dnssec.h File Reference

This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035). More...

Go to the source code of this file.

Defines

#define LDNS_MAX_KEYLEN   2048
#define LDNS_DNSSEC_KEYPROTO   3
#define LDNS_DEFAULT_EXP_TIME   2419200
#define LDNS_SIGNATURE_LEAVE_ADD_NEW   0
 return values for the old-signature callback
#define LDNS_SIGNATURE_LEAVE_NO_ADD   1
#define LDNS_SIGNATURE_REMOVE_ADD_NEW   2
#define LDNS_SIGNATURE_REMOVE_NO_ADD   3
#define LDNS_NSEC3_MAX_ITERATIONS   65535

Functions

ldns_rrldns_dnssec_get_rrsig_for_name_and_type (const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
 Returns the first RRSIG rr that corresponds to the rrset with the given name and type.
ldns_rrldns_dnssec_get_dnskey_for_rrsig (const ldns_rr *rrsig, const ldns_rr_list *rrs)
 Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any.
ldns_rdfldns_nsec_get_bitmap (ldns_rr *nsec)
 Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.
ldns_rdfldns_dnssec_nsec3_closest_encloser (ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s)
 Returns the dname of the closest (provable) encloser.
signed char ldns_dnssec_pkt_has_rrsigs (const ldns_pkt *pkt)
 Checks whether the packet contains rrsigs.
ldns_rr_listldns_dnssec_pkt_get_rrsigs_for_name_and_type (const ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type)
 Returns a ldns_rr_list containing the signatures covering the given name and type.
ldns_rr_listldns_dnssec_pkt_get_rrsigs_for_type (const ldns_pkt *pkt, ldns_rr_type type)
 Returns a ldns_rr_list containing the signatures covering the given type.
uint16_t ldns_calc_keytag (const ldns_rr *key)
 calculates a keytag of a key for use in DNSSEC.
uint16_t ldns_calc_keytag_raw (uint8_t *key, size_t keysize)
 Calculates keytag of DNSSEC key, operates on wireformat rdata.
DSA * ldns_key_buf2dsa (ldns_buffer *key)
 converts a buffer holding key material to a DSA key in openssl.
DSA * ldns_key_buf2dsa_raw (unsigned char *key, size_t len)
 Like ldns_key_buf2dsa, but uses raw buffer.
int ldns_digest_evp (unsigned char *data, unsigned int len, unsigned char *dest, const EVP_MD *md)
 Utility function to calculate hash using generic EVP_MD pointer.
EVP_PKEY * ldns_gost2pkey_raw (unsigned char *key, size_t keylen)
 Converts a holding buffer with key material to EVP PKEY in openssl.
EVP_PKEY * ldns_ecdsa2pkey_raw (unsigned char *key, size_t keylen, uint8_t algo)
 Converts a holding buffer with key material to EVP PKEY in openssl.
RSA * ldns_key_buf2rsa (ldns_buffer *key)
 converts a buffer holding key material to a RSA key in openssl.
RSA * ldns_key_buf2rsa_raw (unsigned char *key, size_t len)
 Like ldns_key_buf2rsa, but uses raw buffer.
ldns_rrldns_key_rr2ds (const ldns_rr *key, ldns_hash h)
 returns a new DS rr that represents the given key rr.
ldns_rdfldns_dnssec_create_nsec_bitmap (ldns_rr_type rr_type_list[], size_t size, ldns_rr_type nsec_type)
 Create the type bitmap for an NSEC(3) record.
int ldns_dnssec_rrsets_contains_type (ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
 returns whether a rrset of the given type is found in the rrsets.
ldns_rrldns_dnssec_create_nsec (ldns_dnssec_name *from, ldns_dnssec_name *to, ldns_rr_type nsec_type)
 Creates NSEC.
ldns_rrldns_dnssec_create_nsec3 (ldns_dnssec_name *from, ldns_dnssec_name *to, ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Creates NSEC3.
ldns_rrldns_create_nsec (ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
 Create a NSEC record.
ldns_rdfldns_nsec3_hash_name (ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Calculates the hashed name using the given parameters.
void ldns_nsec3_add_param_rdfs (ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Sets all the NSEC3 options.
ldns_rrldns_create_nsec3 (ldns_rdf *cur_owner, ldns_rdf *cur_zone, ldns_rr_list *rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, signed char emptynonterminal)
uint8_t ldns_nsec3_algorithm (const ldns_rr *nsec3_rr)
 Returns the hash algorithm used in the given NSEC3 RR.
uint8_t ldns_nsec3_flags (const ldns_rr *nsec3_rr)
 Returns flags field.
signed char ldns_nsec3_optout (const ldns_rr *nsec3_rr)
 Returns true if the opt-out flag has been set in the given NSEC3 RR.
uint16_t ldns_nsec3_iterations (const ldns_rr *nsec3_rr)
 Returns the number of hash iterations used in the given NSEC3 RR.
ldns_rdfldns_nsec3_salt (const ldns_rr *nsec3_rr)
 Returns the salt used in the given NSEC3 RR.
uint8_t ldns_nsec3_salt_length (const ldns_rr *nsec3_rr)
 Returns the length of the salt used in the given NSEC3 RR.
uint8_t * ldns_nsec3_salt_data (const ldns_rr *nsec3_rr)
 Returns the salt bytes used in the given NSEC3 RR.
ldns_rdfldns_nsec3_next_owner (const ldns_rr *nsec3_rr)
 Returns the first label of the next ownername in the NSEC3 chain (ie.
ldns_rdfldns_nsec3_bitmap (const ldns_rr *nsec3_rr)
 Returns the bitmap specifying the covered types of the given NSEC3 RR.
ldns_rdfldns_nsec3_hash_name_frm_nsec3 (const ldns_rr *nsec, ldns_rdf *name)
 Calculates the hashed name using the parameters of the given NSEC3 RR.
signed char ldns_nsec_bitmap_covers_type (const ldns_rdf *nsec_bitmap, ldns_rr_type type)
 Checks coverage of NSEC RR type bitmap.
signed char ldns_nsec_covers_name (const ldns_rr *nsec, const ldns_rdf *name)
 Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (ie use ldns_rr2canonical and ldns_dname2canonical prior to calling this function).
ldns_status ldns_pkt_verify (ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
 verify a packet
ldns_status ldns_pkt_verify_time (ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys)
 verify a packet
ldns_status ldns_dnssec_chain_nsec3_list (ldns_rr_list *nsec3_rrs)
 chains nsec3 list
int qsort_rr_compare_nsec3 (const void *a, const void *b)
 compare for nsec3 sort
void ldns_rr_list_sort_nsec3 (ldns_rr_list *unsorted)
 sort nsec3 list
int ldns_dnssec_default_add_to_signatures (ldns_rr *sig, void *n)
 Default callback function to always leave present signatures, and add new ones.
int ldns_dnssec_default_leave_signatures (ldns_rr *sig, void *n)
 Default callback function to always leave present signatures, and add no new ones for the keys of these signatures.
int ldns_dnssec_default_delete_signatures (ldns_rr *sig, void *n)
 Default callback function to always remove present signatures, but add no new ones.
int ldns_dnssec_default_replace_signatures (ldns_rr *sig, void *n)
 Default callback function to always leave present signatures, and add new ones.
ldns_rdfldns_convert_dsa_rrsig_asn12rdf (const ldns_buffer *sig, const long sig_len)
 Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature data as used in DNS (rfc2536).
ldns_status ldns_convert_dsa_rrsig_rdf2asn1 (ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
 Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format.
ldns_rdfldns_convert_ecdsa_rrsig_asn12rdf (const ldns_buffer *sig, const long sig_len)
 Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as used in DNS This routine is only present if ldns is compiled with ecdsa support.
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1 (ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
 Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl uses it.


Detailed Description

This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).

Since those functions heavily rely op cryptographic operations, this module is dependent on openssl.

Definition in file dnssec.h.


Define Documentation

#define LDNS_MAX_KEYLEN   2048

Definition at line 41 of file dnssec.h.

#define LDNS_DNSSEC_KEYPROTO   3

Definition at line 42 of file dnssec.h.

#define LDNS_DEFAULT_EXP_TIME   2419200

Definition at line 44 of file dnssec.h.

#define LDNS_SIGNATURE_LEAVE_ADD_NEW   0

return values for the old-signature callback

Definition at line 47 of file dnssec.h.

#define LDNS_SIGNATURE_LEAVE_NO_ADD   1

Definition at line 48 of file dnssec.h.

#define LDNS_SIGNATURE_REMOVE_ADD_NEW   2

Definition at line 49 of file dnssec.h.

#define LDNS_SIGNATURE_REMOVE_NO_ADD   3

Definition at line 50 of file dnssec.h.

#define LDNS_NSEC3_MAX_ITERATIONS   65535

Definition at line 87 of file dnssec.h.


Function Documentation

ldns_rr* ldns_dnssec_get_rrsig_for_name_and_type ( const ldns_rdf name,
const ldns_rr_type  type,
const ldns_rr_list rrs 
)

Returns the first RRSIG rr that corresponds to the rrset with the given name and type.

Parameters:
[in] name The dname of the RRset covered by the RRSIG to find
[in] type The type of the RRset covered by the RRSIG to find
[in] rrs List of rrs to search in
Returns:
Pointer to the first RRsig ldns_rr found, or NULL if it is not present

Definition at line 29 of file dnssec.c.

References ldns_dname_compare(), ldns_rdf2rr_type(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rrsig_typecovered(), and LDNS_RR_TYPE_RRSIG.

ldns_rr* ldns_dnssec_get_dnskey_for_rrsig ( const ldns_rr rrsig,
const ldns_rr_list rrs 
)

Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any.

Parameters:
[in] rrsig The rrsig to find the DNSKEY for
[in] rrs The rr list to find the key in
Returns:
The DNSKEY that corresponds to the given RRSIG, or NULL if it was not found.

Definition at line 57 of file dnssec.c.

References ldns_calc_keytag(), ldns_dname_compare(), ldns_rdf2native_int16(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rrsig_keytag(), ldns_rr_rrsig_signame(), and LDNS_RR_TYPE_DNSKEY.

ldns_rdf* ldns_nsec_get_bitmap ( ldns_rr nsec  ) 

Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.

Parameters:
[in] nsec The nsec to get the covered type bitmap of
Returns:
An ldns_rdf containing the bitmap, or NULL on error

Definition at line 84 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC, and LDNS_RR_TYPE_NSEC3.

ldns_rdf* ldns_dnssec_nsec3_closest_encloser ( ldns_rdf qname,
ldns_rr_type  qtype,
ldns_rr_list nsec3s 
)

Returns the dname of the closest (provable) encloser.

signed char ldns_dnssec_pkt_has_rrsigs ( const ldns_pkt pkt  ) 

Checks whether the packet contains rrsigs.

Definition at line 198 of file dnssec.c.

References ldns_pkt_ancount(), ldns_pkt_answer(), ldns_pkt_authority(), ldns_pkt_nscount(), ldns_rr_get_type(), ldns_rr_list_rr(), and LDNS_RR_TYPE_RRSIG.

ldns_rr_list* ldns_dnssec_pkt_get_rrsigs_for_name_and_type ( const ldns_pkt pkt,
ldns_rdf name,
ldns_rr_type  type 
)

Returns a ldns_rr_list containing the signatures covering the given name and type.

Definition at line 217 of file dnssec.c.

References ldns_pkt_rr_list_by_name_and_type(), ldns_rdf_free(), ldns_rdf_new(), LDNS_RDF_SIZE_WORD, LDNS_RDF_TYPE_TYPE, ldns_rr_list_deep_free(), ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, and LDNS_SECTION_ANY_NOQUESTION.

ldns_rr_list* ldns_dnssec_pkt_get_rrsigs_for_type ( const ldns_pkt pkt,
ldns_rr_type  type 
)

Returns a ldns_rr_list containing the signatures covering the given type.

Definition at line 244 of file dnssec.c.

References ldns_pkt_rr_list_by_type(), ldns_rdf_free(), ldns_rdf_new(), LDNS_RDF_TYPE_TYPE, ldns_rr_list_deep_free(), ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, and LDNS_SECTION_ANY_NOQUESTION.

uint16_t ldns_calc_keytag ( const ldns_rr key  ) 

calculates a keytag of a key for use in DNSSEC.

Parameters:
[in] key the key as an RR to use for the calc.
Returns:
the keytag

Definition at line 271 of file dnssec.c.

References ldns_buffer_free(), ldns_buffer_new(), ldns_calc_keytag_raw(), LDNS_MIN_BUFLEN, ldns_rr_get_type(), ldns_rr_rdata2buffer_wire(), LDNS_RR_TYPE_DNSKEY, and LDNS_RR_TYPE_KEY.

uint16_t ldns_calc_keytag_raw ( uint8_t *  key,
size_t  keysize 
)

Calculates keytag of DNSSEC key, operates on wireformat rdata.

Parameters:
[in] key the key as uncompressed wireformat rdata.
[in] keysize length of key data.
Returns:
the keytag

Definition at line 301 of file dnssec.c.

References LDNS_RSAMD5.

DSA* ldns_key_buf2dsa ( ldns_buffer key  ) 

converts a buffer holding key material to a DSA key in openssl.

Parameters:
[in] key the key to convert
Returns:
a DSA * structure with the key material

Definition at line 330 of file dnssec.c.

References ldns_key_buf2dsa_raw().

DSA* ldns_key_buf2dsa_raw ( unsigned char *  key,
size_t  len 
)

Like ldns_key_buf2dsa, but uses raw buffer.

Parameters:
[in] key the uncompressed wireformat of the key.
[in] len length of key data
Returns:
a DSA * structure with the key material

Definition at line 337 of file dnssec.c.

int ldns_digest_evp ( unsigned char *  data,
unsigned int  len,
unsigned char *  dest,
const EVP_MD *  md 
)

Utility function to calculate hash using generic EVP_MD pointer.

Parameters:
[in] data the data to hash.
[in] len length of data.
[out] dest the destination of the hash, must be large enough.
[in] md the message digest to use.
Returns:
true if worked, false on failure.

Definition at line 455 of file dnssec.c.

EVP_PKEY* ldns_gost2pkey_raw ( unsigned char *  key,
size_t  keylen 
)

Converts a holding buffer with key material to EVP PKEY in openssl.

Only available if ldns was compiled with GOST.

Parameters:
[in] key data to convert
[in] keylen length of the key data
Returns:
the key or NULL on error.

EVP_PKEY* ldns_ecdsa2pkey_raw ( unsigned char *  key,
size_t  keylen,
uint8_t  algo 
)

Converts a holding buffer with key material to EVP PKEY in openssl.

Only available if ldns was compiled with ECDSA.

Parameters:
[in] key data to convert
[in] keylen length of the key data
[in] algo precise algorithm to initialize ECC group values.
Returns:
the key or NULL on error.

RSA* ldns_key_buf2rsa ( ldns_buffer key  ) 

converts a buffer holding key material to a RSA key in openssl.

Parameters:
[in] key the key to convert
Returns:
a RSA * structure with the key material

Definition at line 389 of file dnssec.c.

References ldns_key_buf2rsa_raw().

RSA* ldns_key_buf2rsa_raw ( unsigned char *  key,
size_t  len 
)

Like ldns_key_buf2rsa, but uses raw buffer.

Parameters:
[in] key the uncompressed wireformat of the key.
[in] len length of key data
Returns:
a RSA * structure with the key material

Definition at line 396 of file dnssec.c.

ldns_rr* ldns_key_rr2ds ( const ldns_rr key,
ldns_hash  h 
)

returns a new DS rr that represents the given key rr.

Parameters:
[in] *key the key to convert
[in] h the hash to use LDNS_SHA1/LDNS_SHA256
Returns:
ldns_rr* a new rr pointer to a DS

Definition at line 474 of file dnssec.c.

References ldns_buffer_free(), ldns_buffer_new(), ldns_calc_keytag(), ldns_digest_evp(), ldns_dname2canonical(), LDNS_FREE, LDNS_HASH_GOST, ldns_key_EVP_load_gost_id(), LDNS_MAX_PACKETLEN, ldns_rdf2buffer_wire(), ldns_rdf_clone(), ldns_rdf_deep_free(), ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_HEX, LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_INT8, ldns_rr_free(), ldns_rr_get_class(), ldns_rr_get_type(), ldns_rr_new(), ldns_rr_owner(), ldns_rr_push_rdf(), ldns_rr_rdata2buffer_wire(), ldns_rr_rdf(), ldns_rr_set_class(), ldns_rr_set_owner(), ldns_rr_set_ttl(), ldns_rr_set_type(), ldns_rr_ttl(), LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_DS, ldns_sha1(), LDNS_SHA1, LDNS_SHA1_DIGEST_LENGTH, ldns_sha256(), LDNS_SHA256, LDNS_SHA256_DIGEST_LENGTH, LDNS_SHA384, LDNS_STATUS_OK, and LDNS_XMALLOC.

ldns_rdf* ldns_dnssec_create_nsec_bitmap ( ldns_rr_type  rr_type_list[],
size_t  size,
ldns_rr_type  nsec_type 
)

Create the type bitmap for an NSEC(3) record.

Definition at line 658 of file dnssec.c.

References LDNS_FREE, ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_NSEC, LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, ldns_set_bit(), LDNS_XMALLOC, and LDNS_XREALLOC.

int ldns_dnssec_rrsets_contains_type ( ldns_dnssec_rrsets rrsets,
ldns_rr_type  type 
)

returns whether a rrset of the given type is found in the rrsets.

Parameters:
[in] rrsets the rrsets to be tested
[in] type the type to test for
Returns:
int 1 if the type was found, 0 otherwise.

Definition at line 757 of file dnssec.c.

References ldns_struct_dnssec_rrsets::next, and ldns_struct_dnssec_rrsets::type.

ldns_rr* ldns_dnssec_create_nsec ( ldns_dnssec_name from,
ldns_dnssec_name to,
ldns_rr_type  nsec_type 
)

Creates NSEC.

Definition at line 771 of file dnssec.c.

References ldns_dnssec_create_nsec_bitmap(), ldns_dnssec_name_name(), ldns_dnssec_rrsets_contains_type(), ldns_rdf_clone(), ldns_rr_new(), ldns_rr_push_rdf(), ldns_rr_set_owner(), ldns_rr_set_type(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_RRSIG, LDNS_RR_TYPE_SOA, ldns_struct_dnssec_rrsets::next, ldns_struct_dnssec_name::rrsets, and ldns_struct_dnssec_rrsets::type.

ldns_rr* ldns_dnssec_create_nsec3 ( ldns_dnssec_name from,
ldns_dnssec_name to,
ldns_rdf zone_name,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Creates NSEC3.

Definition at line 825 of file dnssec.c.

References ldns_struct_dnssec_name::hashed_name, ldns_dname_cat(), ldns_dnssec_create_nsec_bitmap(), ldns_dnssec_name_name(), ldns_dnssec_rrsets_contains_type(), ldns_nsec3_add_param_rdfs(), ldns_nsec3_hash_name(), ldns_rdf_clone(), ldns_rr_free(), ldns_rr_new_frm_type(), ldns_rr_owner(), ldns_rr_push_rdf(), ldns_rr_set_owner(), ldns_rr_set_rdf(), LDNS_RR_TYPE_DS, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_NSEC3, LDNS_RR_TYPE_RRSIG, LDNS_RR_TYPE_SOA, LDNS_STATUS_OK, ldns_struct_dnssec_rrsets::next, ldns_struct_dnssec_name::rrsets, and ldns_struct_dnssec_rrsets::type.

ldns_rr* ldns_create_nsec ( ldns_rdf cur_owner,
ldns_rdf next_owner,
ldns_rr_list rrs 
)

Create a NSEC record.

Parameters:
[in] cur_owner the current owner which should be taken as the starting point
[in] next_owner the rrlist which the nsec rr should point to
[in] rrs all rrs from the zone, to find all RR types of cur_owner in
Returns:
a ldns_rr with the nsec record in it

Definition at line 914 of file dnssec.c.

References ldns_dnssec_create_nsec_bitmap(), ldns_rdf_clone(), ldns_rdf_compare(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_new(), ldns_rr_owner(), ldns_rr_push_rdf(), ldns_rr_set_owner(), ldns_rr_set_type(), LDNS_RR_TYPE_NSEC, and LDNS_RR_TYPE_RRSIG.

ldns_rdf* ldns_nsec3_hash_name ( ldns_rdf name,
uint8_t  algorithm,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Calculates the hashed name using the given parameters.

Parameters:
[in] *name The owner name to calculate the hash for
[in] algorithm The hash algorithm to use
[in] iterations The number of hash iterations to use
[in] salt_length The length of the salt in bytes
[in] salt The salt to use
Returns:
The hashed owner name rdf, without the domain name

Definition at line 964 of file dnssec.c.

References ldns_b32_ntop_extended_hex(), ldns_dname2canonical(), LDNS_FREE, ldns_rdf_clone(), ldns_rdf_data(), ldns_rdf_deep_free(), ldns_rdf_print(), ldns_rdf_size(), ldns_sha1(), LDNS_SHA1, LDNS_SHA1_DIGEST_LENGTH, LDNS_STATUS_OK, ldns_str2rdf_dname(), and LDNS_XMALLOC.

void ldns_nsec3_add_param_rdfs ( ldns_rr rr,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Sets all the NSEC3 options.

The rr to set them in must be initialized with _new() and type LDNS_RR_TYPE_NSEC3

Parameters:
[in] *rr The RR to set the values in
[in] algorithm The NSEC3 hash algorithm
[in] flags The flags field
[in] iterations The number of hash iterations
[in] salt_length The length of the salt in bytes
[in] salt The salt bytes

Definition at line 1057 of file dnssec.c.

References LDNS_FREE, ldns_native2rdf_int16(), ldns_rdf_deep_free(), ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_NSEC3_SALT, ldns_rr_set_rdf(), and LDNS_XMALLOC.

ldns_rr* ldns_create_nsec3 ( ldns_rdf cur_owner,
ldns_rdf cur_zone,
ldns_rr_list rrs,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
signed char  emptynonterminal 
)

uint8_t ldns_nsec3_algorithm ( const ldns_rr nsec3_rr  ) 

Returns the hash algorithm used in the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
The algorithm identifier, or 0 on error

Definition at line 1210 of file dnssec.c.

References ldns_rdf2native_int8(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, and LDNS_RR_TYPE_NSEC3PARAM.

uint8_t ldns_nsec3_flags ( const ldns_rr nsec3_rr  ) 

Returns flags field.

Definition at line 1223 of file dnssec.c.

References ldns_rdf2native_int8(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, and LDNS_RR_TYPE_NSEC3PARAM.

signed char ldns_nsec3_optout ( const ldns_rr nsec3_rr  ) 

Returns true if the opt-out flag has been set in the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
true if the RR has type NSEC3 and the opt-out bit has been set, false otherwise

Definition at line 1236 of file dnssec.c.

References ldns_nsec3_flags(), and LDNS_NSEC3_VARS_OPTOUT_MASK.

uint16_t ldns_nsec3_iterations ( const ldns_rr nsec3_rr  ) 

Returns the number of hash iterations used in the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
The number of iterations

Definition at line 1242 of file dnssec.c.

References ldns_rdf2native_int16(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, and LDNS_RR_TYPE_NSEC3PARAM.

ldns_rdf* ldns_nsec3_salt ( const ldns_rr nsec3_rr  ) 

Returns the salt used in the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
The salt rdf, or NULL on error

Definition at line 1256 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, and LDNS_RR_TYPE_NSEC3PARAM.

uint8_t ldns_nsec3_salt_length ( const ldns_rr nsec3_rr  ) 

Returns the length of the salt used in the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
The length of the salt in bytes

Definition at line 1268 of file dnssec.c.

References ldns_nsec3_salt(), ldns_rdf_data(), and ldns_rdf_size().

uint8_t* ldns_nsec3_salt_data ( const ldns_rr nsec3_rr  ) 

Returns the salt bytes used in the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
The salt in bytes, this is alloced, so you need to free it

Definition at line 1279 of file dnssec.c.

References ldns_nsec3_salt(), ldns_rdf_data(), ldns_rdf_size(), and LDNS_XMALLOC.

ldns_rdf* ldns_nsec3_next_owner ( const ldns_rr nsec3_rr  ) 

Returns the first label of the next ownername in the NSEC3 chain (ie.

without the domain)

Parameters:
[in] nsec3_rr The RR to read from
Returns:
The first label of the next owner name in the NSEC3 chain, or NULL on error

Definition at line 1296 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), and LDNS_RR_TYPE_NSEC3.

ldns_rdf* ldns_nsec3_bitmap ( const ldns_rr nsec3_rr  ) 

Returns the bitmap specifying the covered types of the given NSEC3 RR.

Parameters:
[in] *nsec3_rr The RR to read from
Returns:
The covered type bitmap rdf

Definition at line 1306 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), and LDNS_RR_TYPE_NSEC3.

ldns_rdf* ldns_nsec3_hash_name_frm_nsec3 ( const ldns_rr nsec,
ldns_rdf name 
)

Calculates the hashed name using the parameters of the given NSEC3 RR.

Parameters:
[in] *nsec The RR to use the parameters from
[in] *name The owner name to calculate the hash for
Returns:
The hashed owner name rdf, without the domain name

Definition at line 1316 of file dnssec.c.

References LDNS_FREE, ldns_nsec3_algorithm(), ldns_nsec3_hash_name(), ldns_nsec3_iterations(), ldns_nsec3_salt_data(), and ldns_nsec3_salt_length().

signed char ldns_nsec_bitmap_covers_type ( const ldns_rdf nsec_bitmap,
ldns_rr_type  type 
)

Checks coverage of NSEC RR type bitmap.

Parameters:
[in] nsec_bitmap The NSEC bitmap rdata field to check
[in] type The type to check
Returns:
true if the NSEC RR covers the type

Definition at line 1341 of file dnssec.c.

References ldns_get_bit(), ldns_rdf_data(), and ldns_rdf_size().

signed char ldns_nsec_covers_name ( const ldns_rr nsec,
const ldns_rdf name 
)

Checks coverage of NSEC(3) RR name span Remember that nsec and name must both be in canonical form (ie use ldns_rr2canonical and ldns_dname2canonical prior to calling this function).

Parameters:
[in] nsec The NSEC RR to check
[in] name The owner dname to check, if the nsec record is a NSEC3 record, this should be the hashed name
Returns:
true if the NSEC RR covers the owner name

Definition at line 1374 of file dnssec.c.

References ldns_dname_cat(), ldns_dname_compare(), ldns_dname_left_chop(), ldns_dname_new_frm_str(), LDNS_FREE, ldns_get_errorstr_by_id(), ldns_nsec3_next_owner(), ldns_rdf2str(), ldns_rdf_clone(), ldns_rdf_deep_free(), ldns_rr_get_type(), ldns_rr_owner(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, and LDNS_STATUS_OK.

ldns_status ldns_pkt_verify ( ldns_pkt p,
ldns_rr_type  t,
ldns_rdf o,
ldns_rr_list k,
ldns_rr_list s,
ldns_rr_list good_keys 
)

verify a packet

Parameters:
[in] p the packet
[in] t the rr set type to check
[in] o the rr set name to check
[in] k list of keys
[in] s list of sigs (may be null)
[out] good_keys keys which validated the packet
Returns:
status

Definition at line 1487 of file dnssec.c.

References ldns_pkt_verify_time().

ldns_status ldns_pkt_verify_time ( ldns_pkt p,
ldns_rr_type  t,
ldns_rdf o,
ldns_rr_list k,
ldns_rr_list s,
time_t  check_time,
ldns_rr_list good_keys 
)

verify a packet

Parameters:
[in] p the packet
[in] t the rr set type to check
[in] o the rr set name to check
[in] k list of keys
[in] s list of sigs (may be null)
[in] check_time the time for which the validation is performed
[out] good_keys keys which validated the packet
Returns:
status

Definition at line 1423 of file dnssec.c.

References ldns_pkt_rr_list_by_name_and_type(), ldns_rdf_free(), ldns_rdf_new(), LDNS_RDF_TYPE_TYPE, ldns_rr_list_deep_free(), ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION, LDNS_STATUS_ERR, and ldns_verify_time().

ldns_status ldns_dnssec_chain_nsec3_list ( ldns_rr_list nsec3_rrs  ) 

chains nsec3 list

Definition at line 1495 of file dnssec.c.

References ldns_dname_label(), LDNS_FREE, ldns_rdf2str(), ldns_rdf_deep_free(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_set_rdf(), LDNS_STATUS_OK, and ldns_str2rdf_b32_ext().

int qsort_rr_compare_nsec3 ( const void *  a,
const void *  b 
)

compare for nsec3 sort

Definition at line 1548 of file dnssec.c.

References ldns_rdf_compare(), and ldns_rr_owner().

void ldns_rr_list_sort_nsec3 ( ldns_rr_list unsorted  ) 

sort nsec3 list

Definition at line 1565 of file dnssec.c.

References ldns_struct_rr_list::_rrs, ldns_rr_list_rr_count(), and qsort_rr_compare_nsec3().

int ldns_dnssec_default_add_to_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always leave present signatures, and add new ones.

Parameters:
[in] sig The signature to check for removal (unused)
[in] n Optional argument (unused)
Returns:
LDNS_SIGNATURE_LEAVE_ADD_NEW

int ldns_dnssec_default_leave_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always leave present signatures, and add no new ones for the keys of these signatures.

Parameters:
[in] sig The signature to check for removal (unused)
[in] n Optional argument (unused)
Returns:
LDNS_SIGNATURE_LEAVE_NO_ADD

int ldns_dnssec_default_delete_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always remove present signatures, but add no new ones.

Parameters:
[in] sig The signature to check for removal (unused)
[in] n Optional argument (unused)
Returns:
LDNS_SIGNATURE_REMOVE_NO_ADD

int ldns_dnssec_default_replace_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always leave present signatures, and add new ones.

Parameters:
[in] sig The signature to check for removal (unused)
[in] n Optional argument (unused)
Returns:
LDNS_SIGNATURE_REMOVE_ADD_NEW

ldns_rdf* ldns_convert_dsa_rrsig_asn12rdf ( const ldns_buffer sig,
const long  sig_len 
)

Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature data as used in DNS (rfc2536).

Parameters:
[in] sig The signature in RFC2459 format
[in] sig_len The length of the signature
Returns:
a new rdf with the signature

Definition at line 1607 of file dnssec.c.

References LDNS_FREE, ldns_rdf_new(), LDNS_RDF_TYPE_B64, and LDNS_XMALLOC.

ldns_status ldns_convert_dsa_rrsig_rdf2asn1 ( ldns_buffer target_buffer,
const ldns_rdf sig_rdf 
)

Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format.

Parameters:
[out] target_buffer buffer to place the signature data
[in] sig_rdf The signature rdf to convert
Returns:
LDNS_STATUS_OK on success, error code otherwise

Definition at line 1656 of file dnssec.c.

References ldns_buffer_reserve(), ldns_rdf_data(), ldns_rdf_size(), LDNS_STATUS_MEM_ERR, LDNS_STATUS_SSL_ERR, LDNS_STATUS_SYNTAX_RDATA_ERR, and R.

ldns_rdf* ldns_convert_ecdsa_rrsig_asn12rdf ( const ldns_buffer sig,
const long  sig_len 
)

Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as used in DNS This routine is only present if ldns is compiled with ecdsa support.

Parameters:
[in] sig The signature in ASN1 format
[in] sig_len The length of the signature
Returns:
a new rdf with the signature

ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1 ( ldns_buffer target_buffer,
const ldns_rdf sig_rdf 
)

Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl uses it.

This routine is only present if ldns is compiled with ecdsa support.

Parameters:
[out] target_buffer buffer to place the signature data in ASN1.
[in] sig_rdf The signature rdf to convert
Returns:
LDNS_STATUS_OK on success, error code otherwise


Generated on 8 Apr 2014 for ldns by  doxygen 1.4.7