/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 /***** ***** Module Info *****/ /*! \file dns/validator.h * * \brief * DNS Validator * This is the BIND 9 validator, the module responsible for validating the * rdatasets and negative responses (messages). It makes use of zones in * the view and may fetch RRset to complete trust chains. It implements * DNSSEC as specified in RFC 4033, 4034 and 4035. * * It can also optionally implement ISC's DNSSEC look-aside validation. * * Correct operation is critical to preventing spoofed answers from secure * zones being accepted. * * MP: *\li The module ensures appropriate synchronization of data structures it * creates and manipulates. * * Reliability: *\li No anticipated impact. * * Resources: *\li TBS * * Security: *\li No anticipated impact. * * Standards: *\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035. */ #include <isc/lang.h> #include <isc/event.h> #include <isc/mutex.h> #include <dns/fixedname.h> #include <dns/types.h> #include <dns/rdataset.h> #include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */ #include <dst/dst.h> /*% * A dns_validatorevent_t is sent when a 'validation' completes. * \brief * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were * supplied when dns_validator_create() was called. They are returned to the * caller so that they may be freed. * * If the RESULT is ISC_R_SUCCESS and the answer is secure then * proofs[] will contain the names of the NSEC records that hold the * various proofs. Note the same name may appear multiple times. */ typedef struct dns_validatorevent { ISC_EVENT_COMMON(struct dns_validatorevent); dns_validator_t * validator; isc_result_t result; /* * Name and type of the response to be validated. */ dns_name_t * name; dns_rdatatype_t type; /* * Rdata and RRSIG (if any) for positive responses. */ dns_rdataset_t * rdataset; dns_rdataset_t * sigrdataset; /* * The full response. Required for negative responses. * Also required for positive wildcard responses. */ dns_message_t * message; /* * Proofs to be cached. */ dns_name_t * proofs[4]; /* * Optout proof seen. */ isc_boolean_t optout; /* * Answer is secure. */ isc_boolean_t secure; } dns_validatorevent_t; #define DNS_VALIDATOR_NOQNAMEPROOF 0 #define DNS_VALIDATOR_NODATAPROOF 1 #define DNS_VALIDATOR_NOWILDCARDPROOF 2 #define DNS_VALIDATOR_CLOSESTENCLOSER 3 /*% * A validator object represents a validation in progress. * \brief * Clients are strongly discouraged from using this type directly, with * the exception of the 'link' field, which may be used directly for * whatever purpose the client desires. */ struct dns_validator { /* Unlocked. */ unsigned int magic; isc_mutex_t lock; dns_view_t * view; /* Locked by lock. */ unsigned int options; unsigned int attributes; dns_validatorevent_t * event; dns_fetch_t * fetch; dns_validator_t * subvalidator; dns_validator_t * parent; dns_keytable_t * keytable; dns_keynode_t * keynode; dst_key_t * key; dns_rdata_rrsig_t * siginfo; isc_task_t * task; isc_taskaction_t action; void * arg; unsigned int labels; dns_rdataset_t * currentset; isc_boolean_t seensig; dns_rdataset_t * keyset; dns_rdataset_t * dsset; dns_rdataset_t * soaset; dns_rdataset_t * nsecset; dns_rdataset_t * nsec3set; dns_name_t * soaname; dns_rdataset_t frdataset; dns_rdataset_t fsigrdataset; dns_fixedname_t fname; dns_fixedname_t wild; dns_fixedname_t nearest; dns_fixedname_t closest; ISC_LINK(dns_validator_t) link; dns_rdataset_t dlv; dns_fixedname_t dlvsep; isc_boolean_t havedlvsep; isc_boolean_t mustbesecure; unsigned int dlvlabels; unsigned int depth; unsigned int authcount; unsigned int authfail; isc_boolean_t failed; isc_stdtime_t start; }; /*% * dns_validator_create() options. */ #define DNS_VALIDATOR_DLV 0x0001U #define DNS_VALIDATOR_DEFER 0x0002U #define DNS_VALIDATOR_NOCDFLAG 0x0004U #define DNS_VALIDATOR_NONTA 0x0008U /*% Ignore NTA table */ ISC_LANG_BEGINDECLS isc_result_t dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_message_t *message, unsigned int options, isc_task_t *task, isc_taskaction_t action, void *arg, dns_validator_t **validatorp); /*%< * Start a DNSSEC validation. * * This validates a response to the question given by * 'name' and 'type'. * * To validate a positive response, the response data is * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset' * is NULL, the data is presumed insecure and an attempt * is made to prove its insecurity by finding the appropriate * null key. * * The complete response message may be given in 'message', * to make available any authority section NSECs that may be * needed for validation of a response resulting from a * wildcard expansion (though no such wildcard validation * is implemented yet). If the complete response message * is not available, 'message' is NULL. * * To validate a negative response, the complete negative response * message is given in 'message'. The 'rdataset', and * 'sigrdataset' arguments must be NULL, but the 'name' and 'type' * arguments must be provided. * * The validation is performed in the context of 'view'. * * When the validation finishes, a dns_validatorevent_t with * the given 'action' and 'arg' are sent to 'task'. * Its 'result' field will be ISC_R_SUCCESS iff the * response was successfully proven to be either secure or * part of a known insecure domain. * * options: * If DNS_VALIDATOR_DLV is set the caller knows there is not a * trusted key and the validator should immediately attempt to validate * the answer by looking for an appropriate DLV RRset. */ void dns_validator_send(dns_validator_t *validator); /*%< * Send a deferred validation request * * Requires: * 'validator' to points to a valid DNSSEC validator. */ void dns_validator_cancel(dns_validator_t *validator); /*%< * Cancel a DNSSEC validation in progress. * * Requires: *\li 'validator' points to a valid DNSSEC validator, which * may or may not already have completed. * * Ensures: *\li It the validator has not already sent its completion * event, it will send it with result code ISC_R_CANCELED. */ void dns_validator_destroy(dns_validator_t **validatorp); /*%< * Destroy a DNSSEC validator. * * Requires: *\li '*validatorp' points to a valid DNSSEC validator. * \li The validator must have completed and sent its completion * event. * * Ensures: *\li All resources used by the validator are freed. */ ISC_LANG_ENDDECLS #endif /* DNS_VALIDATOR_H */
Name | Type | Size | Permission | Actions |
---|---|---|---|---|
acache.h | File | 13.99 KB | 0644 |
|
acl.h | File | 7.1 KB | 0644 |
|
adb.h | File | 22.03 KB | 0644 |
|
badcache.h | File | 3.28 KB | 0644 |
|
bit.h | File | 856 B | 0644 |
|
byaddr.h | File | 3.89 KB | 0644 |
|
cache.h | File | 7.95 KB | 0644 |
|
callbacks.h | File | 2.22 KB | 0644 |
|
catz.h | File | 11.54 KB | 0644 |
|
cert.h | File | 1.43 KB | 0644 |
|
client.h | File | 21.52 KB | 0644 |
|
clientinfo.h | File | 1.95 KB | 0644 |
|
compress.h | File | 6.51 KB | 0644 |
|
db.h | File | 44.68 KB | 0644 |
|
dbiterator.h | File | 7.26 KB | 0644 |
|
dbtable.h | File | 3.09 KB | 0644 |
|
diff.h | File | 6.82 KB | 0644 |
|
dispatch.h | File | 16.05 KB | 0644 |
|
dlz.h | File | 10.38 KB | 0644 |
|
dlz_dlopen.h | File | 4.54 KB | 0644 |
|
dns64.h | File | 5.51 KB | 0644 |
|
dnssec.h | File | 12 KB | 0644 |
|
dnstap.h | File | 9.2 KB | 0644 |
|
ds.h | File | 1.19 KB | 0644 |
|
dsdigest.h | File | 1.68 KB | 0644 |
|
dyndb.h | File | 4.72 KB | 0644 |
|
ecdb.h | File | 808 B | 0644 |
|
edns.h | File | 721 B | 0644 |
|
enumclass.h | File | 1.19 KB | 0644 |
|
enumtype.h | File | 7.74 KB | 0644 |
|
events.h | File | 3.96 KB | 0644 |
|
fixedname.h | File | 1.56 KB | 0644 |
|
forward.h | File | 3.37 KB | 0644 |
|
geoip.h | File | 2.34 KB | 0644 |
|
ipkeylist.h | File | 2.12 KB | 0644 |
|
iptable.h | File | 1.6 KB | 0644 |
|
journal.h | File | 8.05 KB | 0644 |
|
keydata.h | File | 1.02 KB | 0644 |
|
keyflags.h | File | 1.25 KB | 0644 |
|
keytable.h | File | 9.28 KB | 0644 |
|
keyvalues.h | File | 4.06 KB | 0644 |
|
lib.h | File | 1.16 KB | 0644 |
|
log.h | File | 3.87 KB | 0644 |
|
lookup.h | File | 2.85 KB | 0644 |
|
master.h | File | 11.08 KB | 0644 |
|
masterdump.h | File | 12.35 KB | 0644 |
|
message.h | File | 37.27 KB | 0644 |
|
name.h | File | 36.49 KB | 0644 |
|
ncache.h | File | 4.8 KB | 0644 |
|
nsec.h | File | 2.88 KB | 0644 |
|
nsec3.h | File | 8.17 KB | 0644 |
|
nta.h | File | 4.32 KB | 0644 |
|
opcode.h | File | 1006 B | 0644 |
|
order.h | File | 1.95 KB | 0644 |
|
peer.h | File | 6.06 KB | 0644 |
|
portlist.h | File | 2.05 KB | 0644 |
|
private.h | File | 1.9 KB | 0644 |
|
rbt.h | File | 39.7 KB | 0644 |
|
rcode.h | File | 2.42 KB | 0644 |
|
rdata.h | File | 20.92 KB | 0644 |
|
rdataclass.h | File | 2.2 KB | 0644 |
|
rdatalist.h | File | 2.51 KB | 0644 |
|
rdataset.h | File | 20.47 KB | 0644 |
|
rdatasetiter.h | File | 3.83 KB | 0644 |
|
rdataslab.h | File | 4.29 KB | 0644 |
|
rdatastruct.h | File | 57.57 KB | 0644 |
|
rdatatype.h | File | 2.24 KB | 0644 |
|
request.h | File | 10.89 KB | 0644 |
|
resolver.h | File | 18.63 KB | 0644 |
|
result.h | File | 8.57 KB | 0644 |
|
rootns.h | File | 891 B | 0644 |
|
rpz.h | File | 10.09 KB | 0644 |
|
rriterator.h | File | 4.17 KB | 0644 |
|
rrl.h | File | 6.49 KB | 0644 |
|
sdb.h | File | 7.04 KB | 0644 |
|
sdlz.h | File | 13.87 KB | 0644 |
|
secalg.h | File | 1.67 KB | 0644 |
|
secproto.h | File | 1.52 KB | 0644 |
|
soa.h | File | 2.17 KB | 0644 |
|
ssu.h | File | 8.09 KB | 0644 |
|
stats.h | File | 13.15 KB | 0644 |
|
tcpmsg.h | File | 3.05 KB | 0644 |
|
time.h | File | 1.66 KB | 0644 |
|
timer.h | File | 1.02 KB | 0644 |
|
tkey.h | File | 7.43 KB | 0644 |
|
tsec.h | File | 2.88 KB | 0644 |
|
tsig.h | File | 8.06 KB | 0644 |
|
ttl.h | File | 1.93 KB | 0644 |
|
types.h | File | 13.65 KB | 0644 |
|
update.h | File | 1.61 KB | 0644 |
|
validator.h | File | 7.02 KB | 0644 |
|
version.h | File | 867 B | 0644 |
|
view.h | File | 34.69 KB | 0644 |
|
xfrin.h | File | 2.85 KB | 0644 |
|
zone.h | File | 59.8 KB | 0644 |
|
zonekey.h | File | 763 B | 0644 |
|
zt.h | File | 5.31 KB | 0644 |
|