Lines Matching defs:nsec3
1 /* $NetBSD: nsec3.c,v 1.1 2024/02/18 20:57:32 christos Exp $ */
35 #include <dns/nsec3.h>
199 dns_rdata_nsec3_t nsec3;
208 result = dns_rdata_tostruct(rdata, &nsec3, NULL);
212 for (i = 0; i < nsec3.len; i += len) {
213 INSIST(i + 2 <= nsec3.len);
214 window = nsec3.typebits[i];
215 len = nsec3.typebits[i + 1];
218 INSIST(i + len <= nsec3.len);
226 present = dns_nsec_isset(&nsec3.typebits[i],
231 dns_rdata_freestruct(&nsec3);
393 match_nsec3param(const dns_rdata_nsec3_t *nsec3,
395 if (nsec3->hash == nsec3param->hash &&
396 nsec3->iterations == nsec3param->iterations &&
397 nsec3->salt_length == nsec3param->salt_length &&
398 !memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length))
406 * Delete NSEC3 records at "name" which match "param", recording the
414 dns_rdata_nsec3_t nsec3;
443 CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
445 if (!match_nsec3param(&nsec3, nsec3param)) {
522 find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
531 CHECK(dns_rdata_tostruct(&rdata, nsec3, NULL));
533 if (match_nsec3param(nsec3, nsec3param)) {
557 dns_rdata_nsec3_t nsec3;
597 * If this is the first NSEC3 in the chain nexthash will
607 * a reference to it until we have added the NSEC3.
620 * If we are updating an existing NSEC3 then find its
624 result = find_nsec3(&nsec3, &rdataset, nsec3param);
627 flags = nsec3.flags;
629 next_length = nsec3.next_length;
631 memmove(nexthash, nsec3.next, next_length);
634 * If the NSEC3 is not for an unsecure delegation then
637 * remove the NSEC3 record or not by examining the
638 * previous NSEC3 record.
658 * Find the previous NSEC3 (if any) and update it if required.
677 result = find_nsec3(&nsec3, &rdataset, nsec3param);
689 * If we have OPTOUT set in the previous NSEC3 record
690 * we actually need to delete the NSEC3 record.
691 * Otherwise we just need to replace the NSEC3 record.
693 if (OPTOUT(nsec3.flags)) {
704 if (OPTOUT(nsec3.flags) && unsecure) {
710 old_next = nsec3.next;
711 old_length = nsec3.next_length;
714 * Delete the old previous NSEC3.
719 * Fixup the previous NSEC3.
721 nsec3.next = nexthash;
722 nsec3.next_length = (unsigned char)next_length;
725 dns_rdatatype_nsec3, &nsec3,
733 flags = nsec3.flags;
742 * Create the NSEC3 RDATA.
751 * Delete the old NSEC3 and record the change.
755 * Add the new NSEC3 and record the change.
765 * Add missing NSEC3 records for empty nodes
785 * a reference to it until we have added the NSEC3
793 result = find_nsec3(&nsec3, &rdataset, nsec3param);
805 * Find the previous NSEC3 and update it.
824 result = find_nsec3(&nsec3, &rdataset, nsec3param);
833 old_next = nsec3.next;
834 old_length = nsec3.next_length;
837 * Delete the old previous NSEC3.
842 * Fixup the previous NSEC3.
844 nsec3.next = nexthash;
845 nsec3.next_length = (unsigned char)next_length;
848 dns_rdatatype_nsec3, &nsec3,
857 flags = nsec3.flags;
867 * Create the NSEC3 RDATA for the empty node.
873 * Delete the old NSEC3 and record the change.
878 * Add the new NSEC3 and record the change.
908 * Add NSEC3 records for "name", recording the change in "diff".
909 * The existing NSEC3 records are removed.
923 * Find the NSEC3 parameters for this zone.
942 * Update each active NSEC3 chain.
1126 * Cause all NSEC3 chains to be deleted.
1195 * Private NSEC3 record length >= 6.
1253 * Find the NSEC3 parameters for this zone.
1277 * Update each active NSEC3 chain.
1308 * Update each active NSEC3 chain.
1357 * Determine whether any NSEC3 records that were associated with
1406 dns_rdata_nsec3_t nsec3;
1437 * If this is the first NSEC3 in the chain nexthash will
1467 * If we find an existing NSEC3 for this chain then save the
1470 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1472 next_length = nsec3.next_length;
1474 memmove(nexthash, nsec3.next, next_length);
1485 * Find the previous NSEC3 and update it.
1503 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1513 * Delete the old previous NSEC3.
1518 * Fixup the previous NSEC3.
1520 nsec3.next = nexthash;
1521 nsec3.next_length = (unsigned char)next_length;
1523 nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
1527 dns_rdatatype_nsec3, &nsec3,
1538 * Delete the old NSEC3 and record the change.
1543 * Delete NSEC3 records for now non active nodes.
1583 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1585 next_length = nsec3.next_length;
1587 memmove(nexthash, nsec3.next, next_length);
1613 result = find_nsec3(&nsec3, &rdataset, nsec3param);
1623 * Delete the old previous NSEC3.
1628 * Fixup the previous NSEC3.
1630 nsec3.next = nexthash;
1631 nsec3.next_length = (unsigned char)next_length;
1634 dns_rdatatype_nsec3, &nsec3,
1648 * Delete the old NSEC3 and record the change.
1687 * Find the NSEC3 parameters for this zone.
1705 * Update each active NSEC3 chain.
1739 * Update each NSEC3 chain being built.
1911 dns_rdata_nsec3_t nsec3;
1938 (*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
1944 result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
1949 (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
1955 * NSEC3 records must have two or more labels to be valid.
1962 * Strip off the NSEC3 hash to get the zone.
1995 * Only set unknown once we are sure that this NSEC3 is from
1998 if (!dns_nsec3_supportedhash(nsec3.hash)) {
2019 if (isc_buffer_usedlength(&buffer) != nsec3.next_length) {
2024 * Work out what this NSEC3 covers.
2027 scope = memcmp(owner, nsec3.next, nsec3.next_length);
2039 * If there are too many iterations reject the NSEC3 record.
2041 if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) {
2045 length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
2046 nsec3.salt, nsec3.salt_length,
2051 if (length != nsec3.next_length) {
2054 nsec3.next_length);
2069 * This NSEC3 record is from somewhere
2075 "ignoring parent NSEC3");
2080 * This NSEC3 record is from the child.
2084 "ignoring child NSEC3");
2096 "NSEC3 proves name exists (owner) "
2102 "NSEC3 proves CNAME exists");
2111 * This NSEC3 record is from somewhere higher in
2116 "ignoring parent NSEC3");
2136 "NSEC3 indicates potential closest "
2144 "NSEC3 at super-domain %s", namebuf);
2160 memcmp(hash, nsec3.next, length) < 0) ||
2162 (order > 0 || memcmp(hash, nsec3.next, length) < 0)))
2166 "NSEC3 proves "
2180 *optout = ((nsec3.flags &
2183 (*optout ? "NSEC3 indicates optout"
2184 : "NSEC3 indicates secure "