#include "util/data/packed_rrset.h"
Functions | |
enum sec_status | val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, uint32_t *proof_ttl) |
Check DS absence. | |
int | nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type) |
NSEC typemap check: takes an NSEC type bitmap as argument and checks whether it contains the given type. | |
int | nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type) |
Check if type is present in the NSEC typemap. | |
int | nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc) |
Determine if a NSEC proves the NOERROR/NODATA conditions. | |
int | val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname. | |
int | val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc) |
Determine if the given NSEC proves a positive wildcard response. | |
uint8_t * | nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec) |
Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it). | |
int | val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen) |
Determine if the given NSEC proves that a wildcard match does not exist. | |
int | val_nsec_check_dlv (struct query_info *qinfo, struct reply_info *rep, uint8_t **nm, size_t *nm_len) |
Determine the DLV result, what to do with NSEC DLV reply. |
These functions help with NSEC checking: the different NSEC proofs for denial of existence, and proofs for the presence of types.
enum sec_status val_nsec_prove_nodata_dsreply | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct query_info * | qinfo, | |||
struct reply_info * | rep, | |||
struct key_entry_key * | kkey, | |||
uint32_t * | proof_ttl | |||
) |
Check DS absence.
There is a NODATA reply to a DS query that needs checking. NSECs can prove this is not a delegation point, or successfully prove that there is no DS. Otherwise this fails.
env,: | module env for rrsig verification routines. | |
ve,: | validator env for rrsig verification routines. | |
qinfo,: | the DS queried for. | |
rep,: | reply received. | |
kkey,: | key entry to use for verification of signatures. | |
proof_ttl,: | if secure, the TTL of how long this proof lasts. |
References reply_info::an_numrrsets, packed_rrset_key::dname, dname_is_wild(), reply_info::ns_numrrsets, nsec_closest_encloser(), nsec_proves_nodata(), query_info::qclass, query_info::qname, query_info::qname_len, query_dname_compare(), reply_find_rrset_section_ns(), ub_packed_rrset_key::rk, rrset_get_ttl(), reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, ub_packed_rrset_ttl(), val_nsec_proves_name_error(), val_nsec_proves_no_ds(), val_verify_rrset_entry(), VERB_ALGO, and verbose().
Referenced by ds_response_to_ke().
int nsecbitmap_has_type_rdata | ( | uint8_t * | bitmap, | |
size_t | len, | |||
uint16_t | type | |||
) |
NSEC typemap check: takes an NSEC type bitmap as argument and checks whether it contains the given type.
bitmap,: | pointer to the bitmap part of wireformat rdata. | |
len,: | length of the bitmap, in bytes. | |
type,: | the type (in host order) to check for. |
Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().
int nsec_has_type | ( | struct ub_packed_rrset_key * | nsec, | |
uint16_t | type | |||
) |
Check if type is present in the NSEC typemap.
nsec,: | the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node. | |
type,: | type to check for, host order. |
References packed_rrset_data::count, dname_valid(), nsecbitmap_has_type_rdata(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.
Referenced by find_add_ds(), grab_nsec(), nsec_proves_nodata(), val_nsec_check_dlv(), val_nsec_proves_name_error(), and val_nsec_proves_no_ds().
int nsec_proves_nodata | ( | struct ub_packed_rrset_key * | nsec, | |
struct query_info * | qinfo, | |||
uint8_t ** | wc | |||
) |
Determine if a NSEC proves the NOERROR/NODATA conditions.
This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.
nsec,: | the nsec record to check against. | |
qinfo,: | the query info. | |
wc,: | if the nodata is proven for a wildcard match, the wildcard closest encloser is returned, else NULL (wc is unchanged). This closest encloser must then match the nameerror given for the nextcloser of qname. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_neg_dlvlookup(), val_nsec_prove_nodata_dsreply(), validate_cname_noanswer_response(), and validate_nodata_response().
int val_nsec_proves_name_error | ( | struct ub_packed_rrset_key * | nsec, | |
uint8_t * | qname | |||
) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
nsec,: | the nsec to check | |
qname,: | what was queried. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_strict_subdomain_c(), dname_subdomain_c(), nsec_get_next(), nsec_has_type(), query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_neg_dlvlookup(), val_nsec_check_dlv(), val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), validate_nameerror_response(), and validate_nodata_response().
int val_nsec_proves_positive_wildcard | ( | struct ub_packed_rrset_key * | nsec, | |
struct query_info * | qinf, | |||
uint8_t * | wc | |||
) |
Determine if the given NSEC proves a positive wildcard response.
nsec,: | the nsec to check | |
qinf,: | what was queried. | |
wc,: | wildcard (without *. label) |
References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().
Referenced by validate_any_response(), validate_cname_response(), and validate_positive_response().
uint8_t* nsec_closest_encloser | ( | uint8_t * | qname, | |
struct ub_packed_rrset_key * | nsec | |||
) |
Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).
A name error must already have been proven for this qname; otherwise the result is invalid.
qname,: | the name queried for. | |
nsec,: | the nsec RRset. |
References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), and validate_nodata_response().
int val_nsec_proves_no_wc | ( | struct ub_packed_rrset_key * | nsec, | |
uint8_t * | qname, | |||
size_t | qnamelen | |||
) |
Determine if the given NSEC proves that a wildcard match does not exist.
nsec,: | the nsec RRset. | |
qname,: | the name queried for. | |
qnamelen,: | length of qname. |
References dname_count_labels(), dname_remove_labels(), nsec_closest_encloser(), and val_nsec_proves_name_error().
Referenced by validate_cname_noanswer_response(), and validate_nameerror_response().
int val_nsec_check_dlv | ( | struct query_info * | qinfo, | |
struct reply_info * | rep, | |||
uint8_t ** | nm, | |||
size_t * | nm_len | |||
) |
Determine the DLV result, i.e. what to do with the NSEC DLV reply.
qinfo,: | what was queried for. | |
rep,: | the nonpositive reply. | |
nm,: | dlv lookup name, to adjust for new lookup name (if needed). | |
nm_len,: | length of lookup name. |
References reply_info::an_numrrsets, dlv_topdomain(), packed_rrset_key::dname, dname_canonical_compare(), dname_remove_label(), dname_strict_subdomain_c(), reply_info::flags, FLAGS_GET_RCODE, log_nametypeclass(), reply_info::ns_numrrsets, nsec_get_next(), nsec_has_type(), query_info::qname, ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_key::type, val_nsec_proves_name_error(), and VERB_ALGO.
Referenced by process_dlv_response().