/* $NetBSD: nsec3_50.h,v 1.8 2025/01/26 16:25:32 christos Exp $ */

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#pragma once

/*!
 * \brief NSEC3 rdata structure and flag bits, per RFC 5155.
 */

#include <isc/iterated_hash.h>

/*%
 * In-memory form of an NSEC3 record (RFC 5155, Section 3).
 *
 * Field order is shared with the rest of lib/dns and must not change.
 * The one-octet length fields mirror the wire format, so a salt or a
 * next-hashed-owner value longer than 255 octets cannot be represented.
 * 'mctx' is presumably the memory context the pointer fields were
 * allocated from; 'len' is by elimination the size of 'typebits' --
 * confirm both against nsec3_50.c.
 *
 * NOTE(review): 'iterations' feeds isc/iterated_hash.h and, when taken
 * from the wire, is attacker-influenced CPU cost per hashed name; the
 * parser/validator, not this struct, is where it has to be capped.
 */
typedef struct dns_rdata_nsec3 {
	dns_rdatacommon_t common;
	isc_mem_t *mctx;
	dns_hash_t hash;		/* hash algorithm identifier */
	unsigned char flags;		/* OPTOUT, plus private bits below */
	dns_iterations_t iterations;	/* additional hash iterations */
	unsigned char salt_length;	/* octets in 'salt' */
	unsigned char next_length;	/* octets in 'next' */
	uint16_t len;			/* octets in 'typebits' (presumably) */
	unsigned char *salt;
	unsigned char *next;
	unsigned char *typebits;
} dns_rdata_nsec3_t;

/*
 * Standard flag (RFC 5155, Section 3.1.2.1).
 *
 * The NSEC3 interval covered by this record is Opt-Out: it may span
 * unsigned (insecure) delegations that have no NSEC3 record of their own.
 */
#define DNS_NSEC3FLAG_OPTOUT 0x01U

/*%
 * Private flags, listed in ascending bit order.
 *
 * While a zone may not legally carry a real NSEC3PARAM record (while an
 * NSEC3 chain is being built or torn down), the NSEC3PARAM data is parked
 * in the private-type record implemented in lib/dns/private.c.  That
 * record reuses the same 'flags' octet as the OPTOUT bit above, which is
 * why the private bits live in this header and must stay disjoint from
 * it.  XXX: This should be considered for refactoring.
 *
 * None of the private bits is defined by RFC 5155.  An NSEC3PARAM record
 * carrying one should never be published; if one is, RFC 5155 compliant
 * nameservers should ignore it.  NOTE(review): anything that copies
 * 'flags' from the private record into a real NSEC3/NSEC3PARAM record
 * should clear these bits itself rather than rely on peers ignoring them.
 */

/*%
 * Private: do not create an NSEC chain until the last NSEC3 chain has
 * been removed.  Normally set only while a zone moves from NSEC3-signed
 * to insecure.
 */
#define DNS_NSEC3FLAG_NONSEC 0x10U

/*%
 * Private: together with DNS_NSEC3FLAG_CREATE, defer building the NSEC3
 * chain until the zone can support one, i.e. until its DNSKEY RRset holds
 * at least one NSEC3-capable algorithm.  Without this bit the build would
 * be attempted at once, fail, and the private-type record would be
 * dropped; with it the parameters are kept until they can be used.  Once
 * the prerequisites exist the INITIAL bit is cleared and the record is
 * cleaned up as usual.
 */
#define DNS_NSEC3FLAG_INITIAL 0x20U

/*%
 * Private: the matching NSEC3 chain is to be removed once the NSEC chain
 * has been generated.  Set automatically when the last active NSEC3PARAM
 * record is removed from the zone via UPDATE.
 */
#define DNS_NSEC3FLAG_REMOVE 0x40U

/*%
 * Private: build a matching NSEC3 chain.  Cleared once the chain is
 * complete, which signals that a complete chain exists.  Set
 * automatically when an NSEC3PARAM record is added to the zone via
 * UPDATE.
 */
#define DNS_NSEC3FLAG_CREATE 0x80U