private.c revision 3759f10fc543747668b1ca4b4671f35b0dea8445
/*
* Copyright (C) 2009, 2011, 2012, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
#include "config.h"
/*
* We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
* at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
*
* If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
* if all the NSEC3PARAM records (and associated chains) are slated for
* destruction and we have not been told to NOT build the NSEC chain.
*
* If the NSEC set exist then check to see if there is a request to create
* a NSEC3 chain.
*
* If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
* type exists then we need to examine it to determine if NSEC3 chain has
* been requested to be built otherwise a NSEC chain needs to be built.
*/
#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
#define CHECK(x) do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
goto failure; \
} while (0)
/*
* Work out if 'param' should be ignored or not (i.e. it is in the process
* of being removed).
*
* Note: we 'belt-and-braces' here by also checking for a CREATE private
* record and keep the param record in this case.
*/
static isc_boolean_t
result == ISC_R_SUCCESS;
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
continue;
/*
* We are going to create a new NSEC3 chain so it
* doesn't matter if we are removing this one.
*/
return (ISC_FALSE);
continue;
/*
* The removal of this NSEC3 chain does NOT cause a
* NSEC chain to be created so we don't need to tell
* the caller that it will be removed.
*/
return (ISC_FALSE);
return (ISC_TRUE);
}
return (ISC_FALSE);
}
{
unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
unsigned int count;
goto failure;
0, (isc_stdtime_t) 0, &nsec3paramset,
NULL);
goto failure;
if (dns_rdataset_isassociated(&nsecset) &&
if (build_nsec != NULL)
*build_nsec = ISC_TRUE;
if (build_nsec3 != NULL)
*build_nsec3 = ISC_TRUE;
goto success;
}
if (privatetype != (dns_rdatatype_t)0) {
0, (isc_stdtime_t) 0,
&privateset, NULL);
goto failure;
}
/*
* Look to see if we also need to be creating a NSEC3 chain.
*/
if (dns_rdataset_isassociated(&nsecset)) {
if (build_nsec != NULL)
*build_nsec = ISC_TRUE;
if (build_nsec3 != NULL)
*build_nsec3 = ISC_FALSE;
if (!dns_rdataset_isassociated(&privateset))
goto success;
result == ISC_R_SUCCESS;
continue;
continue;
if (build_nsec3 != NULL)
*build_nsec3 = ISC_TRUE;
break;
}
goto success;
}
if (dns_rdataset_isassociated(&nsec3paramset)) {
if (build_nsec3 != NULL)
*build_nsec3 = ISC_TRUE;
if (build_nsec != NULL)
*build_nsec = ISC_FALSE;
if (!dns_rdataset_isassociated(&privateset))
goto success;
/*
* If we are in the process of building a new NSEC3 chain
* then we don't need to build a NSEC chain.
*/
result == ISC_R_SUCCESS;
continue;
goto success;
}
/*
* Check to see if there will be a active NSEC3CHAIN once
* the changes queued complete.
*/
count = 0;
result == ISC_R_SUCCESS;
/*
* If there is more that one NSEC3 chain present then
* we don't need to construct a NSEC chain.
*/
if (++count > 1)
goto success;
continue;
/*
* We still have a good NSEC3 chain or we are
* not creating a NSEC chain as NONSEC is set.
*/
goto success;
}
/*
* The last NSEC3 chain is being removed and does not have
* have NONSEC set.
*/
if (build_nsec != NULL)
*build_nsec = ISC_TRUE;
goto success;
}
if (build_nsec != NULL)
*build_nsec = ISC_FALSE;
if (build_nsec3 != NULL)
*build_nsec3 = ISC_FALSE;
if (!dns_rdataset_isassociated(&privateset))
goto success;
result == ISC_R_SUCCESS;
/*
* Look for record that says we are signing the
* zone with a key.
*/
} else {
}
}
if (signing) {
if (nsec3chain) {
if (build_nsec3 != NULL)
*build_nsec3 = ISC_TRUE;
} else {
if (build_nsec != NULL)
*build_nsec = ISC_TRUE;
}
}
if (dns_rdataset_isassociated(&nsecset))
return (result);
}
return (ISC_R_NOTFOUND);
unsigned char nsec3buf[DNS_NSEC3PARAM_BUFFERSIZE];
unsigned char newbuf[DNS_NSEC3PARAM_BUFFERSIZE];
isc_buffer_t b;
sizeof(nsec3buf)))
if (init)
else if (delete)
else
&nsec3param, &b));
else if (delete)
else if (complete)
else
} else
return (ISC_R_NOTFOUND);
isc_buffer_putuint8(buf, 0);
return (result);
}