2 * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: keytable.h,v 1.23 2010/06/25 03:24:05 marka Exp $ */
20 #ifndef DNS_KEYTABLE_H
21 #define DNS_KEYTABLE_H 1
29 * The keytable module provides services for storing and retrieving DNSSEC
30 * trusted keys, as well as the ability to find the deepest matching key
31 * for a given domain name.
34 *\li The module ensures appropriate synchronization of data structures it
35 * creates and manipulates.
41 *\li No anticipated impact.
45 #include <isc/magic.h>
46 #include <isc/refcount.h>
47 #include <isc/rwlock.h>
48 #include <isc/stdtime.h>
50 #include <dns/types.h>
63 isc_uint32_t active_nodes;
64 /* Locked by rwlock. */
65 isc_uint32_t references;
69 #define KEYTABLE_MAGIC ISC_MAGIC('K', 'T', 'b', 'l')
70 #define VALID_KEYTABLE(kt) ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
74 isc_refcount_t refcount;
76 isc_boolean_t managed;
77 struct dns_keynode * next;
80 #define KEYNODE_MAGIC ISC_MAGIC('K', 'N', 'o', 'd')
81 #define VALID_KEYNODE(kn) ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
84 dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
90 *\li 'mctx' is a valid memory context.
92 *\li keytablep != NULL && *keytablep == NULL
96 *\li On success, *keytablep is a valid, empty key table.
102 *\li Any other result indicates failure.
107 dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
109 * Attach *targetp to source.
113 *\li 'source' is a valid keytable.
115 *\li 'targetp' points to a NULL dns_keytable_t *.
119 *\li *targetp is attached to source.
123 dns_keytable_detach(dns_keytable_t **keytablep);
125 * Detach *keytablep from its keytable.
129 *\li 'keytablep' points to a valid keytable.
133 *\li *keytablep is NULL.
135 *\li If '*keytablep' is the last reference to the keytable,
136 * all resources used by the keytable will be freed
140 dns_keytable_add(dns_keytable_t *keytable, isc_boolean_t managed,
143 * Add '*keyp' to 'keytable' (using the name in '*keyp').
144 * The value of keynode->managed is set to 'managed'
148 *\li Ownership of *keyp is transferred to the keytable.
149 *\li If the key already exists in the table, ISC_R_EXISTS is
150 * returned and the new key is freed.
154 *\li 'keytable' points to a valid keytable.
156 *\li keyp != NULL && *keyp is a valid dst_key_t *.
160 *\li On success, *keyp == NULL
167 *\li Any other result indicates failure.
171 dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name);
173 * Add a null key to 'keytable' for name 'name'. This marks the
174 * name as a secure domain, but doesn't supply any key data to allow the
175 * domain to be validated. (Used when automated trust anchor management
176 * has gotten broken by a zone misconfiguration; for example, when the
177 * active key has been revoked but the stand-by key was still in its 30-day
178 * waiting period for validity.)
182 *\li If a key already exists in the table, ISC_R_EXISTS is
183 * returned and nothing is done.
187 *\li 'keytable' points to a valid keytable.
189 *\li keyp != NULL && *keyp is a valid dst_key_t *.
196 *\li Any other result indicates failure.
200 dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname);
202 * Delete node(s) from 'keytable' matching name 'keyname'
206 *\li 'keytable' points to a valid keytable.
208 *\li 'name' is not NULL
214 *\li Any other result indicates failure.
218 dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey);
220 * Delete node(s) from 'keytable' containing copies of the key pointed
225 *\li 'keytable' points to a valid keytable.
226 *\li 'dstkey' is not NULL
232 *\li Any other result indicates failure.
236 dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
237 dns_keynode_t **keynodep);
239 * Search for the first instance of a key named 'name' in 'keytable',
240 * without regard to keyid and algorithm. Use dns_keytable_nextkeynode()
241 * to find subsequent instances.
245 *\li 'keytable' is a valid keytable.
247 *\li 'name' is a valid absolute name.
249 *\li keynodep != NULL && *keynodep == NULL
256 *\li Any other result indicates an error.
260 dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
261 dns_keynode_t **nextnodep);
263 * Return for the next key after 'keynode' in 'keytable', without regard to
264 * keyid and algorithm.
268 *\li 'keytable' is a valid keytable.
270 *\li 'keynode' is a valid keynode.
272 *\li nextnodep != NULL && *nextnodep == NULL
279 *\li Any other result indicates an error.
283 dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
284 dns_secalg_t algorithm, dns_keytag_t tag,
285 dns_keynode_t **keynodep);
287 * Search for a key named 'name', matching 'algorithm' and 'tag' in
288 * 'keytable'. This finds the first instance which matches. Use
289 * dns_keytable_findnextkeynode() to find other instances.
293 *\li 'keytable' is a valid keytable.
295 *\li 'name' is a valid absolute name.
297 *\li keynodep != NULL && *keynodep == NULL
302 *\li DNS_R_PARTIALMATCH the name existed in the keytable.
305 *\li Any other result indicates an error.
309 dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
310 dns_keynode_t **nextnodep);
312 * Search for the next key with the same properties as 'keynode' in
313 * 'keytable' as found by dns_keytable_findkeynode().
317 *\li 'keytable' is a valid keytable.
319 *\li 'keynode' is a valid keynode.
321 *\li nextnodep != NULL && *nextnodep == NULL
328 *\li Any other result indicates an error.
332 dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
333 dns_name_t *foundname);
335 * Search for the deepest match of 'name' in 'keytable'.
339 *\li 'keytable' is a valid keytable.
341 *\li 'name' is a valid absolute name.
343 *\li 'foundname' is a name with a dedicated buffer.
350 *\li Any other result indicates an error.
354 dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
355 dns_keynode_t **target);
357 * Attach a keynode and and increment the active_nodes counter in a
358 * corresponding keytable.
362 *\li 'keytable' is a valid keytable.
364 *\li 'source' is a valid keynode.
366 *\li 'target' is not null and '*target' is null.
370 dns_keytable_detachkeynode(dns_keytable_t *keytable,
371 dns_keynode_t **keynodep);
373 * Give back a keynode found via dns_keytable_findkeynode().
377 *\li 'keytable' is a valid keytable.
379 *\li *keynodep is a valid keynode returned by a call to
380 * dns_keytable_findkeynode().
384 *\li *keynodep == NULL
388 dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
389 isc_boolean_t *wantdnssecp);
391 * Is 'name' at or beneath a trusted key?
395 *\li 'keytable' is a valid keytable.
397 *\li 'name' is a valid absolute name.
399 *\li '*wantsdnssecp' is a valid isc_boolean_t.
403 *\li On success, *wantsdnssecp will be ISC_TRUE if and only if 'name'
404 * is at or beneath a trusted key.
410 *\li Any other result is an error.
414 dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
416 * Dump the keytable on fp.
420 dns_keynode_key(dns_keynode_t *keynode);
422 * Get the DST key associated with keynode.
426 dns_keynode_managed(dns_keynode_t *keynode);
428 * Is this flagged as a managed key?
432 dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
434 * Allocate space for a keynode
438 dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target);
440 * Attach keynode 'source' to '*target'
444 dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
446 * Detach a single keynode, without touching any keynodes that
447 * may be pointed to by its 'next' pointer
451 dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **target);
453 * Detach a keynode and all its succesors.
457 #endif /* DNS_KEYTABLE_H */