Lines Matching defs:nsec3

68 #include <dns/nsec3.h>
801 * a NSEC3 chain only the non-NSEC3 nodes will be iterated. If we are
802 * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
805 * 'nsec3param' contains the parameters of the NSEC3 chain being created
811 * NSEC3 chain, a NSEC record is seen.
814 * of a NSEC3 chain, 'seen_nsec' is true. If 'delete_nsec' is true then we
3739 * Initiate adding/removing NSEC3 records belonging to the chain defined by the
3768 * If this zone is not NSEC3-capable, attempting to remove any NSEC3
3783 * adding/removing records belonging to this NSEC3 chain between
3805 * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
3850 * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
3852 * simultaneously adding and removing records for the same NSEC3 chain.
3873 * creating NSEC3 records for NSEC3 records.
3888 * NSEC3 chain. Append the structure initialized above to the
3923 * Find private-type records at the zone apex which signal that an NSEC3 chain
3962 * In order to create NSEC3 chains we need the DNSKEY RRset at zone
4005 * it can kick off adding or removing NSEC3 records.
4126 * can regenerate all the NSEC3 chains.
4134 "nsec3 test \"unknown\" hash algorithm "
4141 "unsupported nsec3 hash algorithm"
4150 "unsupported nsec3 hash "
4159 * Warn if the zone has excessive NSEC3 iterations.
4175 "no supported nsec3 hash algorithm");
7683 bool nsec3;
7721 (*seen).nsec3 = true;
7764 * Going from insecure to NSEC3.
7765 * Don't generate NSEC3 records for NSEC3 records.
7767 if (build_nsec3 && !seen.nsec3 && seen.rr) {
7775 * Don't generate NSEC records for NSEC3 records.
7777 if (build_nsec && !seen.nsec3 && !seen.nsec && seen.rr) {
8004 * Rebuild the NSEC/NSEC3 record for the origin as we no
8027 * processing status of given NSEC3 chain:
8032 * - remove all NSEC3PARAM records matching the relevant NSEC3 chain,
8035 * the relevant NSEC3 chain.
8039 * NSEC3PARAM record which matches the relevant NSEC3 chain and has the
8042 * - If given NSEC3 chain is being added, add an NSEC3PARAM record contained
8044 * 0, indicating that this NSEC3 chain is now complete for this zone.
8046 * Note that this function is called at different processing stages for NSEC3
8280 dns_rdata_nsec3_t nsec3;
8299 CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
8300 if (nsec3.hash != param->hash ||
8301 nsec3.iterations != param->iterations ||
8302 nsec3.salt_length != param->salt_length ||
8303 memcmp(nsec3.salt, param->salt, nsec3.salt_length))
8382 * Found an active NSEC3 chain.
8488 * Incrementally build and sign a new NSEC3 chain using the parameters
8598 * Generate new NSEC3 chains first.
8601 * updating the NSEC3 chain by calling dns_nsec3_addnsec3() for each of
8611 * The above is repeated until all requested NSEC3 chain changes are
8692 INSIST(!seen.nsec3);
8814 * removing an NSEC3 chain. It starts with determining whether the
8815 * zone needs to switch from NSEC3 to NSEC; if so, it first builds an
8817 * then goes on to remove NSEC3 records by iterating over all nodes
8819 * it starts removing NSEC3 records immediately. Rules for processing
8845 * of removing this NSEC3 chain.
8890 * Delete the NSEC3 records.
8938 if (!seen.rr || seen.nsec3 || seen.nsec) {
8964 * We can now remove the NSEC3 chain.
9020 * We may need to update the NSEC/NSEC3 records for the zone apex.
9084 * Add / update signatures for the NSEC3 records.
9416 * NSEC only DNSKEYs are present with NSEC3 chains.
9425 bool nseconly = false, nsec3 = false;
9438 if (nseconly && nsec3) {
9447 nsec3 = true;
9489 /* Check existing DB for NSEC3 */
9490 if (!nsec3) {
9491 CHECK(dns_nsec3_activex(db, ver, false, privatetype, &nsec3));
9495 if (!nsec3) {
9498 nsec3 = dns_kasp_nsec3(kasp);
9502 /* Refuse to allow NSEC3 with NSEC-only keys */
9503 if (nseconly && nsec3) {
9627 "wait building NSEC3 chain until "
17386 * multiple simultaneous nsec3 chains are annoyingly legal -- this
17422 * walk private type records, converting them to nsec3 parameters
17478 * Copy the remaining private records so the nsec/nsec3
17693 * the old nsec3 parameters and insert them into db
20421 * If set, transform the NSEC3 salt into human-readable form so that it can be
22884 * introduce a zone with NSEC only DNSKEYs along with NSEC3
22892 "NSEC only DNSKEYs and NSEC3 chains not "
23034 * Cause the zone to add/delete NSEC3 chains for the
23071 * Activate any NSEC3 chain updates that may have
23974 * Check whether NSEC3 chain addition or removal specified by the private-type
24023 * Do we need to look up the NSEC3 parameters?
24052 /* Update NSEC3 parameters. */
24121 * We need to remove any existing NSEC3 chains if the supplied NSEC3
24132 * We're creating an NSEC3 chain. Add the private-type record
24135 * If the zone is not currently capable of supporting an NSEC3
24139 * used later when NSEC3 becomes available.
24160 * called below in order to kick off adding/removing relevant NSEC3
24216 * otherwise the NSEC3 salt must match the requested salt value too.
24379 * the NSEC3 changes requested for the zone:
24381 * - if NSEC3 is to be disabled ("-nsec3param none"), only set the "nsec"
24384 * signal that the zone should be signed using NSEC instead of NSEC3,
24414 * First check if the requested NSEC3 parameters are already
24458 * nsec3 specific param set in
24482 "setnsec3param:nsec3 %u %u %u %u:%s",