diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 10:23:33 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-04 10:23:33 +0000 |
commit | a40ea05d08f1d6dce2fb12fb119a33540bf6256f (patch) | |
tree | 76580546179a403e346084143bd92393474e71be /src/resolve/resolved-dns-dnssec.h | |
parent | Adding upstream version 252.22. (diff) | |
download | systemd-upstream/252.23.tar.xz systemd-upstream/252.23.zip |
Adding upstream version 252.23.upstream/252.23
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.h')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.h | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h index 954bb3e..29b9013 100644 --- a/src/resolve/resolved-dns-dnssec.h +++ b/src/resolve/resolved-dns-dnssec.h @@ -9,12 +9,13 @@ typedef enum DnssecVerdict DnssecVerdict; #include "resolved-dns-rr.h" enum DnssecResult { - /* These five are returned by dnssec_verify_rrset() */ + /* These six are returned by dnssec_verify_rrset() */ DNSSEC_VALIDATED, DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */ DNSSEC_INVALID, DNSSEC_SIGNATURE_EXPIRED, DNSSEC_UNSUPPORTED_ALGORITHM, + DNSSEC_TOO_MANY_VALIDATIONS, /* These two are added by dnssec_verify_rrset_search() */ DNSSEC_NO_SIGNATURE, @@ -45,6 +46,12 @@ enum DnssecVerdict { /* The longest digest we'll ever generate, of all digest algorithms we support */ #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32)) +/* The most invalid signatures we will tolerate for a single rrset */ +#define DNSSEC_INVALID_MAX 5 + +/* The total number of signature validations we will tolerate for a single transaction */ +#define DNSSEC_VALIDATION_MAX 64 + int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok); int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig); |