1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#pragma once
#include "knot/updates/changesets.h"
#include "knot/updates/zone-update.h"
#include "knot/zone/contents.h"
#include "knot/dnssec/context.h"
#include "knot/dnssec/zone-keys.h"
int rrset_add_zone_key(knot_rrset_t *rrset, zone_key_t *zone_key);
bool rrsig_covers_type(const knot_rrset_t *rrsig, uint16_t type);
/*!
* \brief Prepare DNSKEYs, CDNSKEYs and CDSs to be added to the zone into rrsets.
*
* \param zone_keys Zone keyset.
* \param dnssec_ctx KASP context.
* \param add_r RRSets to be added.
* \param rem_r RRSets to be removed (only for incremental policy).
* \param orig_r RRSets that was originally in zone (only for incremental policy).
*
* \return KNOT_E*
*/
int knot_zone_sign_add_dnskeys(zone_keyset_t *zone_keys, const kdnssec_ctx_t *dnssec_ctx,
key_records_t *add_r, key_records_t *rem_r, key_records_t *orig_r);
/*!
* \brief Adds/removes DNSKEY (and CDNSKEY, CDS) records to zone according to zone keyset.
*
* \param update Structure holding zone contents and to be updated with changes.
* \param zone_keys Keyset with private keys.
* \param dnssec_ctx KASP context.
*
* \return KNOT_E*
*/
int knot_zone_sign_update_dnskeys(zone_update_t *update,
zone_keyset_t *zone_keys,
kdnssec_ctx_t *dnssec_ctx);
/*!
* \brief Check if key can be used to sign given RR.
*
* \param key Zone key.
* \param covered RR to be checked.
*
* \return The RR should be signed.
*/
bool knot_zone_sign_use_key(const zone_key_t *key, const knot_rrset_t *covered);
/*!
* \brief Return those keys for whose the CDNSKEY/CDS records shall be created.
*
* \param ctx DNSSEC context.
* \param zone_keys Zone keyset, including ZSKs.
*
* \return Dynarray containing pointers on some KSKs in keyset.
*/
keyptr_dynarray_t knot_zone_sign_get_cdnskeys(const kdnssec_ctx_t *ctx,
zone_keyset_t *zone_keys);
/*!
* \brief Check that at least one correct signature exists to at least one DNSKEY and that none incorrect exists.
*
* \param covered RRSet bein validated.
* \param rrsigs RRSIG with signatures.
* \param sign_ctx Signing context (with keys == NULL)
* \param skip_crypto Crypto operations might be skipped as they had been successful earlier.
*
* \return KNOT_E*
*/
int knot_validate_rrsigs(const knot_rrset_t *covered,
const knot_rrset_t *rrsigs,
zone_sign_ctx_t *sign_ctx,
bool skip_crypto);
/*!
* \brief Update zone signatures and store performed changes in update.
*
* Updates RRSIGs, NSEC(3)s, and DNSKEYs.
*
* \param update Zone Update containing the zone and to be updated with new DNSKEYs and RRSIGs.
* \param zone_keys Zone keys.
* \param dnssec_ctx DNSSEC context.
* \param expire_at Time, when the oldest signature in the zone expires.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_sign(zone_update_t *update,
zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
knot_time_t *expire_at);
/*!
* \brief Sign NSEC/NSEC3 nodes in changeset and update the changeset.
*
* \param zone_keys Zone keys.
* \param dnssec_ctx DNSSEC context.
* \param changeset Changeset to be updated.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
zone_update_t *update);
/*!
* \brief Checks whether RRSet in a node has to be signed. Will not return
* true for all types that should be signed, do not use this as an
* universal function, it is implementation specific.
*
* \param node Node containing the RRSet.
* \param rrset RRSet we are checking for.
*
* \retval true if should be signed.
*/
bool knot_zone_sign_rr_should_be_signed(const zone_node_t *node,
const knot_rrset_t *rrset);
/*!
* \brief Sign updates of the zone, storing new RRSIGs in this update again.
*
* \param update Zone Update structure.
* \param zone_keys Zone keys.
* \param dnssec_ctx DNSSEC context.
* \param expire_at Time, when the oldest signature in the update expires.
*
* \return Error code, KNOT_EOK if successful.
*/
int knot_zone_sign_update(zone_update_t *update,
zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx,
knot_time_t *expire_at);
/*!
* \brief Force re-sign of a RRSet in zone apex.
*
* \param update Zone update to be updated.
* \param rrtype Type of the apex RR.
* \param zone_keys Zone keyset.
* \param dnssec_ctx DNSSEC context.
*
* \return KNOT_E*
*/
int knot_zone_sign_apex_rr(zone_update_t *update, uint16_t rrtype,
const zone_keyset_t *zone_keys,
const kdnssec_ctx_t *dnssec_ctx);
|