1 1.1 christos /* 2 1.1 christos * validator/val_nsec.h - validator NSEC denial of existence functions. 3 1.1 christos * 4 1.1 christos * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 1.1 christos * 6 1.1 christos * This software is open source. 7 1.1 christos * 8 1.1 christos * Redistribution and use in source and binary forms, with or without 9 1.1 christos * modification, are permitted provided that the following conditions 10 1.1 christos * are met: 11 1.1 christos * 12 1.1 christos * Redistributions of source code must retain the above copyright notice, 13 1.1 christos * this list of conditions and the following disclaimer. 14 1.1 christos * 15 1.1 christos * Redistributions in binary form must reproduce the above copyright notice, 16 1.1 christos * this list of conditions and the following disclaimer in the documentation 17 1.1 christos * and/or other materials provided with the distribution. 18 1.1 christos * 19 1.1 christos * Neither the name of the NLNET LABS nor the names of its contributors may 20 1.1 christos * be used to endorse or promote products derived from this software without 21 1.1 christos * specific prior written permission. 22 1.1 christos * 23 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 1.1 christos * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 1.1 christos * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 1.1 christos * A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT 27 1.1 christos * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 1.1 christos * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 1.1 christos * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 1.1 christos * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 1.1 christos * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 1.1 christos * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 1.1 christos * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 1.1 christos */ 35 1.1 christos 36 1.1 christos /** 37 1.1 christos * \file 38 1.1 christos * 39 1.1 christos * This file contains helper functions for the validator module. 40 1.1 christos * The functions help with NSEC checking, the different NSEC proofs 41 1.1 christos * for denial of existence, and proofs for presence of types. 42 1.1 christos */ 43 1.1 christos 44 1.1 christos #ifndef VALIDATOR_VAL_NSEC_H 45 1.1 christos #define VALIDATOR_VAL_NSEC_H 46 1.1 christos #include "util/data/packed_rrset.h" 47 1.1.1.4 christos #include "sldns/rrdef.h" 48 1.1 christos struct val_env; 49 1.1 christos struct module_env; 50 1.1.1.2 christos struct module_qstate; 51 1.1 christos struct ub_packed_rrset_key; 52 1.1 christos struct reply_info; 53 1.1 christos struct query_info; 54 1.1 christos struct key_entry_key; 55 1.1 christos 56 1.1 christos /** 57 1.1 christos * Check DS absence. 58 1.1 christos * There is a NODATA reply to a DS that needs checking. 59 1.1 christos * NSECs can prove this is not a delegation point, or successfully prove 60 1.1 christos * that there is no DS. Or this fails. 61 1.1 christos * 62 1.1 christos * @param env: module env for rrsig verification routines. 63 1.1 christos * @param ve: validator env for rrsig verification routines. 64 1.1 christos * @param qinfo: the DS queried for. 
65 1.1 christos * @param rep: reply received. 66 1.1 christos * @param kkey: key entry to use for verification of signatures. 67 1.1 christos * @param proof_ttl: if secure, the TTL of how long this proof lasts. 68 1.1 christos * @param reason: string explaining why bogus. 69 1.1.1.4 christos * @param reason_bogus: relevant EDE code for validation failure. 70 1.1.1.2 christos * @param qstate: qstate with region. 71 1.1.1.5 christos * @param reasonbuf: buffer to use for fail reason string print. 72 1.1.1.5 christos * @param reasonlen: length of reasonbuf. 73 1.1 christos * @return security status. 74 1.1 christos * SECURE: proved absence of DS. 75 1.1 christos * INSECURE: proved that this was not a delegation point. 76 1.1 christos * BOGUS: crypto bad, or no absence of DS proven. 77 1.1 christos * UNCHECKED: there was no way to prove anything (no NSECs, unknown algo). 78 1.1 christos */ 79 1.1 christos enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, 80 1.1 christos struct val_env* ve, struct query_info* qinfo, 81 1.1 christos struct reply_info* rep, struct key_entry_key* kkey, 82 1.1.1.4 christos time_t* proof_ttl, char** reason, sldns_ede_code* reason_bogus, 83 1.1.1.5 christos struct module_qstate* qstate, char* reasonbuf, size_t reasonlen); 84 1.1 christos 85 1.1 christos /** 86 1.1 christos * nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. 87 1.1 christos * @param bitmap: pointer to the bitmap part of wireformat rdata. 88 1.1 christos * @param len: length of the bitmap, in bytes. 89 1.1 christos * @param type: the type (in host order) to check for. 90 1.1 christos * @return true if the type bit was set in the bitmap. false if not, or 91 1.1 christos * if the bitmap was malformed in some way. Because a malformed bitmap also yields false, a false result on its own is not a proof that the type is absent; callers should only draw that conclusion from an NSEC RRset whose signatures have been verified.
92 1.1 christos */ 93 1.1 christos int nsecbitmap_has_type_rdata(uint8_t* bitmap, size_t len, uint16_t type); 94 1.1 christos 95 1.1 christos /** 96 1.1 christos * Check if type is present in the NSEC typemap 97 1.1 christos * @param nsec: the nsec RRset. 98 1.1 christos * If there are multiple RRs, then each must have the same typemap, 99 1.1 christos * since the typemap represents the types at this domain node. 100 1.1 christos * @param type: type to check for, host order. 101 1.1 christos * @return true if present 102 1.1 christos */ 103 1.1 christos int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type); 104 1.1 christos 105 1.1 christos /** 106 1.1 christos * Determine if a NSEC proves the NOERROR/NODATA conditions. This will also 107 1.1 christos * handle the empty non-terminal (ENT) case and partially handle the 108 1.1 christos * wildcard case. If the ownername of 'nsec' is a wildcard, the validator 109 1.1 christos * must still be provided proof that qname did not directly exist and that 110 1.1 christos * the wildcard is, in fact, *.closest_encloser. 111 1.1 christos * 112 1.1 christos * @param nsec: the nsec record to check against. 113 1.1 christos * @param qinfo: the query info. 114 1.1 christos * @param wc: if the nodata is proven for a wildcard match, the wildcard 115 1.1 christos * closest encloser is returned, else NULL (wc is unchanged). 116 1.1 christos * This closest encloser must then match the nameerror given for the 117 1.1 christos * nextcloser of qname. 118 1.1 christos * @return true if NSEC proves this. 119 1.1 christos */ 120 1.1 christos int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, 121 1.1 christos struct query_info* qinfo, uint8_t** wc); 122 1.1 christos 123 1.1 christos /** 124 1.1 christos * Determine if the given NSEC proves a NameError (NXDOMAIN) for a given 125 1.1 christos * qname. 126 1.1 christos * 127 1.1 christos * @param nsec: the nsec to check 128 1.1 christos * @param qname: what was queried. 
129 1.1 christos * @return true if proven. Note: on its own this is not a complete NXDOMAIN proof; the validator must also show that no wildcard could have synthesized an answer for qname (see val_nsec_proves_no_wc()). 130 1.1 christos */ 131 1.1 christos int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, 132 1.1 christos uint8_t* qname); 133 1.1 christos 134 1.1 christos /** 135 1.1 christos * Determine if the given NSEC proves a positive wildcard response. 136 1.1 christos * @param nsec: the nsec to check 137 1.1 christos * @param qinf: what was queried. 138 1.1 christos * @param wc: wildcard (without *. label) 139 1.1 christos * @return true if proven. 140 1.1 christos */ 141 1.1 christos int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, 142 1.1 christos struct query_info* qinf, uint8_t* wc); 143 1.1 christos 144 1.1 christos /** 145 1.1 christos * Determine closest encloser of a query name and the NSEC that covers it 146 1.1 christos * (and thus disproved it). 147 1.1 christos * A name error must have been proven already, otherwise this will be invalid. 148 1.1 christos * @param qname: the name queried for. 149 1.1 christos * @param nsec: the nsec RRset. 150 1.1 christos * @return closest encloser dname or NULL on error (bad nsec RRset). 151 1.1 christos */ 152 1.1 christos uint8_t* nsec_closest_encloser(uint8_t* qname, 153 1.1 christos struct ub_packed_rrset_key* nsec); 154 1.1 christos 155 1.1 christos /** 156 1.1 christos * Determine if the given NSEC proves that a wildcard match does not exist. 157 1.1 christos * 158 1.1 christos * @param nsec: the nsec RRset. 159 1.1 christos * @param qname: the name queried for. 160 1.1 christos * @param qnamelen: length of qname. 161 1.1 christos * @return true if proven. 162 1.1 christos */ 163 1.1 christos int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, 164 1.1 christos size_t qnamelen); 165 1.1 christos 166 1.1 christos /** 167 1.1 christos * Determine if an nsec proves an insecure delegation towards the qname. 168 1.1 christos * @param nsec: nsec rrset. 169 1.1 christos * @param qinfo: what was queried for.
170 1.1 christos * @return 0 if not, 1 if an NSEC that signals an insecure delegation to 171 1.1 christos * the qname. 172 1.1 christos */ 173 1.1 christos int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, 174 1.1 christos struct query_info* qinfo); 175 1.1 christos 176 1.1 christos #endif /* VALIDATOR_VAL_NSEC_H */ 177