */
132 for (window = 0; window < 256; window++) {
133 if (window * 256 > max_type)
135 for (octet = 31; octet >= 0; octet--)
136 if (bm[window * 32 + octet] != 0)
140 nsec_bits[0] = window;
141 nsec_bits[1] = octet + 1;
143 * Note: potential overlapping move.
145 memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
146 nsec_bits += 3 + octet;
/* Total RDATA length: name plus all emitted windows; must fit the buffer. */
148 r.length = nsec_bits - r.base;
149 INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
/* Remaining arguments are on lines not shown in this listing. */
150 dns_rdata_fromregion(rdata,
155 return (ISC_R_SUCCESS);
/*
 * Build the NSEC record for 'node' whose next name is 'target' and add
 * it to 'version' of 'db'.
 *
 * The RDATA is built by dns_nsec_buildrdata() into a stack buffer of
 * DNS_NSEC_BUFFERSIZE octets, wrapped as a one-element rdatalist /
 * rdataset and passed to dns_db_addrdataset().  DNS_R_UNCHANGED (an
 * identical NSEC already present) is reported as ISC_R_SUCCESS.
 * Returns ISC_R_SUCCESS or the failing call's result; RETERR() returns
 * early on failure.
 *
 * Not shown in this listing: the return type, the declaration of
 * 'result', the use of 'ttl' (presumably assigned to the rdatalist),
 * the option arguments of dns_db_addrdataset() on its continuation
 * line, and the final return.
 */
160 dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
161 dns_name_t *target, dns_ttl_t ttl)
164 dns_rdata_t rdata = DNS_RDATA_INIT;
165 unsigned char data[DNS_NSEC_BUFFERSIZE];
166 dns_rdatalist_t rdatalist;
167 dns_rdataset_t rdataset;
169 dns_rdataset_init(&rdataset);
170 dns_rdata_init(&rdata);
/* Fill 'data' and point 'rdata' at it. */
172 RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
/* Single-rdata list: class taken from the db, type NSEC, no covered type. */
174 rdatalist.rdclass = dns_db_class(db);
175 rdatalist.type = dns_rdatatype_nsec;
176 rdatalist.covers = 0;
178 ISC_LIST_INIT(rdatalist.rdata);
179 ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
180 RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
181 result = dns_db_addrdataset(db, node, version, 0, &rdataset,
/* An NSEC identical to the one already stored is not an error. */
183 if (result == DNS_R_UNCHANGED)
184 result = ISC_R_SUCCESS;
/* Release the rdataset only if dns_rdatalist_tordataset() associated it. */
187 if (dns_rdataset_isassociated(&rdataset))
188 dns_rdataset_disassociate(&rdataset);
/*
 * Report whether 'type' is listed in the type bit map of the NSEC
 * rdata 'nsec'.
 *
 * The rdata is decoded into a dns_rdata_nsec_t and its bit map walked
 * window by window: a window octet, a length octet (1..32) and that many
 * bitmap octets.  The first test in the loop only makes sense if windows
 * are in ascending order, so reaching a window past 'type' presumably
 * ends the search (the statement after that test is not shown).
 *
 * The INSISTs are fatal assertions on the bit-map layout.  They are
 * consistency checks on rdata that is assumed to have been validated by
 * the wire parser already, not input validation for untrusted data:
 * malformed rdata reaching this point would abort rather than be
 * rejected -- confirm at the callers.
 *
 * Not shown in this listing: the return type, the declaration of
 * 'result', the initial value of 'present', the advance of 'i' past the
 * two header octets (implied by the i + len bound that follows), the
 * break/continue statements, the bit-index argument of bit_isset() and
 * the final return of 'present'.
 */
193 dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
194 dns_rdata_nsec_t nsecstruct;
196 isc_boolean_t present;
197 unsigned int i, len, window;
199 REQUIRE(nsec != NULL);
200 REQUIRE(nsec->type == dns_rdatatype_nsec);
202 /* This should never fail */
203 result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
204 INSIST(result == ISC_R_SUCCESS);
/* 'i' indexes the start of each window; 'len' is its bitmap length. */
207 for (i = 0; i < nsecstruct.len; i += len) {
208 INSIST(i + 2 <= nsecstruct.len);
209 window = nsecstruct.typebits[i];
210 len = nsecstruct.typebits[i + 1];
211 INSIST(len > 0 && len <= 32);
213 INSIST(i + len <= nsecstruct.len);
/* Windows are ordered: one past 'type' ends the search, one before it is skipped. */
214 if (window * 256 > type)
216 if ((window + 1) * 256 <= type)
/* Only consult the bit if this window's octets extend far enough to cover 'type'. */
218 if (type < (window * 256) + len * 8)
219 present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
/* Release whatever dns_rdata_tostruct() allocated for the struct. */
223 dns_rdata_freestruct(&nsecstruct);
228 dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
229 isc_boolean_t *answer)
231 dns_dbnode_t *node = NULL;
232 dns_rdataset_t rdataset;
233 dns_rdata_dnskey_t dnskey;
236 REQUIRE(answer != NULL);
238 dns_rdataset_init(&rdataset);
240 result = dns_db_getoriginnode(db, &node);
241 if (result != ISC_R_SUCCESS)
244 result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
245 0, 0, &rdataset, NULL);
246 dns_db_detachnode(db, &node);
248 if (result == ISC_R_NOTFOUND) {
250 return (ISC_R_SUCCESS);
252 if (result != ISC_R_SUCCESS)
254 for (result = dns_rdataset_first(&rdataset);
255 result == ISC_R_SUCCESS;
256 result = dns_rdataset_next(&rdataset)) {
257 dns_rdata_t rdata = DNS_RDATA_INIT;
259 dns_rdataset_current(&rdataset, &rdata);
260 result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
261 RUNTIME_CHECK(result == ISC_R_SUCCESS);
263 if (dnskey.algorithm == DST_ALG_RSAMD5 ||
264 dnskey.algorithm == DST_ALG_RSASHA1 ||
265 dnskey.algorithm == DST_ALG_DSA ||
266 dnskey.algorithm == DST_ALG_ECC)
269 dns_rdataset_disassociate(&rdataset);
270 if (result == ISC_R_SUCCESS)
272 if (result == ISC_R_NOMORE) {
274 result = ISC_R_SUCCESS;