Electroneum
#include "util/data/packed_rrset.h"
This file contains helper functions for the validator module. The functions help with NSEC checking, the different NSEC proofs for denial of existence, and proofs for presence of types.
Definition in file val_nsec.h.
uint8_t* nsec_closest_encloser(uint8_t* qname, struct ub_packed_rrset_key* nsec)
Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it). A name error must have been proven already, otherwise this will be invalid.
| qname | the name queried for. |
| nsec | the nsec RRset. |
int nsec_has_type(struct ub_packed_rrset_key* nsec, uint16_t type)
Check if type is present in the NSEC typemap.
| nsec | the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node. |
| type | type to check for, host order. |
int nsec_proves_nodata(struct ub_packed_rrset_key* nsec, struct query_info* qinfo, uint8_t** wc)
Determine if a NSEC proves the NOERROR/NODATA conditions. This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.
| nsec | the nsec record to check against. |
| qinfo | the query info. |
| wc | if the nodata is proven for a wildcard match, the wildcard closest encloser is returned, else NULL (wc is unchanged). This closest encloser must then match the nameerror given for the nextcloser of qname. |
NSEC typemap check: takes an NSEC type bitmap as argument and checks whether the given type is set in it.
| bitmap | pointer to the bitmap part of wireformat rdata. |
| len | length of the bitmap, in bytes. |
| type | the type (in host order) to check for. |
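The bitmap check described above, written out as an added example (not Unbound's or this project's code). It assumes the window-block encoding of RFC 4034 section 4.1.2; the name `bitmap_has_type` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper: returns 1 if `type` (host order) is set in an
 * NSEC type bitmap, 0 if it is absent or the bitmap is malformed. */
int bitmap_has_type(const uint8_t *bitmap, size_t len, uint16_t type)
{
    uint8_t want_window = (uint8_t)(type >> 8);   /* high byte: window number */
    uint8_t bit = (uint8_t)(type & 0xff);         /* low byte: bit in window */
    size_t byte_idx = bit / 8;
    uint8_t mask = (uint8_t)(0x80 >> (bit % 8));  /* bit 0 is the MSB */

    while (len >= 2) {                 /* window number + length octet */
        uint8_t window = bitmap[0];
        uint8_t blen = bitmap[1];
        bitmap += 2;
        len -= 2;
        if (blen == 0 || blen > 32 || blen > len)
            return 0;                  /* malformed or truncated block */
        if (window == want_window)
            return byte_idx < blen && (bitmap[byte_idx] & mask) != 0;
        if (window > want_window)
            return 0;                  /* windows come in ascending order */
        bitmap += blen;
        len -= blen;
    }
    return 0;
}

/* Constructed sample bitmap: window 0 holds A(1), MX(15), RRSIG(46),
 * NSEC(47); window 1 holds type 256. No NS(2) or DS(43) bit is set. */
static const uint8_t sample[] = {
    0x00, 0x06, 0x40, 0x01, 0x00, 0x00, 0x00, 0x03,
    0x01, 0x01, 0x80
};

int main(void)
{
    /* Exit 0 when A is present and DS is absent in the sample. */
    return !(bitmap_has_type(sample, sizeof(sample), 1) &&
             !bitmap_has_type(sample, sizeof(sample), 43));
}
```

A malformed or truncated bitmap is reported as "type absent" here; a caller that uses the result in a denial proof should reject such rdata separately, so that malformed data cannot stand in for proof that a type does not exist.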
int val_nsec_check_dlv(struct query_info* qinfo, struct reply_info* rep, uint8_t** nm, size_t* nm_len)
Determine the DLV result, what to do with NSEC DLV reply.
| qinfo | what was queried for. |
| rep | the nonpositive reply. |
| nm | dlv lookup name, to adjust for new lookup name (if needed). |
| nm_len | length of lookup name. |
enum sec_status val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve, struct query_info* qinfo, struct reply_info* rep, struct key_entry_key* kkey, time_t* proof_ttl, char** reason, struct module_qstate* qstate)
Check DS absence. There is a NODATA reply to a DS that needs checking. NSECs can prove this is not a delegation point, or successfully prove that there is no DS. Or this fails.
| env | module env for rrsig verification routines. |
| ve | validator env for rrsig verification routines. |
| qinfo | the DS queried for. |
| rep | reply received. |
| kkey | key entry to use for verification of signatures. |
| proof_ttl | if secure, the TTL of how long this proof lasts. |
| reason | string explaining why bogus. |
| qstate | qstate with region. |
int val_nsec_proves_insecuredelegation(struct ub_packed_rrset_key* nsec, struct query_info* qinfo)
Determine if an nsec proves an insecure delegation towards the qname.
| nsec | nsec rrset. |
| qinfo | what was queried for. |
int val_nsec_proves_name_error(struct ub_packed_rrset_key* nsec, uint8_t* qname)
Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
| nsec | the nsec to check. |
| qname | what was queried. |
int val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname, size_t qnamelen)
Determine if the given NSEC proves that a wildcard match does not exist.
| nsec | the nsec RRset. |
| qname | the name queried for. |
| qnamelen | length of qname. |
int val_nsec_proves_positive_wildcard(struct ub_packed_rrset_key* nsec, struct query_info* qinf, uint8_t* wc)
Determine if the given NSEC proves a positive wildcard response.
| nsec | the nsec to check. |
| qinf | what was queried. |
| wc | wildcard (without *. label). |