/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*****
***** Module Info
*****/
/*! \file
 * \brief
 * The NTA module provides services for storing and retrieving negative
 * trust anchors, and for determining whether a given domain is subject to
 * DNSSEC validation.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <isc/buffer.h>
#include <isc/lang.h>
#include <isc/magic.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/stdtime.h>
#include <isc/task.h>
#include <isc/timer.h>
#include <dns/rdataset.h>
#include <dns/resolver.h>
#include <dns/types.h>
#include <dns/view.h>
ISC_LANG_BEGINDECLS
/*
 * The NTA table.  Callers are expected to go through the dns_ntatable_*
 * functions declared below rather than touching fields directly; the
 * locking discipline for each group of fields is noted inline.
 */
struct dns_ntatable {
	/* Unlocked. */
	unsigned int magic; /* expected to hold NTATABLE_MAGIC; see VALID_NTATABLE() */
	dns_view_t *view;   /* the view this table was created in (dns_ntatable_create()) */
	isc_rwlock_t rwlock;
	isc_taskmgr_t *taskmgr;   /* from dns_ntatable_create(); presumably used for */
	isc_timermgr_t *timermgr; /* the periodic re-validation checks described at */
	isc_task_t *task;         /* dns_ntatable_add() — confirm in the .c file */
	/* Protected by atomics */
	isc_refcount_t references; /* see dns_ntatable_attach()/_detach() */
	/* Locked by rwlock. */
	dns_rbt_t *table; /* NOTE(review): presumably keyed by NTA name — confirm */
	bool shuttingdown; /* NOTE(review): presumably set by dns_ntatable_shutdown() — confirm */
};
/* Magic value stored in dns_ntatable.magic and the validity check built on it. */
#define NTATABLE_MAGIC	   ISC_MAGIC('N', 'T', 'A', 't')
#define VALID_NTATABLE(nt) ISC_MAGIC_VALID(nt, NTATABLE_MAGIC)
isc_result_t
dns_ntatable_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
		    isc_timermgr_t *timermgr, dns_ntatable_t **ntatablep);
/*%<
 * Create an NTA table in view 'view'.
 *
 * Requires:
 *
 *\li 'view' is a valid view.
 *
 *\li 'taskmgr' is a valid task manager.
 *    (NOTE(review): not stated in the original text; inferred from the
 *    table storing it — confirm against the implementation.)
 *
 *\li 'timermgr' is a valid timer manager.
 *
 *\li ntatablep != NULL && *ntatablep == NULL
 *
 * Ensures:
 *
 *\li On success, *ntatablep is a valid, empty NTA table.
 *
 * Returns:
 *
 *\li ISC_R_SUCCESS
 *\li Any other result indicates failure.
 */
void
dns_ntatable_attach(dns_ntatable_t *source, dns_ntatable_t **targetp);
/*%<
 * Attach *targetp to source, taking a new reference on it.
 * Every attach must be balanced by a dns_ntatable_detach().
 *
 * Requires:
 *
 *\li 'source' is a valid ntatable.
 *
 *\li 'targetp' points to a NULL dns_ntatable_t *.
 *
 * Ensures:
 *
 *\li *targetp is attached to source.
 */
void
dns_ntatable_detach(dns_ntatable_t **ntatablep);
/*%<
 * Detach *ntatablep from its ntatable, dropping one reference.
 *
 * Requires:
 *
 *\li 'ntatablep' points to a valid ntatable.
 *
 * Ensures:
 *
 *\li *ntatablep is NULL.
 *
 *\li If '*ntatablep' is the last reference to the ntatable,
 *    all resources used by the ntatable will be freed.
 */
isc_result_t
dns_ntatable_add(dns_ntatable_t *ntatable, const dns_name_t *name, bool force,
		 isc_stdtime_t now, uint32_t lifetime);
/*%<
 * Add a negative trust anchor to 'ntatable' for name 'name',
 * which will expire at time 'now' + 'lifetime'. If 'force' is true,
 * then the NTA will persist for the entire specified lifetime.
 * If it is false, then the name will be queried periodically and
 * validation will be attempted to see whether it's still bogus;
 * if validation is successful, the NTA will be allowed to expire
 * early and validation below the NTA will resume.
 *
 * While the NTA is unexpired, dns_ntatable_covered() reports names
 * below 'name' as not subject to DNSSEC validation, so the ability to
 * call this is security-relevant and should be restricted to trusted
 * callers.  'lifetime' is in seconds (the unit of isc_stdtime_t), and no
 * upper bound on it is enforced here (NOTE(review): any cap presumably
 * lives in the caller — confirm).
 *
 * Notes:
 *
 *\li If an NTA already exists in the table, its expiry time
 *    is updated.
 *
 * Requires:
 *
 *\li 'ntatable' points to a valid ntatable.
 *
 *\li 'name' points to a valid name.
 *
 * Returns:
 *
 *\li ISC_R_SUCCESS
 *
 *\li Any other result indicates failure.
 */
isc_result_t
dns_ntatable_delete(dns_ntatable_t *ntatable, const dns_name_t *keyname);
/*%<
 * Delete node(s) from 'ntatable' matching name 'keyname', so that
 * DNSSEC validation below 'keyname' resumes.
 *
 * Requires:
 *
 *\li 'ntatable' points to a valid ntatable.
 *
 *\li 'keyname' is not NULL.
 *
 * Returns:
 *
 *\li ISC_R_SUCCESS
 *
 *\li Any other result indicates failure.
 */
bool
dns_ntatable_covered(dns_ntatable_t *ntatable, isc_stdtime_t now,
		     const dns_name_t *name, const dns_name_t *anchor);
/*%<
 * Return true if 'name' is below a non-expired negative trust
 * anchor which in turn is at or below 'anchor'.  Expiry is judged
 * against 'now'.  A true result means 'name' is exempt from DNSSEC
 * validation; NTAs above 'anchor' are not considered.
 *
 * If 'ntatable' has not been initialized, return false.
 *
 * Requires:
 *
 *\li 'ntatable' is NULL or is a valid ntatable.
 *
 *\li 'name' is a valid absolute name.
 *
 *\li 'anchor' is a valid name (NOTE(review): inferred; the original
 *    text states requirements only for 'name' — confirm).
 */
isc_result_t
dns_ntatable_totext(dns_ntatable_t *ntatable, const char *view,
		    isc_buffer_t **buf);
/*%<
 * Dump the NTA table to buffer at 'buf', with view names.
 * 'view' is presumably the name of the view printed alongside each
 * entry (NOTE(review): confirm whether NULL is accepted).
 *
 * Requires:
 * \li "ntatable" is a valid table.
 *
 * \li "*buf" is a valid buffer.
 */
isc_result_t
dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp);
/*%<
 * Save the NTA table to the file opened as 'fp', for later loading.
 *
 * 'fp' is presumably opened for writing by the caller, who keeps
 * ownership of it and closes it (NOTE(review): confirm).  FILE is
 * declared in <stdio.h>, which this header does not include directly.
 */
void
dns_ntatable_shutdown(dns_ntatable_t *ntatable);
/*%<
 * Cancel future checks to see if NTAs can be removed.
 * (NOTE(review): presumably sets the table's 'shuttingdown' flag and
 * stops the periodic re-validation timers — confirm.)
 */
ISC_LANG_ENDDECLS