6fb9b25791778f69002eb72be6235e20d98ec452Tinderbox User * Copyright (C) 2009, 2011, 2012, 2015-2017 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews * file, You can obtain one at http://mozilla.org/MPL/2.0/.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * if all the NSEC3PARAM records (and associated chains) are slated for
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * destruction and we have not been told to NOT build the NSEC chain.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * If the NSEC set exist then check to see if there is a request to create
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * a NSEC3 chain.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * type exists then we need to examine it to determine if an NSEC3 chain has
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * been requested to be built; otherwise a NSEC chain needs to be built.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
79ce3a9e82384cc31fd6b86be8f3d1474fcfd9f4Evan Hunt#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * Work out if 'param' should be ignored or not (i.e. it is in the process
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * of being removed).
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * Note: we 'belt-and-braces' here by also checking for a CREATE private
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * record and keep the param record in this case.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrewsignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (!dns_nsec3param_fromprivate(&private, &rdata,
8a07de2f032b0137d89ae8af14faa1a915aaf9faAutomatic Updater * We are going to create a new NSEC3 chain so it
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * doesn't matter if we are removing this one.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews memcmp(&rdata.data[5], ¶m->data[5], param->data[4]))
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * The removal of this NSEC3 chain does NOT cause a
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * NSEC chain to be created so we don't need to tell
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * the caller that it will be removed.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrewsdns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews isc_boolean_t *build_nsec, isc_boolean_t *build_nsec3)
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews dns_rdataset_t nsecset, nsec3paramset, privateset;
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews result = dns_db_findrdataset(db, node, ver, privatetype,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
931814de4ad11f20b85c3b50399e2e7dda2e7d47Francis Dupont * Look to see if we also need to be creating a NSEC3 chain.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (!dns_nsec3param_fromprivate(&private, &rdata,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (dns_rdataset_isassociated(&nsec3paramset)) {
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * If we are in the process of building a new NSEC3 chain
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * then we don't need to build a NSEC chain.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (!dns_nsec3param_fromprivate(&private, &rdata,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * Check to see if there will be an active NSEC3CHAIN once
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * the queued changes complete.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews for (result = dns_rdataset_first(&nsec3paramset);
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * If there is more than one NSEC3 chain present then
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * we don't need to construct a NSEC chain.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * We still have a good NSEC3 chain or we are
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * not creating a NSEC chain as NONSEC is set.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * The last NSEC3 chain is being removed and does not
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * have NONSEC set.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (!dns_nsec3param_fromprivate(&private, &rdata,
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * Look for a record that says we are signing the
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews * zone with a key.
d1bcaec0d6c3a2f6afe004c1a087314015cb77c0Mark Andrews if (private.length == 5 && private.data[0] != 0 &&
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Huntdns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt unsigned char nsec3buf[DNS_NSEC3PARAM_BUFFERSIZE];
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt if (!dns_nsec3param_fromprivate(private, &rdata, nsec3buf,
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
bfde61d5194a534d800f3b90008d1f52261922c5Mark Andrews del = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0);
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt init = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0);
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt nonsec = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_NONSEC) != 0);
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE];
bfde61d5194a534d800f3b90008d1f52261922c5Mark Andrews isc_boolean_t del = ISC_TF(private->data[3] != 0);
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt isc_boolean_t complete = ISC_TF(private->data[4] != 0);
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt isc_buffer_putstr(buf, "Done removing signatures for ");
9c03f13e18c1b0c32f62391a17300378605bbc7bEvan Hunt isc_buffer_putstr(buf, "Removing signatures for ");
ad1317338af79edad878c9c3e4361798503310baMark Andrews snprintf(keybuf, sizeof(keybuf), "key %d/%s", keyid, algbuf);