/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#ifndef DNS_SSU_H
#define DNS_SSU_H 1
/*! \file dns/ssu.h */
#include <isc/lang.h>
#include <dns/acl.h>
#include <dns/types.h>
#include <dst/dst.h>
ISC_LANG_BEGINDECLS
typedef enum {
dns_ssumatchtype_name = 0,
dns_ssumatchtype_subdomain = 1,
dns_ssumatchtype_wildcard = 2,
dns_ssumatchtype_self = 3,
dns_ssumatchtype_selfsub = 4,
dns_ssumatchtype_selfwild = 5,
dns_ssumatchtype_selfkrb5 = 6,
dns_ssumatchtype_selfms = 7,
dns_ssumatchtype_subdomainms = 8,
dns_ssumatchtype_subdomainkrb5 = 9,
dns_ssumatchtype_tcpself = 10,
dns_ssumatchtype_6to4self = 11,
dns_ssumatchtype_external = 12,
dns_ssumatchtype_local = 13,
dns_ssumatchtype_max = 13, /* max value */
dns_ssumatchtype_dlz = 14 /* intentionally higher than _max */
} dns_ssumatchtype_t;
#define DNS_SSUMATCHTYPE_NAME dns_ssumatchtype_name
#define DNS_SSUMATCHTYPE_SUBDOMAIN dns_ssumatchtype_subdomain
#define DNS_SSUMATCHTYPE_WILDCARD dns_ssumatchtype_wildcard
#define DNS_SSUMATCHTYPE_SELF dns_ssumatchtype_self
#define DNS_SSUMATCHTYPE_SELFSUB dns_ssumatchtype_selfsub
#define DNS_SSUMATCHTYPE_SELFWILD dns_ssumatchtype_selfwild
#define DNS_SSUMATCHTYPE_SELFKRB5 dns_ssumatchtype_selfkrb5
#define DNS_SSUMATCHTYPE_SELFMS dns_ssumatchtype_selfms
#define DNS_SSUMATCHTYPE_SUBDOMAINMS dns_ssumatchtype_subdomainms
#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 dns_ssumatchtype_subdomainkrb5
#define DNS_SSUMATCHTYPE_TCPSELF dns_ssumatchtype_tcpself
#define DNS_SSUMATCHTYPE_6TO4SELF dns_ssumatchtype_6to4self
#define DNS_SSUMATCHTYPE_EXTERNAL dns_ssumatchtype_external
#define DNS_SSUMATCHTYPE_LOCAL dns_ssumatchtype_local
#define DNS_SSUMATCHTYPE_MAX dns_ssumatchtype_max /* max value */
#define DNS_SSUMATCHTYPE_DLZ dns_ssumatchtype_dlz /* intentionally higher than _MAX */
isc_result_t
dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
/*%<
* Creates a table that will be used to store simple-secure-update rules.
* Note: all locking must be provided by the client.
*
* Requires:
*\li 'mctx' is a valid memory context
*\li 'table' is not NULL, and '*table' is NULL
*
* Returns:
*\li ISC_R_SUCCESS
*\li ISC_R_NOMEMORY
*/
isc_result_t
dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
dns_dlzdb_t *dlzdatabase);
/*%<
* Create an SSU table that contains a dlzdatabase pointer, and a
* single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
* table is used by writeable DLZ drivers to offload authorization for
* updates to the driver.
*/
void
dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
/*%<
* Attach '*targetp' to 'source'.
*
* Requires:
*\li 'source' is a valid SSU table
*\li 'targetp' points to a NULL dns_ssutable_t *.
*
* Ensures:
*\li *targetp is attached to source.
*/
void
dns_ssutable_detach(dns_ssutable_t **tablep);
/*%<
* Detach '*tablep' from its simple-secure-update rule table.
*
* Requires:
*\li 'tablep' points to a valid dns_ssutable_t
*
* Ensures:
*\li *tablep is NULL
*\li If '*tablep' is the last reference to the SSU table, all
* resources used by the table will be freed.
*/
isc_result_t
dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
dns_name_t *identity, unsigned int matchtype,
dns_name_t *name, unsigned int ntypes,
dns_rdatatype_t *types);
/*%<
* Adds a new rule to a simple-secure-update rule table. The rule
* either grants or denies update privileges of an identity (or set of
* identities) to modify a name (or set of names) or certain types present
* at that name.
*
* Notes:
*\li If 'matchtype' is of SELF type, this rule only matches if the
* name to be updated matches the signing identity.
*
*\li If 'ntypes' is 0, this rule applies to all types except
* NS, SOA, RRSIG, and NSEC.
*
*\li If 'types' includes ANY, this rule applies to all types
* except NSEC.
*
* Requires:
*\li 'table' is a valid SSU table
*\li 'identity' is a valid absolute name
*\li 'matchtype' must be one of the defined constants.
*\li 'name' is a valid absolute name
*\li If 'ntypes' > 0, 'types' must not be NULL
*
* Returns:
*\li ISC_R_SUCCESS
*\li ISC_R_NOMEMORY
*/
isc_boolean_t
dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
dns_name_t *name, isc_netaddr_t *addr,
dns_rdatatype_t type, const dst_key_t *key);
isc_boolean_t
dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
dns_name_t *name, isc_netaddr_t *addr,
isc_boolean_t tcp, const dns_aclenv_t *env,
dns_rdatatype_t type, const dst_key_t *key);
/*%<
* Checks that the attempted update of (name, type) is allowed according
* to the rules specified in the simple-secure-update rule table. If
* no rules are matched, access is denied.
*
* Notes:
* In dns_ssutable_checkrules(), 'addr' should only be
* set if the request received via TCP. This provides a
* weak assurance that the request was not spoofed.
* 'addr' is to to validate DNS_SSUMATCHTYPE_TCPSELF
* and DNS_SSUMATCHTYPE_6TO4SELF rules.
*
* In dns_ssutable_checkrules2(), 'addr' can also be passed for
* UDP requests and TCP is specified via the 'tcp' parameter.
* In addition to DNS_SSUMATCHTYPE_TCPSELF and
* tcp_ssumatchtype_6to4self rules, the address
* also be used to check DNS_SSUMATCHTYPE_LOCAL rules.
* If 'addr' is set then 'env' must also be set so that
* requests from non-localhost addresses can be rejected.
*
* For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
* the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
* RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
* Section 2.5, "IP6.ARPA Domain".
*
* For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted
* to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only
* the top 48 bits of the IPv6 address are mapped to the reverse
* name. This is independent of whether the most significant 16
* bits match 2002::/16, assigned for 6to4 prefixes, or not.
*
* Requires:
*\li 'table' is a valid SSU table
*\li 'signer' is NULL or a valid absolute name
*\li 'addr' is NULL or a valid network address.
*\li 'aclenv' is NULL or a valid ACL environment.
*\li 'name' is a valid absolute name
*\li if 'addr' is not NULL, 'env' is not NULL.
*/
/*% Accessor functions to extract rule components */
isc_boolean_t dns_ssurule_isgrant(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
dns_name_t * dns_ssurule_identity(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
unsigned int dns_ssurule_matchtype(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
dns_name_t * dns_ssurule_name(const dns_ssurule_t *rule);
/*% Accessor functions to extract rule components */
unsigned int dns_ssurule_types(const dns_ssurule_t *rule,
dns_rdatatype_t **types);
isc_result_t dns_ssutable_firstrule(const dns_ssutable_t *table,
dns_ssurule_t **rule);
/*%<
* Initiates a rule iterator. There is no need to maintain any state.
*
* Returns:
*\li #ISC_R_SUCCESS
*\li #ISC_R_NOMORE
*/
isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule,
dns_ssurule_t **nextrule);
/*%<
* Returns the next rule in the table.
*
* Returns:
*\li #ISC_R_SUCCESS
*\li #ISC_R_NOMORE
*/
isc_boolean_t
dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
dns_name_t *name, isc_netaddr_t *tcpaddr,
dns_rdatatype_t type, const dst_key_t *key,
isc_mem_t *mctx);
/*%<
* Check a policy rule via an external application
*/
isc_result_t
dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype);
/*%<
* Set 'mtype' from 'str'
*
* Requires:
*\li 'str' is not NULL.
*\li 'mtype' is not NULL,
*
* Returns:
*\li #ISC_R_SUCCESS
*\li #ISC_R_NOTFOUND
*/
ISC_LANG_ENDDECLS
#endif /* DNS_SSU_H */
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| acache.h | File | 13.99 KB | 0644 |
|
| acl.h | File | 7.1 KB | 0644 |
|
| adb.h | File | 22.03 KB | 0644 |
|
| badcache.h | File | 3.28 KB | 0644 |
|
| bit.h | File | 856 B | 0644 |
|
| byaddr.h | File | 3.89 KB | 0644 |
|
| cache.h | File | 7.95 KB | 0644 |
|
| callbacks.h | File | 2.22 KB | 0644 |
|
| catz.h | File | 11.54 KB | 0644 |
|
| cert.h | File | 1.43 KB | 0644 |
|
| client.h | File | 21.52 KB | 0644 |
|
| clientinfo.h | File | 1.95 KB | 0644 |
|
| compress.h | File | 6.51 KB | 0644 |
|
| db.h | File | 44.68 KB | 0644 |
|
| dbiterator.h | File | 7.26 KB | 0644 |
|
| dbtable.h | File | 3.09 KB | 0644 |
|
| diff.h | File | 6.82 KB | 0644 |
|
| dispatch.h | File | 16.05 KB | 0644 |
|
| dlz.h | File | 10.38 KB | 0644 |
|
| dlz_dlopen.h | File | 4.54 KB | 0644 |
|
| dns64.h | File | 5.51 KB | 0644 |
|
| dnssec.h | File | 12 KB | 0644 |
|
| dnstap.h | File | 9.2 KB | 0644 |
|
| ds.h | File | 1.19 KB | 0644 |
|
| dsdigest.h | File | 1.68 KB | 0644 |
|
| dyndb.h | File | 4.72 KB | 0644 |
|
| ecdb.h | File | 808 B | 0644 |
|
| edns.h | File | 721 B | 0644 |
|
| enumclass.h | File | 1.19 KB | 0644 |
|
| enumtype.h | File | 7.74 KB | 0644 |
|
| events.h | File | 3.96 KB | 0644 |
|
| fixedname.h | File | 1.56 KB | 0644 |
|
| forward.h | File | 3.37 KB | 0644 |
|
| geoip.h | File | 2.34 KB | 0644 |
|
| ipkeylist.h | File | 2.12 KB | 0644 |
|
| iptable.h | File | 1.6 KB | 0644 |
|
| journal.h | File | 8.05 KB | 0644 |
|
| keydata.h | File | 1.02 KB | 0644 |
|
| keyflags.h | File | 1.25 KB | 0644 |
|
| keytable.h | File | 9.28 KB | 0644 |
|
| keyvalues.h | File | 4.06 KB | 0644 |
|
| lib.h | File | 1.16 KB | 0644 |
|
| log.h | File | 3.87 KB | 0644 |
|
| lookup.h | File | 2.85 KB | 0644 |
|
| master.h | File | 11.08 KB | 0644 |
|
| masterdump.h | File | 12.35 KB | 0644 |
|
| message.h | File | 37.27 KB | 0644 |
|
| name.h | File | 36.49 KB | 0644 |
|
| ncache.h | File | 4.8 KB | 0644 |
|
| nsec.h | File | 2.88 KB | 0644 |
|
| nsec3.h | File | 8.17 KB | 0644 |
|
| nta.h | File | 4.32 KB | 0644 |
|
| opcode.h | File | 1006 B | 0644 |
|
| order.h | File | 1.95 KB | 0644 |
|
| peer.h | File | 6.06 KB | 0644 |
|
| portlist.h | File | 2.05 KB | 0644 |
|
| private.h | File | 1.9 KB | 0644 |
|
| rbt.h | File | 39.7 KB | 0644 |
|
| rcode.h | File | 2.42 KB | 0644 |
|
| rdata.h | File | 20.92 KB | 0644 |
|
| rdataclass.h | File | 2.2 KB | 0644 |
|
| rdatalist.h | File | 2.51 KB | 0644 |
|
| rdataset.h | File | 20.47 KB | 0644 |
|
| rdatasetiter.h | File | 3.83 KB | 0644 |
|
| rdataslab.h | File | 4.29 KB | 0644 |
|
| rdatastruct.h | File | 57.57 KB | 0644 |
|
| rdatatype.h | File | 2.24 KB | 0644 |
|
| request.h | File | 10.89 KB | 0644 |
|
| resolver.h | File | 18.63 KB | 0644 |
|
| result.h | File | 8.57 KB | 0644 |
|
| rootns.h | File | 891 B | 0644 |
|
| rpz.h | File | 10.09 KB | 0644 |
|
| rriterator.h | File | 4.17 KB | 0644 |
|
| rrl.h | File | 6.49 KB | 0644 |
|
| sdb.h | File | 7.04 KB | 0644 |
|
| sdlz.h | File | 13.87 KB | 0644 |
|
| secalg.h | File | 1.67 KB | 0644 |
|
| secproto.h | File | 1.52 KB | 0644 |
|
| soa.h | File | 2.17 KB | 0644 |
|
| ssu.h | File | 8.09 KB | 0644 |
|
| stats.h | File | 13.15 KB | 0644 |
|
| tcpmsg.h | File | 3.05 KB | 0644 |
|
| time.h | File | 1.66 KB | 0644 |
|
| timer.h | File | 1.02 KB | 0644 |
|
| tkey.h | File | 7.43 KB | 0644 |
|
| tsec.h | File | 2.88 KB | 0644 |
|
| tsig.h | File | 8.06 KB | 0644 |
|
| ttl.h | File | 1.93 KB | 0644 |
|
| types.h | File | 13.65 KB | 0644 |
|
| update.h | File | 1.61 KB | 0644 |
|
| validator.h | File | 7.02 KB | 0644 |
|
| version.h | File | 867 B | 0644 |
|
| view.h | File | 34.69 KB | 0644 |
|
| xfrin.h | File | 2.85 KB | 0644 |
|
| zone.h | File | 59.8 KB | 0644 |
|
| zonekey.h | File | 763 B | 0644 |
|
| zt.h | File | 5.31 KB | 0644 |
|