1 /* SPDX-License-Identifier: LGPL-2.1+ */
/* Forward declarations of the two enums, placed ahead of the includes below;
 * the enumerators themselves are defined further down in this file. */
typedef enum DnssecResult DnssecResult;
typedef enum DnssecVerdict DnssecVerdict;
7 #include "dns-domain.h"
8 #include "resolved-dns-answer.h"
9 #include "resolved-dns-rr.h"
12 /* These five are returned by dnssec_verify_rrset() */
14 DNSSEC_VALIDATED_WILDCARD
, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
16 DNSSEC_SIGNATURE_EXPIRED
,
17 DNSSEC_UNSUPPORTED_ALGORITHM
,
19 /* These two are added by dnssec_verify_rrset_search() */
23 /* These two are added by the DnsTransaction logic */
25 DNSSEC_FAILED_AUXILIARY
,
27 DNSSEC_INCOMPATIBLE_SERVER
,
30 _DNSSEC_RESULT_INVALID
= -1
40 _DNSSEC_VERDICT_INVALID
= -1
/* Upper bound for a hostname in DNSSEC canonical form. NOTE(review): the +2
 * over DNS_HOSTNAME_MAX presumably accounts for a trailing dot plus the
 * terminating NUL -- confirm against the canonicalization code before sizing
 * buffers from it. */
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

/* The longest digest we'll ever generate, of all digest algorithms we support.
 * 20 and 32 bytes are the SHA-1 and SHA-256 output sizes, so those are
 * presumably the supported algorithms. dnssec_nsec3_hash() below takes no
 * output-length parameter, so callers size its output buffer from this
 * constant; any algorithm with a longer digest added later must raise this
 * bound in the same change, or those fixed buffers overflow. */
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
/* Checks whether the RRSIG in @rrsig and the DNSKEY in @dnskey belong together
 * (presumably by comparing key tag, algorithm and signer name). This is a
 * field comparison, not a signature check: a match here does not prove the
 * signature, dnssec_verify_rrset() does. @revoked_ok presumably selects whether
 * a DNSKEY carrying the REVOKE flag may still count as a match -- confirm in
 * the implementation. The return convention is not visible in this header;
 * the usual shape is > 0 for a match, 0 for no match, negative errno-style on
 * error -- confirm. */
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
/* Checks whether the RRSIG in @rrsig covers the RR set identified by @key
 * (owner name, class and type, presumably). A field comparison only, not a
 * cryptographic check. Return convention: confirm in the implementation
 * (likely > 0 match, 0 no match, < 0 error). */
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
/* Cryptographically verifies the RR set selected by @key within @answer
 * against the single signature @rrsig and the single key @dnskey.
 *
 * @realtime is the wall-clock instant (usec_t, presumably CLOCK_REALTIME) the
 * signature's validity window is judged against -- DNSSEC_SIGNATURE_EXPIRED
 * is among the possible outcomes. A monotonic clock value here would make the
 * expiry check meaningless.
 *
 * The verdict is stored in *@result as one of the five DnssecResult values
 * marked above as returned by dnssec_verify_rrset(). Note that
 * DNSSEC_VALIDATED_WILDCARD is not a final "secure" answer: the enumerator's
 * comment requires further NSEC/NSEC3 checks. The int return value is separate
 * from the verdict -- presumably 0 when the check ran and a negative
 * errno-style code on internal failure -- so callers must inspect both;
 * confirm the return convention in the implementation. */
int dnssec_verify_rrset(
                DnsAnswer *answer,
                const DnsResourceKey *key,
                DnsResourceRecord *rrsig,
                DnsResourceRecord *dnskey,
                usec_t realtime,
                DnssecResult *result);
/* Searches @answer for an RRSIG covering @key and @validated_dnskeys for a
 * matching DNSKEY, then verifies the RR set with the pair found. The RRSIG that
 * was used is returned through @rrsig (presumably only if non-NULL) and the
 * verdict through *@result; besides the five values dnssec_verify_rrset()
 * produces, this function adds the two further DnssecResult values marked
 * above as added by dnssec_verify_rrset_search().
 *
 * Only DNSKEYs that have themselves been validated belong in
 * @validated_dnskeys -- passing unvalidated keys here breaks the chain of
 * trust, since any match is then treated as authoritative. @realtime has the
 * same meaning as for dnssec_verify_rrset(). Return convention: confirm in the
 * implementation. */
int dnssec_verify_rrset_search(
                DnsAnswer *answer,
                const DnsResourceKey *key,
                DnsAnswer *validated_dnskeys,
                usec_t realtime,
                DnssecResult *result,
                DnsResourceRecord **rrsig);
/* Checks whether the DNSKEY in @dnskey is authenticated by the DS record @ds,
 * presumably by digesting the key and comparing against the digest carried in
 * the DS. @mask_revoke presumably controls whether the REVOKE flag is masked
 * out of the key's flags before the digest/key tag is computed; the same
 * parameter appears on dnssec_keytag() below -- confirm both carry the same
 * meaning. Return convention: confirm in the implementation (likely > 0
 * authenticated, 0 no match, < 0 error). */
int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
/* Looks through @validated_ds for a DS record that authenticates @dnskey.
 * Only DS records that were themselves validated belong in @validated_ds;
 * otherwise an attacker-supplied DS would vouch for an attacker-supplied key.
 * Return convention: confirm in the implementation (likely > 0 found, 0 none,
 * < 0 error). */
int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
/* Tells whether the answer @a contains an RRSIG record covering the RR set
 * identified by @key. Presence of a signature says nothing about its validity;
 * dnssec_verify_rrset()/dnssec_verify_rrset_search() decide that. Return
 * convention: confirm in the implementation (likely > 0 present, 0 absent,
 * < 0 error). */
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
/* Computes the 16-bit key tag of the DNSKEY in @dnskey. @mask_revoke
 * presumably causes the REVOKE flag bit to be cleared before the tag is
 * computed -- confirm. A key tag is a lookup hint only: distinct keys can share
 * a tag, so a tag match must never be taken as key identity; the actual
 * binding is established by signature verification. */
uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
/* Hashes the domain name @name with the NSEC3 parameters (hash algorithm,
 * iterations and salt, presumably) carried by the NSEC3 record @nsec3 and
 * writes the digest to @ret. There is no output-length parameter: @ret must
 * provide at least DNSSEC_HASH_SIZE_MAX bytes. The int return value presumably
 * carries the digest length, or a negative error (e.g. for an unsupported hash
 * algorithm, cf. DNSSEC_NSEC_UNSUPPORTED_ALGORITHM below) -- confirm in the
 * implementation before relying on either. */
int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
63 typedef enum DnssecNsecResult
{
64 DNSSEC_NSEC_NO_RR
, /* No suitable NSEC/NSEC3 RR found */
65 DNSSEC_NSEC_CNAME
, /* Didn't find what was asked for, but did find CNAME */
66 DNSSEC_NSEC_UNSUPPORTED_ALGORITHM
,
/* Tests whether the NSEC/NSEC3 records in @answer prove the (non-)existence
 * of the RR set identified by @key. The outcome is written to *@result as a
 * DnssecNsecResult (DNSSEC_NSEC_NO_RR when no usable NSEC/NSEC3 RR was found,
 * DNSSEC_NSEC_CNAME when a CNAME was found instead; see the enum above).
 * *@authenticated presumably reports whether the proving records were
 * themselves authenticated -- an unauthenticated denial must not be cached or
 * reported as a secure one. *@ttl presumably receives the TTL the result may
 * be cached for. Confirm the out-parameter semantics and the return
 * convention in the implementation. */
int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
/* Checks the NSEC/NSEC3 evidence in @a for a positive wildcard answer: that
 * the owner name @name was legitimately synthesized from the wildcard at
 * @source within @zone, i.e. that no closer explicit name exists (presumably).
 * This is the "further NSEC/NSEC3 checks" step that a
 * DNSSEC_VALIDATED_WILDCARD result from dnssec_verify_rrset() calls for; a
 * wildcard signature without this check lets a signed wildcard stand in for
 * names the zone actually defines. *@authenticated presumably reports whether
 * the evidence was itself authenticated. Return convention: confirm in the
 * implementation. */
int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);
/* Maps a DnssecResult to its string name. _const_ presumably expands to the
 * compiler's "const" function attribute. Behaviour for out-of-range values is
 * not visible here -- confirm before using the result without a NULL check. */
const char* dnssec_result_to_string(DnssecResult m) _const_;
/* Inverse of dnssec_result_to_string(): parses @s into a DnssecResult.
 * Presumably returns _DNSSEC_RESULT_INVALID (-1, see the enum above) for an
 * unrecognized string; callers must check for it rather than index tables with
 * the value. _pure_ presumably expands to the compiler's "pure" attribute. */
DnssecResult dnssec_result_from_string(const char *s) _pure_;
/* Maps a DnssecVerdict to its string name. _const_ presumably expands to the
 * compiler's "const" function attribute. Behaviour for out-of-range values is
 * not visible here -- confirm before using the result without a NULL check. */
const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
/* Inverse of dnssec_verdict_to_string(): parses @s into a DnssecVerdict.
 * Presumably returns _DNSSEC_VERDICT_INVALID (-1, see the enum above) for an
 * unrecognized string; callers must check for it rather than index tables with
 * the value. _pure_ presumably expands to the compiler's "pure" attribute. */
DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;