dnssec.h File Reference

This module contains base functions for DNSSEC operations (RFC 4033 through RFC 4035). More...


Macros

#define LDNS_MAX_KEYLEN   2048
 
#define LDNS_DNSSEC_KEYPROTO   3
 
#define LDNS_DEFAULT_EXP_TIME   2419200 /* 4 weeks */
 
#define LDNS_SIGNATURE_LEAVE_ADD_NEW   0
 Return values for the old-signature callback: the callback decides whether a present signature is left or removed, and whether a new one is added. More...
 
#define LDNS_SIGNATURE_LEAVE_NO_ADD   1
 
#define LDNS_SIGNATURE_REMOVE_ADD_NEW   2
 
#define LDNS_SIGNATURE_REMOVE_NO_ADD   3
 
#define LDNS_NSEC3_MAX_ITERATIONS   65535
 

Functions

ldns_rr * ldns_dnssec_get_rrsig_for_name_and_type (const ldns_rdf *name, const ldns_rr_type type, const ldns_rr_list *rrs)
 Returns the first RRSIG rr that corresponds to the rrset with the given name and type. More...
 
ldns_rr * ldns_dnssec_get_dnskey_for_rrsig (const ldns_rr *rrsig, const ldns_rr_list *rrs)
 Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any. More...
 
ldns_rdf * ldns_nsec_get_bitmap (ldns_rr *nsec)
 Returns the rdata field that contains the bitmap of the covered types of the given NSEC record. More...
 
ldns_rdf * ldns_dnssec_nsec3_closest_encloser (ldns_rdf *qname, ldns_rr_type qtype, ldns_rr_list *nsec3s)
 Returns the dname of the closest (provable) encloser. More...
 
signed char ldns_dnssec_pkt_has_rrsigs (const ldns_pkt *pkt)
 Checks whether the packet contains rrsigs. More...
 
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_name_and_type (const ldns_pkt *pkt, ldns_rdf *name, ldns_rr_type type)
 Returns a ldns_rr_list containing the signatures covering the given name and type. More...
 
ldns_rr_list * ldns_dnssec_pkt_get_rrsigs_for_type (const ldns_pkt *pkt, ldns_rr_type type)
 Returns a ldns_rr_list containing the signatures covering the given type. More...
 
uint16_t ldns_calc_keytag (const ldns_rr *key)
 calculates a keytag of a key for use in DNSSEC. More...
 
uint16_t ldns_calc_keytag_raw (uint8_t *key, size_t keysize)
 Calculates keytag of DNSSEC key, operates on wireformat rdata. More...
 
DSA * ldns_key_buf2dsa (ldns_buffer *key)
 converts a buffer holding key material to a DSA key in openssl. More...
 
DSA * ldns_key_buf2dsa_raw (unsigned char *key, size_t len)
 Like ldns_key_buf2dsa, but uses raw buffer. More...
 
int ldns_digest_evp (unsigned char *data, unsigned int len, unsigned char *dest, const EVP_MD *md)
 Utility function to calculate hash using generic EVP_MD pointer. More...
 
EVP_PKEY * ldns_gost2pkey_raw (unsigned char *key, size_t keylen)
 Converts a holding buffer with key material to EVP PKEY in openssl. More...
 
EVP_PKEY * ldns_ecdsa2pkey_raw (unsigned char *key, size_t keylen, uint8_t algo)
 Converts a holding buffer with key material to EVP PKEY in openssl. More...
 
RSA * ldns_key_buf2rsa (ldns_buffer *key)
 converts a buffer holding key material to a RSA key in openssl. More...
 
RSA * ldns_key_buf2rsa_raw (unsigned char *key, size_t len)
 Like ldns_key_buf2rsa, but uses raw buffer. More...
 
ldns_rr * ldns_key_rr2ds (const ldns_rr *key, ldns_hash h)
 returns a new DS rr that represents the given key rr. More...
 
ldns_rdf * ldns_dnssec_create_nsec_bitmap (ldns_rr_type rr_type_list[], size_t size, ldns_rr_type nsec_type)
 Create the type bitmap for an NSEC(3) record. More...
 
int ldns_dnssec_rrsets_contains_type (ldns_dnssec_rrsets *rrsets, ldns_rr_type type)
 returns whether a rrset of the given type is found in the rrsets. More...
 
ldns_rr * ldns_dnssec_create_nsec (ldns_dnssec_name *from, ldns_dnssec_name *to, ldns_rr_type nsec_type)
 Creates NSEC. More...
 
ldns_rr * ldns_dnssec_create_nsec3 (ldns_dnssec_name *from, ldns_dnssec_name *to, ldns_rdf *zone_name, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Creates NSEC3. More...
 
ldns_rr * ldns_create_nsec (ldns_rdf *cur_owner, ldns_rdf *next_owner, ldns_rr_list *rrs)
 Create a NSEC record. More...
 
ldns_rdf * ldns_nsec3_hash_name (ldns_rdf *name, uint8_t algorithm, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Calculates the hashed name using the given parameters. More...
 
void ldns_nsec3_add_param_rdfs (ldns_rr *rr, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Sets all the NSEC3 options. More...
 
ldns_rr * ldns_create_nsec3 (ldns_rdf *cur_owner, ldns_rdf *cur_zone, ldns_rr_list *rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, signed char emptynonterminal)
 
uint8_t ldns_nsec3_algorithm (const ldns_rr *nsec3_rr)
 Returns the hash algorithm used in the given NSEC3 RR. More...
 
uint8_t ldns_nsec3_flags (const ldns_rr *nsec3_rr)
 Returns flags field. More...
 
signed char ldns_nsec3_optout (const ldns_rr *nsec3_rr)
 Returns true if the opt-out flag has been set in the given NSEC3 RR. More...
 
uint16_t ldns_nsec3_iterations (const ldns_rr *nsec3_rr)
 Returns the number of hash iterations used in the given NSEC3 RR. More...
 
ldns_rdf * ldns_nsec3_salt (const ldns_rr *nsec3_rr)
 Returns the salt used in the given NSEC3 RR. More...
 
uint8_t ldns_nsec3_salt_length (const ldns_rr *nsec3_rr)
 Returns the length of the salt used in the given NSEC3 RR. More...
 
uint8_t * ldns_nsec3_salt_data (const ldns_rr *nsec3_rr)
 Returns the salt bytes used in the given NSEC3 RR. More...
 
ldns_rdf * ldns_nsec3_next_owner (const ldns_rr *nsec3_rr)
 Returns the first label of the next owner name in the NSEC3 chain (i.e. without the domain). More...
 
ldns_rdf * ldns_nsec3_bitmap (const ldns_rr *nsec3_rr)
 Returns the bitmap specifying the covered types of the given NSEC3 RR. More...
 
ldns_rdf * ldns_nsec3_hash_name_frm_nsec3 (const ldns_rr *nsec, ldns_rdf *name)
 Calculates the hashed name using the parameters of the given NSEC3 RR. More...
 
signed char ldns_nsec_bitmap_covers_type (const ldns_rdf *nsec_bitmap, ldns_rr_type type)
 Checks coverage of NSEC RR type bitmap. More...
 
signed char ldns_nsec_covers_name (const ldns_rr *nsec, const ldns_rdf *name)
 Checks coverage of an NSEC(3) RR name span. Remember that nsec and name must both be in canonical form (i.e. use ldns_rr2canonical and ldns_dname2canonical prior to calling this function). More...
 
ldns_status ldns_pkt_verify (ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, ldns_rr_list *good_keys)
 verify a packet More...
 
ldns_status ldns_pkt_verify_time (ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_list *k, ldns_rr_list *s, time_t check_time, ldns_rr_list *good_keys)
 verify a packet More...
 
ldns_status ldns_dnssec_chain_nsec3_list (ldns_rr_list *nsec3_rrs)
 chains nsec3 list More...
 
int qsort_rr_compare_nsec3 (const void *a, const void *b)
 compare for nsec3 sort More...
 
void ldns_rr_list_sort_nsec3 (ldns_rr_list *unsorted)
 sort nsec3 list More...
 
int ldns_dnssec_default_add_to_signatures (ldns_rr *sig, void *n)
 Default callback function to always leave present signatures, and add new ones. More...
 
int ldns_dnssec_default_leave_signatures (ldns_rr *sig, void *n)
 Default callback function to always leave present signatures, and add no new ones for the keys of these signatures. More...
 
int ldns_dnssec_default_delete_signatures (ldns_rr *sig, void *n)
 Default callback function to always remove present signatures, but add no new ones. More...
 
int ldns_dnssec_default_replace_signatures (ldns_rr *sig, void *n)
 Default callback function to always leave present signatures, and add new ones. More...
 
ldns_rdf * ldns_convert_dsa_rrsig_asn12rdf (const ldns_buffer *sig, const long sig_len)
 Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature data as used in DNS (rfc2536) More...
 
ldns_status ldns_convert_dsa_rrsig_rdf2asn1 (ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
 Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format. More...
 
ldns_rdf * ldns_convert_ecdsa_rrsig_asn12rdf (const ldns_buffer *sig, const long sig_len)
 Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as used in DNS. This routine is only present if ldns is compiled with ECDSA support. More...
 
ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1 (ldns_buffer *target_buffer, const ldns_rdf *sig_rdf)
 Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl uses it. More...
 

Detailed Description

This module contains base functions for DNSSEC operations (RFC 4033 through RFC 4035).

Since these functions rely heavily on cryptographic operations, this module depends on OpenSSL.

Definition in file dnssec.h.

Macro Definition Documentation

#define LDNS_MAX_KEYLEN   2048

Definition at line 41 of file dnssec.h.

#define LDNS_DNSSEC_KEYPROTO   3

Definition at line 42 of file dnssec.h.

#define LDNS_DEFAULT_EXP_TIME   2419200 /* 4 weeks */

Definition at line 44 of file dnssec.h.

#define LDNS_SIGNATURE_LEAVE_ADD_NEW   0

return values for the old-signature callback

Definition at line 47 of file dnssec.h.

#define LDNS_SIGNATURE_LEAVE_NO_ADD   1

Definition at line 48 of file dnssec.h.

#define LDNS_SIGNATURE_REMOVE_ADD_NEW   2

Definition at line 49 of file dnssec.h.

#define LDNS_SIGNATURE_REMOVE_NO_ADD   3

Definition at line 50 of file dnssec.h.

#define LDNS_NSEC3_MAX_ITERATIONS   65535

Definition at line 87 of file dnssec.h.

Function Documentation

ldns_rr* ldns_dnssec_get_rrsig_for_name_and_type ( const ldns_rdf *name,
const ldns_rr_type  type,
const ldns_rr_list *rrs 
)

Returns the first RRSIG rr that corresponds to the rrset with the given name and type.

Parameters
[in] name — The dname of the RRset covered by the RRSIG to find
[in] type — The type of the RRset covered by the RRSIG to find
[in] rrs — List of rrs to search in
Returns
Pointer to the first RRsig ldns_rr found, or NULL if it is not present

Definition at line 29 of file dnssec.c.

References i, ldns_dname_compare(), ldns_rdf2rr_type(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rrsig_typecovered(), LDNS_RR_TYPE_RRSIG, and NULL.

ldns_rr* ldns_dnssec_get_dnskey_for_rrsig ( const ldns_rr rrsig,
const ldns_rr_list rrs 
)

Returns the DNSKEY that corresponds to the given RRSIG rr from the list, if any.

Parameters
[in]rrsigThe rrsig to find the DNSKEY for
[in]rrsThe rr list to find the key in
Returns
The DNSKEY that corresponds to the given RRSIG, or NULL if it was not found.

Definition at line 57 of file dnssec.c.

References i, ldns_calc_keytag(), ldns_dname_compare(), ldns_rdf2native_int16(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_owner(), ldns_rr_rrsig_keytag(), ldns_rr_rrsig_signame(), LDNS_RR_TYPE_DNSKEY, and NULL.

ldns_rdf* ldns_nsec_get_bitmap ( ldns_rr nsec)

Returns the rdata field that contains the bitmap of the covered types of the given NSEC record.

Parameters
[in]nsecThe nsec to get the covered type bitmap of
Returns
An ldns_rdf containing the bitmap, or NULL on error

Definition at line 84 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, and NULL.

ldns_rdf* ldns_dnssec_nsec3_closest_encloser ( ldns_rdf qname,
ldns_rr_type  qtype,
ldns_rr_list nsec3s 
)

Returns the dname of the closest (provable) encloser.

signed char ldns_dnssec_pkt_has_rrsigs ( const ldns_pkt pkt)

Checks whether the packet contains rrsigs.

Definition at line 198 of file dnssec.c.

References i, ldns_pkt_ancount(), ldns_pkt_answer(), ldns_pkt_authority(), ldns_pkt_nscount(), ldns_rr_get_type(), ldns_rr_list_rr(), and LDNS_RR_TYPE_RRSIG.

ldns_rr_list* ldns_dnssec_pkt_get_rrsigs_for_name_and_type ( const ldns_pkt pkt,
ldns_rdf name,
ldns_rr_type  type 
)

Returns a ldns_rr_list containing the signatures covering the given name and type.

Definition at line 217 of file dnssec.c.

References ldns_pkt_rr_list_by_name_and_type(), ldns_rdf_free(), ldns_rdf_new(), LDNS_RDF_SIZE_WORD, LDNS_RDF_TYPE_TYPE, ldns_rr_list_deep_free(), ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, and LDNS_SECTION_ANY_NOQUESTION.

ldns_rr_list* ldns_dnssec_pkt_get_rrsigs_for_type ( const ldns_pkt pkt,
ldns_rr_type  type 
)

Returns a ldns_rr_list containing the signatures covering the given type.

Definition at line 244 of file dnssec.c.

References ldns_pkt_rr_list_by_type(), ldns_rdf_free(), ldns_rdf_new(), LDNS_RDF_TYPE_TYPE, ldns_rr_list_deep_free(), ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, and LDNS_SECTION_ANY_NOQUESTION.

uint16_t ldns_calc_keytag ( const ldns_rr key)

calculates a keytag of a key for use in DNSSEC.

Parameters
[in]keythe key as an RR to use for the calc.
Returns
the keytag

Definition at line 271 of file dnssec.c.

References ldns_buffer_free(), ldns_buffer_new(), ldns_calc_keytag_raw(), LDNS_MIN_BUFLEN, ldns_rr_get_type(), ldns_rr_rdata2buffer_wire(), LDNS_RR_TYPE_DNSKEY, and LDNS_RR_TYPE_KEY.

uint16_t ldns_calc_keytag_raw ( uint8_t *  key,
size_t  keysize 
)

Calculates keytag of DNSSEC key, operates on wireformat rdata.

Parameters
[in] key — the key as uncompressed wireformat rdata.
[in] keysize — length of the key data in bytes; the function must not read beyond it.
Returns
the keytag

Definition at line 301 of file dnssec.c.

References i, and LDNS_RSAMD5.

DSA* ldns_key_buf2dsa ( ldns_buffer key)

converts a buffer holding key material to a DSA key in openssl.

Parameters
[in]keythe key to convert
Returns
a DSA * structure with the key material

Definition at line 330 of file dnssec.c.

References ldns_key_buf2dsa_raw().

DSA* ldns_key_buf2dsa_raw ( unsigned char *  key,
size_t  len 
)

Like ldns_key_buf2dsa, but uses raw buffer.

Parameters
[in] key — the uncompressed wireformat of the key.
[in] len — length of the key data in bytes
Returns
a DSA * structure with the key material; check the result for NULL before use.

Definition at line 337 of file dnssec.c.

References dsa, and NULL.

int ldns_digest_evp ( unsigned char *  data,
unsigned int  len,
unsigned char *  dest,
const EVP_MD *  md 
)

Utility function to calculate hash using generic EVP_MD pointer.

Parameters
[in] data — the data to hash.
[in] len — length of data in bytes.
[out] dest — the destination of the hash; must be large enough for the digest produced by md (at least EVP_MD_size(md) bytes).
[in] md — the message digest to use.
Returns
true (non-zero) on success, false on failure.

Definition at line 455 of file dnssec.c.

References NULL.

EVP_PKEY* ldns_gost2pkey_raw ( unsigned char *  key,
size_t  keylen 
)

Converts a holding buffer with key material to EVP PKEY in openssl.

Only available if ldns was compiled with GOST.

Parameters
[in]keydata to convert
[in]keylenlength of the key data
Returns
the key or NULL on error.
EVP_PKEY* ldns_ecdsa2pkey_raw ( unsigned char *  key,
size_t  keylen,
uint8_t  algo 
)

Converts a holding buffer with key material to EVP PKEY in openssl.

Only available if ldns was compiled with ECDSA.

Parameters
[in]keydata to convert
[in]keylenlength of the key data
[in]algoprecise algorithm to initialize ECC group values.
Returns
the key or NULL on error.

Definition at line 1871 of file dnssec_verify.c.

References buf, LDNS_ECDSAP256SHA256, LDNS_ECDSAP384SHA384, and NULL.

RSA* ldns_key_buf2rsa ( ldns_buffer key)

converts a buffer holding key material to a RSA key in openssl.

Parameters
[in]keythe key to convert
Returns
a RSA * structure with the key material

Definition at line 389 of file dnssec.c.

References ldns_key_buf2rsa_raw().

RSA* ldns_key_buf2rsa_raw ( unsigned char *  key,
size_t  len 
)

Like ldns_key_buf2rsa, but uses raw buffer.

Parameters
[in] key — the uncompressed wireformat of the key.
[in] len — length of the key data in bytes
Returns
a RSA * structure with the key material; check the result for NULL before use.

Definition at line 396 of file dnssec.c.

References NULL.

ldns_rr* ldns_key_rr2ds ( const ldns_rr key,
ldns_hash  h 
)
ldns_rdf* ldns_dnssec_create_nsec_bitmap ( ldns_rr_type  rr_type_list[],
size_t  size,
ldns_rr_type  nsec_type 
)

Create the type bitmap for an NSEC(3) record.

Definition at line 658 of file dnssec.c.

References i, LDNS_FREE, ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_NSEC, LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, ldns_set_bit(), LDNS_XMALLOC, LDNS_XREALLOC, and NULL.

int ldns_dnssec_rrsets_contains_type ( ldns_dnssec_rrsets rrsets,
ldns_rr_type  type 
)

returns whether a rrset of the given type is found in the rrsets.

Parameters
[in]rrsetsthe rrsets to be tested
[in]typethe type to test for
Returns
int 1 if the type was found, 0 otherwise.

Definition at line 757 of file dnssec.c.

References ldns_struct_dnssec_rrsets::next, and ldns_struct_dnssec_rrsets::type.

ldns_rr* ldns_dnssec_create_nsec ( ldns_dnssec_name from,
ldns_dnssec_name to,
ldns_rr_type  nsec_type 
)
ldns_rr* ldns_dnssec_create_nsec3 ( ldns_dnssec_name from,
ldns_dnssec_name to,
ldns_rdf zone_name,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)
ldns_rr* ldns_create_nsec ( ldns_rdf cur_owner,
ldns_rdf next_owner,
ldns_rr_list rrs 
)

Create a NSEC record.

Parameters
[in] cur_owner — the current owner name, which is taken as the starting point of the span
[in] next_owner — the owner name the NSEC RR should point to (the next name in the chain)
[in] rrs — all rrs from the zone, used to find all RR types present at cur_owner
Returns
a ldns_rr with the nsec record in it

Definition at line 914 of file dnssec.c.

References i, ldns_dnssec_create_nsec_bitmap(), ldns_rdf_clone(), ldns_rdf_compare(), ldns_rr_get_type(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_rr_new(), ldns_rr_owner(), ldns_rr_push_rdf(), ldns_rr_set_owner(), ldns_rr_set_type(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_RRSIG, and NULL.

ldns_rdf* ldns_nsec3_hash_name ( ldns_rdf name,
uint8_t  algorithm,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Calculates the hashed name using the given parameters.

Parameters
[in] name — The owner name to calculate the hash for
[in] algorithm — The hash algorithm to use
[in] iterations — The number of hash iterations to use (the computation cost grows with this value)
[in] salt_length — The length of the salt in bytes
[in] salt — The salt to use
Returns
The hashed owner name rdf, without the domain name

Definition at line 964 of file dnssec.c.

References int, ldns_b32_ntop_extended_hex(), ldns_dname2canonical(), LDNS_FREE, ldns_rdf_clone(), ldns_rdf_data(), ldns_rdf_deep_free(), ldns_rdf_print(), ldns_rdf_size(), LDNS_SHA1, ldns_sha1(), LDNS_SHA1_DIGEST_LENGTH, LDNS_STATUS_OK, ldns_str2rdf_dname(), LDNS_XMALLOC, and NULL.

void ldns_nsec3_add_param_rdfs ( ldns_rr rr,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Sets all the NSEC3 options.

The RR to set them in must already have been created with the corresponding _new() function and must have type LDNS_RR_TYPE_NSEC3.

Parameters
[in]*rrThe RR to set the values in
[in]algorithmThe NSEC3 hash algorithm
[in]flagsThe flags field
[in]iterationsThe number of hash iterations
[in]salt_lengthThe length of the salt in bytes
[in]saltThe salt bytes

Definition at line 1057 of file dnssec.c.

References LDNS_FREE, ldns_native2rdf_int16(), ldns_rdf_deep_free(), ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_INT16, LDNS_RDF_TYPE_INT8, LDNS_RDF_TYPE_NSEC3_SALT, ldns_rr_set_rdf(), LDNS_XMALLOC, and NULL.

ldns_rr* ldns_create_nsec3 ( ldns_rdf cur_owner,
ldns_rdf cur_zone,
ldns_rr_list rrs,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
signed char  emptynonterminal 
)
uint8_t ldns_nsec3_algorithm ( const ldns_rr nsec3_rr)

Returns the hash algorithm used in the given NSEC3 RR.

Parameters
[in]*nsec3_rrThe RR to read from
Returns
The algorithm identifier, or 0 on error

Definition at line 1210 of file dnssec.c.

References ldns_rdf2native_int8(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, LDNS_RR_TYPE_NSEC3PARAM, and NULL.

uint8_t ldns_nsec3_flags ( const ldns_rr nsec3_rr)
signed char ldns_nsec3_optout ( const ldns_rr nsec3_rr)

Returns true if the opt-out flag has been set in the given NSEC3 RR.

Parameters
[in]*nsec3_rrThe RR to read from
Returns
true if the RR has type NSEC3 and the opt-out bit has been set, false otherwise

Definition at line 1236 of file dnssec.c.

References ldns_nsec3_flags(), and LDNS_NSEC3_VARS_OPTOUT_MASK.

uint16_t ldns_nsec3_iterations ( const ldns_rr nsec3_rr)

Returns the number of hash iterations used in the given NSEC3 RR.

Parameters
[in]*nsec3_rrThe RR to read from
Returns
The number of iterations

Definition at line 1242 of file dnssec.c.

References ldns_rdf2native_int16(), ldns_rdf_size(), ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, LDNS_RR_TYPE_NSEC3PARAM, and NULL.

ldns_rdf* ldns_nsec3_salt ( const ldns_rr nsec3_rr)

Returns the salt used in the given NSEC3 RR.

Parameters
[in]*nsec3_rrThe RR to read from
Returns
The salt rdf, or NULL on error

Definition at line 1256 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, LDNS_RR_TYPE_NSEC3PARAM, and NULL.

uint8_t ldns_nsec3_salt_length ( const ldns_rr nsec3_rr)

Returns the length of the salt used in the given NSEC3 RR.

Parameters
[in]*nsec3_rrThe RR to read from
Returns
The length of the salt in bytes

Definition at line 1268 of file dnssec.c.

References ldns_nsec3_salt(), ldns_rdf_data(), and ldns_rdf_size().

uint8_t* ldns_nsec3_salt_data ( const ldns_rr nsec3_rr)

Returns the salt bytes used in the given NSEC3 RR.

Parameters
[in] nsec3_rr — The RR to read from
Returns
The salt bytes; this buffer is allocated by the function, so ownership passes to the caller, who must free it

Definition at line 1279 of file dnssec.c.

References ldns_nsec3_salt(), ldns_rdf_data(), ldns_rdf_size(), LDNS_XMALLOC, and NULL.

ldns_rdf* ldns_nsec3_next_owner ( const ldns_rr nsec3_rr)

Returns the first label of the next owner name in the NSEC3 chain (i.e. without the domain).

Parameters
[in]nsec3_rrThe RR to read from
Returns
The first label of the next owner name in the NSEC3 chain, or NULL on error

Definition at line 1296 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, and NULL.

ldns_rdf* ldns_nsec3_bitmap ( const ldns_rr nsec3_rr)

Returns the bitmap specifying the covered types of the given NSEC3 RR.

Parameters
[in]*nsec3_rrThe RR to read from
Returns
The covered type bitmap rdf

Definition at line 1306 of file dnssec.c.

References ldns_rr_get_type(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC3, and NULL.

ldns_rdf* ldns_nsec3_hash_name_frm_nsec3 ( const ldns_rr nsec,
ldns_rdf name 
)

Calculates the hashed name using the parameters of the given NSEC3 RR.

Parameters
[in]*nsecThe RR to use the parameters from
[in]*nameThe owner name to calculate the hash for
Returns
The hashed owner name rdf, without the domain name

Definition at line 1316 of file dnssec.c.

References LDNS_FREE, ldns_nsec3_algorithm(), ldns_nsec3_hash_name(), ldns_nsec3_iterations(), ldns_nsec3_salt_data(), and ldns_nsec3_salt_length().

signed char ldns_nsec_bitmap_covers_type ( const ldns_rdf nsec_bitmap,
ldns_rr_type  type 
)

Checks coverage of NSEC RR type bitmap.

Parameters
[in] nsec_bitmap — The NSEC bitmap rdata field to check
[in] type — The type to check
Returns
true if the NSEC RR covers the type

Definition at line 1341 of file dnssec.c.

References ldns_get_bit(), ldns_rdf_data(), ldns_rdf_size(), and NULL.

signed char ldns_nsec_covers_name ( const ldns_rr *nsec,
const ldns_rdf *name 
)

Checks coverage of an NSEC(3) RR name span. Remember that nsec and name must both be in canonical form (i.e. use ldns_rr2canonical and ldns_dname2canonical prior to calling this function); comparing non-canonical names gives wrong coverage results.

Parameters
[in] nsec — The NSEC RR to check
[in] name — The owner dname to check; if the nsec record is an NSEC3 record, this must be the hashed name
Returns
true if the NSEC RR covers the owner name

Definition at line 1374 of file dnssec.c.

References ldns_dname_cat(), ldns_dname_compare(), ldns_dname_left_chop(), ldns_dname_new_frm_str(), LDNS_FREE, ldns_get_errorstr_by_id(), ldns_nsec3_next_owner(), ldns_rdf2str(), ldns_rdf_clone(), ldns_rdf_deep_free(), ldns_rr_get_type(), ldns_rr_owner(), ldns_rr_rdf(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_NSEC3, LDNS_STATUS_OK, and NULL.

ldns_status ldns_pkt_verify ( ldns_pkt *p,
ldns_rr_type  t,
ldns_rdf *o,
ldns_rr_list *k,
ldns_rr_list *s,
ldns_rr_list *good_keys 
)

Verify a packet: the signatures over the RRset of type t and owner o in p are checked against the keys in k. Use ldns_pkt_verify_time to validate against an explicit check time instead of the current one.

Parameters
[in] p — the packet
[in] t — the RRset type to check
[in] o — the RRset owner name to check
[in] k — list of keys
[in] s — list of signatures (may be NULL)
[out] good_keys — keys which validated the packet
Returns
an ldns_status: LDNS_STATUS_OK if the RRset verified, an error status otherwise

Definition at line 1487 of file dnssec.c.

References ldns_pkt_verify_time(), and NULL.

ldns_status ldns_pkt_verify_time ( ldns_pkt *p,
ldns_rr_type  t,
ldns_rdf *o,
ldns_rr_list *k,
ldns_rr_list *s,
time_t  check_time,
ldns_rr_list *good_keys 
)

Verify a packet: the signatures over the RRset of type t and owner o in p are checked against the keys in k, with signature validity judged at check_time.

Parameters
[in] p — the packet
[in] t — the RRset type to check
[in] o — the RRset owner name to check
[in] k — list of keys
[in] s — list of signatures (may be NULL)
[in] check_time — the time for which the validation is performed (signature validity is judged at this time, not at the wall clock)
[out] good_keys — keys which validated the packet
Returns
an ldns_status: LDNS_STATUS_OK if the RRset verified, an error status otherwise

Definition at line 1423 of file dnssec.c.

References ldns_pkt_rr_list_by_name_and_type(), ldns_rdf_free(), ldns_rdf_new(), LDNS_RDF_TYPE_TYPE, ldns_rr_list_deep_free(), ldns_rr_list_subtype_by_rdf(), LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION, LDNS_STATUS_ERR, and ldns_verify_time().

ldns_status ldns_dnssec_chain_nsec3_list ( ldns_rr_list nsec3_rrs)
int qsort_rr_compare_nsec3 ( const void *  a,
const void *  b 
)

compare for nsec3 sort

Definition at line 1548 of file dnssec.c.

References ldns_rdf_compare(), ldns_rr_owner(), and NULL.

void ldns_rr_list_sort_nsec3 ( ldns_rr_list unsorted)

sort nsec3 list

Definition at line 1565 of file dnssec.c.

References ldns_struct_rr_list::_rrs, ldns_rr_list_rr_count(), and qsort_rr_compare_nsec3().

int ldns_dnssec_default_add_to_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always leave present signatures, and add new ones.

Parameters
[in]sigThe signature to check for removal (unused)
[in]nOptional argument (unused)
Returns
LDNS_SIGNATURE_LEAVE_ADD_NEW
int ldns_dnssec_default_leave_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always leave present signatures, and add no new ones for the keys of these signatures.

Parameters
[in]sigThe signature to check for removal (unused)
[in]nOptional argument (unused)
Returns
LDNS_SIGNATURE_LEAVE_NO_ADD
int ldns_dnssec_default_delete_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always remove present signatures, but add no new ones.

Parameters
[in]sigThe signature to check for removal (unused)
[in]nOptional argument (unused)
Returns
LDNS_SIGNATURE_REMOVE_NO_ADD
int ldns_dnssec_default_replace_signatures ( ldns_rr sig,
void *  n 
)

Default callback function to always remove present signatures and add new ones (i.e. replace them), as the return value below indicates.

Parameters
[in]sigThe signature to check for removal (unused)
[in]nOptional argument (unused)
Returns
LDNS_SIGNATURE_REMOVE_ADD_NEW
ldns_rdf* ldns_convert_dsa_rrsig_asn12rdf ( const ldns_buffer *sig,
const long  sig_len 
)

Converts the DSA signature from ASN1 representation (RFC2459, as used by OpenSSL) to raw signature data as used in DNS (rfc2536)

Parameters
[in] sig — The signature in RFC 2459 (ASN.1) format
[in] sig_len — The length of the signature in bytes
Returns
a new rdf with the signature, or NULL on failure

Definition at line 1607 of file dnssec.c.

References LDNS_FREE, ldns_rdf_new(), LDNS_RDF_TYPE_B64, LDNS_XMALLOC, and NULL.

ldns_status ldns_convert_dsa_rrsig_rdf2asn1 ( ldns_buffer *target_buffer,
const ldns_rdf *sig_rdf 
)

Converts the RRSIG signature RDF (in rfc2536 format) to a buffer with the signature in rfc2459 format.

Parameters
[out]target_bufferbuffer to place the signature data
[in]sig_rdfThe signature rdf to convert
Returns
LDNS_STATUS_OK on success, error code otherwise

Definition at line 1656 of file dnssec.c.

References ldns_buffer_reserve(), ldns_rdf_data(), ldns_rdf_size(), LDNS_STATUS_MEM_ERR, LDNS_STATUS_SSL_ERR, LDNS_STATUS_SYNTAX_RDATA_ERR, NULL, and R.

ldns_rdf* ldns_convert_ecdsa_rrsig_asn12rdf ( const ldns_buffer *sig,
const long  sig_len 
)

Converts the ECDSA signature from ASN1 representation (as used by OpenSSL) to raw signature data as used in DNS. This routine is only present if ldns is compiled with ECDSA support.

Parameters
[in] sig — The signature in ASN1 format
[in] sig_len — The length of the signature in bytes
Returns
a new rdf with the signature, or NULL on failure

Definition at line 1709 of file dnssec.c.

References ldns_rdf_new(), LDNS_RDF_TYPE_B64, LDNS_XMALLOC, and NULL.

ldns_status ldns_convert_ecdsa_rrsig_rdf2asn1 ( ldns_buffer *target_buffer,
const ldns_rdf *sig_rdf 
)

Converts the RRSIG signature RDF (from DNS) to a buffer with the signature in ASN1 format as openssl uses it.

This routine is only present if ldns is compiled with ecdsa support.

Parameters
[out]target_bufferbuffer to place the signature data in ASN1.
[in]sig_rdfThe signature rdf to convert
Returns
LDNS_STATUS_OK on success, error code otherwise

Definition at line 1733 of file dnssec.c.

References ldns_buffer_reserve(), ldns_rdf_data(), ldns_rdf_size(), LDNS_STATUS_ERR, LDNS_STATUS_MEM_ERR, and NULL.