val_nsec.h File Reference

This file contains helper functions for the validator module.

#include "util/data/packed_rrset.h"

Functions

enum sec_status val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, uint32_t *proof_ttl)
 Check DS absence.
int nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type)
 nsec typemap check, takes an NSEC-type bitmap as argument, checks for type.
int nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type)
 Check if type is present in the NSEC typemap.
int nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc)
 Determine if an NSEC proves the NOERROR/NODATA conditions.
int val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname)
 Determine if the given NSEC proves a NameError (NXDOMAIN) for a given qname.
int val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc)
 Determine if the given NSEC proves a positive wildcard response.
uint8_t * nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec)
 Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).
int val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen)
 Determine if the given NSEC proves that a wildcard match does not exist.
int val_nsec_check_dlv (struct query_info *qinfo, struct reply_info *rep, uint8_t **nm, size_t *nm_len)
 Determine the DLV result, what to do with NSEC DLV reply.


Detailed Description

This file contains helper functions for the validator module.

The functions help with NSEC checking: the different NSEC proofs for denial of existence, and proofs for presence of types.


Function Documentation

enum sec_status val_nsec_prove_nodata_dsreply (struct module_env *env, struct val_env *ve, struct query_info *qinfo, struct reply_info *rep, struct key_entry_key *kkey, uint32_t *proof_ttl)

Check DS absence.

There is a NODATA reply to a DS query that needs checking. NSECs can prove that this is not a delegation point, or successfully prove that there is no DS. Otherwise the check fails.

Parameters:
env: module env for rrsig verification routines.
ve: validator env for rrsig verification routines.
qinfo: the DS queried for.
rep: reply received.
kkey: key entry to use for verification of signatures.
proof_ttl: if secure, the TTL of how long this proof lasts.
Returns:
security status. SECURE: proved absence of DS. INSECURE: proved that this was not a delegation point. BOGUS: crypto bad, or no absence of DS proven. UNCHECKED: there was no way to prove anything (no NSECs, unknown algo).

References reply_info::an_numrrsets, packed_rrset_key::dname, dname_is_wild(), reply_info::ns_numrrsets, nsec_closest_encloser(), nsec_proves_nodata(), query_info::qclass, query_info::qname, query_info::qname_len, query_dname_compare(), reply_find_rrset_section_ns(), ub_packed_rrset_key::rk, rrset_get_ttl(), reply_info::rrsets, sec_status_bogus, sec_status_insecure, sec_status_secure, sec_status_unchecked, packed_rrset_key::type, ub_packed_rrset_ttl(), val_nsec_proves_name_error(), val_nsec_proves_no_ds(), val_verify_rrset_entry(), VERB_ALGO, and verbose().

Referenced by ds_response_to_ke().

int nsecbitmap_has_type_rdata (uint8_t *bitmap, size_t len, uint16_t type)

NSEC typemap check: takes an NSEC type bitmap as argument and checks whether the given type is set in it.

Parameters:
bitmap: pointer to the bitmap part of wireformat rdata.
len: length of the bitmap, in bytes.
type: the type (in host order) to check for.
Returns:
true if the type bit was set in the bitmap. false if not, or if the bitmap was malformed in some way.

Referenced by nsec3_has_type(), nsec_has_type(), and unitest_nsec_has_type_rdata().
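The walk this function performs over the RFC 4034 type bitmap (window blocks of window number, block length 1..32, then that many octets, most significant bit first), as an added example that is not Unbound's code; the function names and the sample bitmap are constructed for illustration, and the malformed inputs show the "false if the bitmap was malformed" case from the description.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Is 'type' set in an NSEC type bitmap (RFC 4034 section 4.1.2)? Window blocks
 * are: window number (1 octet), block length (1 octet, 1..32), then that many
 * octets; bit 0 of an octet is its MSB. Returns 1 if set, 0 if not or malformed. */
int nsec_bitmap_has_type(const uint8_t *bitmap, size_t len, uint16_t type)
{
    uint8_t win = (uint8_t)(type >> 8), sub = (uint8_t)(type & 0xff);
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 2) return 0;            /* truncated block header */
        uint8_t w = bitmap[pos], blen = bitmap[pos + 1];
        pos += 2;
        if (blen < 1 || blen > 32 || blen > len - pos)
            return 0;                           /* bad length or truncated block */
        if (w == win) {
            if ((size_t)(sub >> 3) >= blen) return 0;  /* octet absent: not set */
            return (bitmap[pos + (sub >> 3)] >> (7 - (sub & 7))) & 1;
        }
        pos += blen;                            /* skip to the next window */
    }
    return 0;                                   /* window absent: not set */
}
/* Constructed sample: A(1) MX(15) RRSIG(46) NSEC(47) TYPE1234 -> window 0 (6 octets) + window 4 (27 octets). */
size_t build_sample_bitmap(uint8_t *out)
{
    static const uint8_t win0[] = {0x00, 0x06, 0x40, 0x01, 0x00, 0x00, 0x00, 0x03};
    size_t n = sizeof win0;
    memcpy(out, win0, n);
    out[n++] = 0x04;                            /* window 4: types 1024..1279 */
    out[n++] = 27;
    memset(out + n, 0, 27);
    out[n + 26] = 0x20;                         /* 1234 = 0x04D2: octet 26, bit 2 */
    return n + 27;
}
int sample_has_type(uint16_t type)
{
    uint8_t bm[64]; size_t n = build_sample_bitmap(bm);
    return nsec_bitmap_has_type(bm, n, type);
}
/* Zero block length, and a block longer than the data, must be rejected rather than read past the end. */
int malformed_is_rejected(void)
{
    static const uint8_t zero[] = {0x00, 0x00, 0x40}, trunc[] = {0x00, 0x06, 0x40};
    return nsec_bitmap_has_type(zero, sizeof zero, 1) == 0
        && nsec_bitmap_has_type(trunc, sizeof trunc, 1) == 0;
}
```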

int nsec_has_type (struct ub_packed_rrset_key *nsec, uint16_t type)

Check if type is present in the NSEC typemap.

Parameters:
nsec: the nsec RRset. If there are multiple RRs, then each must have the same typemap, since the typemap represents the types at this domain node.
type: type to check for, host order.
Returns:
true if present

References packed_rrset_data::count, dname_valid(), nsecbitmap_has_type_rdata(), packed_rrset_data::rr_data, and packed_rrset_data::rr_len.

Referenced by grab_nsec(), nsec_proves_nodata(), val_nsec_check_dlv(), val_nsec_proves_name_error(), and val_nsec_proves_no_ds().

int nsec_proves_nodata (struct ub_packed_rrset_key *nsec, struct query_info *qinfo, uint8_t **wc)

Determine if an NSEC proves the NOERROR/NODATA conditions.

This will also handle the empty non-terminal (ENT) case and partially handle the wildcard case. If the ownername of 'nsec' is a wildcard, the validator must still be provided proof that qname did not directly exist and that the wildcard is, in fact, *.closest_encloser.

Parameters:
nsec: the nsec record to check against.
qinfo: the query info.
wc: if the nodata is proven for a wildcard match, the wildcard closest encloser is returned, else NULL (wc is unchanged). This closest encloser must then match the nameerror given for the nextcloser of qname.
Returns:
true if NSEC proves this.

References packed_rrset_key::dname, dname_canonical_compare(), dname_is_wild(), packed_rrset_key::dname_len, dname_remove_label(), dname_strict_subdomain_c(), log_assert, nsec_get_next(), nsec_has_type(), query_info::qname, query_info::qtype, query_dname_compare(), and ub_packed_rrset_key::rk.

Referenced by val_neg_dlvlookup(), val_nsec_prove_nodata_dsreply(), validate_cname_noanswer_response(), and validate_nodata_response().

int val_nsec_proves_name_error (struct ub_packed_rrset_key *nsec, uint8_t *qname)

int val_nsec_proves_positive_wildcard (struct ub_packed_rrset_key *nsec, struct query_info *qinf, uint8_t *wc)

Determine if the given NSEC proves a positive wildcard response.

Parameters:
nsec: the nsec to check.
qinf: what was queried.
wc: wildcard (without the *. label).
Returns:
true if proven.

References nsec_closest_encloser(), query_info::qname, query_dname_compare(), and val_nsec_proves_name_error().

Referenced by validate_any_response(), validate_cname_response(), and validate_positive_response().

uint8_t * nsec_closest_encloser (uint8_t *qname, struct ub_packed_rrset_key *nsec)

Determine closest encloser of a query name and the NSEC that covers it (and thus disproved it).

A name error must have been proven already, otherwise this will be invalid.

Parameters:
qname: the name queried for.
nsec: the nsec RRset.
Returns:
closest encloser dname or NULL on error (bad nsec RRset).

References packed_rrset_key::dname, dname_count_labels(), dname_get_shared_topdomain(), nsec_get_next(), and ub_packed_rrset_key::rk.

Referenced by val_nsec_prove_nodata_dsreply(), val_nsec_proves_no_wc(), val_nsec_proves_positive_wildcard(), validate_cname_noanswer_response(), and validate_nodata_response().

int val_nsec_proves_no_wc (struct ub_packed_rrset_key *nsec, uint8_t *qname, size_t qnamelen)

Determine if the given NSEC proves that a wildcard match does not exist.

Parameters:
nsec: the nsec RRset.
qname: the name queried for.
qnamelen: length of qname.
Returns:
true if proven.

References dname_count_labels(), dname_remove_labels(), nsec_closest_encloser(), and val_nsec_proves_name_error().

Referenced by validate_cname_noanswer_response(), and validate_nameerror_response().

int val_nsec_check_dlv (struct query_info *qinfo, struct reply_info *rep, uint8_t **nm, size_t *nm_len)

Determine the DLV result, what to do with NSEC DLV reply.

Parameters:
qinfo: what was queried for.
rep: the nonpositive reply.
nm: dlv lookup name, to adjust for new lookup name (if needed).
nm_len: length of lookup name.
Returns:
0 on error, 1 if a higher point is found. If the higher point is above the dlv repo anchor, the qname does not exist.

References reply_info::an_numrrsets, dlv_topdomain(), packed_rrset_key::dname, dname_canonical_compare(), dname_remove_label(), dname_strict_subdomain_c(), reply_info::flags, FLAGS_GET_RCODE, log_nametypeclass(), reply_info::ns_numrrsets, nsec_get_next(), nsec_has_type(), query_info::qname, ub_packed_rrset_key::rk, reply_info::rrsets, packed_rrset_key::type, val_nsec_proves_name_error(), and VERB_ALGO.

Referenced by process_dlv_response().


Generated on Thu Mar 26 10:03:54 2009 for unbound by doxygen 1.5.8