2 * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
17 /* $Id: nsec3.h,v 1.5.48.3 2009/10/06 21:20:18 each Exp $ */
23 #include <isc/iterated_hash.h>
28 #include <dns/rdatastruct.h>
29 #include <dns/types.h>
31 #define DNS_NSEC3_SALTSIZE 255
34 * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
35 * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
37 #define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
39 * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
41 #define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
44 * Test "unknown" algorithm. Is mapped to dns_hash_sha1.
46 #define DNS_NSEC3_UNKNOWNALG 245U
51 dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
52 dns_dbnode_t *node, unsigned int hashalg,
53 unsigned int optin, unsigned int iterations,
54 const unsigned char *salt, size_t salt_length,
55 const unsigned char *nexthash, size_t hash_length,
56 unsigned char *buffer, dns_rdata_t *rdata);
58 * Build the rdata of a NSEC3 record for the data at 'node'.
59 * Note: 'node' is not the node where the NSEC3 record will be stored.
62 * buffer Points to a temporary buffer of at least
63 * DNS_NSEC_BUFFERSIZE bytes.
64 * rdata Points to an initialized dns_rdata_t.
67 * *rdata Contains a valid NSEC3 rdata. The 'data' member refers
72 dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
74 * Determine if a type is marked as present in an NSEC3 record.
77 * 'nsec' points to a valid rdataset of type NSEC3
81 dns_nsec3_hashname(dns_fixedname_t *result,
82 unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
83 size_t *hash_length, dns_name_t *name, dns_name_t *origin,
84 dns_hash_t hashalg, unsigned int iterations,
85 const unsigned char *salt, size_t saltlength);
87 * Make a hashed domain name from an unhashed one. If rethash is not NULL
88 * the raw hash is stored there.
92 dns_nsec3_hashlength(dns_hash_t hash);
94 * Return the length of the hash produced by the specified algorithm
95 * or zero when unknown.
99 dns_nsec3_supportedhash(dns_hash_t hash);
101 * Return whether we support this hash algorithm or not.
105 dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
106 dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
107 dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
110 dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
111 dns_name_t *name, dns_ttl_t nsecttl,
112 isc_boolean_t unsecure, dns_diff_t *diff);
114 * Add NSEC3 records for 'name', recording the change in 'diff'.
115 * Adjust previous NSEC3 records, if any, to reflect the addition.
116 * The existing NSEC3 records are removed.
118 * dns_nsec3_addnsec3() will only add records to the chain identified by
121 * 'unsecure' should be set to reflect if this is a potentially
122 * unsecure delegation (no DS record).
124 * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
125 * chains to be updated. NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
126 * will be preferentially chosen over NSEC3PARAM records without
127 * DNS_NSEC3FLAG_CREATE set. NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
128 * set will be ignored by dns_nsec3_addnsec3s(). If DNS_NSEC3FLAG_CREATE
129 * is set then the new NSEC3 will have OPTOUT set to match the that in the
130 * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
131 * record in the chain.
135 * 'version' to be valid or NULL.
136 * 'name' to be valid.
137 * 'nsec3param' to be valid.
138 * 'diff' to be valid.
142 dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
143 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
146 dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
149 * Remove NSEC3 records for 'name', recording the change in 'diff'.
150 * Adjust previous NSEC3 records, if any, to reflect the removal.
152 * dns_nsec3_delnsec3() performs the above for the chain identified by
155 * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
156 * to dns_nsec3_addnsec3s(). Unlike dns_nsec3_addnsec3s() updated NSEC3
157 * records have the OPTOUT flag preserved.
161 * 'version' to be valid or NULL.
162 * 'name' to be valid.
163 * 'nsec3param' to be valid.
164 * 'diff' to be valid.
168 dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
169 isc_boolean_t complete, isc_boolean_t *answer);
171 * Check if there are any complete/to be built NSEC3 chains.
172 * If 'complete' is ISC_TRUE only complete chains will be recognized.
176 * 'version' to be valid or NULL.
177 * 'answer' to be non NULL.
181 dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
182 isc_mem_t *mctx, unsigned int *iterationsp);
184 * Find the maximum permissible number of iterations allowed based on
189 * 'version' to be valid or NULL.
190 * 'mctx' to be valid.
191 * 'iterationsp' to be non NULL.
196 #endif /* DNS_NSEC3_H */