Lines Matching refs:NSEC3
2 * nsec3.c -- nsec3 handling.
10 #ifdef NSEC3
14 #include "nsec3.h"
23 /* compare nsec3 hashes in nsec3 tree */
29 if(!a->nsec3) return (b->nsec3?-1:0);
30 if(!b->nsec3) return 1;
31 if(!a->nsec3->hash_wc) return (b->nsec3->hash_wc?-1:0);
32 if(!b->nsec3->hash_wc) return 1;
33 return memcmp(a->nsec3->hash_wc->hash.hash,
34 b->nsec3->hash_wc->hash.hash, NSEC3_HASH_LEN);
37 /* compare nsec3 hashes in nsec3 wc tree */
43 if(!a->nsec3) return (b->nsec3?-1:0);
44 if(!b->nsec3) return 1;
45 if(!a->nsec3->hash_wc) return (b->nsec3->hash_wc?-1:0);
46 if(!b->nsec3->hash_wc) return 1;
47 return memcmp(a->nsec3->hash_wc->wc.hash,
48 b->nsec3->hash_wc->wc.hash, NSEC3_HASH_LEN);
51 /* compare nsec3 hashes in nsec3 ds tree */
57 if(!a->nsec3) return (b->nsec3?-1:0);
58 if(!b->nsec3) return 1;
59 if(!a->nsec3->ds_parent_hash) return (b->nsec3->ds_parent_hash?-1:0);
60 if(!b->nsec3->ds_parent_hash) return 1;
61 return memcmp(a->nsec3->ds_parent_hash->hash,
62 b->nsec3->ds_parent_hash->hash, NSEC3_HASH_LEN);
65 /* compare base32-encoded nsec3 hashes in nsec3 rr tree, they are
/* STORE_HASH(x,y): copy NSEC3_HASH_LEN bytes from y into domain->nsec3->x and
 * set the matching domain->nsec3->have_<x> flag to 1. The macro takes no
 * domain argument; it uses whatever variable named `domain` is in scope
 * where it is expanded.
 * NOTE(review): the expansion is two separate statements and is not wrapped
 * in do { ... } while(0). Under an unbraced if/else only the memmove would be
 * conditional and the flag would always be set, so call sites must keep it
 * inside braces.
 * NOTE(review): the copy length is fixed. y must point to at least
 * NSEC3_HASH_LEN readable bytes and the field x must be at least that large;
 * the macro checks neither. */
130 #define STORE_HASH(x,y) memmove(domain->nsec3->x,y,NSEC3_HASH_LEN); domain->nsec3->have_##x =1;
138 if(domain->nsec3->hash_wc) {
142 domain->nsec3->hash_wc = (nsec3_hash_wc_node_type *)
144 domain->nsec3->hash_wc->hash.node.key = NULL;
145 domain->nsec3->hash_wc->wc.node.key = NULL;
146 nsec3_hash_and_store(zone, dname, domain->nsec3->hash_wc->hash.hash);
149 nsec3_hash_and_store(zone, wcard, domain->nsec3->hash_wc->wc.hash);
156 if(domain->nsec3->ds_parent_hash) {
160 domain->nsec3->ds_parent_hash = (nsec3_hash_node_type *)
162 domain->nsec3->ds_parent_hash->node.key = NULL;
163 nsec3_hash_and_store(zone, dname, domain->nsec3->ds_parent_hash->hash);
218 log_msg(LOG_ERR, "%s NSEC3PARAM entry: hash(apex) has no NSEC3 RRset.",
233 log_msg(LOG_ERR, "%s NSEC3PARAM entry: hash(apex) NSEC3 has no SOA flag.",
351 if(domain->nsec3 && domain->nsec3->nsec3_node.key) {
353 rbnode_type* r = rbtree_previous(&domain->nsec3->nsec3_node);
406 if(walk->nsec3) {
408 walk->nsec3->nsec3_node.key = NULL;
409 walk->nsec3->nsec3_cover = NULL;
410 walk->nsec3->nsec3_wcard_child_cover = NULL;
411 walk->nsec3->nsec3_is_exact = 0;
412 if (walk->nsec3->hash_wc) {
414 walk->nsec3->hash_wc,
416 walk->nsec3->hash_wc = NULL;
420 walk->nsec3->nsec3_ds_parent_cover = NULL;
421 walk->nsec3->nsec3_ds_parent_is_exact = 0;
422 if (walk->nsec3->ds_parent_hash) {
424 walk->nsec3->ds_parent_hash,
426 walk->nsec3->ds_parent_hash = NULL;
435 /* see if domain name is part of (existing names in) the nsec3 zone */
522 /* nsec3tree is sorted by b32 encoded domain name of the NSEC3 */
561 cmp_hash_tree, domain, &domain->nsec3->hash_wc->hash.node);
563 cmp_wchash_tree, domain, &domain->nsec3->hash_wc->wc.node);
566 exact = nsec3_find_cover(zone, domain->nsec3->hash_wc->hash.hash,
567 sizeof(domain->nsec3->hash_wc->hash.hash), &result);
568 domain->nsec3->nsec3_cover = result;
570 domain->nsec3
571 else domain->nsec3->nsec3_is_exact = 0;
574 (void)nsec3_find_cover(zone, domain->nsec3->hash_wc->wc.hash,
575 sizeof(domain->nsec3->hash_wc->wc.hash), &result);
576 domain->nsec3->nsec3_wcard_child_cover = result;
591 exact = nsec3_find_cover(zone, domain->nsec3->ds_parent_hash->hash,
592 sizeof(domain->nsec3->ds_parent_hash->hash), &result);
593 domain->nsec3->nsec3_ds_parent_is_exact = exact != 0;
594 domain->nsec3->nsec3_ds_parent_cover = result;
597 cmp_dshash_tree, domain, &domain->nsec3->ds_parent_hash->node);
609 /* not NSEC3 */
623 cmp_nsec3_tree, domain, &domain->nsec3->nsec3_node);
657 VERBOSITY(1, (LOG_INFO, "nsec3 %s %d %%",
685 { memcpy(d->nsec3->hash_wc->hash.hash, hash, NSEC3_HASH_LEN); }
689 { memcpy(d->nsec3->hash_wc->wc.hash, hash, NSEC3_HASH_LEN); }
693 { memcpy(d->nsec3->ds_parent_hash->hash, hash, NSEC3_HASH_LEN); }
714 d.nsec3 = &n;
748 d.nsec3 = &n;
769 domain_type* end, domain_type* nsec3)
775 /* because the nodes are on the prehashlist, the domain->nsec3 is
783 ((domain_type*)(p->key))->nsec3->nsec3_cover = nsec3;
784 ((domain_type*)(p->key))->nsec3->nsec3_is_exact = 1;
789 ((domain_type*)(pds->key))->nsec3->
790 nsec3_ds_parent_cover = nsec3;
791 ((domain_type*)(pds->key))->nsec3->
814 ((domain_type*)(p->key))->nsec3->nsec3_cover = nsec3;
815 ((domain_type*)(p->key))->nsec3->nsec3_is_exact = 0;
819 ((domain_type*)(pwc->key))->nsec3->
820 nsec3_wcard_child_cover = nsec3;
824 ((domain_type*)(pds->key))->nsec3->
825 nsec3_ds_parent_cover = nsec3;
826 ((domain_type*)(pds->key))->nsec3->
836 /* in the hashtree, wchashtree, dshashtree walk through to next NSEC3
838 * the first domain can be is_exact. If it is the last NSEC3, also
843 * domain->nsec3 is allocated and need not be allocated here */
844 assert(domain->nsec3 && domain->nsec3->nsec3_node.key);
845 nx = rbtree_next(&domain->nsec3->nsec3_node);
847 /* process until next nsec3 */
851 /* first is root, but then comes the first nsec3 */
876 for(d = db->domains->prehash_list; d; d = d->nsec3->prehash_next) {
888 /* add the NSEC3 rrset to the query answer at the given domain */
922 snprintf(reversebuf, sizeof(reversebuf), "(no name in the zone hashes to this nsec3 record)");
925 if(walk->nsec3 && walk->nsec3->nsec3_cover == cover) {
928 walk->nsec3->nsec3_is_exact?"exact":"no_exact_hash_match");
929 if(walk->nsec3->nsec3_is_exact)
932 if(walk->nsec3 && walk->nsec3->nsec3_ds_parent_cover == cover) {
935 walk->nsec3->nsec3_ds_parent_is_exact?"exact":"no_exact_hash_match");
936 if(walk->nsec3->nsec3_ds_parent_is_exact)
944 VERBOSITY(3, (LOG_ERR, "nsec3 hash collision for name=%s hash=%s reverse=%s",
950 EDE_OTHER, "NSEC3 hash collision");
970 if(closest_encloser->nsec3 && closest_encloser->nsec3->nsec3_is_exact)
972 closest_encloser->nsec3->nsec3_cover);
992 if(domain->nsec3 && domain->nsec3->nsec3_ds_parent_is_exact) {
993 /* use NSEC3 record from above the zone cut. */
995 domain->nsec3->nsec3_ds_parent_cover);
996 } else if (!delegpt && domain->nsec3 && domain->nsec3->nsec3_is_exact
997 && nsec3_domain_part_of_zone(domain->nsec3->nsec3_cover,
1000 domain->nsec3->nsec3_cover);
1006 while(par && (!par->nsec3 || !par->nsec3->nsec3_is_exact))
1012 if(!par->nsec3) return;
1014 par->nsec3->nsec3_cover);
1016 the one below it has no exact nsec3, disprove it.
1018 if(prev_par && prev_par->nsec3) {
1020 !prev_par->nsec3->nsec3_is_exact);
1022 prev_par->nsec3->nsec3_cover);
1029 * we add the nsec3 here to complete the closest
1033 if(domain->nsec3) {
1035 domain->nsec3->nsec3_ds_parent_cover);
1053 if(original->nsec3 && original->nsec3->nsec3_is_exact)
1055 original->nsec3->nsec3_cover);
1065 /* in other words: nsec3 matching closest encloser */
1066 if(original->parent && original->parent->nsec3 &&
1067 original->parent->nsec3->nsec3_is_exact)
1069 original->parent->nsec3->nsec3_cover);
1078 /* in other words: nsec3 matching closest encloser */
1079 if(original->parent && original->parent->nsec3 &&
1080 original->parent->nsec3->nsec3_is_exact)
1082 original->parent->nsec3->nsec3_cover);
1084 /* in other words: nsec3 matching source of synthesis */
1085 if(original->nsec3)
1087 original->nsec3->nsec3_cover);
1089 else { /* add nsec3 to prove rrset does not exist */
1090 if(original->nsec3) {
1091 if(!original->nsec3->nsec3_is_exact) {
1093 while(original->parent && original->parent->nsec3 && !original->parent->nsec3->nsec3_is_exact)
1097 original->nsec3->nsec3_cover);
1098 if(!original->nsec3->nsec3_is_exact) {
1099 if(original->parent && original->parent->nsec3 && original->parent->nsec3->nsec3_is_exact)
1101 original->parent->nsec3->nsec3_cover);
1119 /* check for only NSEC3/RRSIG */
1144 /* there is a match, this has 1 RRset, which is NSEC3, but qtype is not. */
1152 /* act as if the NSEC3 domain did not exist, name error */
1155 if(query->zone->apex->nsec3 &&
1156 query->zone->apex->nsec3->nsec3_is_exact)
1158 query->zone->apex->nsec3->nsec3_cover);
1159 /* disprove the nsec3 record. */
1160 if(closest_encloser->nsec3)
1161 nsec3_add_rrset(query, answer, AUTHORITY_SECTION, closest_encloser->nsec3->nsec3_cover);
1163 if(query->zone->apex->nsec3)
1165 query->zone->apex->nsec3->nsec3_wcard_child_cover);
1168 /* wildcard and nsec3 domain clash. server failure. */
1173 EDE_OTHER, "Wildcard and NSEC3 domain clash");
1184 /* this looks like a NSEC3 domain, but is actually an empty non-terminal. */
1192 if(closest_encloser->nsec3)
1194 closest_encloser->nsec3->nsec3_wcard_child_cover);
1198 #endif /* NSEC3 */