resolved: fix the rcode to SUCCESS if we find at least one matching RR in a DNS response

[thirdparty/systemd.git] / src / resolve / resolved-dns-dnssec.h
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h

index f1068750273570f261a21999c48c5ffbf7e80895..c99861b8e5260cd26f3f9d1b07193ac15429f445 100644 (file)
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -21,34 +21,17 @@
    along with systemd; If not, see <http://www.gnu.org/licenses/>.
  ***/
  
-typedef enum DnssecMode DnssecMode;
  typedef enum DnssecResult DnssecResult;
+typedef enum DnssecVerdict DnssecVerdict;
  
  #include "dns-domain.h"
  #include "resolved-dns-answer.h"
  #include "resolved-dns-rr.h"
  
-enum DnssecMode {
-        /* No DNSSEC validation is done */
-        DNSSEC_NO,
-
-        /* Validate locally, if the server knows DO, but if not,
-         * don't. Don't trust the AD bit. If the server doesn't do
-         * DNSSEC properly, downgrade to non-DNSSEC operation. Of
-         * course, we then are vulnerable to a downgrade attack, but
-         * that's life and what is configured. */
-        DNSSEC_DOWNGRADE_OK,
-
-        /* Insist on DNSSEC server support, and rather fail than downgrading. */
-        DNSSEC_YES,
-
-        _DNSSEC_MODE_MAX,
-        _DNSSEC_MODE_INVALID = -1
-};
-
  enum DnssecResult {
-        /* These four are returned by dnssec_verify_rrset() */
+        /* These five are returned by dnssec_verify_rrset() */
          DNSSEC_VALIDATED,
+        DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
          DNSSEC_INVALID,
          DNSSEC_SIGNATURE_EXPIRED,
          DNSSEC_UNSUPPORTED_ALGORITHM,
@@ -67,31 +50,41 @@ enum DnssecResult {
          _DNSSEC_RESULT_INVALID = -1
  };
  
+enum DnssecVerdict {
+        DNSSEC_SECURE,
+        DNSSEC_INSECURE,
+        DNSSEC_BOGUS,
+        DNSSEC_INDETERMINATE,
+
+        _DNSSEC_VERDICT_MAX,
+        _DNSSEC_VERDICT_INVALID = -1
+};
+
  #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
  
  /* The longest digest we'll ever generate, of all digest algorithms we support */
  #define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
  
-int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
+int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
  int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
  
-int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
-int dnssec_verify_rrset_search(DnsAnswer *answer, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result);
+int dnssec_verify_rrset(DnsAnswer *answer, const DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime, DnssecResult *result);
+int dnssec_verify_rrset_search(DnsAnswer *answer, const DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime, DnssecResult *result, DnsResourceRecord **rrsig);
  
-int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
-int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
+int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, bool mask_revoke);
+int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *validated_ds);
  
  int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
  
-uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
+uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
  
  int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
  
-int dnssec_nsec3_hash(const DnsResourceRecord *nsec3, const char *name, void *ret);
+int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
  
  typedef enum DnssecNsecResult {
          DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */
-        DNSSEC_NSEC_CNAME,     /* Would be NODATA, but for the existence of a CNAME RR */
+        DNSSEC_NSEC_CNAME,     /* Didn't find what was asked for, but did find CNAME */
          DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
          DNSSEC_NSEC_NXDOMAIN,
          DNSSEC_NSEC_NODATA,
@@ -99,10 +92,14 @@ typedef enum DnssecNsecResult {
          DNSSEC_NSEC_OPTOUT,
  } DnssecNsecResult;
  
-int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated);
+int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
  
-const char* dnssec_mode_to_string(DnssecMode m) _const_;
-DnssecMode dnssec_mode_from_string(const char *s) _pure_;
+int dnssec_nsec_test_enclosed(DnsAnswer *answer, uint16_t type, const char *name, const char *zone, bool *authenticated);
+
+int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *source, const char *zone, bool *authenticated);
  
  const char* dnssec_result_to_string(DnssecResult m) _const_;
  DnssecResult dnssec_result_from_string(const char *s) _pure_;
+
+const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
+DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;