resolved-dns-dnssec.h revision b652d4a2099d1c167584dcc1d179d47c58dc38a2
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen This file is part of systemd.
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen Copyright 2015 Lennart Poettering
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen systemd is free software; you can redistribute it and/or modify it
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen under the terms of the GNU Lesser General Public License as published by
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen the Free Software Foundation; either version 2.1 of the License, or
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen (at your option) any later version.
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen systemd is distributed in the hope that it will be useful, but
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen WITHOUT ANY WARRANTY; without even the implied warranty of
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen Lesser General Public License for more details.
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen You should have received a copy of the GNU Lesser General Public License
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen along with systemd; If not, see <http://www.gnu.org/licenses/>.
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen /* No DNSSEC validation is done */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen /* Validate locally if the server supports the DO bit; if it
02b59d57e0c08231645120077f651151f5bb2babTom Gundersen * doesn't, don't validate. Don't trust the AD bit. If the server doesn't do
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen * DNSSEC properly, downgrade to non-DNSSEC operation. Of
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen * course, we are then vulnerable to a downgrade attack, but
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen * that's life and what is configured. */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersen /* Insist on DNSSEC server support, and rather fail than downgrading. */
02b59d57e0c08231645120077f651151f5bb2babTom Gundersen /* These four are returned by dnssec_verify_rrset() */
02b59d57e0c08231645120077f651151f5bb2babTom Gundersen /* These two are added by dnssec_verify_rrset_search() */
02b59d57e0c08231645120077f651151f5bb2babTom Gundersen /* These two are added by the DnsTransaction logic */
/* Size constant derived from DNS_HOSTNAME_MAX plus two extra bytes.
 * NOTE(review): presumably the capacity callers should give
 * dnssec_canonicalize() for its output buffer; what the two extra bytes
 * cover is not visible in this header, so confirm in the implementation. */
02b59d57e0c08231645120077f651151f5bb2babTom Gundersen#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
02b59d57e0c08231645120077f651151f5bb2babTom Gundersen/* The longest digest we'll ever generate, of all digest algorithms we support */
/* DNSSEC validation entry points. Only the prototypes are visible in this
 * header; the notes below are limited to what the signatures and the comments
 * in this header show, and anything beyond that is marked for confirmation. */

/* Matching helpers taking an RRSIG together with a DNSKEY or a resource key.
 * NOTE(review): the int return presumably distinguishes match / no match /
 * error; confirm callers do not treat a negative error as "match". */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);

/* Verification of an RRset. The outcome is written through *result; per the
 * DnssecResult comments in this header, four result values come from
 * dnssec_verify_rrset() and two more are added by dnssec_verify_rrset_search().
 * 'realtime' is the caller-supplied time the check is evaluated against.
 * NOTE(review): the int return and *result look like two separate channels
 * (call failure vs. validation verdict); confirm every caller inspects
 * *result and does not equate a successful return with "validated".
 * NOTE(review): 'validated_dnskeys' presumably must contain only DNSKEYs that
 * were themselves authenticated; verify against callers. */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);

/* Verification of a DNSKEY against a single DS record, or against a set of
 * DS records.
 * NOTE(review): 'validated_ds' presumably must hold only DS records that have
 * already been authenticated; confirm at the call sites. */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);

/* Query helper over an answer and a resource key.
 * NOTE(review): presumably reports whether an RRSIG covering 'key' is
 * present in 'a'; presence alone would not imply a valid signature; confirm. */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);

/* Returns a 16-bit value computed from a DNSKEY record. */
02b59d57e0c08231645120077f651151f5bb2babTom Gundersenuint16_t dnssec_keytag(DnsResourceRecord *dnskey);

/* Takes a name 'n' and a caller-provided output 'buffer' whose capacity is
 * passed as 'buffer_max'.
 * NOTE(review): DNSSEC_CANONICAL_HOSTNAME_MAX in this header looks like the
 * intended capacity; confirm, and confirm how an undersized buffer is
 * reported. */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenint dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);

/* 'ret' is an untyped output pointer and the signature carries no length
 * for it.
 * NOTE(review): callers presumably must provide room for the largest digest
 * supported (this header carries a comment about "the longest digest we'll
 * ever generate"); confirm the required size in the implementation, since
 * the function cannot bound its write from the arguments shown here. */
f048a16b464295a4e0a4f4c1210f06343ad31231Tom Gundersenint dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
6ae115c1fe95611b39d2f20cfcea3d385429f59eTom Gundersen DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
/* NSEC/NSEC3 test over an answer for a given key. Two values are written back:
 * the DnssecNsecResult through *result and a flag through *authenticated.
 * DNSSEC_NSEC_NO_RR is documented in this header as "No suitable NSEC/NSEC3
 * RR found".
 * NOTE(review): *authenticated presumably says whether the NSEC/NSEC3 data
 * used for the decision was itself DNSSEC-authenticated; confirm callers
 * do not rely on a denial-of-existence result when it is false. */
6ae115c1fe95611b39d2f20cfcea3d385429f59eTom Gundersenint dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated);

/* Conversions between the DnssecMode / DnssecResult enums and strings.
 * NOTE(review): dnssec_mode_from_string() likely parses a configured value;
 * confirm how an unrecognized string is reported so that an invalid setting
 * cannot silently select a weaker mode. */
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenconst char* dnssec_mode_to_string(DnssecMode m) _const_;
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom GundersenDnssecMode dnssec_mode_from_string(const char *s) _pure_;
f579559b3a14c1f1ef96c372e7626c4733e6ef7dTom Gundersenconst char* dnssec_result_to_string(DnssecResult m) _const_;