dnssec.h
Go to the documentation of this file.
1 /*
2  * dnssec.h -- defines for the Domain Name System (SEC) (DNSSEC)
3  *
4  * Copyright (c) 2005-2008, NLnet Labs. All rights reserved.
5  *
6  * See LICENSE for the license.
7  *
8  * A bunch of defines that are used in the DNS
9  */
10 
23 #ifndef LDNS_DNSSEC_H
24 #define LDNS_DNSSEC_H
25 
26 #include <ldns/common.h>
27 #if LDNS_BUILD_CONFIG_HAVE_SSL
28 #include <openssl/ssl.h>
29 #include <openssl/evp.h>
30 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
31 #include <ldns/packet.h>
32 #include <ldns/keys.h>
33 #include <ldns/zone.h>
34 #include <ldns/resolver.h>
35 #include <ldns/dnssec_zone.h>
36 
37 #ifdef __cplusplus
38 extern "C" {
39 #endif
40 
41 #define LDNS_MAX_KEYLEN 2048
42 #define LDNS_DNSSEC_KEYPROTO 3
43 /* default time before sigs expire */
44 #define LDNS_DEFAULT_EXP_TIME 2419200 /* 4 weeks */
45 
47 #define LDNS_SIGNATURE_LEAVE_ADD_NEW 0
48 #define LDNS_SIGNATURE_LEAVE_NO_ADD 1
49 #define LDNS_SIGNATURE_REMOVE_ADD_NEW 2
50 #define LDNS_SIGNATURE_REMOVE_NO_ADD 3
51 
62 ldns_rr *ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name,
63  const ldns_rr_type type,
64  const ldns_rr_list *rrs);
65 
75 ldns_rr *ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig, const ldns_rr_list *rrs);
76 
84 ldns_rdf *ldns_nsec_get_bitmap(const ldns_rr *nsec);
85 
86 
87 #define LDNS_NSEC3_MAX_ITERATIONS 65535
88 
92 ldns_rdf *
93 ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname,
94  ldns_rr_type qtype,
95  const ldns_rr_list *nsec3s);
96 
100 bool
101 ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt);
102 
107 ldns_rr_list *ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type);
108 
112 ldns_rr_list *ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type);
113 
120 uint16_t ldns_calc_keytag(const ldns_rr *key);
121 
128 uint16_t ldns_calc_keytag_raw(const uint8_t* key, size_t keysize);
129 
130 #if LDNS_BUILD_CONFIG_HAVE_SSL
137 DSA *ldns_key_buf2dsa(const ldns_buffer *key);
144 DSA *ldns_key_buf2dsa_raw(const unsigned char* key, size_t len);
145 
154 int ldns_digest_evp(const unsigned char* data, unsigned int len,
155  unsigned char* dest, const EVP_MD* md);
156 
164 EVP_PKEY* ldns_gost2pkey_raw(const unsigned char* key, size_t keylen);
165 
174 EVP_PKEY* ldns_ecdsa2pkey_raw(const unsigned char* key, size_t keylen, uint8_t algo);
175 
183 EVP_PKEY* ldns_ed255192pkey_raw(const unsigned char* key, size_t keylen);
184 
192 EVP_PKEY* ldns_ed4482pkey_raw(const unsigned char* key, size_t keylen);
193 
194 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
195 
196 #if LDNS_BUILD_CONFIG_HAVE_SSL
203 RSA *ldns_key_buf2rsa(const ldns_buffer *key);
204 
211 RSA *ldns_key_buf2rsa_raw(const unsigned char* key, size_t len);
212 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
213 
222 ldns_rr *ldns_key_rr2ds(const ldns_rr *key, ldns_hash h);
223 
227 ldns_rdf *
228 ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[],
229  size_t size,
230  ldns_rr_type nsec_type);
231 
239 int
240 ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets, ldns_rr_type type);
241 
245 ldns_rr *
246 ldns_dnssec_create_nsec(const ldns_dnssec_name *from,
247  const ldns_dnssec_name *to,
248  ldns_rr_type nsec_type);
249 
250 
254 ldns_rr *
255 ldns_dnssec_create_nsec3(const ldns_dnssec_name *from,
256  const ldns_dnssec_name *to,
257  const ldns_rdf *zone_name,
258  uint8_t algorithm,
259  uint8_t flags,
260  uint16_t iterations,
261  uint8_t salt_length,
262  const uint8_t *salt);
263 
271 ldns_rr * ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs);
272 
282 ldns_rdf *ldns_nsec3_hash_name(const ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, const uint8_t *salt);
283 
294 void ldns_nsec3_add_param_rdfs(ldns_rr *rr,
295  uint8_t algorithm,
296  uint8_t flags,
297  uint16_t iterations,
298  uint8_t salt_length,
299  const uint8_t *salt);
300 
301 /* this will NOT return the NSEC3 completed, you will have to run the
302  finalize function on the rrlist later! */
303 ldns_rr *
304 ldns_create_nsec3(const ldns_rdf *cur_owner,
305  const ldns_rdf *cur_zone,
306  const ldns_rr_list *rrs,
307  uint8_t algorithm,
308  uint8_t flags,
309  uint16_t iterations,
310  uint8_t salt_length,
311  const uint8_t *salt,
312  bool emptynonterminal);
313 
319 uint8_t ldns_nsec3_algorithm(const ldns_rr *nsec3_rr);
320 
324 uint8_t
325 ldns_nsec3_flags(const ldns_rr *nsec3_rr);
326 
332 bool ldns_nsec3_optout(const ldns_rr *nsec3_rr);
333 
339 uint16_t ldns_nsec3_iterations(const ldns_rr *nsec3_rr);
340 
346 ldns_rdf *ldns_nsec3_salt(const ldns_rr *nsec3_rr);
347 
353 uint8_t ldns_nsec3_salt_length(const ldns_rr *nsec3_rr);
354 
360 uint8_t *ldns_nsec3_salt_data(const ldns_rr *nsec3_rr);
361 
367 ldns_rdf *ldns_nsec3_next_owner(const ldns_rr *nsec3_rr);
368 
374 ldns_rdf *ldns_nsec3_bitmap(const ldns_rr *nsec3_rr);
375 
382 ldns_rdf *ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name);
383 
390 bool ldns_nsec_bitmap_covers_type(const ldns_rdf* bitmap, ldns_rr_type type);
391 
399 ldns_status ldns_nsec_bitmap_set_type(ldns_rdf* bitmap, ldns_rr_type type);
400 
408 ldns_status ldns_nsec_bitmap_clear_type(ldns_rdf* bitmap, ldns_rr_type type);
409 
420 bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name);
421 
422 #if LDNS_BUILD_CONFIG_HAVE_SSL
434 ldns_status ldns_pkt_verify(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys);
435 
448 ldns_status ldns_pkt_verify_time(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys);
449 
450 #endif
451 
455 ldns_status
456 ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs);
457 
461 int
462 qsort_rr_compare_nsec3(const void *a, const void *b);
463 
467 void
468 ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted);
469 
477 int ldns_dnssec_default_add_to_signatures(ldns_rr *sig, void *n);
485 int ldns_dnssec_default_leave_signatures(ldns_rr *sig, void *n);
493 int ldns_dnssec_default_delete_signatures(ldns_rr *sig, void *n);
501 int ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n);
502 
503 #if LDNS_BUILD_CONFIG_HAVE_SSL
512 ldns_rdf *
513 ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig,
514  const long sig_len);
515 
524 ldns_status
525 ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
526  const ldns_rdf *sig_rdf);
527 
542 ldns_rdf *
543 ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig,
544  const long sig_len, int num_bytes);
545 
555 ldns_status
556 ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer,
557  const ldns_rdf *sig_rdf);
558 
559 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
560 
561 #ifdef __cplusplus
562 }
563 #endif
564 
565 #endif /* LDNS_DNSSEC_H */
common.h
Common definitions for LDNS.
ldns_digest_evp
int ldns_digest_evp(const unsigned char *data, unsigned int len, unsigned char *dest, const EVP_MD *md)
Utility function to calculate hash using generic EVP_MD pointer.
Definition: dnssec.c:489
ldns_key_buf2rsa
RSA * ldns_key_buf2rsa(const ldns_buffer *key)
converts a buffer holding key material to a RSA key in openssl.
Definition: dnssec.c:414
ldns_nsec_get_bitmap
ldns_rdf * ldns_nsec_get_bitmap(const ldns_rr *nsec)
Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.
Definition: dnssec.c:89
ldns_ed255192pkey_raw
EVP_PKEY * ldns_ed255192pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
Definition: dnssec_verify.c:1872
ldns_dnssec_create_nsec3
ldns_rr * ldns_dnssec_create_nsec3(const ldns_dnssec_name *from, const ldns_dnssec_name *to, const ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Creates NSEC3.
Definition: dnssec.c:869
ldns_create_nsec3
ldns_rr * ldns_create_nsec3(const ldns_rdf *cur_owner, const ldns_rdf *cur_zone, const ldns_rr_list *rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt, bool emptynonterminal)
Definition: dnssec.c:1178
ldns_nsec3_iterations
uint16_t ldns_nsec3_iterations(const ldns_rr *nsec3_rr)
Returns the number of hash iterations used in the given NSEC3 RR.
Definition: dnssec.c:1292
ldns_dnssec_pkt_has_rrsigs
bool ldns_dnssec_pkt_has_rrsigs(const ldns_pkt *pkt)
Checks whether the packet contains rrsigs.
Definition: dnssec.c:204
ldns_rr_list_sort_nsec3
void ldns_rr_list_sort_nsec3(ldns_rr_list *unsorted)
sort nsec3 list
Definition: dnssec.c:1704
ldns_convert_ecdsa_rrsig_rdf2asn1
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl ...
Definition: dnssec.c:1907
ldns_convert_dsa_rrsig_asn12rdf
ldns_rdf * ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len)
Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature da...
Definition: dnssec.c:1746
ldns_dnssec_nsec3_closest_encloser
ldns_rdf * ldns_dnssec_nsec3_closest_encloser(const ldns_rdf *qname, ldns_rr_type qtype, const ldns_rr_list *nsec3s)
Returns the dname of the closest (provable) encloser.
ldns_dnssec_get_dnskey_for_rrsig
ldns_rr * ldns_dnssec_get_dnskey_for_rrsig(const ldns_rr *rrsig, const ldns_rr_list *rrs)
Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any.
Definition: dnssec.c:62
ldns_dnssec_get_rrsig_for_name_and_type
ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type(const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
Definition: dnssec.c:34
ldns_nsec3_add_param_rdfs
void ldns_nsec3_add_param_rdfs(ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Sets all the NSEC3 options.
Definition: dnssec.c:1107
ldns_convert_ecdsa_rrsig_asn1len2rdf
ldns_rdf * ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig, const long sig_len, int num_bytes)
Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as u...
Definition: dnssec.c:1869
ldns_ed4482pkey_raw
EVP_PKEY * ldns_ed4482pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
Definition: dnssec_verify.c:1910
ldns_key_buf2rsa_raw
RSA * ldns_key_buf2rsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2rsa, but uses raw buffer.
Definition: dnssec.c:421
ldns_calc_keytag_raw
uint16_t ldns_calc_keytag_raw(const uint8_t *key, size_t keysize)
Calculates keytag of DNSSEC key, operates on wireformat rdata.
Definition: dnssec.c:307
ldns_calc_keytag
uint16_t ldns_calc_keytag(const ldns_rr *key)
calculates a keytag of a key for use in DNSSEC.
Definition: dnssec.c:277
ldns_nsec3_salt_length
uint8_t ldns_nsec3_salt_length(const ldns_rr *nsec3_rr)
Returns the length of the salt used in the given NSEC3 RR.
Definition: dnssec.c:1318
ldns_nsec3_flags
uint8_t ldns_nsec3_flags(const ldns_rr *nsec3_rr)
Returns flags field.
Definition: dnssec.c:1273
ldns_dnssec_create_nsec
ldns_rr * ldns_dnssec_create_nsec(const ldns_dnssec_name *from, const ldns_dnssec_name *to, ldns_rr_type nsec_type)
Creates NSEC.
Definition: dnssec.c:815
ldns_dnssec_default_leave_signatures
int ldns_dnssec_default_leave_signatures(ldns_rr *sig, void *n)
Default callback function to always leave present signatures, and add no new ones for the keys of the...
ldns_gost2pkey_raw
EVP_PKEY * ldns_gost2pkey_raw(const unsigned char *key, size_t keylen)
Converts a holding buffer with key material to EVP PKEY in openssl.
ldns_nsec_bitmap_covers_type
bool ldns_nsec_bitmap_covers_type(const ldns_rdf *bitmap, ldns_rr_type type)
Check if RR type t is enumerated and set in the RR type bitmap rdf.
Definition: dnssec.c:1393
ldns_create_nsec
ldns_rr * ldns_create_nsec(ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
Create a NSEC record.
Definition: dnssec.c:958
ldns_nsec3_salt_data
uint8_t * ldns_nsec3_salt_data(const ldns_rr *nsec3_rr)
Returns the salt bytes used in the given NSEC3 RR.
Definition: dnssec.c:1329
ldns_nsec3_optout
bool ldns_nsec3_optout(const ldns_rr *nsec3_rr)
Returns true if the opt-out flag has been set in the given NSEC3 RR.
Definition: dnssec.c:1286
ldns_dnssec_default_replace_signatures
int ldns_dnssec_default_replace_signatures(ldns_rr *sig, void *n)
Default callback function to always leave present signatures, and add new ones.
ldns_dnssec_create_nsec_bitmap
ldns_rdf * ldns_dnssec_create_nsec_bitmap(ldns_rr_type rr_type_list[], size_t size, ldns_rr_type nsec_type)
Create the type bitmap for an NSEC(3) record.
Definition: dnssec.c:719
ldns_convert_dsa_rrsig_rdf2asn1
ldns_status ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format...
Definition: dnssec.c:1807
ldns_pkt_verify_time
ldns_status ldns_pkt_verify_time(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys)
verify a packet
Definition: dnssec.c:1559
ldns_dnssec_pkt_get_rrsigs_for_name_and_type
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type(const ldns_pkt *pkt, const ldns_rdf *name, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given name and type.
Definition: dnssec.c:223
ldns_nsec3_algorithm
uint8_t ldns_nsec3_algorithm(const ldns_rr *nsec3_rr)
Returns the hash algorithm used in the given NSEC3 RR.
Definition: dnssec.c:1260
ldns_nsec_bitmap_set_type
ldns_status ldns_nsec_bitmap_set_type(ldns_rdf *bitmap, ldns_rr_type type)
Checks if RR type t is enumerated in the type bitmap rdf and sets the bit.
Definition: dnssec.c:1430
ldns_nsec3_bitmap
ldns_rdf * ldns_nsec3_bitmap(const ldns_rr *nsec3_rr)
Returns the bitmap specifying the covered types of the given NSEC3 RR.
Definition: dnssec.c:1358
ldns_dnssec_default_delete_signatures
int ldns_dnssec_default_delete_signatures(ldns_rr *sig, void *n)
Default callback function to always remove present signatures, but add no new ones.
ldns_key_buf2dsa_raw
DSA * ldns_key_buf2dsa_raw(const unsigned char *key, size_t len)
Like ldns_key_buf2dsa, but uses raw buffer.
Definition: dnssec.c:344
ldns_nsec_bitmap_clear_type
ldns_status ldns_nsec_bitmap_clear_type(ldns_rdf *bitmap, ldns_rr_type type)
Checks if RR type t is enumerated in the type bitmap rdf and clears the bit.
Definition: dnssec.c:1468
ldns_nsec3_hash_name_frm_nsec3
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3(const ldns_rr *nsec, const ldns_rdf *name)
Calculates the hashed name using the parameters of the given NSEC3 RR.
Definition: dnssec.c:1368
ldns_pkt_verify
ldns_status ldns_pkt_verify(const ldns_pkt *p, ldns_rr_type t, const ldns_rdf *o, const ldns_rr_list *k, const ldns_rr_list *s, ldns_rr_list *good_keys)
verify a packet
Definition: dnssec.c:1626
ldns_key_rr2ds
ldns_rr * ldns_key_rr2ds(const ldns_rr *key, ldns_hash h)
returns a new DS rr that represents the given key rr.
Definition: dnssec.c:508
ldns_dnssec_chain_nsec3_list
ldns_status ldns_dnssec_chain_nsec3_list(ldns_rr_list *nsec3_rrs)
chains nsec3 list
Definition: dnssec.c:1634
ldns_dnssec_pkt_get_rrsigs_for_type
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type(const ldns_pkt *pkt, ldns_rr_type type)
Returns a ldns_rr_list containing the signatures covering the given type.
Definition: dnssec.c:250
ldns_nsec3_next_owner
ldns_rdf * ldns_nsec3_next_owner(const ldns_rr *nsec3_rr)
Returns the first label of the next ownername in the NSEC3 chain (ie.
Definition: dnssec.c:1348
ldns_key_buf2dsa
DSA * ldns_key_buf2dsa(const ldns_buffer *key)
converts a buffer holding key material to a DSA key in openssl.
Definition: dnssec.c:337
ldns_nsec3_salt
ldns_rdf * ldns_nsec3_salt(const ldns_rr *nsec3_rr)
Returns the salt used in the given NSEC3 RR.
Definition: dnssec.c:1306
ldns_ecdsa2pkey_raw
EVP_PKEY * ldns_ecdsa2pkey_raw(const unsigned char *key, size_t keylen, uint8_t algo)
Converts a holding buffer with key material to EVP PKEY in openssl.
Definition: dnssec_verify.c:1948
ldns_dnssec_default_add_to_signatures
int ldns_dnssec_default_add_to_signatures(ldns_rr *sig, void *n)
Default callback function to always leave present signatures, and add new ones.
ldns_nsec3_hash_name
ldns_rdf * ldns_nsec3_hash_name(const ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, const uint8_t *salt)
Calculates the hashed name using the given parameters.
Definition: dnssec.c:1008
ldns_nsec_covers_name
bool ldns_nsec_covers_name(const ldns_rr *nsec, const ldns_rdf *name)
Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (i...
Definition: dnssec.c:1508
qsort_rr_compare_nsec3
int qsort_rr_compare_nsec3(const void *a, const void *b)
compare for nsec3 sort
Definition: dnssec.c:1687
ldns_dnssec_rrsets_contains_type
int ldns_dnssec_rrsets_contains_type(const ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
returns whether a rrset of the given type is found in the rrsets.
Definition: dnssec.c:801
dnssec_zone.h
ldns_status
enum ldns_enum_status ldns_status
Definition: error.h:146
keys.h
Addendum to dnssec.h, this module contains key and algorithm definitions and functions.
ldns_hash
enum ldns_enum_hash ldns_hash
Definition: keys.h:76
packet.h
Contains the definition of ldns_pkt and its parts, as well as functions to manipulate those.
resolver.h
Defines the ldns_resolver structure, a stub resolver that can send queries and parse answers.
ldns_rr_type
enum ldns_enum_rr_type ldns_rr_type
Definition: rr.h:243
ldns_struct_buffer
implementation of buffers to ease operations
Definition: buffer.h:51
ldns_struct_dnssec_name
Definition: dnssec_zone.h:46
ldns_struct_dnssec_rrsets
Definition: dnssec_zone.h:33
ldns_struct_pkt
DNS packet.
Definition: packet.h:235
ldns_struct_rdf
Resource record data field.
Definition: rdata.h:197
ldns_struct_rr_list
List or Set of Resource Records.
Definition: rr.h:338
ldns_struct_rr
Resource Record.
Definition: rr.h:310
zone.h
zone.h