43  *            Normal RRs are protected via RRSIG RRs in combination with DNSKEY RRs, all in the same zone
44  *            DNSKEY RRs are either protected like normal RRs, or via a DS from a zone "higher" up the tree
668         /* Some keys may only appear signed in the zone apex, and are invalid anywhere else. (SOA, NS...) */
679         /* OTOH DS RRs may not appear in the zone apex, but are valid everywhere else. */
1264         /* Ignore NSEC3 RRs that are located anywhere else than one label below the zone */
1271         /* If a second NSEC3 RR is specified, also check if they are from the same zone. */
1305 static int nsec3_hashed_domain_format(const uint8_t *hashed, size_t hashed_size, const char *zone, char **ret) {
1311         assert(zone);
1318         j = strjoin(l, ".", zone, NULL);
1326 static int nsec3_hashed_domain_make(DnsResourceRecord *nsec3, const char *domain, const char *zone, char **ret) {
1332         assert(zone);
1339         return nsec3_hashed_domain_format(hashed, (size_t) hashed_size, zone, ret);
1354         const char *zone, *p, *pp = NULL, *wildcard;
1363         /* First step, find the zone name and the NSEC3 parameters of the zone.
1366          * records from a given zone in a response must use the same
1368         zone = DNS_RESOURCE_KEY_NAME(key);
1377                         r = dns_name_equal_skip(DNS_RESOURCE_KEY_NAME(zone_rr->key), 1, zone);
1385                 r = dns_name_parent(&zone);
1401                 hashed_size = nsec3_hashed_domain_make(zone_rr, p, zone, &hashed_domain);
1494         r = nsec3_hashed_domain_make(enclosure_rr, wildcard, zone, &wildcard_domain);
1500         r = nsec3_hashed_domain_make(enclosure_rr, pp, zone, &next_closer_domain);
1515                 r = nsec3_hashed_domain_format(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, zone, &next_hashed_domain);
1671         /* Checks whether this NSEC originates to the parent zone or the child zone. */
1796                                 /* If we look for a DS RR and the server sent us the NSEC RR of the child zone
1887 static int dnssec_nsec_test_enclosed(DnsAnswer *answer, uint16_t type, const char *name, const char *zone, bool *authenticated) {
1893         assert(zone);
1896          * 'zone'. The 'zone' must be a suffix of the 'name'. */
1908                         /* We only care for NSEC RRs from the indicated zone */
1909                         r = dns_resource_record_is_signer(rr, zone);
1925                         /* We only care for NSEC3 RRs from the indicated zone */
1926                         r = dns_resource_record_is_signer(rr, zone);
1942                                         zone,
1953                                         zone,
1984                 const char *zone,
2016         return dnssec_nsec_test_enclosed(answer, DNS_TYPE_NSEC3, next_closer, zone, authenticated);
2023                 const char *zone,
2032          * a prefix of the synthesizing source "source" in the zone "zone".
2053                 r = dnssec_nsec_test_enclosed(answer, DNS_TYPE_NSEC, name, zone, &a);
2087                 r = dnssec_nsec_test_enclosed(answer, DNS_TYPE_NSEC, wc, zone, &a);
2100                 const char *zone,
2107         assert(zone);
2110         r = dns_answer_contains_zone_nsec3(answer, zone);
2114                 return dnssec_test_positive_wildcard_nsec3(answer, name, source, zone, authenticated);
2116                 return dnssec_test_positive_wildcard_nsec(answer, name, source, zone, authenticated);
2182                 const char *zone,

Indexes created Tue Jul 24 14:28:13 CEST 2018