1 /*
2 * Copyright (C) 2012 Reto Guadagnini
3 *
4 * Copyright (C) secunet Security Networks AG
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup rsolver_response resolver_response
19 * @{ @ingroup resolver
20 */
21
22 #ifndef RESOLVER_RESPONSE_H_
23 #define RESOLVER_RESPONSE_H_
24
/*
 * Forward declarations of the two types defined in this header. They precede
 * the #include lines below, presumably so that the included headers can
 * already name these types -- confirm against the include graph.
 */
typedef struct resolver_response_t resolver_response_t;
/*
 * NOTE(review): a typedef naming an enum before the enum is defined is not
 * valid ISO C; GCC and Clang accept it as an extension and warn about it
 * under -pedantic.
 */
typedef enum dnssec_status_t dnssec_status_t;
27
28 #include <library.h>
29 #include <resolver/rr_set.h>
30
31 /**
32 * DNSSEC security state.
33 *
34 * DNSSEC security state, which a security-aware resolver is able to determine
35 * according to RFC 4033.
36 */
enum dnssec_status_t {
	/**
	 * The validating resolver has a trust anchor, has a chain of
	 * trust, and is able to verify all the signatures in the response.
	 * [RFC4033]
	 *
	 * Of the four states, this is the only one in which the signatures in
	 * the response have been verified. No enumerator carries an explicit
	 * value, so SECURE is 0 and a zero-initialized dnssec_status_t compares
	 * equal to SECURE; code that stores a status should assign it explicitly
	 * rather than rely on zeroed memory.
	 */
	SECURE,
	/**
	 * The validating resolver has a trust anchor, a chain of
	 * trust, and, at some delegation point, signed proof of the
	 * non-existence of a DS record. This indicates that subsequent
	 * branches in the tree are provably insecure. A validating resolver
	 * may have a local policy to mark parts of the domain space as
	 * insecure. [RFC4033]
	 *
	 * Data in this state is not authenticated by DNSSEC.
	 */
	INSECURE,
	/**
	 * The validating resolver has a trust anchor and a secure
	 * delegation indicating that subsidiary data is signed, but the
	 * response fails to validate for some reason: missing signatures,
	 * expired signatures, signatures with unsupported algorithms, data
	 * missing that the relevant NSEC RR says should be present, and so
	 * forth. [RFC4033]
	 *
	 * Validation was expected to succeed and did not, so a response in
	 * this state is not authenticated.
	 */
	BOGUS,
	/**
	 * There is no trust anchor that would indicate that a
	 * specific portion of the tree is secure. This is the default
	 * operation mode. [RFC4033]
	 *
	 * No validation result is available; the data is not authenticated.
	 */
	INDETERMINATE,
};
69
70
71 /**
72 * A response of the DNS resolver to a DNS query.
73 *
74 * A response represents the answer of the Domain Name System to a query.
75 * It contains the RRset with the queried Resource Records and additional
76 * information.
77 */
struct resolver_response_t {

	/**
	 * Get the original question string.
	 *
	 * The string to which the returned pointer points, is still owned
	 * by the resolver_response. Clone it if necessary.
	 *
	 * The caller must not free the returned string.
	 *
	 * @return			the queried name
	 */
	char *(*get_query_name)(resolver_response_t *this);

	/**
	 * Get the canonical name of the result.
	 *
	 * The string to which the returned pointer points, is still owned
	 * by the resolver_response. Clone it if necessary.
	 *
	 * The caller must not free the returned string and has to handle a
	 * NULL return.
	 *
	 * NOTE(review): this header does not say whether the canonical name is
	 * covered by the DNSSEC state reported by get_security_state() --
	 * confirm against the implementation before relying on it for trust
	 * decisions.
	 *
	 * @return			- canonical name of result
	 *					- NULL, if result has no canonical name
	 */
	char *(*get_canon_name)(resolver_response_t *this);

	/**
	 * Does the RRset of this response contain some Resource Records?
	 *
	 * Returns TRUE if the RRset of this response contains some RRs
	 * (RRSIG Resource Records are ignored).
	 *
	 * @return
	 *					- TRUE, if there are some RRs in the RRset
	 *					- FALSE, otherwise
	 */
	bool (*has_data)(resolver_response_t *this);

	/**
	 * Does the queried name exist?
	 *
	 * @return
	 *					- TRUE, if the queried name exists
	 *					- FALSE, otherwise
	 */
	bool (*query_name_exist)(resolver_response_t *this);

	/**
	 * Get the DNSSEC security state of the response.
	 *
	 * Only SECURE is documented as meaning that the signatures in the
	 * response were verified. Callers that make trust decisions on the
	 * response data should compare the result against SECURE explicitly
	 * instead of testing for the absence of one particular failure state.
	 *
	 * @return			DNSSEC security state
	 */
	dnssec_status_t (*get_security_state)(resolver_response_t *this);

	/**
	 * Get the RRset with all Resource Records of this response.
	 *
	 * The return value can be NULL and has to be checked before use.
	 *
	 * NOTE(review): nothing in this header says that the RRset is withheld
	 * when the security state is INSECURE, BOGUS or INDETERMINATE, so
	 * callers should presumably check get_security_state() themselves
	 * before trusting the records -- confirm against the implementation.
	 * NOTE(review): unlike the string getters, ownership of the returned
	 * RRset is not stated here -- confirm before destroying it.
	 *
	 * @return			- RRset
	 *					- NULL if there is no data or the query name
	 *					  does not exist
	 */
	rr_set_t *(*get_rr_set)(resolver_response_t *this);

	/**
	 * Destroy this response.
	 *
	 * The strings returned by get_query_name() and get_canon_name() are
	 * documented as owned by the response, so pointers obtained from them
	 * should be assumed invalid after this call.
	 */
	void (*destroy) (resolver_response_t *this);
};
143
144 #endif /** RESOLVER_RESPONSE_H_ @}*/