ldns  1.8.3
/build/ldns-60Szi3/ldns-1.8.3/dnssec_sign.c
Go to the documentation of this file.
1#include <ldns/config.h>
2
3#include <ldns/ldns.h>
4
5#include <ldns/dnssec.h>
6#include <ldns/dnssec_sign.h>
7
8#include <strings.h>
9#include <time.h>
10
11#ifdef HAVE_SSL
12/* this entire file is rather useless when you don't have
13 * crypto...
14 */
15#include <openssl/ssl.h>
16#include <openssl/evp.h>
17#include <openssl/rand.h>
18#include <openssl/err.h>
19#include <openssl/md5.h>
20#include <openssl/bn.h>
21#include <openssl/rsa.h>
22#ifdef USE_DSA
23#include <openssl/dsa.h>
24#endif
25#endif /* HAVE_SSL */
26
27#define LDNS_SIGN_WITH_ZONEMD ( LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 \
28 | LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 )
29
30ldns_rr *
32 const ldns_key *current_key)
33{
34 uint32_t orig_ttl;
35 ldns_rr_class orig_class;
36 time_t now;
37 ldns_rr *current_sig;
38 uint8_t label_count;
39 ldns_rdf *signame;
40
42 0)));
43 /* RFC4035 2.2: not counting the leftmost label if it is a wildcard */
45 label_count --;
46
48
49 /* set the type on the new signature */
50 orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
51 orig_class = ldns_rr_get_class(ldns_rr_list_rr(rrset, 0));
52
53 ldns_rr_set_ttl(current_sig, orig_ttl);
54 ldns_rr_set_class(current_sig, orig_class);
55 ldns_rr_set_owner(current_sig,
58 ldns_rr_list_rr(rrset,
59 0))));
60
61 /* fill in what we know of the signature */
62
63 /* set the orig_ttl */
65 current_sig,
67 orig_ttl));
68 /* the signers name */
69 signame = ldns_rdf_clone(ldns_key_pubkey_owner(current_key));
70 ldns_dname2canonical(signame);
72 current_sig,
73 signame);
74 /* label count - get it from the first rr in the rr_list */
76 current_sig,
78 label_count));
79 /* inception, expiration */
80 now = time(NULL);
81 if (ldns_key_inception(current_key) != 0) {
83 current_sig,
86 ldns_key_inception(current_key)));
87 } else {
89 current_sig,
91 }
92 if (ldns_key_expiration(current_key) != 0) {
94 current_sig,
97 ldns_key_expiration(current_key)));
98 } else {
100 current_sig,
103 now + LDNS_DEFAULT_EXP_TIME));
104 }
105
107 current_sig,
109 ldns_key_keytag(current_key)));
110
112 current_sig,
115 ldns_key_algorithm(current_key)));
116
118 current_sig,
122 0))));
123 return current_sig;
124}
125
126#ifdef HAVE_SSL
127ldns_rdf *
129{
130 ldns_rdf *b64rdf = NULL;
131
132 switch(ldns_key_algorithm(current_key)) {
133#ifdef USE_DSA
134 case LDNS_SIGN_DSA:
136 b64rdf = ldns_sign_public_evp(
137 sign_buf,
138 ldns_key_evp_key(current_key),
139# ifdef HAVE_EVP_DSS1
140 EVP_dss1()
141# else
142 EVP_sha1()
143# endif
144 );
145 break;
146#endif /* USE_DSA */
149 b64rdf = ldns_sign_public_evp(
150 sign_buf,
151 ldns_key_evp_key(current_key),
152 EVP_sha1());
153 break;
154#ifdef USE_SHA2
156 b64rdf = ldns_sign_public_evp(
157 sign_buf,
158 ldns_key_evp_key(current_key),
159 EVP_sha256());
160 break;
162 b64rdf = ldns_sign_public_evp(
163 sign_buf,
164 ldns_key_evp_key(current_key),
165 EVP_sha512());
166 break;
167#endif /* USE_SHA2 */
168#ifdef USE_GOST
170 b64rdf = ldns_sign_public_evp(
171 sign_buf,
172 ldns_key_evp_key(current_key),
173 EVP_get_digestbyname("md_gost94"));
174 break;
175#endif /* USE_GOST */
176#ifdef USE_ECDSA
178 b64rdf = ldns_sign_public_evp(
179 sign_buf,
180 ldns_key_evp_key(current_key),
181 EVP_sha256());
182 break;
184 b64rdf = ldns_sign_public_evp(
185 sign_buf,
186 ldns_key_evp_key(current_key),
187 EVP_sha384());
188 break;
189#endif
190#ifdef USE_ED25519
192 b64rdf = ldns_sign_public_evp(
193 sign_buf,
194 ldns_key_evp_key(current_key),
195 NULL);
196 break;
197#endif
198#ifdef USE_ED448
199 case LDNS_SIGN_ED448:
200 b64rdf = ldns_sign_public_evp(
201 sign_buf,
202 ldns_key_evp_key(current_key),
203 NULL);
204 break;
205#endif
206 case LDNS_SIGN_RSAMD5:
207 b64rdf = ldns_sign_public_evp(
208 sign_buf,
209 ldns_key_evp_key(current_key),
210 EVP_md5());
211 break;
212 default:
213 /* do _you_ know this alg? */
214 printf("unknown algorithm, ");
215 printf("is the one used available on this system?\n");
216 break;
217 }
218
219 return b64rdf;
220}
221
228{
229 ldns_rr_list *signatures;
230 ldns_rr_list *rrset_clone;
231 ldns_rr *current_sig;
232 ldns_rdf *b64rdf;
233 ldns_key *current_key;
234 size_t key_count;
235 uint16_t i;
236 ldns_buffer *sign_buf;
237 ldns_rdf *new_owner;
238
239 if (!rrset || ldns_rr_list_rr_count(rrset) < 1 || !keys) {
240 return NULL;
241 }
242
243 new_owner = NULL;
244
245 /* prepare a signature and add all the know data
246 * prepare the rrset. Sign this together. */
247 rrset_clone = ldns_rr_list_clone(rrset);
248 if (!rrset_clone) {
249 return NULL;
250 }
251
252 /* make it canonical */
253 for(i = 0; i < ldns_rr_list_rr_count(rrset_clone); i++) {
254 ldns_rr_set_ttl(ldns_rr_list_rr(rrset_clone, i),
255 ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)));
256 ldns_rr2canonical(ldns_rr_list_rr(rrset_clone, i));
257 }
258 /* sort */
259 ldns_rr_list_sort(rrset_clone);
260
261 signatures = ldns_rr_list_new();
262
263 for (key_count = 0;
264 key_count < ldns_key_list_key_count(keys);
265 key_count++) {
266 if (!ldns_key_use(ldns_key_list_key(keys, key_count))) {
267 continue;
268 }
270 if (!sign_buf) {
271 ldns_rr_list_free(rrset_clone);
272 ldns_rr_list_free(signatures);
273 ldns_rdf_free(new_owner);
274 return NULL;
275 }
276 b64rdf = NULL;
277
278 current_key = ldns_key_list_key(keys, key_count);
279 /* sign all RRs with keys that have ZSKbit, !SEPbit.
280 sign DNSKEY RRs with keys that have ZSKbit&SEPbit */
281 if (ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY) {
282 current_sig = ldns_create_empty_rrsig(rrset_clone,
283 current_key);
284
285 /* right now, we have: a key, a semi-sig and an rrset. For
286 * which we can create the sig and base64 encode that and
287 * add that to the signature */
288
289 if (ldns_rrsig2buffer_wire(sign_buf, current_sig)
290 != LDNS_STATUS_OK) {
291 ldns_buffer_free(sign_buf);
292 /* ERROR */
293 ldns_rr_list_deep_free(rrset_clone);
294 ldns_rr_free(current_sig);
295 ldns_rr_list_deep_free(signatures);
296 return NULL;
297 }
298
299 /* add the rrset in sign_buf */
300 if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone)
301 != LDNS_STATUS_OK) {
302 ldns_buffer_free(sign_buf);
303 ldns_rr_list_deep_free(rrset_clone);
304 ldns_rr_free(current_sig);
305 ldns_rr_list_deep_free(signatures);
306 return NULL;
307 }
308
309 b64rdf = ldns_sign_public_buffer(sign_buf, current_key);
310
311 if (!b64rdf) {
312 /* signing went wrong */
313 ldns_rr_list_deep_free(rrset_clone);
314 ldns_rr_free(current_sig);
315 ldns_rr_list_deep_free(signatures);
316 return NULL;
317 }
318
319 ldns_rr_rrsig_set_sig(current_sig, b64rdf);
320
321 /* push the signature to the signatures list */
322 ldns_rr_list_push_rr(signatures, current_sig);
323 }
324 ldns_buffer_free(sign_buf); /* restart for the next key */
325 }
326 ldns_rr_list_deep_free(rrset_clone);
327
328 return signatures;
329}
330
331ldns_rdf *
333{
334#ifdef USE_DSA
335 unsigned char *sha1_hash;
336 ldns_rdf *sigdata_rdf;
337 ldns_buffer *b64sig;
338
339 DSA_SIG *sig;
340 const BIGNUM *R, *S;
341 uint8_t *data;
342 size_t pad;
343
345 if (!b64sig) {
346 return NULL;
347 }
348
349 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
350 ldns_buffer_position(to_sign), NULL);
351 if (!sha1_hash) {
352 ldns_buffer_free(b64sig);
353 return NULL;
354 }
355
356 sig = DSA_do_sign(sha1_hash, SHA_DIGEST_LENGTH, key);
357 if(!sig) {
358 ldns_buffer_free(b64sig);
359 return NULL;
360 }
361
362 data = LDNS_XMALLOC(uint8_t, 1 + 2 * SHA_DIGEST_LENGTH);
363 if(!data) {
364 ldns_buffer_free(b64sig);
365 DSA_SIG_free(sig);
366 return NULL;
367 }
368
369 data[0] = 1;
370# ifdef HAVE_DSA_SIG_GET0
371 DSA_SIG_get0(sig, &R, &S);
372# else
373 R = sig->r;
374 S = sig->s;
375# endif
376 pad = 20 - (size_t) BN_num_bytes(R);
377 if (pad > 0) {
378 memset(data + 1, 0, pad);
379 }
380 BN_bn2bin(R, (unsigned char *) (data + 1) + pad);
381
382 pad = 20 - (size_t) BN_num_bytes(S);
383 if (pad > 0) {
384 memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad);
385 }
386 BN_bn2bin(S, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad));
387
389 1 + 2 * SHA_DIGEST_LENGTH,
390 data);
391
392 ldns_buffer_free(b64sig);
393 LDNS_FREE(data);
394 DSA_SIG_free(sig);
395
396 return sigdata_rdf;
397#else
398 (void)to_sign; (void)key;
399 return NULL;
400#endif
401}
402
403#ifdef USE_ECDSA
404#ifndef S_SPLINT_S
406static int
407ldns_pkey_is_ecdsa(EVP_PKEY* pkey)
408{
409 EC_KEY* ec;
410 const EC_GROUP* g;
411#ifdef HAVE_EVP_PKEY_GET_BASE_ID
412 if(EVP_PKEY_get_base_id(pkey) != EVP_PKEY_EC)
413 return 0;
414#elif defined(HAVE_EVP_PKEY_BASE_ID)
415 if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC)
416 return 0;
417#else
418 if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
419 return 0;
420#endif
421 ec = EVP_PKEY_get1_EC_KEY(pkey);
422 g = EC_KEY_get0_group(ec);
423 if(!g) {
424 EC_KEY_free(ec);
425 return 0;
426 }
427 if(EC_GROUP_get_curve_name(g) == NID_X9_62_prime256v1) {
428 EC_KEY_free(ec);
429 return 32; /* 256/8 */
430 }
431 if(EC_GROUP_get_curve_name(g) == NID_secp384r1) {
432 EC_KEY_free(ec);
433 return 48; /* 384/8 */
434 }
435 /* downref the eckey, the original is still inside the pkey */
436 EC_KEY_free(ec);
437 return 0;
438}
439#endif /* splint */
440#endif /* USE_ECDSA */
441
442ldns_rdf *
444 EVP_PKEY *key,
445 const EVP_MD *digest_type)
446{
447 unsigned int siglen;
448 ldns_rdf *sigdata_rdf = NULL;
449 ldns_buffer *b64sig;
450 EVP_MD_CTX *ctx;
451 const EVP_MD *md_type;
452 int r;
453
454 siglen = 0;
456 if (!b64sig) {
457 return NULL;
458 }
459
460 /* initializes a signing context */
461 md_type = digest_type;
462#ifdef USE_ED25519
463 if(EVP_PKEY_id(key) == NID_ED25519) {
464 /* digest must be NULL for ED25519 sign and verify */
465 md_type = NULL;
466 } else
467#endif
468#ifdef USE_ED448
469 if(EVP_PKEY_id(key) == NID_ED448) {
470 md_type = NULL;
471 } else
472#endif
473 if(!md_type) {
474 /* unknown message digest */
475 ldns_buffer_free(b64sig);
476 return NULL;
477 }
478
479#ifdef HAVE_EVP_MD_CTX_NEW
480 ctx = EVP_MD_CTX_new();
481#else
482 ctx = (EVP_MD_CTX*)malloc(sizeof(*ctx));
483 if(ctx) EVP_MD_CTX_init(ctx);
484#endif
485 if(!ctx) {
486 ldns_buffer_free(b64sig);
487 return NULL;
488 }
489
490#if defined(USE_ED25519) || defined(USE_ED448)
491 if(md_type == NULL) {
492 /* for these methods we must use the one-shot DigestSign */
493 r = EVP_DigestSignInit(ctx, NULL, md_type, NULL, key);
494 if(r == 1) {
495 size_t siglen_sizet = ldns_buffer_capacity(b64sig);
496 r = EVP_DigestSign(ctx,
497 (unsigned char*)ldns_buffer_begin(b64sig),
498 &siglen_sizet,
499 (unsigned char*)ldns_buffer_begin(to_sign),
500 ldns_buffer_position(to_sign));
501 siglen = (unsigned int)siglen_sizet;
502 }
503 } else {
504#else
505 r = 0;
506 if(md_type != NULL) {
507#endif
508 r = EVP_SignInit(ctx, md_type);
509 if(r == 1) {
510 r = EVP_SignUpdate(ctx, (unsigned char*)
511 ldns_buffer_begin(to_sign),
512 ldns_buffer_position(to_sign));
513 }
514 if(r == 1) {
515 r = EVP_SignFinal(ctx, (unsigned char*)
516 ldns_buffer_begin(b64sig), &siglen, key);
517 }
518 }
519 if(r != 1) {
520 ldns_buffer_free(b64sig);
521 EVP_MD_CTX_destroy(ctx);
522 return NULL;
523 }
524
525 /* OpenSSL output is different, convert it */
526 r = 0;
527#ifdef USE_DSA
528#ifndef S_SPLINT_S
529 /* unfortunately, OpenSSL output is different from DNS DSA format */
530# ifdef HAVE_EVP_PKEY_GET_BASE_ID
531 if (EVP_PKEY_get_base_id(key) == EVP_PKEY_DSA) {
532# elif defined(HAVE_EVP_PKEY_BASE_ID)
533 if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) {
534# else
535 if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
536# endif
537 r = 1;
538 sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen);
539 }
540#endif
541#endif
542#if defined(USE_ECDSA)
543 if(
545 EVP_PKEY_get_base_id(key)
546# elif defined(HAVE_EVP_PKEY_BASE_ID)
547 EVP_PKEY_base_id(key)
548# else
549 EVP_PKEY_type(key->type)
550# endif
551 == EVP_PKEY_EC) {
552# ifdef USE_ECDSA
553 if(ldns_pkey_is_ecdsa(key)) {
554 r = 1;
556 b64sig, (long)siglen, ldns_pkey_is_ecdsa(key));
557 }
558# endif /* USE_ECDSA */
559 }
560#endif /* PKEY_EC */
561 if(r == 0) {
562 /* ok output for other types is the same */
563 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
564 ldns_buffer_begin(b64sig));
565 }
566 ldns_buffer_free(b64sig);
567 EVP_MD_CTX_destroy(ctx);
568 return sigdata_rdf;
569}
570
571ldns_rdf *
573{
574 unsigned char *sha1_hash;
575 unsigned int siglen;
576 ldns_rdf *sigdata_rdf;
577 ldns_buffer *b64sig;
578 int result;
579
580 siglen = 0;
582 if (!b64sig) {
583 return NULL;
584 }
585
586 sha1_hash = SHA1((unsigned char*)ldns_buffer_begin(to_sign),
587 ldns_buffer_position(to_sign), NULL);
588 if (!sha1_hash) {
589 ldns_buffer_free(b64sig);
590 return NULL;
591 }
592
593 result = RSA_sign(NID_sha1, sha1_hash, SHA_DIGEST_LENGTH,
594 (unsigned char*)ldns_buffer_begin(b64sig),
595 &siglen, key);
596 if (result != 1) {
597 ldns_buffer_free(b64sig);
598 return NULL;
599 }
600
601 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
602 ldns_buffer_begin(b64sig));
603 ldns_buffer_free(b64sig); /* can't free this buffer ?? */
604 return sigdata_rdf;
605}
606
607ldns_rdf *
609{
610 unsigned char *md5_hash;
611 unsigned int siglen;
612 ldns_rdf *sigdata_rdf;
613 ldns_buffer *b64sig;
614
616 if (!b64sig) {
617 return NULL;
618 }
619
620 md5_hash = MD5((unsigned char*)ldns_buffer_begin(to_sign),
621 ldns_buffer_position(to_sign), NULL);
622 if (!md5_hash) {
623 ldns_buffer_free(b64sig);
624 return NULL;
625 }
626
627 RSA_sign(NID_md5, md5_hash, MD5_DIGEST_LENGTH,
628 (unsigned char*)ldns_buffer_begin(b64sig),
629 &siglen, key);
630
631 sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, siglen,
632 ldns_buffer_begin(b64sig));
633 ldns_buffer_free(b64sig);
634 return sigdata_rdf;
635}
636#endif /* HAVE_SSL */
637
641static ldns_status
642ldns_dnssec_addresses_on_glue_list(
643 ldns_dnssec_rrsets *cur_rrset,
644 ldns_rr_list *glue_list)
645{
646 ldns_dnssec_rrs *cur_rrs;
647 while (cur_rrset) {
648 if (cur_rrset->type == LDNS_RR_TYPE_A
649 || cur_rrset->type == LDNS_RR_TYPE_AAAA) {
650 for (cur_rrs = cur_rrset->rrs;
651 cur_rrs;
652 cur_rrs = cur_rrs->next) {
653 if (cur_rrs->rr) {
654 if (!ldns_rr_list_push_rr(glue_list,
655 cur_rrs->rr)) {
656 return LDNS_STATUS_MEM_ERR;
657 /* ldns_rr_list_push_rr()
658 * returns false when unable
659 * to increase the capacity
660 * of the ldns_rr_list
661 */
662 }
663 }
664 }
665 }
666 cur_rrset = cur_rrset->next;
667 }
668 return LDNS_STATUS_OK;
669}
670
673 ldns_rr_list *glue_list)
674{
675 ldns_rbnode_t *node;
676 ldns_dnssec_name *name;
677 ldns_rdf *owner;
678 ldns_rdf *cut = NULL; /* keeps track of zone cuts */
679 /* When the cut is caused by a delegation, below_delegation will be 1.
680 * When caused by a DNAME, below_delegation will be 0.
681 */
682 int below_delegation = -1; /* init suppresses compiler warning */
683 ldns_status s;
684
685 if (!zone || !zone->names) {
686 return LDNS_STATUS_NULL;
687 }
688 for (node = ldns_rbtree_first(zone->names);
689 node != LDNS_RBTREE_NULL;
690 node = ldns_rbtree_next(node)) {
691 name = (ldns_dnssec_name *) node->data;
692 owner = ldns_dnssec_name_name(name);
693
694 if (cut) {
695 /* The previous node was a zone cut, or a subdomain
696 * below a zone cut. Is this node (still) a subdomain
697 * below the cut? Then the name is occluded. Unless
698 * the name contains a SOA, after which we are
699 * authoritative again.
700 *
701 * FIXME! If there are labels in between the SOA and
702 * the cut, going from the authoritative space (below
703 * the SOA) up into occluded space again, will not be
704 * detected with the construct below!
705 */
706 if (ldns_dname_is_subdomain(owner, cut) &&
708 name->rrsets, LDNS_RR_TYPE_SOA)) {
709
710 if (below_delegation && glue_list) {
711 s = ldns_dnssec_addresses_on_glue_list(
712 name->rrsets, glue_list);
713 if (s != LDNS_STATUS_OK) {
714 return s;
715 }
716 }
717 name->is_glue = true; /* Mark occluded name! */
718 continue;
719 } else {
720 cut = NULL;
721 }
722 }
723
724 /* The node is not below a zone cut. Is it a zone cut itself?
725 * Everything below a SOA is authoritative of course; Except
726 * when the name also contains a DNAME :).
727 */
729 name->rrsets, LDNS_RR_TYPE_NS)
731 name->rrsets, LDNS_RR_TYPE_SOA)) {
732 cut = owner;
733 below_delegation = 1;
734 if (glue_list) { /* record glue on the zone cut */
735 s = ldns_dnssec_addresses_on_glue_list(
736 name->rrsets, glue_list);
737 if (s != LDNS_STATUS_OK) {
738 return s;
739 }
740 }
742 name->rrsets, LDNS_RR_TYPE_DNAME)) {
743 cut = owner;
744 below_delegation = 0;
745 }
746 }
747 return LDNS_STATUS_OK;
748}
749
755
758{
759 ldns_rbnode_t *next_node = NULL;
760 ldns_dnssec_name *next_name = NULL;
761 bool done = false;
762
763 if (node == LDNS_RBTREE_NULL) {
764 return NULL;
765 }
766 next_node = node;
767 while (!done) {
768 if (next_node == LDNS_RBTREE_NULL) {
769 return NULL;
770 } else {
771 next_name = (ldns_dnssec_name *)next_node->data;
772 if (!next_name->is_glue) {
773 done = true;
774 } else {
775 next_node = ldns_rbtree_next(next_node);
776 }
777 }
778 }
779 return next_node;
780}
781
784 ldns_rr_list *new_rrs)
785{
786
787 ldns_rbnode_t *first_node, *cur_node, *next_node;
788 ldns_dnssec_name *cur_name, *next_name;
789 ldns_rr *nsec_rr;
790 uint32_t nsec_ttl;
792
793 /* The TTL value for any NSEC RR SHOULD be the same TTL value as the
794 * lesser of the MINIMUM field of the SOA record and the TTL of the SOA
795 * itself. This matches the definition of the TTL for negative
796 * responses in [RFC2308]. (draft-ietf-dnsop-nsec-ttl-01 update of
797 * RFC4035 Section 2.3)
798 */
800
801 /* did the caller actually set it? if not,
802 * fall back to default ttl
803 */
804 if (soa && soa->rrs && soa->rrs->rr) {
805 ldns_rr *soa_rr = soa->rrs->rr;
806 ldns_rdf *min_rdf = ldns_rr_rdf(soa_rr, 6);
807
808 nsec_ttl = min_rdf == NULL
809 || ldns_rr_ttl(soa_rr) < ldns_rdf2native_int32(min_rdf)
810 ? ldns_rr_ttl(soa_rr) : ldns_rdf2native_int32(min_rdf);
811 } else {
812 nsec_ttl = LDNS_DEFAULT_TTL;
813 }
814
816 ldns_rbtree_first(zone->names));
817 cur_node = first_node;
818 if (cur_node) {
820 ldns_rbtree_next(cur_node));
821 } else {
822 next_node = NULL;
823 }
824
825 while (cur_node && next_node) {
826 cur_name = (ldns_dnssec_name *)cur_node->data;
827 next_name = (ldns_dnssec_name *)next_node->data;
828 nsec_rr = ldns_dnssec_create_nsec(cur_name,
829 next_name,
831 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
832 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
833 ldns_rr_free(nsec_rr);
834 return LDNS_STATUS_ERR;
835 }
836 ldns_rr_list_push_rr(new_rrs, nsec_rr);
837 cur_node = next_node;
838 if (cur_node) {
840 ldns_rbtree_next(cur_node));
841 }
842 }
843
844 if (cur_node && !next_node) {
845 cur_name = (ldns_dnssec_name *)cur_node->data;
846 next_name = (ldns_dnssec_name *)first_node->data;
847 nsec_rr = ldns_dnssec_create_nsec(cur_name,
848 next_name,
850 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
851 if(ldns_dnssec_name_add_rr(cur_name, nsec_rr)!=LDNS_STATUS_OK){
852 ldns_rr_free(nsec_rr);
853 return LDNS_STATUS_ERR;
854 }
855 ldns_rr_list_push_rr(new_rrs, nsec_rr);
856 } else {
857 printf("error\n");
858 }
859
860 return LDNS_STATUS_OK;
861}
862
863#ifdef HAVE_SSL
864static void
865ldns_hashed_names_node_free(ldns_rbnode_t *node, void *arg) {
866 (void) arg;
867 LDNS_FREE(node);
868}
869
870static ldns_status
871ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
872 ldns_rr_list *new_rrs,
873 uint8_t algorithm,
874 uint8_t flags,
875 uint16_t iterations,
876 uint8_t salt_length,
877 uint8_t *salt,
878 ldns_rbtree_t **map)
879{
880 ldns_rbnode_t *first_name_node;
881 ldns_rbnode_t *current_name_node;
882 ldns_dnssec_name *current_name;
884 ldns_rr *nsec_rr;
885 ldns_rr_list *nsec3_list;
886 uint32_t nsec_ttl;
888 ldns_rbnode_t *hashmap_node;
889
890 if (!zone || !new_rrs || !zone->names) {
891 return LDNS_STATUS_ERR;
892 }
893
894 /* The TTL value for any NSEC RR SHOULD be the same TTL value as the
895 * lesser of the MINIMUM field of the SOA record and the TTL of the SOA
896 * itself. This matches the definition of the TTL for negative
897 * responses in [RFC2308]. (draft-ietf-dnsop-nsec-ttl-01 update of
898 * RFC4035 Section 2.3)
899 */
901
902 /* did the caller actually set it? if not,
903 * fall back to default ttl
904 */
905 if (soa && soa->rrs && soa->rrs->rr) {
906 ldns_rr *soa_rr = soa->rrs->rr;
907 ldns_rdf *min_rdf = ldns_rr_rdf(soa_rr, 6);
908
909 nsec_ttl = min_rdf == NULL
910 || ldns_rr_ttl(soa_rr) < ldns_rdf2native_int32(min_rdf)
911 ? ldns_rr_ttl(soa_rr) : ldns_rdf2native_int32(min_rdf);
912 } else {
913 nsec_ttl = LDNS_DEFAULT_TTL;
914 }
915
916 if (ldns_rdf_size(zone->soa->name) > 222) {
918 }
919
920 if (zone->hashed_names) {
922 ldns_hashed_names_node_free, NULL);
923 LDNS_FREE(zone->hashed_names);
924 }
926 if (zone->hashed_names && map) {
927 *map = zone->hashed_names;
928 }
929
930 first_name_node = ldns_dnssec_name_node_next_nonglue(
931 ldns_rbtree_first(zone->names));
932
933 current_name_node = first_name_node;
934
935 while (current_name_node && current_name_node != LDNS_RBTREE_NULL &&
936 result == LDNS_STATUS_OK) {
937
938 current_name = (ldns_dnssec_name *) current_name_node->data;
939 nsec_rr = ldns_dnssec_create_nsec3(current_name,
940 NULL,
941 zone->soa->name,
942 algorithm,
943 flags,
944 iterations,
945 salt_length,
946 salt);
947 /* by default, our nsec based generator adds rrsigs
948 * remove the bitmap for empty nonterminals */
949 if (!current_name->rrsets) {
951 }
952 ldns_rr_set_ttl(nsec_rr, nsec_ttl);
953 result = ldns_dnssec_name_add_rr(current_name, nsec_rr);
954 ldns_rr_list_push_rr(new_rrs, nsec_rr);
955 if (ldns_rr_owner(nsec_rr)) {
956 hashmap_node = LDNS_MALLOC(ldns_rbnode_t);
957 if (hashmap_node == NULL) {
958 return LDNS_STATUS_MEM_ERR;
959 }
960 current_name->hashed_name =
961 ldns_dname_label(ldns_rr_owner(nsec_rr), 0);
962
963 if (current_name->hashed_name == NULL) {
964 LDNS_FREE(hashmap_node);
965 return LDNS_STATUS_MEM_ERR;
966 }
967 hashmap_node->key = current_name->hashed_name;
968 hashmap_node->data = current_name;
969
971 , hashmap_node)) {
972 LDNS_FREE(hashmap_node);
973 }
974 }
975 current_name_node = ldns_dnssec_name_node_next_nonglue(
976 ldns_rbtree_next(current_name_node));
977 }
978 if (result != LDNS_STATUS_OK) {
979 return result;
980 }
981
982 /* Make sorted list of nsec3s (via zone->hashed_names)
983 */
984 nsec3_list = ldns_rr_list_new();
985 if (nsec3_list == NULL) {
986 return LDNS_STATUS_MEM_ERR;
987 }
988 for ( hashmap_node = ldns_rbtree_first(zone->hashed_names)
989 ; hashmap_node != LDNS_RBTREE_NULL
990 ; hashmap_node = ldns_rbtree_next(hashmap_node)
991 ) {
992 nsec_rr = ((ldns_dnssec_name *) hashmap_node->data)->nsec;
993 if (nsec_rr) {
994 ldns_rr_list_push_rr(nsec3_list, nsec_rr);
995 }
996 }
997 result = ldns_dnssec_chain_nsec3_list(nsec3_list);
998 ldns_rr_list_free(nsec3_list);
999
1000 return result;
1001}
1002
1005 ldns_rr_list *new_rrs,
1006 uint8_t algorithm,
1007 uint8_t flags,
1008 uint16_t iterations,
1009 uint8_t salt_length,
1010 uint8_t *salt)
1011{
1012 return ldns_dnssec_zone_create_nsec3s_mkmap(zone, new_rrs, algorithm,
1013 flags, iterations, salt_length, salt, NULL);
1014
1015}
1016#endif /* HAVE_SSL */
1017
1020 , ATTR_UNUSED(ldns_key_list *key_list)
1021 , int (*func)(ldns_rr *, void *)
1022 , void *arg
1023 )
1024{
1025 ldns_dnssec_rrs *base_rrs = signatures;
1026 ldns_dnssec_rrs *cur_rr = base_rrs;
1027 ldns_dnssec_rrs *prev_rr = NULL;
1028 ldns_dnssec_rrs *next_rr;
1029
1030 uint16_t keytag;
1031 size_t i;
1032
1033 if (!cur_rr) {
1034 switch(func(NULL, arg)) {
1037 break;
1040 ldns_key_list_set_use(key_list, false);
1041 break;
1042 default:
1043#ifdef STDERR_MSGS
1044 fprintf(stderr, "[XX] unknown return value from callback\n");
1045#endif
1046 break;
1047 }
1048 return NULL;
1049 }
1050 (void)func(cur_rr->rr, arg);
1051
1052 while (cur_rr) {
1053 next_rr = cur_rr->next;
1054
1055 switch (func(cur_rr->rr, arg)) {
1057 prev_rr = cur_rr;
1058 break;
1060 keytag = ldns_rdf2native_int16(
1061 ldns_rr_rrsig_keytag(cur_rr->rr));
1062 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1063 if (ldns_key_keytag(ldns_key_list_key(key_list, i)) ==
1064 keytag) {
1066 false);
1067 }
1068 }
1069 prev_rr = cur_rr;
1070 break;
1072 keytag = ldns_rdf2native_int16(
1073 ldns_rr_rrsig_keytag(cur_rr->rr));
1074 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1075 if (ldns_key_keytag(ldns_key_list_key(key_list, i))
1076 == keytag) {
1078 false);
1079 }
1080 }
1081 if (prev_rr) {
1082 prev_rr->next = next_rr;
1083 } else {
1084 base_rrs = next_rr;
1085 }
1086 LDNS_FREE(cur_rr);
1087 break;
1089 if (prev_rr) {
1090 prev_rr->next = next_rr;
1091 } else {
1092 base_rrs = next_rr;
1093 }
1094 LDNS_FREE(cur_rr);
1095 break;
1096 default:
1097#ifdef STDERR_MSGS
1098 fprintf(stderr, "[XX] unknown return value from callback\n");
1099#endif
1100 break;
1101 }
1102 cur_rr = next_rr;
1103 }
1104
1105 return base_rrs;
1106}
1107
1108#ifdef HAVE_SSL
1111 ldns_rr_list *new_rrs,
1112 ldns_key_list *key_list,
1113 int (*func)(ldns_rr *, void*),
1114 void *arg)
1115{
1116 return ldns_dnssec_zone_create_rrsigs_flg(zone, new_rrs, key_list,
1117 func, arg, 0);
1118}
1119
1121static void
1122ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
1123{
1124 bool algos[256]
1125#ifndef S_SPLINT_S
1126 = { false }
1127#endif
1128 ;
1129 ldns_signing_algorithm saw_ksk = 0;
1130 ldns_key *key;
1131 size_t i;
1132
1133 if (!ldns_key_list_key_count(key_list))
1134 return;
1135
1136 /* Mark all KSKs */
1137 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1138 key = ldns_key_list_key(key_list, i);
1139 if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1140 if (!saw_ksk)
1141 saw_ksk = ldns_key_algorithm(key);
1142 algos[ldns_key_algorithm(key)] = true;
1143 }
1144 }
1145 if (!saw_ksk)
1146 return; /* No KSKs means sign using all ZSKs */
1147
1148 /* Deselect the ZSKs so they do not sign DNSKEY RRs.
1149 * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it,
1150 * but only if it has an algorithm for which there is no KSK
1151 */
1152 for (i =0; i < ldns_key_list_key_count(key_list); i++) {
1153 key = ldns_key_list_key(key_list, i);
1154 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1155 /* We have a ZSK.
1156 * Still use it if it has a unique algorithm though!
1157 */
1158 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
1159 !algos[ldns_key_algorithm(key)])
1160 algos[ldns_key_algorithm(key)] = true;
1161 else
1162 ldns_key_set_use(key, 0);
1163 }
1164 }
1165}
1166
1168static void
1169ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
1170{
1171 bool algos[256]
1172#ifndef S_SPLINT_S
1173 = { false }
1174#endif
1175 ;
1176 ldns_signing_algorithm saw_zsk = 0;
1177 ldns_key *key;
1178 size_t i;
1179
1180 if (!ldns_key_list_key_count(key_list))
1181 return;
1182
1183 /* Mark all ZSKs */
1184 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1185 key = ldns_key_list_key(key_list, i);
1186 if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1187 if (!saw_zsk)
1188 saw_zsk = ldns_key_algorithm(key);
1189 algos[ldns_key_algorithm(key)] = true;
1190 }
1191 }
1192 if (!saw_zsk)
1193 return; /* No ZSKs means sign using all KSKs */
1194
1195 /* Deselect the KSKs so they do not sign non DNSKEY RRs.
1196 * Except with the LDNS_SIGN_WITH_ALL_ALGORITHMS flag, then use it,
1197 * but only if it has an algorithm for which there is no ZSK
1198 */
1199 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1200 key = ldns_key_list_key(key_list, i);
1201 if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
1202 /* We have a KSK.
1203 * Still use it if it has a unique algorithm though!
1204 */
1205 if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
1206 !algos[ldns_key_algorithm(key)])
1207 algos[ldns_key_algorithm(key)] = true;
1208 else
1209 ldns_key_set_use(key, 0);
1210 }
1211 }
1212}
1213
1216 , ldns_rr_list *new_rrs
1217 , ldns_key_list *key_list
1218 , int (*func)(ldns_rr *, void*)
1219 , void *arg
1220 , int flags
1221 )
1222{
1223 ldns_status result = LDNS_STATUS_OK;
1224
1225 ldns_rbnode_t *cur_node;
1226 ldns_rr_list *rr_list;
1227
1228 ldns_dnssec_name *cur_name;
1229 ldns_dnssec_rrsets *cur_rrset;
1230 ldns_dnssec_rrs *cur_rr;
1231
1232 ldns_rr_list *siglist;
1233
1234 size_t i;
1235
1236 int on_delegation_point = 0; /* handle partially occluded names */
1237
1238 ldns_rr_list *pubkey_list = ldns_rr_list_new();
1239 for (i = 0; i<ldns_key_list_key_count(key_list); i++) {
1240 ldns_rr_list_push_rr( pubkey_list
1242 key_list, i))
1243 );
1244 }
1245 /* TODO: callback to see is list should be signed */
1246 /* TODO: remove 'old' signatures from signature list */
1247 cur_node = ldns_rbtree_first(zone->names);
1248 while (cur_node != LDNS_RBTREE_NULL) {
1249 cur_name = (ldns_dnssec_name *) cur_node->data;
1250
1251 if (!cur_name->is_glue) {
1252 on_delegation_point = ldns_dnssec_rrsets_contains_type(
1253 cur_name->rrsets, LDNS_RR_TYPE_NS)
1255 cur_name->rrsets, LDNS_RR_TYPE_SOA);
1256 cur_rrset = cur_name->rrsets;
1257 while (cur_rrset) {
1258 /* reset keys to use */
1259 ldns_key_list_set_use(key_list, true);
1260
1261 /* walk through old sigs, remove the old,
1262 and mark which keys (not) to use) */
1263 cur_rrset->signatures =
1265 key_list,
1266 func,
1267 arg);
1268 if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY ||
1269 cur_rrset->type == LDNS_RR_TYPE_CDNSKEY ||
1270 cur_rrset->type == LDNS_RR_TYPE_CDS) {
1271 if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) {
1272 ldns_key_list_filter_for_dnskey(key_list, flags);
1273 }
1274 } else {
1275 ldns_key_list_filter_for_non_dnskey(key_list, flags);
1276 }
1277
1278 /* TODO: just set count to zero? */
1279 rr_list = ldns_rr_list_new();
1280
1281 cur_rr = cur_rrset->rrs;
1282 while (cur_rr) {
1283 ldns_rr_list_push_rr(rr_list, cur_rr->rr);
1284 cur_rr = cur_rr->next;
1285 }
1286
1287 /* only sign non-delegation RRsets */
1288 /* (glue should have been marked earlier,
1289 * except on the delegation points itself) */
1290 if (!on_delegation_point ||
1291 ldns_rr_list_type(rr_list)
1292 == LDNS_RR_TYPE_DS ||
1293 ldns_rr_list_type(rr_list)
1294 == LDNS_RR_TYPE_NSEC ||
1295 ldns_rr_list_type(rr_list)
1296 == LDNS_RR_TYPE_NSEC3) {
1297 siglist = ldns_sign_public(rr_list, key_list);
1298 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1299 if (cur_rrset->signatures) {
1300 result = ldns_dnssec_rrs_add_rr(cur_rrset->signatures,
1301 ldns_rr_list_rr(siglist,
1302 i));
1303 } else {
1304 cur_rrset->signatures = ldns_dnssec_rrs_new();
1305 cur_rrset->signatures->rr =
1306 ldns_rr_list_rr(siglist, i);
1307 }
1308 if (new_rrs) {
1309 ldns_rr_list_push_rr(new_rrs,
1310 ldns_rr_list_rr(siglist,
1311 i));
1312 }
1313 }
1314 ldns_rr_list_free(siglist);
1315 }
1316
1317 ldns_rr_list_free(rr_list);
1318
1319 cur_rrset = cur_rrset->next;
1320 }
1321
1322 /* sign the nsec */
1323 ldns_key_list_set_use(key_list, true);
1324 cur_name->nsec_signatures =
1326 key_list,
1327 func,
1328 arg);
1329 ldns_key_list_filter_for_non_dnskey(key_list, flags);
1330
1331 rr_list = ldns_rr_list_new();
1332 ldns_rr_list_push_rr(rr_list, cur_name->nsec);
1333 siglist = ldns_sign_public(rr_list, key_list);
1334
1335 for (i = 0; i < ldns_rr_list_rr_count(siglist); i++) {
1336 if (cur_name->nsec_signatures) {
1337 result = ldns_dnssec_rrs_add_rr(cur_name->nsec_signatures,
1338 ldns_rr_list_rr(siglist, i));
1339 } else {
1341 cur_name->nsec_signatures->rr =
1342 ldns_rr_list_rr(siglist, i);
1343 }
1344 if (new_rrs) {
1345 ldns_rr_list_push_rr(new_rrs,
1346 ldns_rr_list_rr(siglist, i));
1347 }
1348 }
1349
1350 ldns_rr_list_free(siglist);
1351 ldns_rr_list_free(rr_list);
1352 }
1353 cur_node = ldns_rbtree_next(cur_node);
1354 }
1355
1356 ldns_rr_list_deep_free(pubkey_list);
1357 return result;
1358}
1359
1362 ldns_rr_list *new_rrs,
1363 ldns_key_list *key_list,
1364 int (*func)(ldns_rr *, void *),
1365 void *arg)
1366{
1367 return ldns_dnssec_zone_sign_flg(zone, new_rrs, key_list, func, arg, 0);
1368}
1369
1371 ldns_rr_list *new_rrs, ldns_key_list *key_list, int flags);
1374 ldns_rr_list *new_rrs,
1375 ldns_key_list *key_list,
1376 int (*func)(ldns_rr *, void *),
1377 void *arg,
1378 int flags)
1379{
1380 ldns_status result = LDNS_STATUS_OK;
1381 ldns_dnssec_rrsets zonemd_rrset;
1382 bool zonemd_added = false;
1383
1384 if (!zone || !new_rrs || !key_list) {
1385 return LDNS_STATUS_ERR;
1386 }
1387 if (flags & LDNS_SIGN_WITH_ZONEMD) {
1388 ldns_dnssec_rrsets **rrsets_ref = &zone->soa->rrsets;
1389
1390 while (*rrsets_ref
1391 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1392 rrsets_ref = &(*rrsets_ref)->next;
1393 if (!*rrsets_ref
1394 || (*rrsets_ref)->type > LDNS_RR_TYPE_ZONEMD) {
1395 zonemd_rrset.rrs = NULL;
1396 zonemd_rrset.type = LDNS_RR_TYPE_ZONEMD;
1397 zonemd_rrset.signatures = NULL;
1398 zonemd_rrset.next = *rrsets_ref;
1399 *rrsets_ref = &zonemd_rrset;
1400 zonemd_added = true;
1401 }
1402 }
1403 /* zone is already sorted */
1404 result = ldns_dnssec_zone_mark_glue(zone);
1405 if (result != LDNS_STATUS_OK) {
1406 return result;
1407 }
1408 /* check whether we need to add nsecs */
1409 if ((flags & LDNS_SIGN_NO_KEYS_NO_NSECS)
1410 && ldns_key_list_key_count(key_list) < 1)
1411 ; /* pass */
1412
1413 else if (zone->names
1414 && !((ldns_dnssec_name *)zone->names->root->data)->nsec) {
1415
1416 result = ldns_dnssec_zone_create_nsecs(zone, new_rrs);
1417 if (result != LDNS_STATUS_OK) {
1418 return result;
1419 }
1420 }
1422 new_rrs,
1423 key_list,
1424 func,
1425 arg,
1426 flags);
1427
1428 if (zonemd_added) {
1429 ldns_dnssec_rrsets **rrsets_ref
1430 = &zone->soa->rrsets;
1431
1432 while (*rrsets_ref
1433 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1434 rrsets_ref = &(*rrsets_ref)->next;
1435 *rrsets_ref = zonemd_rrset.next;
1436 }
1437 return flags & LDNS_SIGN_WITH_ZONEMD
1438 ? dnssec_zone_equip_zonemd(zone, new_rrs, key_list, flags)
1439 : result;
1440}
1441
1444 ldns_rr_list *new_rrs,
1445 ldns_key_list *key_list,
1446 int (*func)(ldns_rr *, void *),
1447 void *arg,
1448 uint8_t algorithm,
1449 uint8_t flags,
1450 uint16_t iterations,
1451 uint8_t salt_length,
1452 uint8_t *salt)
1453{
1454 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1455 func, arg, algorithm, flags, iterations, salt_length, salt, 0,
1456 NULL);
1457}
1458
1461 ldns_rr_list *new_rrs,
1462 ldns_key_list *key_list,
1463 int (*func)(ldns_rr *, void *),
1464 void *arg,
1465 uint8_t algorithm,
1466 uint8_t flags,
1467 uint16_t iterations,
1468 uint8_t salt_length,
1469 uint8_t *salt,
1470 int signflags,
1471 ldns_rbtree_t **map)
1472{
1473 ldns_rr *nsec3, *nsec3param;
1474 ldns_status result = LDNS_STATUS_OK;
1475 bool zonemd_added = false;
1476 ldns_dnssec_rrsets zonemd_rrset;
1477
1478 /* zone is already sorted */
1479 result = ldns_dnssec_zone_mark_glue(zone);
1480 if (result != LDNS_STATUS_OK) {
1481 return result;
1482 }
1483
1484 /* TODO if there are already nsec3s presents and their
1485 * parameters are the same as these, we don't have to recreate
1486 */
1487 if (zone->names) {
1488 /* add empty nonterminals */
1490 if (result != LDNS_STATUS_OK) {
1491 return result;
1492 }
1493
1494 nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
1495
1496 /* check whether we need to add nsecs */
1497 if ((signflags & LDNS_SIGN_NO_KEYS_NO_NSECS)
1498 && ldns_key_list_key_count(key_list) < 1)
1499 ; /* pass */
1500
1501 else if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
1502 /* no need to recreate */
1503 } else {
1505 zone->soa->name,
1507 /* create and add the nsec3param rr */
1508 nsec3param =
1510 ldns_rr_set_owner(nsec3param,
1511 ldns_rdf_clone(zone->soa->name));
1512 ldns_nsec3_add_param_rdfs(nsec3param,
1513 algorithm,
1514 flags,
1515 iterations,
1516 salt_length,
1517 salt);
1518 /* always set bit 7 of the flags to zero, according to
1519 * rfc5155 section 11. The bits are counted from right to left,
1520 * so bit 7 in rfc5155 is bit 0 in ldns */
1521 ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3param, 1)), 0, 0);
1522 result = ldns_dnssec_zone_add_rr(zone, nsec3param);
1523 if (result != LDNS_STATUS_OK) {
1524 return result;
1525 }
1526 ldns_rr_list_push_rr(new_rrs, nsec3param);
1527 }
1528 if (signflags & LDNS_SIGN_WITH_ZONEMD) {
1529 ldns_dnssec_rrsets **rrsets_ref
1530 = &zone->soa->rrsets;
1531
1532 while (*rrsets_ref
1533 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1534 rrsets_ref = &(*rrsets_ref)->next;
1535 if (!*rrsets_ref
1536 || (*rrsets_ref)->type > LDNS_RR_TYPE_ZONEMD) {
1537 zonemd_rrset.rrs = NULL;
1538 zonemd_rrset.type = LDNS_RR_TYPE_ZONEMD;
1539 zonemd_rrset.signatures = NULL;
1540 zonemd_rrset.next = *rrsets_ref;
1541 *rrsets_ref = &zonemd_rrset;
1542 zonemd_added = true;
1543 }
1544 }
1545 result = ldns_dnssec_zone_create_nsec3s_mkmap(zone,
1546 new_rrs,
1547 algorithm,
1548 flags,
1549 iterations,
1550 salt_length,
1551 salt,
1552 map);
1553 if (zonemd_added) {
1554 ldns_dnssec_rrsets **rrsets_ref
1555 = &zone->soa->rrsets;
1556
1557 while (*rrsets_ref
1558 && (*rrsets_ref)->type < LDNS_RR_TYPE_ZONEMD)
1559 rrsets_ref = &(*rrsets_ref)->next;
1560 *rrsets_ref = zonemd_rrset.next;
1561 }
1562 if (result != LDNS_STATUS_OK) {
1563 return result;
1564 }
1565 }
1566
1568 new_rrs,
1569 key_list,
1570 func,
1571 arg,
1572 signflags);
1573 }
1574 if (result || !zone->names)
1575 return result;
1576
1577 return signflags & LDNS_SIGN_WITH_ZONEMD
1578 ? dnssec_zone_equip_zonemd(zone, new_rrs, key_list, signflags)
1579 : result;
1580}
1581
1584 ldns_rr_list *new_rrs,
1585 ldns_key_list *key_list,
1586 int (*func)(ldns_rr *, void *),
1587 void *arg,
1588 uint8_t algorithm,
1589 uint8_t flags,
1590 uint16_t iterations,
1591 uint8_t salt_length,
1592 uint8_t *salt,
1593 int signflags)
1594{
1595 return ldns_dnssec_zone_sign_nsec3_flg_mkmap(zone, new_rrs, key_list,
1596 func, arg, algorithm, flags, iterations, salt_length, salt,
1597 signflags, NULL);
1598}
1599
1600ldns_zone *
1602{
1603 ldns_dnssec_zone *dnssec_zone;
1604 ldns_zone *signed_zone;
1605 ldns_rr_list *new_rrs;
1606 size_t i;
1607
1608 signed_zone = ldns_zone_new();
1609 dnssec_zone = ldns_dnssec_zone_new();
1610
1611 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1612 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1613
1614 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1615 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1617 i));
1618 ldns_zone_push_rr(signed_zone,
1620 i)));
1621 }
1622
1623 new_rrs = ldns_rr_list_new();
1624 (void) ldns_dnssec_zone_sign(dnssec_zone,
1625 new_rrs,
1626 key_list,
1628 NULL);
1629
1630 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1632 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1633 }
1634
1635 ldns_rr_list_deep_free(new_rrs);
1636 ldns_dnssec_zone_free(dnssec_zone);
1637
1638 return signed_zone;
1639}
1640
1641ldns_zone *
1642ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
1643{
1644 ldns_dnssec_zone *dnssec_zone;
1645 ldns_zone *signed_zone;
1646 ldns_rr_list *new_rrs;
1647 size_t i;
1648
1649 signed_zone = ldns_zone_new();
1650 dnssec_zone = ldns_dnssec_zone_new();
1651
1652 (void) ldns_dnssec_zone_add_rr(dnssec_zone, ldns_zone_soa(zone));
1653 ldns_zone_set_soa(signed_zone, ldns_rr_clone(ldns_zone_soa(zone)));
1654
1655 for (i = 0; i < ldns_rr_list_rr_count(ldns_zone_rrs(zone)); i++) {
1656 (void) ldns_dnssec_zone_add_rr(dnssec_zone,
1658 i));
1659 ldns_zone_push_rr(signed_zone,
1661 i)));
1662 }
1663
1664 new_rrs = ldns_rr_list_new();
1665 (void) ldns_dnssec_zone_sign_nsec3(dnssec_zone,
1666 new_rrs,
1667 key_list,
1669 NULL,
1670 algorithm,
1671 flags,
1672 iterations,
1673 salt_length,
1674 salt);
1675
1676 for (i = 0; i < ldns_rr_list_rr_count(new_rrs); i++) {
1678 ldns_rr_clone(ldns_rr_list_rr(new_rrs, i)));
1679 }
1680
1681 ldns_rr_list_deep_free(new_rrs);
1682 ldns_dnssec_zone_free(dnssec_zone);
1683
1684 return signed_zone;
1685}
1686#endif /* HAVE_SSL */
1687
1688
void ldns_buffer_free(ldns_buffer *buffer)
frees the buffer.
Definition buffer.c:137
ldns_buffer * ldns_buffer_new(size_t capacity)
creates a new buffer with the specified capacity.
Definition buffer.c:16
#define ATTR_UNUSED(x)
Definition common.h:72
#define HAVE_EVP_PKEY_GET_BASE_ID
Definition config.h:121
#define HAVE_EVP_PKEY_BASE_ID
Definition config.h:118
int ldns_dname_compare_v(const void *a, const void *b)
Given in dnssec_zone.c, also used in dnssec_sign.c:w.
int ldns_dname_is_wildcard(const ldns_rdf *dname)
Check if dname is a wildcard, starts with *.
Definition dname.c:456
signed char ldns_dname_is_subdomain(const ldns_rdf *sub, const ldns_rdf *parent)
test whether the name sub falls under parent (i.e.
Definition dname.c:296
void ldns_dname2canonical(const ldns_rdf *rdf)
Put a dname into canonical fmt - ie.
Definition dname.c:280
ldns_rdf * ldns_dname_label(const ldns_rdf *rdf, uint8_t labelpos)
look inside the rdf and if it is an LDNS_RDF_TYPE_DNAME try and retrieve a specific label.
Definition dname.c:560
uint8_t ldns_dname_label_count(const ldns_rdf *r)
count the number of labels inside a LDNS_RDF_DNAME type rdf.
Definition dname.c:214
This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).
ldns_rr * ldns_dnssec_create_nsec3(const ldns_dnssec_name *from, const ldns_dnssec_name *to, const ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Creates NSEC3.
Definition dnssec.c:869
#define LDNS_DEFAULT_EXP_TIME
Definition dnssec.h:44
void ldns_nsec3_add_param_rdfs(ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Sets all the NSEC3 options.
Definition dnssec.c:1107
#define LDNS_SIGNATURE_LEAVE_ADD_NEW
return values for the old-signature callback
Definition dnssec.h:47
#define LDNS_SIGNATURE_REMOVE_NO_ADD
Definition dnssec.h:50
int ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n)
Default callback function to always leave present signatures, and add new ones.
ldns_status ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
chains nsec3 list
Definition dnssec.c:1634
#define LDNS_SIGNATURE_REMOVE_ADD_NEW
Definition dnssec.h:49
ldns_rdf * ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig, const long sig_len, int num_bytes)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
Definition dnssec.c:1869
ldns_rr * ldns_dnssec_create_nsec(const ldns_dnssec_name *from, const ldns_dnssec_name *to, ldns_rr_type nsec_type)
Creates NSEC.
Definition dnssec.c:815
int ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
returns whether a rrset of the given type is found in the rrsets.
Definition dnssec.c:801
#define LDNS_SIGNATURE_LEAVE_NO_ADD
Definition dnssec.h:48
ldns_rdf * ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature da...
Definition dnssec.c:1746
ldns_rdf * ldns_sign_public_evp(ldns_buffer *to_sign, EVP_PKEY *key, const EVP_MD *digest_type)
Sign data with EVP (general method for different algorithms)
ldns_rr_list * ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys)
use this function to sign with a public/private key alg return the created signatures
#define LDNS_SIGN_WITH_ZONEMD
Definition dnssec_sign.c:27
ldns_zone * ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list)
Signs the zone, and returns a newly allocated signed zone.
ldns_zone * ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
Signs the zone with NSEC3, and returns a newly allocated signed zone.
ldns_status ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
Marks the names in the zone that are occluded.
ldns_status ldns_dnssec_zone_mark_and_get_glue(ldns_dnssec_zone *zone, ldns_rr_list *glue_list)
Marks the names in the zone that are occluded.
ldns_rr * ldns_create_empty_rrsig(const ldns_rr_list *rrset, const ldns_key *current_key)
Create an empty RRSIG RR (i.e.
Definition dnssec_sign.c:31
ldns_status ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
Adds NSEC3 records to the zone.
ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
signs the given zone with the given keys
ldns_status dnssec_zone_equip_zonemd(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int flags)
ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags)
signs the given zone with the given new zone, with NSEC3
ldns_rdf * ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key)
Sign a buffer with the RSA key (hash with SHA1)
ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
Adds signatures to the zone.
ldns_dnssec_rrs * ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, ATTR_UNUSED(ldns_key_list *key_list), int(*func)(ldns_rr *, void *), void *arg)
ldns_rdf * ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key)
Sign a buffer with the RSA key (hash with MD5)
ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags, ldns_rbtree_t **map)
signs the given zone with the given new zone, with NSEC3
ldns_rbnode_t * ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node)
Finds the first dnssec_name node in the rbtree that is not occluded.
ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
signs the given zone with the given keys
ldns_rdf * ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key)
Sign a buffer with the DSA key (hash with SHA1)
ldns_rdf * ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key)
Sign the buffer which contains the wiredata of an rrset, and the corresponding empty rrsig rr with th...
ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs)
Adds NSEC records to the given dnssec_zone.
ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
signs the given zone with the given new zone, with NSEC3
ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
Adds signatures to the zone.
#define LDNS_SIGN_DNSKEY_WITH_ZSK
dnssec_verify
Definition dnssec_sign.h:15
#define LDNS_SIGN_WITH_ALL_ALGORITHMS
Definition dnssec_sign.h:16
#define LDNS_SIGN_NO_KEYS_NO_NSECS
Definition dnssec_sign.h:17
ldns_dnssec_zone * ldns_dnssec_zone_new(void)
Creates a new dnssec_zone structure.
ldns_rdf * ldns_dnssec_name_name(const ldns_dnssec_name *name)
Returns the domain name of the given dnssec_name structure.
ldns_dnssec_rrs * ldns_dnssec_rrs_new(void)
Creates a new entry for 1 pointer to an rr and 1 pointer to the next rrs.
Definition dnssec_zone.c:10
ldns_status ldns_dnssec_rrs_add_rr(ldns_dnssec_rrs *rrs, ldns_rr *rr)
Adds an RR to the list of RRs.
Definition dnssec_zone.c:47
ldns_dnssec_rrsets * ldns_dnssec_zone_find_rrset(const ldns_dnssec_zone *zone, const ldns_rdf *dname, ldns_rr_type type)
Find the RRset with the given name and type in the zone.
ldns_dnssec_rrsets * ldns_dnssec_name_find_rrset(const ldns_dnssec_name *name, ldns_rr_type type)
Find the RRset with the given type in within this name structure.
ldns_status ldns_dnssec_name_add_rr(ldns_dnssec_name *name, ldns_rr *rr)
Inserts the given rr at the right place in the current dnssec_name No checking is done whether the na...
ldns_status ldns_dnssec_zone_add_rr(ldns_dnssec_zone *zone, ldns_rr *rr)
Adds the given RR to the zone.
ldns_status ldns_dnssec_zone_add_empty_nonterminals(ldns_dnssec_zone *zone)
Adds explicit dnssec_name structures for the empty nonterminals in this zone.
void ldns_dnssec_zone_free(ldns_dnssec_zone *zone)
Frees the given zone structure, and its rbtree of dnssec_names Individual ldns_rr RRs within those na...
@ LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW
Definition error.h:131
@ LDNS_STATUS_NULL
Definition error.h:51
@ LDNS_STATUS_ERR
Definition error.h:37
@ LDNS_STATUS_MEM_ERR
Definition error.h:34
@ LDNS_STATUS_OK
Definition error.h:26
enum ldns_enum_status ldns_status
Definition error.h:146
ldns_status ldns_rrsig2buffer_wire(ldns_buffer *output, const ldns_rr *sigrr)
Converts a rrsig to wireformat BUT EXCLUDE the rrsig rdata This is needed in DNSSEC verification.
Definition host2wire.c:294
ldns_status ldns_rr_list2buffer_wire(ldns_buffer *output, const ldns_rr_list *rrlist)
Copies the rr_list data to the buffer in wire format.
Definition host2wire.c:156
uint32_t ldns_key_expiration(const ldns_key *k)
return the key's expiration date
Definition keys.c:1565
void ldns_key_list_set_use(ldns_key_list *keys, signed char v)
Set the 'use' flag for all keys in the list.
void ldns_key_set_use(ldns_key *k, signed char v)
set the use flag
#define LDNS_KEY_SEP_KEY
Definition keys.h:38
EVP_PKEY * ldns_key_evp_key(const ldns_key *k)
returns the (openssl) EVP struct contained in the key
Definition keys.c:1488
enum ldns_enum_signing_algorithm ldns_signing_algorithm
Definition keys.h:110
ldns_key * ldns_key_list_key(const ldns_key_list *key, size_t nr)
returns a pointer to the key in the list at the given position
Definition keys.c:1453
uint16_t ldns_key_keytag(const ldns_key *k)
return the keytag
Definition keys.c:1571
ldns_signing_algorithm ldns_key_algorithm(const ldns_key *k)
return the signing alg of the key
Definition keys.c:1463
ldns_rr * ldns_key2rr(const ldns_key *k)
converts a ldns_key to a public key rr If the key data exists at an external point,...
Definition keys.c:1803
@ LDNS_SIGN_RSASHA1
Definition keys.h:84
@ LDNS_SIGN_ECDSAP256SHA256
Definition keys.h:95
@ LDNS_SIGN_DSA_NSEC3
Definition keys.h:92
@ LDNS_SIGN_ECC_GOST
Definition keys.h:94
@ LDNS_SIGN_ED448
Definition keys.h:101
@ LDNS_SIGN_ED25519
Definition keys.h:98
@ LDNS_SIGN_RSASHA1_NSEC3
Definition keys.h:88
@ LDNS_SIGN_ECDSAP384SHA384
Definition keys.h:96
@ LDNS_SIGN_RSAMD5
Definition keys.h:83
@ LDNS_SIGN_RSASHA512
Definition keys.h:90
@ LDNS_SIGN_DSA
Definition keys.h:86
@ LDNS_SIGN_RSASHA256
Definition keys.h:89
uint32_t ldns_key_inception(const ldns_key *k)
return the key's inception date
Definition keys.c:1559
ldns_rdf * ldns_key_pubkey_owner(const ldns_key *k)
return the public key's owner
Definition keys.c:1577
signed char ldns_key_use(const ldns_key *k)
return the use flag
Definition keys.c:1477
uint16_t ldns_key_flags(const ldns_key *k)
return the flag of the key
Definition keys.c:1553
#define LDNS_KEY_ZONE_KEY
Definition keys.h:37
size_t ldns_key_list_key_count(const ldns_key_list *key_list)
returns the number of keys in the key list
Definition keys.c:1447
Including this file will include all ldns files, and define some lookup tables.
#define LDNS_DEFAULT_TTL
Definition ldns.h:136
#define LDNS_MAX_PACKETLEN
Definition packet.h:24
void ldns_traverse_postorder(ldns_rbtree_t *tree, void(*func)(ldns_rbnode_t *, void *), void *arg)
Call function for all elements in the redblack tree, such that leaf elements are called before parent...
Definition rbtree.c:666
ldns_rbnode_t * ldns_rbtree_first(const ldns_rbtree_t *rbtree)
Returns first (smallest) node in the tree.
Definition rbtree.c:548
ldns_rbnode_t * ldns_rbtree_next(ldns_rbnode_t *rbtree)
Returns next larger node in the tree.
Definition rbtree.c:574
ldns_rbnode_t * ldns_rbtree_insert(ldns_rbtree_t *rbtree, ldns_rbnode_t *data)
Insert data into the tree.
Definition rbtree.c:242
#define LDNS_RBTREE_NULL
The nullpointer, points to empty node.
Definition rbtree.h:76
ldns_rbtree_t * ldns_rbtree_create(int(*cmpf)(const void *, const void *))
Create new tree (malloced) with given key compare function.
Definition rbtree.c:80
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
Definition rdata.c:38
ldns_rdf * ldns_rdf_clone(const ldns_rdf *rd)
clones a rdf structure.
Definition rdata.c:222
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
Definition rdata.c:193
void ldns_rdf_deep_free(ldns_rdf *rd)
frees a rdf structure and frees the data.
Definition rdata.c:230
uint32_t ldns_rdf2native_int32(const ldns_rdf *rd)
returns the native uint32_t representation from the rdf.
Definition rdata.c:98
uint16_t ldns_rdf2native_int16(const ldns_rdf *rd)
returns the native uint16_t representation from the rdf.
Definition rdata.c:84
ldns_rdf * ldns_native2rdf_int16(ldns_rdf_type type, uint16_t value)
returns the rdf containing the native uint16_t representation.
Definition rdata.c:132
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
Definition rdata.c:126
@ LDNS_RDF_TYPE_INT32
32 bits
Definition rdata.h:56
@ LDNS_RDF_TYPE_B64
b64 string
Definition rdata.h:68
@ LDNS_RDF_TYPE_TIME
time (32 bits)
Definition rdata.h:84
@ LDNS_RDF_TYPE_INT8
8 bits
Definition rdata.h:52
@ LDNS_RDF_TYPE_INT16
16 bits
Definition rdata.h:54
@ LDNS_RDF_TYPE_ALG
a key algorithm
Definition rdata.h:80
@ LDNS_RDF_TYPE_TYPE
a RR type
Definition rdata.h:74
ldns_rdf * ldns_native2rdf_int32(ldns_rdf_type type, uint32_t value)
returns an rdf that contains the given int32 value.
Definition rdata.c:147
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
Definition rdata.c:24
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
Definition rdata.c:241
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
Definition rr.c:1011
uint32_t ldns_rr_ttl(const ldns_rr *rr)
returns the ttl of an rr structure.
Definition rr.c:931
ldns_rdf * ldns_rr_pop_rdf(ldns_rr *rr)
removes a rd_field member, it will be popped from the last position.
Definition rr.c:880
void ldns_rr_list_deep_free(ldns_rr_list *rr_list)
frees an rr_list structure and all rrs contained therein.
Definition rr.c:1020
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
Definition rr.c:81
void ldns_rr_set_owner(ldns_rr *rr, ldns_rdf *owner)
sets the owner in the rr structure.
Definition rr.c:804
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
Definition rr.c:1000
ldns_rr_type ldns_rr_list_type(const ldns_rr_list *rr_list)
Returns the type of the first element of the RR If there are no elements present, 0 is returned.
Definition rr.c:2767
void ldns_rr_list_sort(ldns_rr_list *unsorted)
sorts an rr_list (canonical wire format).
Definition rr.c:1516
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
Definition rr.c:48
@ LDNS_RR_TYPE_RRSIG
DNSSEC.
Definition rr.h:170
@ LDNS_RR_TYPE_A
a host address
Definition rr.h:80
@ LDNS_RR_TYPE_ZONEMD
Definition rr.h:194
@ LDNS_RR_TYPE_DNSKEY
Definition rr.h:172
@ LDNS_RR_TYPE_SOA
marks the start of a zone of authority
Definition rr.h:90
@ LDNS_RR_TYPE_NSEC
Definition rr.h:171
@ LDNS_RR_TYPE_DNAME
RFC2672.
Definition rr.h:156
@ LDNS_RR_TYPE_DS
RFC4034, RFC3658.
Definition rr.h:164
@ LDNS_RR_TYPE_NSEC3PARAM
Definition rr.h:177
@ LDNS_RR_TYPE_NSEC3
Definition rr.h:176
@ LDNS_RR_TYPE_CDNSKEY
Definition rr.h:191
@ LDNS_RR_TYPE_AAAA
ipv6 address
Definition rr.h:134
@ LDNS_RR_TYPE_NS
an authoritative name server
Definition rr.h:82
@ LDNS_RR_TYPE_CDS
Definition rr.h:190
signed char ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
Definition rr.c:1132
void ldns_rr2canonical(ldns_rr *rr)
converts each dname in a rr to its canonical form.
Definition rr.c:1781
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
Definition rr.c:909
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
Definition rr.c:957
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
Definition rr.c:943
void ldns_rr_set_ttl(ldns_rr *rr, uint32_t ttl)
sets the ttl in the rr structure.
Definition rr.c:816
ldns_rr * ldns_rr_clone(const ldns_rr *rr)
clones a rr and all its data
Definition rr.c:1400
ldns_rr_class ldns_rr_get_class(const ldns_rr *rr)
returns the class of the rr.
Definition rr.c:949
enum ldns_enum_rr_class ldns_rr_class
Definition rr.h:61
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
Definition rr.c:990
void ldns_rr_set_class(ldns_rr *rr, ldns_rr_class rr_class)
sets the class in the rr.
Definition rr.c:834
ldns_rr_list * ldns_rr_list_clone(const ldns_rr_list *rrlist)
clones an rrlist.
Definition rr.c:1431
ldns_rdf * ldns_rr_owner(const ldns_rr *rr)
returns the owner name of an rr structure.
Definition rr.c:919
bool ldns_rr_rrsig_set_expiration(ldns_rr *r, ldns_rdf *f)
sets the expiration date of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_keytag(ldns_rr *r, ldns_rdf *f)
sets the keytag of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_algorithm(ldns_rr *r, ldns_rdf *f)
sets the algorithm of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_typecovered(ldns_rr *r, ldns_rdf *f)
sets the typecovered of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_labels(ldns_rr *r, ldns_rdf *f)
sets the number of labels of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_inception(ldns_rr *r, ldns_rdf *f)
sets the inception date of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_signame(ldns_rr *r, ldns_rdf *f)
sets the signers name of a LDNS_RR_TYPE_RRSIG rr
ldns_rdf * ldns_rr_rrsig_keytag(const ldns_rr *r)
returns the keytag of a LDNS_RR_TYPE_RRSIG RR
bool ldns_rr_rrsig_set_sig(ldns_rr *r, ldns_rdf *f)
sets the signature data of a LDNS_RR_TYPE_RRSIG rr
bool ldns_rr_rrsig_set_origttl(ldns_rr *r, ldns_rdf *f)
sets the original TTL of a LDNS_RR_TYPE_RRSIG rr
#define R(b, x)
Definition sha2.c:191
The rbnode_t struct definition.
Definition rbtree.h:60
const void * data
pointer to data
Definition rbtree.h:70
const void * key
pointer to sorting key
Definition rbtree.h:68
definition for tree struct
Definition rbtree.h:83
ldns_rbnode_t * root
The root of the red-black tree.
Definition rbtree.h:85
implementation of buffers to ease operations
Definition buffer.h:51
ldns_dnssec_rrs * nsec_signatures
signatures for the NSEC record
Definition dnssec_zone.h:71
ldns_rr * nsec
NSEC pointing to the next name (or NSEC3 pointing to the next NSEC3)
Definition dnssec_zone.h:67
ldns_rdf * hashed_name
pointer to store the hashed name (only used when in an NSEC3 zone
Definition dnssec_zone.h:85
ldns_dnssec_rrsets * rrsets
The rrsets for this name.
Definition dnssec_zone.h:63
signed char is_glue
Unlike what the name is_glue suggests, this field is set to true by ldns_dnssec_zone_mark_glue() or l...
Definition dnssec_zone.h:81
ldns_rdf * name
pointer to a dname containing the name.
Definition dnssec_zone.h:51
ldns_dnssec_rrs * next
Definition dnssec_zone.h:25
ldns_dnssec_rrs * rrs
Definition dnssec_zone.h:34
ldns_dnssec_rrs * signatures
Definition dnssec_zone.h:36
ldns_dnssec_rrsets * next
Definition dnssec_zone.h:37
Structure containing a dnssec zone.
Definition dnssec_zone.h:91
ldns_rbtree_t * hashed_names
tree of ldns_dnssec_names by nsec3 hashes (when applicable)
Definition dnssec_zone.h:97
ldns_rbtree_t * names
tree of ldns_dnssec_names
Definition dnssec_zone.h:95
ldns_dnssec_name * soa
points to the name containing the SOA RR
Definition dnssec_zone.h:93
Same as rr_list, but now for keys.
Definition keys.h:173
General key structure, can contain all types of keys that are used in DNSSEC.
Definition keys.h:122
Resource record data field.
Definition rdata.h:197
List or Set of Resource Records.
Definition rr.h:338
Resource Record.
Definition rr.h:310
DNS Zone.
Definition zone.h:43
#define LDNS_FREE(ptr)
Definition util.h:60
#define LDNS_MALLOC(type)
Memory management macros.
Definition util.h:49
void ldns_set_bit(uint8_t *byte, int bit_nr, signed char value)
sets the specified bit in the specified byte to 1 if value is true, 0 if false The bits are counted f...
Definition util.c:72
#define LDNS_XMALLOC(type, count)
Definition util.h:51
void ldns_zone_set_soa(ldns_zone *z, ldns_rr *soa)
Set the zone's soa record.
Definition zone.c:29
ldns_rr * ldns_zone_soa(const ldns_zone *z)
Return the soa record of a zone.
Definition zone.c:17
signed char ldns_zone_push_rr(ldns_zone *z, ldns_rr *rr)
push an single rr to a zone structure.
Definition zone.c:53
ldns_rr_list * ldns_zone_rrs(const ldns_zone *z)
Get a list of a zone's content.
Definition zone.c:35
ldns_zone * ldns_zone_new(void)
create a new ldns_zone structure
Definition zone.c:165