diff options
Diffstat (limited to 'src/knot/dnssec/zone-nsec.h')
-rw-r--r-- | src/knot/dnssec/zone-nsec.h | 163 |
1 files changed, 163 insertions, 0 deletions
diff --git a/src/knot/dnssec/zone-nsec.h b/src/knot/dnssec/zone-nsec.h new file mode 100644 index 0000000..c43b658 --- /dev/null +++ b/src/knot/dnssec/zone-nsec.h @@ -0,0 +1,163 @@ +/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + */ + +#pragma once + +#include <stdbool.h> + +#include "knot/dnssec/context.h" +#include "knot/dnssec/zone-keys.h" +#include "knot/updates/zone-update.h" +#include "knot/zone/contents.h" + +/*! + * Check if NSEC3 is enabled for the given zone. + * + * \param zone Zone to be checked. + * + * \return NSEC3 is enabled. + */ +inline static bool knot_is_nsec3_enabled(const zone_contents_t *zone) +{ + return zone != NULL && zone->nsec3_params.algorithm != 0; +} + +inline static size_t zone_nsec3_hash_len(const zone_contents_t *zone) +{ + return knot_is_nsec3_enabled(zone) ? dnssec_nsec3_hash_length(zone->nsec3_params.algorithm) : 0; +} + +inline static size_t zone_nsec3_name_len(const zone_contents_t *zone) +{ + return 1 + ((zone_nsec3_hash_len(zone) + 4) / 5) * 8 + knot_dname_size(zone->apex->owner); +} + +/*! + * \brief Create NSEC3 owner name from hash and zone apex. + * + * \param out Output buffer. + * \param out_size Size of the output buffer. + * \param hash Raw hash. + * \param hash_size Size of the hash. + * \param zone_apex Zone apex. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_nsec3_hash_to_dname(uint8_t *out, size_t out_size, const uint8_t *hash, + size_t hash_size, const knot_dname_t *zone_apex); + +/*! + * \brief Create NSEC3 owner name from regular owner name. + * + * \param out Output buffer. + * \param out_size Size of the output buffer. + * \param owner Node owner name. + * \param zone_apex Zone apex name. + * \param params Params for NSEC3 hashing function. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_create_nsec3_owner(uint8_t *out, size_t out_size, + const knot_dname_t *owner, const knot_dname_t *zone_apex, + const dnssec_nsec3_params_t *params); + +/*! + * \brief Return (and compute of needed) the corresponding NSEC3 node's name. + * + * \param node Normal node. + * \param zone Optional: zone contents with NSEC3 params. + * + * \return NSEC3 node owner. + * + * \note The result is also stored in (node), unless zone == NULL; + */ +knot_dname_t *node_nsec3_hash(zone_node_t *node, const zone_contents_t *zone); + +/*! + * \brief Return (and compute if needed) the corresponding NSEC3 node. + * + * \param node Normal node. + * \param zone Optional: zone contents with NSEC3 params and NSEC3 tree. + * + * \return NSEC3 node. + * + * \note The result is also stored in (node), unless zone == NULL; + */ +zone_node_t *node_nsec3_node(zone_node_t *node, const zone_contents_t *zone); + +/*! + * \brief Update node's NSEC3 pointer (or hash), taking it from bi-node counterpart if possible. + * + * \param node Bi-node with this node to be updated. + * \param zone Zone contents the node is in. + * + * \return KNOT_EOK :) + */ +int binode_fix_nsec3_pointer(zone_node_t *node, const zone_contents_t *zone); + +/*! + * \brief Check if NSEC3 record in zone is consistent with configured params. + */ +bool knot_nsec3param_uptodate(const zone_contents_t *zone, + const dnssec_nsec3_params_t *params); + +/*! + * \brief Update NSEC3PARAM in zone to be consistent with configured params. + * + * \param update Zone to be updated. + * \param params NSEC3 params. + * \param ttl Desired TTL for NSEC3PARAM. + * + * \return KNOT_E* + */ +int knot_nsec3param_update(zone_update_t *update, + const dnssec_nsec3_params_t *params, + uint32_t ttl); + +/*! + * \brief Create NSEC or NSEC3 chain in the zone. + * + * \param update Zone Update with current zone contents and to be updated with NSEC chain. + * \param ctx Signing context. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_zone_create_nsec_chain(zone_update_t *update, const kdnssec_ctx_t *ctx); + +/*! + * \brief Fix NSEC or NSEC3 chain after zone was updated, and sign the changed NSECs. + * + * \param update Zone Update with the update and to be update with NSEC chain. + * \param zone_keys Zone keys used for NSEC(3) creation. + * \param ctx Signing context. + * + * \return Error code, KNOT_EOK if successful. + */ +int knot_zone_fix_nsec_chain(zone_update_t *update, + const zone_keyset_t *zone_keys, + const kdnssec_ctx_t *ctx); + +/*! + * \brief Validate NSEC or NSEC3 chain in the zone. + * + * \param update Zone update with current/previous contents. + * \param ctx Signing context. + * \param incremental Validate incremental update. + * + * \return KNOT_E* + */ +int knot_zone_check_nsec_chain(zone_update_t *update, const kdnssec_ctx_t *ctx, + bool incremental); |