X7ROOT File Manager
Current Path:
/usr/include/bind9/dns
usr
/
include
/
bind9
/
dns
/
ðŸ“
..
📄
acache.h
(13.9 KB)
📄
acl.h
(7.07 KB)
📄
adb.h
(22.07 KB)
📄
badcache.h
(3.29 KB)
📄
bit.h
(807 B)
📄
byaddr.h
(3.91 KB)
📄
cache.h
(8.44 KB)
📄
callbacks.h
(2.22 KB)
📄
catz.h
(11.56 KB)
📄
cert.h
(1.43 KB)
📄
client.h
(21.53 KB)
📄
clientinfo.h
(1.96 KB)
📄
compress.h
(6.49 KB)
📄
db.h
(45.48 KB)
📄
dbiterator.h
(7.25 KB)
📄
dbtable.h
(3.09 KB)
📄
diff.h
(6.82 KB)
📄
dispatch.h
(16.04 KB)
📄
dlz.h
(10.37 KB)
📄
dlz_dlopen.h
(4.57 KB)
📄
dns64.h
(5.5 KB)
📄
dnssec.h
(11.83 KB)
📄
dnstap.h
(9.14 KB)
📄
ds.h
(1.2 KB)
📄
dsdigest.h
(1.68 KB)
📄
dyndb.h
(4.72 KB)
📄
ecdb.h
(809 B)
📄
edns.h
(722 B)
📄
enumclass.h
(1.19 KB)
📄
enumtype.h
(8.11 KB)
📄
events.h
(3.96 KB)
📄
fixedname.h
(1.62 KB)
📄
forward.h
(3.37 KB)
📄
geoip.h
(2.73 KB)
📄
ipkeylist.h
(2.13 KB)
📄
iptable.h
(1.58 KB)
📄
journal.h
(8.03 KB)
📄
keydata.h
(1.03 KB)
📄
keyflags.h
(1.25 KB)
📄
keytable.h
(9.24 KB)
📄
keyvalues.h
(4.06 KB)
📄
lib.h
(1.16 KB)
📄
log.h
(3.87 KB)
📄
lookup.h
(2.86 KB)
📄
master.h
(11.02 KB)
📄
masterdump.h
(12.35 KB)
📄
message.h
(37.92 KB)
📄
name.h
(36.25 KB)
📄
ncache.h
(4.81 KB)
📄
nsec.h
(2.86 KB)
📄
nsec3.h
(7.84 KB)
📄
nta.h
(4.44 KB)
📄
opcode.h
(1007 B)
📄
order.h
(1.95 KB)
📄
peer.h
(5.83 KB)
📄
portlist.h
(2.05 KB)
📄
private.h
(1.89 KB)
📄
rbt.h
(39.67 KB)
📄
rcode.h
(2.42 KB)
📄
rdata.h
(21.11 KB)
📄
rdataclass.h
(2.2 KB)
📄
rdatalist.h
(2.51 KB)
📄
rdataset.h
(21.03 KB)
📄
rdatasetiter.h
(3.83 KB)
📄
rdataslab.h
(4.28 KB)
📄
rdatastruct.h
(60.14 KB)
📄
rdatatype.h
(2.24 KB)
📄
request.h
(10.89 KB)
📄
resolver.h
(19.75 KB)
📄
result.h
(9.07 KB)
📄
rootns.h
(892 B)
📄
rpz.h
(10.09 KB)
📄
rriterator.h
(4.13 KB)
📄
rrl.h
(6.48 KB)
📄
sdb.h
(7.05 KB)
📄
sdlz.h
(13.88 KB)
📄
secalg.h
(1.67 KB)
📄
secproto.h
(1.52 KB)
📄
soa.h
(2.13 KB)
📄
ssu.h
(8.11 KB)
📄
stats.h
(13.14 KB)
📄
tcpmsg.h
(3.07 KB)
📄
time.h
(1.66 KB)
📄
timer.h
(1.03 KB)
📄
tkey.h
(7.45 KB)
📄
tsec.h
(2.88 KB)
📄
tsig.h
(8.19 KB)
📄
ttl.h
(1.9 KB)
📄
types.h
(13.83 KB)
📄
update.h
(1.61 KB)
📄
validator.h
(6.99 KB)
📄
version.h
(868 B)
📄
view.h
(34.45 KB)
📄
xfrin.h
(2.86 KB)
📄
zone.h
(59.44 KB)
📄
zonekey.h
(777 B)
📄
zt.h
(5.43 KB)
Editing: dnssec.h
/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ #ifndef DNS_DNSSEC_H #define DNS_DNSSEC_H 1 /*! \file dns/dnssec.h */ #include <stdbool.h> #include <isc/lang.h> #include <isc/stdtime.h> #include <isc/stats.h> #include <dns/diff.h> #include <dns/types.h> #include <dst/dst.h> ISC_LANG_BEGINDECLS LIBDNS_EXTERNAL_DATA extern isc_stats_t *dns_dnssec_stats; /*%< Maximum number of keys supported in a zone. */ #define DNS_MAXZONEKEYS 32 /* * Indicates how the signer found this key: in the key repository, at the * zone apex, or specified by the user. */ typedef enum { dns_keysource_unknown, dns_keysource_repository, dns_keysource_zoneapex, dns_keysource_user } dns_keysource_t; /* * A DNSSEC key and hints about its intended use gleaned from metadata */ struct dns_dnsseckey { dst_key_t *key; bool hint_publish; /*% metadata says to publish */ bool force_publish; /*% publish regardless of metadata */ bool hint_sign; /*% metadata says to sign with this key */ bool force_sign; /*% sign with key regardless of metadata */ bool hint_remove; /*% metadata says *don't* publish */ bool is_active; /*% key is already active */ bool first_sign; /*% key is newly becoming active */ unsigned int prepublish; /*% how long until active? */ dns_keysource_t source; /*% how the key was found */ bool ksk; /*% this is a key-signing key */ bool legacy; /*% this is old-style key with no metadata (possibly generated by an older version of BIND9) and should be ignored when searching for keys to import into the zone */ unsigned int index; /*% position in list */ ISC_LINK(dns_dnsseckey_t) link; }; isc_result_t dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx, dst_key_t **key); /*%< * Creates a DST key from a DNS record. Basically a wrapper around * dst_key_fromdns(). * * Requires: *\li 'name' is not NULL *\li 'rdata' is not NULL *\li 'mctx' is not NULL *\li 'key' is not NULL *\li '*key' is NULL * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMEMORY *\li DST_R_INVALIDPUBLICKEY *\li various errors from dns_name_totext */ isc_result_t dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, isc_stdtime_t *inception, isc_stdtime_t *expire, isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata); /*%< * Generates a RRSIG record covering this rdataset. This has no effect * on existing RRSIG records. * * Requires: *\li 'name' (the owner name of the record) is a valid name *\li 'set' is a valid rdataset *\li 'key' is a valid key *\li 'inception' is not NULL *\li 'expire' is not NULL *\li 'mctx' is not NULL *\li 'buffer' is not NULL *\li 'sigrdata' is not NULL * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMEMORY *\li #ISC_R_NOSPACE *\li #DNS_R_INVALIDTIME - the expiration is before the inception *\li #DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either * it is not a zone key or its flags prevent * authentication) *\li DST_R_* */ isc_result_t dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, bool ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata); isc_result_t dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, bool ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); isc_result_t dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, bool ignoretime, unsigned int maxbits, isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild); /*%< * Verifies the RRSIG record covering this rdataset signed by a specific * key. This does not determine if the key's owner is authorized to sign * this record, as this requires a resolver or database. * If 'ignoretime' is true, temporal validity will not be checked. * * 'maxbits' specifies the maximum number of rsa exponent bits accepted. * * Requires: *\li 'name' (the owner name of the record) is a valid name *\li 'set' is a valid rdataset *\li 'key' is a valid key *\li 'mctx' is not NULL *\li 'sigrdata' is a valid rdata containing a SIG record *\li 'wild' if non-NULL then is a valid and has a buffer. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMEMORY *\li #DNS_R_FROMWILDCARD - the signature is valid and is from * a wildcard expansion. dns_dnssec_verify2() only. * 'wild' contains the name of the wildcard if non-NULL. *\li #DNS_R_SIGINVALID - the signature fails to verify *\li #DNS_R_SIGEXPIRED - the signature has expired *\li #DNS_R_SIGFUTURE - the signature's validity period has not begun *\li #DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either * it is not a zone key or its flags prevent * authentication) *\li DST_R_* */ /*@{*/ isc_result_t dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys); isc_result_t dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, const char *directory, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys); isc_result_t dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, const char *directory, isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys, dst_key_t **keys, unsigned int *nkeys); /*%< * Finds a set of zone keys. * XXX temporary - this should be handled in dns_zone_t. */ /*@}*/ bool dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now); /*%< * * Returns true if 'key' is active as of the time specified * in 'now' (i.e., if the activation date has passed, inactivation or * deletion date has not yet been reached, and the key is not revoked * -- or if it is a legacy key without metadata). Otherwise returns * false. * * Requires: *\li 'key' is a valid key */ isc_result_t dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key); /*%< * Signs a message with a SIG(0) record. This is implicitly called by * dns_message_renderend() if msg->sig0key is not NULL. * * Requires: *\li 'msg' is a valid message *\li 'key' is a valid key that can be used for signing * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMEMORY *\li DST_R_* */ isc_result_t dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, dst_key_t *key); /*%< * Verifies a message signed by a SIG(0) record. This is not * called implicitly by dns_message_parse(). If dns_message_signer() * is called before dns_dnssec_verifymessage(), it will return * #DNS_R_NOTVERIFIEDYET. dns_dnssec_verifymessage() will set * the verified_sig0 flag in msg if the verify succeeds, and * the sig0status field otherwise. * * Requires: *\li 'source' is a valid buffer containing the unparsed message *\li 'msg' is a valid message *\li 'key' is a valid key * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMEMORY *\li #ISC_R_NOTFOUND - no SIG(0) was found *\li #DNS_R_SIGINVALID - the SIG record is not well-formed or * was not generated by the key. *\li DST_R_* */ bool dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, bool ignoretime, isc_mem_t *mctx); bool dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, bool ignoretime, isc_mem_t *mctx); /*%< * Verify that 'rdataset' is validly signed in 'sigrdataset' by * the key in 'rdata'. * * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY * rrset. dns_dnssec_signs() works on any rrset. */ isc_result_t dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey, dns_dnsseckey_t **dkp); /*%< * Create and initialize a dns_dnsseckey_t structure. * * Requires: *\li 'dkp' is not NULL and '*dkp' is NULL. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMEMORY */ void dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp); /*%< * Reclaim a dns_dnsseckey_t structure. * * Requires: *\li 'dkp' is not NULL and '*dkp' is not NULL. * * Ensures: *\li '*dkp' is NULL. */ isc_result_t dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory, isc_mem_t *mctx, dns_dnsseckeylist_t *keylist); isc_result_t dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory, isc_stdtime_t now, isc_mem_t *mctx, dns_dnsseckeylist_t *keylist); /*%< * Search 'directory' for K* key files matching the name in 'origin'. * Append all such keys, along with use hints gleaned from their * metadata, onto 'keylist'. Skip any unsupported algorithms. * * Requires: *\li 'keylist' is not NULL * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOTFOUND *\li #ISC_R_NOMEMORY *\li any error returned by dns_name_totext(), isc_dir_open(), or * dst_key_fromnamedfile() * * Ensures: *\li On error, keylist is unchanged */ isc_result_t dns_dnssec_keylistfromrdataset(dns_name_t *origin, const char *directory, isc_mem_t *mctx, dns_rdataset_t *keyset, dns_rdataset_t *keysigs, dns_rdataset_t *soasigs, bool savekeys, bool publickey, dns_dnsseckeylist_t *keylist); /*%< * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'. * Omit duplicates. If 'publickey' is false, search 'directory' for * matching key files, and load the private keys that go with * the public ones. If 'savekeys' is true, mark the keys so * they will not be deleted or inactivated regardless of metadata. * * 'keysigs' and 'soasigs', if not NULL and associated, contain the * RRSIGS for the DNSKEY and SOA records respectively and are used to mark * whether a key is already active in the zone. */ isc_result_t dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, dns_dnsseckeylist_t *removed, dns_name_t *origin, dns_ttl_t hint_ttl, dns_diff_t *diff, bool allzsk, isc_mem_t *mctx, void (*report)(const char *, ...)); /*%< * Update the list of keys in 'keys' with new key information in 'newkeys'. * * For each key in 'newkeys', see if it has a match in 'keys'. * - If not, and if the metadata says the key should be published: * add it to 'keys', and place a dns_difftuple into 'diff' so * the key can be added to the DNSKEY set. If the metadata says it * should be active, set the first_sign flag. * - If so, and if the metadata says it should be removed: * remove it from 'keys', and place a dns_difftuple into 'diff' so * the key can be removed from the DNSKEY set. if 'removed' is non-NULL, * copy the key into that list; otherwise destroy it. * - Otherwise, make sure keys has current metadata. * * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as * ZSKs. * * 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no * existing RRset, and if none of the keys to be added has a default TTL * (in which case we would use the shortest one). If the TTL is longer * than the time until a new key will be activated, then we have to delay * the key's activation. * * 'report' points to a function for reporting status. * * On completion, any remaining keys in 'newkeys' are freed. */ isc_result_t dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, dns_rdataset_t *cds, dns_rdataset_t *cdnskey, isc_stdtime_t now, dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx); /*%< * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed. */ ISC_LANG_ENDDECLS #endif /* DNS_DNSSEC_H */
Upload File
Create Folder