#include "util/data/packed_rrset.h"
Functions | |
enum sec_status | val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, uint32_t *proof_ttl) |
Check DS absence. | |
int | nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type) |
nsec typemap check, takes an NSEC-type bitmap as argument, checks for type. | |
int | nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc) |
Determine if a NSEC proves the NOERROR/NODATA conditions. | |
int | val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname. | |
int | val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc) |
Determine if the given NSEC proves a positive wildcard response. | |
uint8_t * | nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec) |
Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it). | |
int | val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen) |
Determine if the given NSEC proves that a wildcard match does not exist. |
These functions help with NSEC checking: the different NSEC proofs for denial of existence, and proofs for the presence of types.
enum sec_status val_nsec_prove_nodata_dsreply | ( | struct module_env * | env, | |
struct val_env * | ve, | |||
struct query_info * | qinfo, | |||
struct reply_info * | rep, | |||
struct key_entry_key * | kkey, | |||
uint32_t * | proof_ttl | |||
) |
Check DS absence.
There is a NODATA reply to a DS query that needs checking. NSECs can prove that this is not a delegation point, or successfully prove that there is no DS; otherwise this check fails.
env: | module env for rrsig verification routines. | |
ve: | validator env for rrsig verification routines. | |
qinfo: | the DS queried for. | |
rep: | reply received. | |
kkey: | key entry to use for verification of signatures. | |
proof_ttl: | if secure, the TTL of how long this proof lasts. |
References reply_info::an_numrrsets, packed_rrset_key::dname, dname_is_wild(), reply_info::ns_numrrsets, nsec_closest_encloser(), nsec_proves_nodata(), query_info::qclass, query_info::qname, query_info::qname_len, query_dname_compare(), reply_find_rrset_section_ns(), ub_packed_rrset_key::rk, rrset_get_ttl(), reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, ub_packed_rrset_ttl(), val_nsec_proves_name_error(), val_nsec_proves_no_ds(), val_verify_rrset_entry(), VERB_ALGO, and verbose().
Referenced by ds_response_to_ke().
int nsecbitmap_has_type_rdata | ( | uint8_t * | bitmap, | |
size_t | len, | |||
uint16_t | type | |||
) |
nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
bitmap: | pointer to the bitmap part of wireformat rdata. | |
len: | length of the bitmap, in bytes. | |
type: | the type (in host order) to check for. |
Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().
int nsec_proves_nodata | ( | struct ub_packed_rrset_key * | nsec, | |
struct query_info * | qinfo, | |||
uint8_t ** | wc | |||
) |
Determine if a NSEC proves the NOERROR/NODATA conditions.
This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.
nsec: | the nsec record to check against. | |
qinfo: | the query info. | |
wc: | if the nodata is proven for a wildcard match, the wildcard closest encloser is returned in *wc; otherwise *wc is left unchanged (the caller initialises it to NULL, so it then remains NULL). This closest encloser must then match the nameerror given for the nextcloser of qname. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_prove_nodata_dsreply(), validate_cname_noanswer_response(), and validate_nodata_response().
int val_nsec_proves_name_error | ( | struct ub_packed_rrset_key * | nsec, | |
uint8_t * | qname | |||
) |
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
nsec: | the nsec to check | |
qname: | what was queried. |
References packed_rrset_key::dname, dname_canonical_compare(), dname_strict_subdomain_c(), dname_subdomain_c(), nsec_get_next(), nsec_has_type(), query_dname_compare(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), validate_nameerror_response(), and validate_nodata_response().
int val_nsec_proves_positive_wildcard | ( | struct ub_packed_rrset_key * | nsec, | |
struct query_info * | qinf, | |||
uint8_t * | wc | |||
) |
Determine if the given NSEC proves a positive wildcard response.
nsec: | the nsec to check | |
qinf: | what was queried. | |
wc: | wildcard (without the *. label) |
References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().
Referenced by validate_any_response(), validate_cname_response(), and validate_positive_response().
uint8_t* nsec_closest_encloser | ( | uint8_t * | qname, | |
struct ub_packed_rrset_key * | nsec | |||
) |
Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).
A name error must already have been proven for qname; otherwise the result of this function is invalid.
qname: | the name queried for. | |
nsec: | the nsec RRset. |
References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.
Referenced by val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), and validate_nodata_response().
int val_nsec_proves_no_wc | ( | struct ub_packed_rrset_key * | nsec, | |
uint8_t * | qname, | |||
size_t | qnamelen | |||
) |
Determine if the given NSEC proves that a wildcard match does not exist.
nsec: | the nsec RRset. | |
qname: | the name queried for. | |
qnamelen: | length of qname. |
References dname_count_labels(), dname_remove_labels(), nsec_closest_encloser(), and val_nsec_proves_name_error().
Referenced by validate_cname_noanswer_response(), and validate_nameerror_response().