2 * Copyright (C) 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
18 #ifndef GENERIC_NSEC3_50_H
19 #define GENERIC_NSEC3_50_H 1
24 * \brief Per RFC 5155 */
26 #include <isc/iterated_hash.h>
28 typedef struct dns_rdata_nsec3 {
29 dns_rdatacommon_t common;
33 dns_iterations_t iterations;
34 unsigned char salt_length;
35 unsigned char next_length;
39 unsigned char *typebits;
43 * The corresponding NSEC3 interval is OPTOUT indicating possible
44 * insecure delegations.
46 #define DNS_NSEC3FLAG_OPTOUT 0x01U /* wire-visible NSEC3/NSEC3PARAM flag (RFC 5155 Opt-Out); the only bit in this octet that may be published */
49 * The following flags are used in the private-type record (implemented in
50 * lib/dns/private.c) which is used to store NSEC3PARAM data during the
51 * time when it is not legal to have an actual NSEC3PARAM record in the
52 * zone. They are defined here because the private-type record uses the
53 * same flags field for the OPTOUT flag above and for the private flags
54 * below. XXX: This should be considered for refactoring.
58 * Non-standard, private type only.
60 * Create a corresponding NSEC3 chain.
61 * Once the NSEC3 chain is complete this flag will be removed to signal
62 * that there is a complete chain.
64 * This flag is automatically set when a NSEC3PARAM record is added to
65 * the zone via UPDATE.
67 * NSEC3PARAM records containing this flag should never be published,
68 * but if they are, they should be ignored by RFC 5155 compliant nameservers.
71 #define DNS_NSEC3FLAG_CREATE 0x80U /* private-type only: occupies the same flags octet as DNS_NSEC3FLAG_OPTOUT and must never be published */
74 * Non-standard, private type only.
76 * The corresponding NSEC3 set is to be removed once the NSEC chain
79 * This flag is automatically set when the last active NSEC3PARAM record
80 * is removed from the zone via UPDATE.
82 * NSEC3PARAM records containing this flag should never be published,
83 * but if they are, they should be ignored by RFC 5155 compliant nameservers.
86 #define DNS_NSEC3FLAG_REMOVE 0x40U /* private-type only: set when the last active NSEC3PARAM is removed via UPDATE; never published */
89 * Non-standard, private type only.
91 * When set with the CREATE flag, a corresponding NSEC3 chain will be
92 * created when the zone becomes capable of supporting one (i.e., when it
93 * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
94 * Without this flag, NSEC3 chain creation would be attempted immediately,
95 * fail, and the private type record would be removed. With it, the NSEC3
96 * parameters are stored until they can be used. When the zone has the
97 * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
98 * and the record will be cleaned up normally.
100 * NSEC3PARAM records containing this flag should never be published, but
101 * if they are, they should be ignored by RFC 5155 compliant nameservers.
103 #define DNS_NSEC3FLAG_INITIAL 0x20U /* private-type only: defers chain creation (with CREATE) until an NSEC3-capable DNSKEY exists; never published */
106 * Non-standard, private type only.
108 * Prevent the creation of a NSEC chain before the last NSEC3 chain
109 * is removed. This will normally only be set when the zone is
110 * transitioning from secure with NSEC3 chains to insecure.
112 * NSEC3PARAM records containing this flag should never be published,
113 * but if they are, they should be ignored by RFC 5155 compliant nameservers.
116 #define DNS_NSEC3FLAG_NONSEC 0x10U /* private-type only: blocks NSEC chain creation while an NSEC3 chain is still being removed; never published */
118 #endif /* GENERIC_NSEC3_50_H */