nsec3_50.h revision 0c27b3fe77ac1d5094ba3521e8142d9e7973133f
/*
* Copyright (C) 2008, 2011, 2012, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#ifndef GENERIC_NSEC3_50_H
#define GENERIC_NSEC3_50_H 1
/* $Id$ */
/*!
* \brief Per RFC 5155 */
#include <isc/iterated_hash.h>
typedef struct dns_rdata_nsec3 {
dns_rdatacommon_t common;
isc_mem_t *mctx;
dns_hash_t hash;
unsigned char flags;
dns_iterations_t iterations;
unsigned char salt_length;
unsigned char next_length;
isc_uint16_t len;
unsigned char *salt;
unsigned char *next;
unsigned char *typebits;
} dns_rdata_nsec3_t;
/*
* The corresponding NSEC3 interval is OPTOUT indicating possible
* insecure delegations.
*/
#define DNS_NSEC3FLAG_OPTOUT 0x01U
/*%
* The following flags are used in the private-type record (implemented in
* lib/dns/private.c) which is used to store NSEC3PARAM data during the
* time when it is not legal to have an actual NSEC3PARAM record in the
* zone. They are defined here because the private-type record uses the
* same flags field for the OPTOUT flag above and for the private flags
* below. XXX: This should be considered for refactoring.
*/
/*%
* Non-standard, private type only.
*
* Create a corresponding NSEC3 chain.
* Once the NSEC3 chain is complete this flag will be removed to signal
* that there is a complete chain.
*
* This flag is automatically set when a NSEC3PARAM record is added to
* the zone via UPDATE.
*
* NSEC3PARAM records containing this flag should never be published,
* but if they are, they should be ignored by RFC 5155 compliant
* nameservers.
*/
#define DNS_NSEC3FLAG_CREATE 0x80U
/*%
* Non-standard, private type only.
*
* The corresponding NSEC3 set is to be removed once the NSEC chain
* has been generated.
*
* This flag is automatically set when the last active NSEC3PARAM record
* is removed from the zone via UPDATE.
*
* NSEC3PARAM records containing this flag should never be published,
* but if they are, they should be ignored by RFC 5155 compliant
* nameservers.
*/
#define DNS_NSEC3FLAG_REMOVE 0x40U
/*%
* Non-standard, private type only.
*
* When set with the CREATE flag, a corresponding NSEC3 chain will be
* created when the zone becomes capable of supporting one (i.e., when it
* has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
* Without this flag, NSEC3 chain creation would be attempted immediately,
* fail, and the private type record would be removed. With it, the NSEC3
* parameters are stored until they can be used. When the zone has the
* necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
* and the record will be cleaned up normally.
*
* NSEC3PARAM records containing this flag should never be published, but
* if they are, they should be ignored by RFC 5155 compliant nameservers.
*/
#define DNS_NSEC3FLAG_INITIAL 0x20U
/*%
* Non-standard, private type only.
*
* Prevent the creation of a NSEC chain before the last NSEC3 chain
* is removed. This will normally only be set when the zone is
* transitioning from secure with NSEC3 chains to insecure.
*
* NSEC3PARAM records containing this flag should never be published,
* but if they are, they should be ignored by RFC 5155 compliant
* nameservers.
*/
#define DNS_NSEC3FLAG_NONSEC 0x10U
#endif /* GENERIC_NSEC3_50_H */