nsec3_50.h revision 0f467ed4d4a732003941247d26f05596e25f357b
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews/*
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * Copyright (C) 2008, 2011 Internet Systems Consortium, Inc. ("ISC")
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * Permission to use, copy, modify, and/or distribute this software for any
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * purpose with or without fee is hereby granted, provided that the above
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * copyright notice and this permission notice appear in all copies.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * PERFORMANCE OF THIS SOFTWARE.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews#ifndef GENERIC_NSEC3_50_H
3761c433912beabe43abeed2c3513b6201c59f64Mark Andrews#define GENERIC_NSEC3_50_H 1
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews/* $Id: nsec3_50.h,v 1.6 2011/06/10 23:47:32 tbox Exp $ */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews/*!
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * \brief Per RFC 5155 */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
a98551ef592e9be6008e0141ceeb32efd586c5efMark Andrews#include <isc/iterated_hash.h>
a98551ef592e9be6008e0141ceeb32efd586c5efMark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrewstypedef struct dns_rdata_nsec3 {
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews dns_rdatacommon_t common;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews isc_mem_t *mctx;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews dns_hash_t hash;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews unsigned char flags;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews dns_iterations_t iterations;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews unsigned char salt_length;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews unsigned char next_length;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews isc_uint16_t len;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews unsigned char *salt;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews unsigned char *next;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews unsigned char *typebits;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews} dns_rdata_nsec3_t;
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews/*
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * The corresponding NSEC3 interval is OPTOUT indicating possible
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * insecure delegations.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews#define DNS_NSEC3FLAG_OPTOUT 0x01U
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews/*%
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * The following flags are used in the private-type record (implemented in
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * lib/dns/private.c) which is used to store NSEC3PARAM data during the
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * time when it is not legal to have an actual NSEC3PARAM record in the
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * zone. They are defined here because the private-type record uses the
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * same flags field for the OPTOUT flag above and for the private flags
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * below. XXX: This should be considered for refactoring.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews */
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews/*%
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * Non-standard, private type only.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews *
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * Create a corresponding NSEC3 chain.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * Once the NSEC3 chain is complete this flag will be removed to signal
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * that there is a complete chain.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews *
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * This flag is automatically set when a NSEC3PARAM record is added to
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * the zone via UPDATE.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews *
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * NSEC3PARAM records containing this flag should never be published,
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * but if they are, they should be ignored by RFC 5155 compliant
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * nameservers.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews */
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews#define DNS_NSEC3FLAG_CREATE 0x80U
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews/*%
a98551ef592e9be6008e0141ceeb32efd586c5efMark Andrews * Non-standard, private type only.
a98551ef592e9be6008e0141ceeb32efd586c5efMark Andrews *
a98551ef592e9be6008e0141ceeb32efd586c5efMark Andrews * The corresponding NSEC3 set is to be removed once the NSEC chain
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * has been generated.
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews *
bed8e84810a80dad3d37870be927d1dfd015f480Mark Andrews * This flag is automatically set when the last active NSEC3PARAM record
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * is removed from the zone via UPDATE.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * NSEC3PARAM records containing this flag should never be published,
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * but if they are, they should be ignored by RFC 5155 compliant
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * nameservers.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews#define DNS_NSEC3FLAG_REMOVE 0x40U
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews/*%
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * Non-standard, private type only.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * When set with the CREATE flag, a corresponding NSEC3 chain will be
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * created when the zone becomes capable of supporting one (i.e., when it
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * Without this flag, NSEC3 chain creation would be attempted immediately,
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * fail, and the private type record would be removed. With it, the NSEC3
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * parameters are stored until they can be used. When the zone has the
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * and the record will be cleaned up normally.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * NSEC3PARAM records containing this flag should never be published, but
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * if they are, they should be ignored by RFC 5155 compliant nameservers.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews */
3d5cad69ec20157912e95cf3b79316dfb0a314f3Mark Andrews#define DNS_NSEC3FLAG_INITIAL 0x20U
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
3d5cad69ec20157912e95cf3b79316dfb0a314f3Mark Andrews/*%
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * Non-standard, private type only.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * Prevent the creation of a NSEC chain before the last NSEC3 chain
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * is removed. This will normally only be set when the zone is
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * transitioning from secure with NSEC3 chains to insecure.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews *
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * NSEC3PARAM records containing this flag should never be published,
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * but if they are, they should be ignored by RFC 5155 compliant
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews * nameservers.
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews#define DNS_NSEC3FLAG_NONSEC 0x10U
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews#endif /* GENERIC_NSEC3_50_H */
5d51e67c3b4f35c1be742574aacc1d88fe6ed444Mark Andrews